We’ve had a resurgence in questions around the change from NIST 800-171 to the new Cybersecurity Maturity Model Certification (CMMC). Here are some of the frequently asked questions and responses.
What is CMMC, and why is it replacing NIST 800-171? CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass five maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced/Progressive” and will require an audit as the self-assessment model used with the NIST 800-171 attestations was found to be unreliable when audits were performed on self-attesting companies.
Who will audit for CMMC, and how often? The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (www.cmmcab.org).
A CMMC certification will be valid for 3 years.
Will there be an option to self-certify for CMMC? No, however companies are highly encouraged to perform a self assessment or 3rd party gap assessment to prepare for the CMMC audit.
Will my company’s assessment results and level be public? No, the results of a CMMC assessment will not be made public. The only information that will be publically available is that your company has a CMMC certification. The specific certification level will NOT be made public. The DoD, however, will have access to all DIB companies’ certification levels.
How much will it cost to get certified? This will depend on a number of factors, including:
1) The level of CMMC maturity that you need. Smaller companies that don’t have direct access to Controlled Unclassified Information (CUI) would still need to be certified at level 1, while the higher level of classification will be required on RFI and RFPs that will include confidential data.-
2) How far off you are from meeting the appropriate CMMC requirements. If you are already meeting NIST 800-171, that’s approximately the same as CMMC Level 3 with some added requirements. If you have never aligned to a cyber framework or compliance before, it may take much more work, time and money to catch up.
3) The cost of your actual audit and whether you pass the first time or have to pay again.