Your CMMC Compliance FAQs Answered
by KLC Consulting, a Cleared C3PAO Candidate Company
1. Can you summarize the CMMC 2.0 changes?
Yes! CMMC 2.0 is the result of the DoD’s 6-month review and takes into account all the feedback received from the CMMC Ecosystem. CMMC 2.0 recognizes the need to balance improving defense information security, cost, and scalability.
2. Is the requirement to flow down CMMC compliance to 1st tier suppliers only a Prime Contractor requirement?
The flow-down requirements of CMMC apply to all subcontractors. It is not just a Prime Contractor requirement.
3. Do we need to tag all our CTI (Design, analysis, etc.) documents and our developed screens in our application?
Yes, but there are different ways of marking an on-screen display. We suggest you check out the ISOO Training Site and research CUI Marking.
4. How do you handle a work-from-home-office environment scenario since the office has limited access?
This topic is widely discussed now within the CMMC community. We recommend following the CMMC Assessment Guide. For example:
- Establish physical security
- Create a separate network for CUI (a separate wireless connection)
- Set up a VPN
5. Can we perform our own CMMC Level One if we are solely a Commercial Off The Shelf (COTS) manufacturer with EAR99 export classification?
If you believe you are a 100% COTS supplier, pursue a waiver from your Prime Contractor Contract Officer. If successful, you’re exempt from NIST 800-171 and CMMC. Please check the service we offer to help you obtain a waiver.
6. Could you please speak to implementation methods (i.e., control of physical printed engineering drawings) in a build-to-print manufacturing environment?
Yes. A couple of examples are:
- Secure building with physical security
- Only cleared people can work in the office area
7. How do we determine if we have CUI? We haven’t seen anything come through on paperwork saying “this is CUI” or in clauses of our contracts?
Look into the DoD’s CUI Registry to determine what is CUI, but direction still should come from your prime contractor’s contract officer/client program manager. We can also help you.
8. How do you recommend tracking CMMC / NIST 800-171 progress/readiness? Tracking our work in a spreadsheet doesn’t seem the most efficient.
Yes, it’s better to use a tool to track policies, procedures, practices, and evidence supporting the practice. We recommend both Exostar Certification Assistant and TotemTech’s Cybersecurity Compliance Management Software.
9. How do you see CMMC requirements rolling down to COTS providers? And how do you suggest COTS providers handle situations where prime customers try to “force” the requirement down?
If you meet the formal Commercial Off The Shelf (COTS) definition, pursue a COTS exemption from CMMC with your Prime Contractor through your contract officer or program manager. There is a well-defined process and we offer our consulting services to help.
10. What should we do about servers that are too old to conform to CMMC and NIST 800-171 but are still needed to support legacy systems?
The Assessment Guide recommends segmenting servers that are old and are not supported with patches. This will reduce the risk of impacting other parts of the company network in the case of a cyber incident. We can also help you with this.
11. How can we identify if CMMC is applicable for our organization if it is not mentioned in our contracts? All we are getting is a letter from our prime customer stating that we need to be compliant.
Look to your contracts to identify the CUI you receive from your customers (Prime Contractors). Perform CUI Scoping to determine if you have CUI within your environment. If yes, you need CMMC 2.0 Level 2. If you provide services that are not COTS and do not handle CUI, you’ll only be required to obtain CMMC 2.0 Level 1. You’ll need to seek and obtain confirmation from your Prime customers of the CMMC level you need to get.
12. If we are required to be CMMC 2.0 level 2 and use an IT Managed Service Provider (MSP), is the provider required to be level 2 as well?
It depends on what the MSP can see. Does the MSP have access to CUI? If not, then no. If yes, CMMC 2.0 Level 2 is required.
13. If we have a large global company with several divisions, but only two divisions/branches deal with CUI, can we carve out those 2 branches for CMMC and leave the rest out of the certification process?
Yes. You can scope CMMC for certain branches, systems, and locations. Also, you can pursue a separate CMMC L1 for sites and systems that handle only Federal Contract Information (FCI).
14. If we have a user connecting remotely through a VPN and the only traffic we allow through the VPN is Remote Desktop, is that user’s computer in or out of scope for a CMMC assessment?
It depends on what that user can access. If they access CUI / FCI, the user’s computer is in-scope.
15. Is there a checklist that can be used for self-assessment?
The CMMC Assessment Guide. You also have the DoD’s website. In addition, Exostar Certification Assistant and TotemTech’s Cybersecurity Compliance Management Software are available.
16. Is there an official list of C3PAO Auditors?
Yes, the CMMC-AB marketplace website. And KLC is a cleared candidate C3PAO.
17. I have a question about an Ethernet Private Line between two buildings: The provider says it does not need a firewall / encryption on the segment because it’s “Layer 2 / EPL”. Can you speak to this to clarify the boundary and requirement to encrypt or not encrypt in this situation?
It depends on how you connect. If it is a cable connection between 2 switches, the “connecting at Layer 2 / EPL” statement is accurate. However, if you otherwise have boundary concerns, you should use proper network security equipment/tools to segregate the networks.
18. What documentation will be required to prove to you that we are in compliance with CMMC? Retention of audit logs, centralized logging or alert events?
Refer to the CMMC 2.0 Assessment Guide.
19. What is the correct action when a customer or supplier requests that you apply a CUI Distribution label to your documents, etc., even though the data has not been labelled as such by the US Government?
Some agencies are behind the curve when it comes to CUI marking and labeling, but we’re all required to do it. We’re all moving in that direction. Work with your customer’s (prime contractor’s) contract manager to mark them correctly. CUI marking and labeling is often a challenge for Organizations Seeking Certification (OSC). We feature a great discussion video about automated solutions with one of our experts in this area, Carl Johnson, and we offer consulting to help support your efforts.
20. What’s your opinion about the best way to package CMMC documents (an SSP, all the related policies, and artifacts)?
We recommend Exostar Certification Assistant and TotemTech’s Cybersecurity Compliance Management Software.
If you’d like to submit your question to our CMMC Compliance FAQ, please use the Contact Us form and we’ll answer as soon as we can!
KLC Consulting’s DoD cybersecurity experts coordinate with your team to support all areas of NIST 800-171 and CMMC. Let’s get started on your CMMC Compliance program!