FAQ
The DoD CIO has published their own FAQ here: https://dodcio.defense.gov/CMMC/FAQs/
____________________________________________________
The COE Discord and CMMC Reddit pages are free resources led by the community. Some of the most common questions are listed below, along with some of the answers offered.
NOTE: Depending on your own situation, these answers may not work for your environment. Work with your own compliance or legal team to ensure your implementation and interpretation is acceptable for compliance.
How much does compliance cost?
ANSWERS HERE
How do I know if I have CUI?
It should be marked by the person who sent it to you. If it's not, but if your purchase order or contract flow-down requires you to protect the data as if it were CUI, contact your buyer/customer and ask for clarification.
Have you watched Ryan Bonner's video on this?
Are machine files (like CAD models) CUI if I create them as the manufacturer?
ANSWERS HERE
How do I convince management to be compliant?
ANSWERS HERE
What can I expect during a CMMC assessment?
ANSWERS HERE
Do all of my Security Protection Assets (SPA)s need to be CMMC-compliant?
ANSWERS HERE
How do I choose a C3PAO?
ANSWERS HERE
What options are out there for training to become a CCP/CCA?
ANSWERS HERE
What should my System Security Plan (SSP) look like, what should it include, and how long should it be?
ANSWERS HERE
What is the difference between Plan of Actions and Milestones (POAM) and Operational Plan of Action (OPOA)?
Items put on POAM must be closed out within 180 days, and must be one of the allowable items.
Items on a OPOA are items that were acceptable before, but are temporarily not compliant for some reason.
Is Department of Defense (DoD) the only government agency that requires CMMC?
As of right now (November 2024), yes. Department of Energy, and others, may call out NIST 800-171, but at this time, DoD is the only government agency that is poised to require third party assessments to confirm compliance.
What's the difference between a Registered Practitioner (RP) and a CCP?
ANSWERS HERE
Are phones in scope of a CMMC audit?
If phones (mobile devices) are capable of accessing the information system that stores FCI or CUI, yes.
What do I do if I'm sent CUI by my customer?
There's not much to do when a sender doesn't follow directions pertinent to your environment.
The best thing is to have policies in place on what to do when it actually happens.
Arguably, small businesses that rely on big primes business have a harder time telling their customers that they're not following directions, and expecting not to become the problem child as a result.
One small business owner says: "Early on in the process, we sent out a memo to all of our aerospace customers, reminding them of CUI sharing responsibilities per flow down. We did it under the guise that we just wanted them to be aware that we were compliant in our practices.
It allowed us the opportunity to remind them on proper sharing practices."
If some small businesses had to file a report for every single time CUI was inadvertently shared unencrypted through email, by its big customer who should arguably know better, those small businesses would have no business.
It's helpful to consider "what is it that we're trying to do here?" It's helpful to get grounded here and there.
You can only control your own environment, and your own team. If the best you can do is over communicate and remain hyper aware once data is in your environment, then you're light years ahead of most.
What should I do if my customer requests my SPRS score?
If you are prime on the contract, your Contract Officer has the ability to see your score in SPRS, provided that you have submitted a score. If you are a subcontractor, your customer cannot see your score in SPRS. They may request you provide evidence of your submission, and may also request details of the score or even a copy of your SSP. You do not have a DoD contractual obligation to provide this information, however your mileage may vary when it comes to how much you can push back on providing this information.
Do all of my applications have to be FedRAMP to be CMMC compliant?
ANSWERS HERE