CMMC Final Rule 48 CFR is Here!

KLC Consulting’s President and CISO, Kyle Lai CCA, was recently interviewed on Axiom.Tech’s podcast, Climbing Mount CMMC. Listen to this in-depth conversation that showcases Kyle’s expertise and experience, as well as answers practical questions about the CMMC Level 2 Certification process. This interview is also available on Spotify and Apple Podcasts.

Key takeaways from the video include:

  • DoD Requirements: The Department of Defense must verify a contractor’s CMMC status in the SPRS before awarding a contract. Every CMMC assessment, including self-assessments, generates a unique CMMC UID to be reported in this platform.
  • Contractor Responsibilities: Prime contractors are responsible for flowing down CMMC requirements to all subcontractors handling FCI or CUI.
  • Continuous Compliance: This new requirement mandates an annual affirmation within the SPRS for all CMMC Level Two certified OSCs.
  • C3PAO Assessment Timeline: Learn how long the typical CMMC Level 2 Assessment takes, from Pre-Assessment to Certification.
  • Who Should Act Now: While not all contracts will demand immediate certification, either self-assessment or third-party assessment requirements will be specified and therefore dictate the degree of urgency for next steps.
  • KLC Consulting’s Expertise: We have extensive experience performing CMMC Level 2 Assessments for both small businesses and large enterprises.

In this video, we break down the #CMMC Level 2 assessment process, walking you through the requirements and what to expect during an audit. We provide #C3PAO insider tips to help your company prepare and succeed in achieving #CMMCAccreditation…

Transcript for: CMMC Final Rule 48 CFR is Here!

Introduction

Kyle Lai 00:04

Right. We are live.

Kelly McDermott 00:05

All right. Welcome everyone to KLC’s webinar, Ask the Expert: CMMC Final Rule 48 CFR, What Primes and Subs Need to Know. My name is Kelly McDermott, and I work with KLC Consulting, the host of this webinar. Welcome everybody. Thanks for being here.

About KLC Consulting: CMMC Experts

Kelly McDermott 00:33

Here’s a little bit about KLC Consulting. We’ll go to that slide to show you what KLC Consulting is all about. And while we’re doing that, I just want you to know that we’ve conducted quite a few Certification Assessments already, and we have three lead CCAs in house. So, a little bit about KLC Consulting. Next slide please. We’re a CMMC third party assessment organization, or C3PAO, authorized by the Cyber AB to assess and certify companies for CMMC Level Two. KLC Consulting is also a CMMC compliance consulting firm that helps DIB companies meet US DoD information security requirements. We were incorporated in 2002 and established offices in Framingham, Massachusetts and also Houston, Texas.

Understanding the CMMC Timeline and Phases

Kyle Lai 02:36

Hi Kelly. Hi. How are you doing? I’m really glad to be here. Hi everyone. We have a lot to go through today, because, as you know, the CMMC Final Rule 48 CFR just got finalized on September 10, and it’s going to go into effect on November 10. So a lot to go through. I will go through just the overview of CMMC. We’re not going to go deep on CMMC, because I think you probably already have a lot of familiarity with what CMMC is about. We’re going to focus on what’s new and some of the things that you really need to know: the interaction between the DoD contracting officer, the prime contractors and the subcontractors. So that’s our focus today. Okay, a lot of acronyms, so we’ll breeze through. After this webinar we’ll make this recording available, so you will be able to go back and review some of the items if you’re interested. We’re not going to go through all of these. CMMC has three levels. I think you all know there are three levels, and we are going to cover all three levels in this webinar, because CMMC is general and covers all three levels. But as a C3PAO, obviously we do a lot more CMMC Level Two. Okay, let’s talk about the timeline. We know that 48 CFR, the CMMC Final Rule, is going to be effective on November 10, 2025, and if you recall, there are four phases. Phase one is where the DoD is going to focus on the solicitations and contracts that are doing self-assessment, right? So you are going to start seeing contracts, solicitations, RFIs and RFPs that have the CMMC Level One or CMMC Level Two self-assessment clauses included in the contract or the solicitation. Phase two will start a year later, 12 months later, on November 10, 2026. That’s when you will start seeing the CMMC Level Two certification requirements.
And phase three you will start seeing on November 10, 2027. That’s when the contracts or solicitations will start including the clauses requiring CMMC Level Three certification. And as you recall, CMMC Level Three certification still requires the Level Two certification first; CMMC Level Three adds 24 additional requirements, and that assessment will be performed by the DoD DIBCAC organization. And on November 10, 2028, that’s where we go to phase four. That’s the full implementation. That means all solicitations, RFPs, RFIs and contracts will include the CMMC contract clause after November 10, 2028. Can CMMC Level Two certification be included in phase one? The answer is: possibly, because this timeline is a suggestion, right? So if the contracting officer or the program office feel that they need to include the CMMC Level Two Certification Assessment in the solicitation, RFP or RFI, they will do that in phase one. So it’s up to the program office or the contracting officer’s discretion to include, or to move, the CMMC Level Two or higher level CMMC status requirements ahead of the planned phases.

32 CFR vs. 48 CFR: CMMC Acquisition Rules Explained

Kyle Lai 06:17

Okay, so there is some confusion out there as well: what is 32 versus 48 CFR? Let’s just get that clear. 32 CFR Part 170 is the CMMC program rule. It basically spells out how the ecosystem works, what the rules of engagement are for performing a Certification Assessment, and the roles and responsibilities of the different roles within the CMMC ecosystem, right? So that is what is in 32 CFR Part 170. And the CMMC acquisition rule, that’s 48 CFR. So we want to make sure that you understand that 48 CFR spells out all the requirements, or the contract requirement clauses, to be included by the DoD contracting officer. That’s why we were waiting for 48 CFR to come out before CMMC is finalized. So 48 CFR also includes the famous DFARS 252.204-7021, that is the contractor compliance with the CMMC level requirements. That is the, quote unquote, CMMC rule to be included in the contract.

The CMMC Unique Identifier (UID) and SPRS

Kyle Lai 07:54

Okay, all right. So, before we get too far, I want to introduce the term CMMC UID, the CMMC unique identifier. So this is 10 alphanumeric characters that make up this CMMC Unique ID, the CMMC UID, and it specifies the CMMC assessment and identifies, in SPRS, each contractor’s information system. So what it means is that every time you do a CMMC assessment, whether it’s a self-assessment or a Certification Assessment, you will get a new CMMC Unique ID. The first two letters indicate the level you’re on, and then there’s the actual number.

Prime Contractor and Subcontractor Responsibilities Under the Final Rule

Kyle Lai 10:01

So, 48 CFR. There are some things that you need to know before we get too far. On the right side, you will see the CMMC statuses. There are seven different statuses, right? So there’s Level One, that’s all self-assessment. For Level Two, there’s the conditional and the final for self-assessment. Then there is the conditional Level Two and the final Level Two for the C3PAO Certification Assessment. And then there is the conditional Level Three and the final Level Three for the DIBCAC assessment. Okay, and because we are going to use this CMMC status, I just want to make sure that we get that squared away first. So when we have a contracting officer, they must verify the CMMC status in the SPRS system before they can issue the award to the contractors. And what we are talking about here are the prime contractors, right? If there is no record in SPRS, the contract cannot be awarded to companies without that record, without the required CMMC status, okay? And also the prime contractors must provide all the CMMC UIDs for systems that process, store or transmit FCI and CUI during the contract performance. So that could include the prime’s and also the subcontractors’ CMMC UIDs, right? And it’s the prime contractor’s responsibility to make sure they get all these CMMC UIDs from the subcontractors, right? And it’s mandatory for the prime contractors to flow down the CMMC requirements to their subcontractors that handle FCI or CUI, okay? And the prime contractors also need to make sure the subcontractors meet the continuous compliance. What it means is the annual affirmation in the SPRS system; that’s from the prime to the subs, okay? We’re going to talk a little bit more about continuous compliance, because it comes up a lot within 48 CFR, the CMMC acquisition rule.
So yeah, we’ll discuss a little bit more about the prime’s responsibility there. Okay, if you have not seen the SPRS system, once you go in, you will see there’s a menu on the left side. It says Cyber Reports, CMMC and NIST 800-171. Once you click on that, this is the screen that you will see on the top. If you click on the CMMC assessment, then you will see the four different tabs here. Just to give you an example, if you have a CMMC Level Two Certification Assessment by a C3PAO, then you will see the details. You will see a record with a CMMC UID, the unique identifier, here, and then filled out with the details. For a self-assessment, obviously, that is something the OSC enters; they enter the CMMC record themselves. But if this is a CMMC Level Two C3PAO conditional or final status, then it’s automatically filled out by what they call the DoD eMASS system, because as a C3PAO, we upload your assessment results to the DoD eMASS system. Then eMASS will automatically populate the SPRS record for the Certification Assessments. Okay, so this gives you an idea of what it looks like in SPRS. And also, there’s a requirement: if there are any changes to the CMMC UID, the scope, or the systems, then the prime contractor will have to report the changes to the DoD contracting officer. There is still some confusion in terms of, what do you mean by change? Do you actually want me to report every change? Yeah, exactly what needs to be reported still needs to be clarified. But from the language, paragraph (e)(1), that’s basically what it says: any change needs to be reported to the contracting officer, right? And the reason there is still some confusion: if I add laptops, if I hire more people and issue more laptops, do I need to report that?
This is a very common question: if I just acquire another company, M&A, do I need to report, or do I need to redo the certification? So these are some of the discussions that are still going on. We still hear some discussion from the Cyber AB and DoD, so there is still some discussion over there, because it’s something that DoD will have to clarify.

Kelly McDermott 15:53

Sorry, Kyle, just to interrupt for a second, a little clarification: if a company does a self-assessment, will they get a CMMC UID number like an

Kyle Lai 16:06

They will, okay, they will, because at the time they enter their CMMC self-assessment record into the SPRS system, the SPRS system will generate a CMMC UID for that assessment.

Kelly McDermott 16:25

Okay, great. Thank you. Okay.

Kyle Lai 16:27

As I mentioned before, with 7021 there is a requirement to flow down the CMMC requirements from the prime to the subs, right? So, yes, there’s a requirement. So for reporting the changes to the contracting officer, this is the prime contractor’s responsibility. Does the sub have that responsibility, because there’s a flow down? No, the subcontractors do not need to report the changes directly to the contracting officer. And the reason is that the contracting officer has no idea of, is not privy to, the subcontracts between the prime and the subs. So there’s an exclusion in paragraph (f), saying that this one is excluded from the flow down to the subcontractors. Okay, so, yeah, just want to make that clear. However, there should still be some kind of relationship, or reporting relationship, between the prime and the sub, because prime contractors, you are still responsible for the changes that could impact the overall CMMC scope of the contract that the prime is performing for the DoD. There is one thing on the bottom here, I just want to make sure that we cover that: if you are adding new users, say you’re growing from 5 to 200 users, that is not really considered a change of scope. They clarify that in 48 CFR, okay? I know I talked a lot about all these relationships, so I just created the swim lane diagram to make it, hopefully, a little bit simpler in terms of the relationship between the contracting officer, the prime contractor and the subcontractor. So let’s start from the top left. So, contracting officer: everything starts with a solicitation and the contracts. So before they issue the contracts, usually the program office, whichever contracting office the contracting officer works with, before they issue the solicitation, RFP or RFI, they will determine what is the minimum CMMC status requirement for that solicitation.
So that’s when the contracting officer will add a CMMC status requirement to the solicitation. And then they will go through their bidding process before they issue the contract award; let’s say that they already know who’s going to win. Okay, so then, before they issue the contract award, the contracting officer has the responsibility to verify the CMMC UID and also the minimum required CMMC status in the SPRS system. Okay, so once the contract is awarded, let’s go to the right side. That’s the box on the right side. There’s a continuous compliance requirement for the prime contractor to submit their annual affirmation to SPRS, right? That’s an annual affirmation. That’s a requirement, and also they need to, what we talked about, notify any system changes to the contracting officer, and also notify new CMMC UIDs to the contracting officer, okay? And they will send this information to the contracting officer. They will review. They have the responsibility to review the continuous compliance and make sure that they verify again their CMMC UIDs if there are new ones, because they don’t know if there are going to be new ones included in the contract unless the prime contractors report to the contracting officer. So the contracting officer will be busy verifying the CMMC UIDs and the CMMC status in SPRS, and making sure the contract award stays current and stays compliant. And then let’s go down. There’s an arrow going down. That’s a flow down from the prime contractor to the subcontractor. And before the prime contractor awards the subcontract to a subcontractor, they have to verify the CMMC UID is current, and the status meets the minimum required CMMC status in SPRS. Here’s a note: the prime contractor will not have access to the subcontractor’s SPRS record.
The SPRS record is only between the DIB company and the DoD, so no other companies will be able to see that SPRS record, right? So prime contractors will most likely ask for a screenshot for the subcontractors to show that, hey, we actually have this CMMC UID, and we have our status from our SPRS system. Okay, and let’s just take a look at the box on the bottom left here. So there is the continuous compliance. There is a requirement for the subcontractors to stay compliant and submit the annual affirmation to the SPRS system, and they will have to provide that information to the prime contractor’s point of contact, to make sure that the primes get the information that the subcontractors stay current and stay compliant. So I put the red dotted box here because there is no requirement. I think it’s more like a notification instead of continuous compliance. There is a requirement for reviewing the subcontractors’ continuous compliance, but there is no requirement for the prime to review any changes that are made by the subcontractors. That is not a requirement, but obviously it is something that should be done, but it’s not "shall be done". So I just want to make sure that prime contractors know there’s no requirement, but you still need to understand what the changes are. If there are changes to the compliance, the scope, or some of the systems or CMMC UIDs that are provided by the subcontractors, you still need to make sure they are staying compliant before you can tell the DoD contracting officer that everything within the contract is compliant. So there you go. Hopefully this diagram is helpful for companies that are trying to understand the relationship.
Okay, so I know there is a lot to cover, so we’ll go into the Q&A, but if you are interested, as a C3PAO, there are things that you can look at in preparation for the C3PAO assessment, the Certification Assessment. So these are the playbook for our CMMC assessors. It’s going to be an open book when we do the assessment, so there are no surprises. We’re not a gotcha type of assessor. We want to see our OSC clients be successful. Just another view: this is the objective evidence checklist that was originally developed by the DIBCAC organization, but we modified it a little bit, so you will see what we’re looking for during the assessment. So feel free to download.

CMMC Certification and Scope Changes: Q&A

Kelly McDermott 25:35

Okay, okay, great. We’ll get to your pre-submitted questions, and then we have a sprinkling of other great questions here in the Q&A as well that we hope to get to. So the first one here, Kyle, is: after retaining a CMMC Level Two certification, what types of changes in scope trigger a new assessment?

Kyle Lai 25:57

Yep, so this is the part that we’re not too sure of yet. So for example, if you have a CMMC certificate, and say you are using a Microsoft Azure environment, and now you’re changing it to AWS, that’s a given. There is a big change, a major change, to your environment. So you will require a new assessment in that case. If you have a data center that right now is located in Washington, DC, and you are moving it to Florida, right? It’s going to be a pretty similar setup for the data center. Everything is very similar, but because there are some changes there, there might be a requirement for a new assessment. So those are the cases I can think of. But if you already have an IT environment that’s already set up, and you acquire a company that is going to use it, this new company is going to have a new CAGE Code and is going to use the same IT environment. In this case, you’re adding a new CAGE Code, but not changing the environment. That is the part that is not too clear, in terms of, do you need to have a new CMMC certification for the new CAGE Code? That is something I think we will need to have a more definite answer on from the DoD, and

Kelly McDermott 27:43

Ultimately, Kyle, that would be up to the contracting officer at this point. Wouldn’t it be?

Kyle Lai 27:48

I think it’s more than that. I think it’s probably more a direction from the CMMC program office to give a little bit more guidance in terms of, like, if I have an M&A with another company with five more CAGE Codes, but we’re using the same IT environment, do we need to have a new certification? Or what is the process of just adding these five CAGE Codes into our environment? That is the part that is not too clear, right?

Kelly McDermott 28:21

Okay, all right, okay. So the second question is: what is KLC’s experience with assessing small business subcontractors?

Kyle Lai 28:31

Yeah, that’s a good question. So we have conducted several assessments for smaller environments. We’re talking about, like, three people to 50. So we have conducted quite a few of those assessments already for small environments. I mean, it’s public information that we conducted the assessment for Microsoft, the Mixed Reality division. So we have covered the very large, complex ones, where software is the CUI, down to small ones. So, yeah, we’re comfortable doing the small business contractors as well. Great.

Kelly McDermott 29:13

Will the DoD allow waivers for contractors who have been unable to obtain certification from a C3PAO?

Kyle Lai 29:22

Yep, so there is this clause in 32 CFR Part 170; there’s a place that talks about waivers. But in terms of the waivers, that is up to the agency who you work with, their program office. It’s based on their internal policy, on how they deal with the waivers, and the contracting officer will be able to follow those internal policies to issue waivers. But I think 48 CFR mentioned: don’t count on waivers, and don’t refer to waivers like, you know, there is discretion for the contracting officer or program office, because it’s not something that is going to be normalized, like, hey, here’s the process for issuing a waiver. It’s something that the program office for the agency you work with, it’s their decision on how they want to do this.

Kelly McDermott 30:27

Okay, excellent. Number four: we find that our government customers are not up to date with CMMC and CUI requirements. Is there a program in place to educate the government agencies on the proper handling of CUI, for example?

Kyle Lai 30:43

DAU, yeah, yes. So DAU, that’s the Defense Acquisition University. I’m not a government employee, so I cannot really say how they actually do this part, but I’m pretty sure that the government, the DoD, I mean, I have heard, and also I think I’ve seen, that if you go to DAU, there are more courses related to CMMC, not just the actual acquisition but about cybersecurity, and also handling of CUI. That’s a big thing, right? We all know that there is a lot of mislabeling, or there are a lot of documents that have old labeling, or they’re supposed to be CUI, we think they are CUI, but there is no label, there is no marking on the CUI, or some organizations over-mark. So I think it’s going to get better. Now we have 48 CFR published. Now DFARS 7021 is officially going to be effective. It’s finalized, and it will be officially effective November 10, 2025. I’ll bet that DoD will up their game, training their defense acquisition officers and their employees to make sure that they are more up to speed with the marking and handling of CUI. That’s how I see it.

Kelly McDermott 32:35

Okay, great. Is a penetration test a requirement for CMMC Level Two?

Kyle Lai 32:42

No. I think it’s a myth. I think some people mentioned that we need to have penetration testing. So I want to distinguish the difference between penetration testing and vulnerability assessment. Vulnerability assessment, vulnerability management, is a requirement in CMMC Level Two, right? However, penetration testing is not. Penetration testing is a requirement in CMMC Level Three. So just want to make sure that we have that distinction. If you’re only going for CMMC Level Two, penetration testing is not a requirement.

Kelly McDermott 33:23

Okay. And actually, this question came up in our Q&A: what companies and what data qualify for self-assessment in the first year versus those requiring a C3PAO Certification Assessment? So this is about what companies qualify for assessment in the first year, right?

Kyle Lai 33:44

So, if you recall the diagram I was showing, the very first step is the agency’s program office. They give a CMMC status requirement to the contracting officer to add to the solicitation, the RFP or RFI. So the contract is going to be based on the requirements that are on the RFP or RFI. The CMMC requirement is going to be based on the contract. What is the contract language, right? So this is something that we have to check. So what companies qualify for self-assessment for the first year? I would say it’s going to be based on the contract. Some people are saying that in the first year there may be more contracts or solicitations with the CMMC Level Two self-assessment, then converting to the CMMC Level Two Certification Assessment. I don’t know if that is all true, because we have seen some contracts or some solicitations, draft RFIs, that already have the CMMC Level Two Certification Assessment requirements in there, so we don’t know exactly how it will play out. I wouldn’t doubt that there are some contracts that may have the self-assessment and be required to have the Certification Assessment later. I wouldn’t doubt that, but I just haven’t seen that yet. But most likely, to reduce the confusion, I think some of these solicitations might just go directly to the CMMC Certification Assessment right off the bat. We already see some of the draft RFPs with that requirement.

Kelly McDermott 36:01

Okay, here’s a good one. After we’re CMMC Level Two certified, may we share our certificate with our customers?

Kyle Lai 36:11

Yes, so it is definitely okay to share, because once you have gone through that big handful of a process of getting certified with a C3PAO, yes, you want to brag and say that you definitely have the competitive advantage over other competitors that are just starting or have not had their certification. So yes, you can definitely share your certificate of the final status with your customers. The word of caution is that on the actual certificate you might want to be careful with the CMMC UID, because when we as a C3PAO issue the certificate, it’s going to have the CMMC UID on the certificate. Just to prevent any misuse or fraudulent use of the certificate, you just want to be careful with the CMMC UID; we advise not making it public. But showing your certificate to your customers, yeah, you can definitely do that. It’s your certificate. You can do whatever you want.

Kelly McDermott 37:39

That’s a really good point, though, about the UID on that and just being a little bit cautious about sharing it broadly.

Kyle Lai 37:47

Yes, yeah, absolutely.

CMMC Level Two Certification Assessment and Cost

Kelly McDermott 37:50

All right, so what are the typical costs of a C3PAO assessment among different industries? What are typical assessment time frames?

Kyle Lai 38:00

Yeah, so I think it’s going to vary greatly, because there are some differences in terms of the size and the complexity. And also now we are seeing a few more companies, especially the small companies, that are subscribing to some of the cloud service providers. They provide the CUI enclaves. So if you are using enclaves that have FedRAMP equivalency, or are FedRAMP authorized, then you can inherit quite a few controls. So instead of you implementing all 110 controls, you can inherit some of the controls from these cloud service providers with the CUI enclave environment, right? So instead of doing 110 controls, you might be only doing 50 controls. Some of them are shared responsibilities, some of them are the customer’s, the OSC’s, responsibilities, and some of them are going to be your CUI enclave provider’s responsibilities, right? So if you have this responsibility inheritance, and you, the OSC, are developing fewer controls, then as a C3PAO we may take less time to conduct those assessments, so the cost might be a little bit lower. So what we can say is that our range is from the 30,000 range all the way to the large ones; I think typical is like 30,000 to about 80,000 for the larger ones. So that’s just to give you a range, but I think we want to have a discussion with you and make sure we understand your complexity, your size, your number of users, number of devices, if you are cloud or hybrid, or if everything’s on prem. And also the type of industry varies as well. If you are mostly doing, say, professional services, most of your staff use GFE, right, government furnished equipment.
Government issued the laptops, and then you only have a very small environment, versus a company that is doing a lot of software development with manufacturing and firmware, which is considered CUI as well, and that is complex. That is going to cost a lot more than a simple environment. So I think it varies. If you look at the top right, you see the QR code. If you scan the QR code, you can go to our website and try to use that instant quote tool; we will give you an instant price quote. And you can take a look and see the price range. We welcome you to set up a meeting with us so we can go through the details and just discuss the size and complexity. Then we can give you a more precise quote at that time.

Kelly McDermott 41:37

I was just going to mention that, Kyle, the automatic price quote that we have on our website. So that’s great. Yeah, you can just snap that QR code and put in your info, the size of your company, and you’ll get an estimate back from us. And then the second part of this question, Kyle, was,

Kyle Lai 41:54

Just want to say it only takes about 10 minutes.

Kelly McDermott 41:58

There you go. Excellent. What are the typical assessment time frames? Can you give us an idea of the kind of time frame we’re talking about?

Kyle Lai 42:07

Sure. Different C3PAOs may have different time frames. We typically will start with a Pre-Assessment. In the Pre-Assessment, we usually ask for the SSP, the system security plan, and your CUI boundary diagram, data flow diagram, network diagram and asset inventory. We just want to see if you are ready, truly ready, for the assessment phase. So we will give you three weeks to provide us that information, and we will make the determination if you are ready for the assessment. If you are ready for the assessment, we’ll start with the assessment planning and go into the assessment phase. We will start with assessment planning and sometimes give you some additional time to provide all the information to us, and then we will conduct the assessment in week number eight. Then we’ll allow ourselves four weeks to get all the assessment results into the eMASS system, and if you have the conditional or final status, we will issue you the certificate, all within four weeks after the assessment interview week. So the entire duration from beginning to end, from Pre-Assessment day one to the day we issue you the certificate, will be 12 weeks.

CMMC and Commercial Off-The-Shelf (COTS) Exemptions

Kelly McDermott 43:56

Okay, please explain the COTS exemption and how a company may obtain one from the DoD.

Kyle Lai 43:56

Okay, yeah, we actually did a few COTS exemptions for our clients. I want to make sure that we get one thing straight. If you sell COTS and also sell something that’s non-COTS, then you are not qualified for the COTS exemption. Because for the COTS exemption, you have to be 100% selling COTS. In that case, then you are going to be exempt. And for the COTS exemption, the process is that there is a commercial item determination process, and there’s the COTS determination process. So before you can go for COTS, you have to make sure that you have identified that everything I sell is a commercial item. And for the commercial item, if you are a sub, you have to fill out what they call the commercial item and COTS determination form and send this to your prime contractor. Usually the prime contractors will know, or they should know, that process, especially the larger ones; small ones, I’m not sure, but there are plenty of examples out there. Lockheed, Raytheon, they all make their commercial item determination form, or COTS determination form, public on their website, so you can download it and take a look at that. So if you are a prime and you sell everything 100%, the keyword, 100% COTS items, then you can also work with the commercial item office, the CID commercial item office, so you will be able to provide them the information. You will fill out the commercial item determination form. I will tell you, for DoD it’s going to be a lot of information that you have to fill out. You have to prove that whatever you sell is a commercial item. That means it’s something that everyone can order, right? It’s not just for the DoD. It’s not just for the government. And also it’s something that you sell in large quantity. If you sell only five things, two to the commercial industry and three to the government, they cannot make the determination that it’s a commercial off the shelf product, right? So it has to be a large quantity. And also COTS means that it cannot be modified. If you have a modification to your product, then it’s not COTS; commercial off the shelf means no modification. So if you meet all these requirements, then yes, you will be able to go through and claim that you are selling all COTS, provide the information to DoD or your prime contractor. And so we have helped a couple of companies that filed those commercial item determinations and COTS determinations get them off their CY requirements.

Continuous Compliance, Waivers, and Government Education

Kelly McDermott 47:19

Great, lots of excellent questions here, last one on pre submitted, and then we have quite a few hanging in the Q and A so we’ll try to get to as many of those as we can. If CUI isn’t shared with a subcontractor, is CMMC still required to participate in the contract?

Kyle Lai 47:36

No. Well, we are following the data in CMMC. We follow the information. So if there is no CUI shared with your subcontractors, there is no requirement for CMMC Level Two. If you still share your federal contract information with your subcontractors, that means that you still need to comply, you know, flow down the requirements to your subcontractors to comply with CMMC Level One. So it depends on the type of information you pass to your subcontractors.

Kelly McDermott 48:15

Okay, excellent. All right, in the few minutes that we have left, we will go through some of these questions that you may or may not have answered already. Let me see. Is the CMMC Level One self-assessment within SPRS replacing the current NIST 800-171 self-assessment score already in SPRS?

Kyle Lai 48:41

Currently, no. So currently, the NIST 800-171 is still its own thing. It’s just a framework, the framework standard, right? It’s a standard saying that here is the NIST 800-171. I think your question might be on the DFAR 7012, right. DFAR 7012 has a requirement for implementing the NIST 800-171. So is CMMC replacing the DFAR 7012? Is DFAR 7021 replacing the FAR 7012? The answer is no, not today. I’m not sure about the future, but they are still kept separate for now.

Kelly McDermott 49:35

Okay, this one: would we want subs to report their sub tiers’ UIDs, so that the prime can report every entity under them?

Kyle Lai 49:51

Yes, so I think reporting every entity under the contract. So we’re talking about the contract. CMMC is very specific to the contract. So if you have a contract, and you have 10 subcontractors, they all have their own CMMC ID for these 10 subcontractors, right? Because they are performing, and you are sending some of the CUI to these 10 subcontractors. And these 10 subcontractors all have a system; they are capable and authorized and certified to handle CUI. So you will need to include the CMMC UID for these 10 subcontractors and submit the whole package, with all these CMMC UIDs for the prime and the subcontractors together, to the contracting officer. You will have to do that, and it is the prime contractor’s responsibility to make sure they are all staying compliant. You know, they have to report the continuous compliance to the DoD contracting officers as well.

Kelly McDermott 51:15

Okay, excellent. Will the 48 CFR increase activities for the certification industrial complex and the OSCs?

Kyle Lai 51:27

I believe so. Because, let’s face it, the prime contractors, right, the large prime contractors, Lockheed, Raytheon, they’re not going to wait for a solicitation or the RFI or RFP to come out and then look for the subcontractors, right, partners. Usually they know this a year, six months, eight months before the solicitation or RFI is released, right, and usually DoD has the draft RFI, RFP, solicitations out there. So the prime contractors, they know what’s coming. And yeah, so they’re going to look for the partners way ahead of time. So yes, and just to let you know, once the CMMC Final Rule was released, even though it’s not effective, there has been a surge in the requests for Certification Assessments for us, and we are pretty booked up for 2025. You can still call us, we will still fit you in. But we just want to indicate that yes, there’s a big surge in the requests for getting certified. And yes, we’re expecting to see a surge in the requirements, you know, these companies going through the certification process very soon.

Kelly McDermott 53:09

Yeah, we can’t underscore that enough: do not wait to queue up for your appointment, because it’s a supply and demand thing. There are, you know, less than 100 C3PAOs and over 77,000 DIBs. And so we need to really know that there will be a bottleneck and to not wait.

Kyle Lai 53:33

Yeah, I think there are more than that many C3PAOs, but still, yeah, I mean C3PAOs, I think we’re all easy.

Kelly McDermott 53:43

Yes, alright, so let’s see what we have next. This one says: we do SBIR. When awarded the contract, I would assume that the awardee of the SBIR contract would be considered the prime contractor. Is that correct?

Kyle Lai 54:05

Yeah, so if you have an SBIR, if you are the direct recipient of the SBIR grant, that means that you are the prime contractor, because you are the one that signed the contract directly with the DoD, right? So you are the prime contractor, yes. SBIR is just another contract mechanism, right? The vehicle or contract, a different type of contract. So most likely the SBIR will also specify the CMMC status requirements in the contract itself. So yes, as a prime contractor, you will make sure that you meet the requirements.

Kelly McDermott 54:57

Okay, we just have a few left, so hopefully we’ll get to them all. On the enclave with AWS, does the person managing AWS become a CSP?

Kyle Lai 55:11

I think we may have to have more discussion here, because, to answer simply, if there is a person that manages it, I think who actually owns the account is going to be important, right? If you have an AWS account, but it’s owned by you, the OSC, and you hire a managed service provider, hire a consultant to manage it for you, then you are hiring an IT managed service provider to manage your instance of the AWS cloud, you know, a cloud instance. So in that case, the person who is helping you is considered a managed service provider, right? But AWS, they provide the infrastructure. They are FedRAMP certified, authorized, so AWS itself is the cloud service provider. So in order to answer this question fully, I think we have to get into a little bit more detail before I can fully answer that question.

Kelly McDermott 56:33

Okay, all right, and we’ll share the contact info at the end of the webinar so that this person can get in touch with you about that. Um, here’s one. Can a remote audit be done?

Kyle Lai 56:48

Yes, yeah, that’s a good question. So remote, we have conducted quite a few remote assessments, and the reason we can do that is that there’s no physical CUI on prem at their facility, right? So that means, like, if a company is using VDI, the virtual desktop. So NIST, sorry, the 32 CFR part 170 stated that if a company has a virtual desktop infrastructure, the VDI infrastructure, that means I have a CUI enclave that is in the cloud, right, for example, in the cloud, AWS or Azure, most likely GCC or GCC High, then all I’m doing from my laptop is just remote control. I can remote into this virtual desktop, providing that there’s no file download, there’s no copying, there’s no printing capability, all these are turned off for my laptop. Then I will be able to claim that, yeah, this setup meets the VDI requirements. And if that is the case, and the environment is considered VDI, then the laptop itself is considered out of scope, and we only need to conduct the remote assessment and focus on the CUI enclave that’s in the cloud. So there are, obviously, more discussions that we need to have before we can make that determination, if we can do the remote assessment, but yeah, definitely feel free to give us a call.

Kelly McDermott 58:54

Excellent. This is one that I think is on the top of everyone’s mind. Following KLC’s completion of some assessments, how prepared have contractors been, and what is the passing rate?

Kyle Lai 59:09

Yeah, so for us, knock on wood. There were very close calls where in the Pre-Assessment we almost had to make a call of not ready for a couple of companies, but at the end they pulled through; they pulled a few all-nighters and got the documentation ready. So we were able to move to the assessment. So right now, as I mentioned, the overall Pre-Assessment time is seven weeks; the Pre-Assessment starts seven weeks before the actual Certification Assessment interview, and the reason we give a little bit more time is just that we want to make sure that there is enough time for the OSC to prepare. So in that case, we have not had to fail anyone. But there were a few close calls that we had to make, and at the end, yeah, these companies pulled through great.

Kelly McDermott 1:02:03

No, I think that’s, I think the word of advice is just to book your assessment early, because I think C3PAOs are going to get very busy very soon.

Kelly McDermott 1:02:16

Thank you all, thanks for joining us.
