Your CMMC Questions answered by a cleared C3PAO
Kyle Lai CISSP, CSSLP, CISA, CIPP/US & /G
President and CISO KLC Consulting, Inc.
Kyle tackles your CMMC Frequently Asked Questions!
1. Q: Is the requirement to flow down CMMC compliance to 1st tier suppliers only a Prime contractor requirement? Thank you.
A: The flow-down requirements of CMMC apply to all subcontractors. It is not just a prime contractor requirement.
CUI Marking and Labeling
2. Q: As a software development company providing logistics support to a DOD contractor, the MP3.122 requirement “Mark media with necessary CUI markings and distribution limitations” is challenging for us. Do we need to tag all our CTI (design, analysis, etc.) documents and the screens we develop in our application? Thanks.
A: Yes, but there are different ways of marking an on-screen display. We suggest you check out the ISOO Training site for guidance on CUI Marking.
Working from home and CMMC
3. Q: How do you handle a work-from-home-office environment scenario since the office has limited access? Thanks.
A: This topic is widely discussed within the CMMC community. We recommend following the CMMC ML3 guidance. Examples:
- Establish physical security
- Create a separate network for CUI (a separate wireless connection)
- Set up a VPN
We provide consulting help with the setup of CMMC compliant home office networks.
Commercial Off The Shelf (COTS)
4. Q: Can we perform our own CMMC Level one if we are solely a Commercial Off The Shelf (COTS) manufacturer with EAR99 export classification? Thank you.
A: If you are a 100% COTS supplier, you can pursue a waiver from the Contract Officer for your Prime Contractor.
5. Q: How do you see CMMC requirements rolling down to COTS providers? And how do you suggest COTS providers handle situations where FSIs try to “force” the requirement down? Thanks.
A: If you meet the formal Commercial Off The Shelf (COTS) definition, pursue a COTS exemption from CMMC with your Prime contractor through your contract officer or program manager. There is a well-defined process and we offer consulting services to help.
Implementation of CMMC Controls for Physical Security
6. Q: Could you please speak to implementation methods re: control of physical (printed) engineering drawings in a build-to-print manufacturing environment? Thanks.
A: Yes. A couple of examples are:
- Secure building with physical security
- Only cleared people can work in the office area
CUI and CMMC
7. Q: How can we identify if CMMC is applicable for our organization or not, if it is not mentioned in our contracts? All we are getting is a letter from our customer stating that we need to be compliant. Thanks.
A: Look at your contracts to identify the CUI you receive from your customers (prime contractors). Perform CUI Scoping to determine if you have CUI within your environment. If yes, you need CMMC Level 3. If you provide services that are not COTS and do not handle CUI, you’ll only be required to obtain CMMC Level 1. You’ll need to seek and obtain confirmation from your customers about the CMMC level you need to get.
8. Q: How do we determine if we have CUI? We work with GSA, DOD, and other government entities. So to be on the safe side, we want to be compliant. But we haven’t seen anything come through on paperwork saying “this is CUI” or in clauses of our contracts. I want to know, what do I need to protect? Does CMMC cover financial information? Purchase orders? We don’t do ITAR or handle technical data. So it’s just emails, contracts, purchase orders, sales orders, and credit card info that we have. Obviously, all are important to safeguard, but what is considered CUI? Thank you very much.
A: You should look into the DoD’s CUI Registry to determine what is CUI, but direction should still come from your prime contractor’s contract officer or client program manager.
Tracking CMMC Compliance Progress and Documenting Your Evidence
9. Q: How do you recommend tracking CMMC / NIST 800-171 progress/readiness? We have done a lot of work, but tracking work in Excel doesn’t seem the most efficient. Thanks!
A: Yes, it’s better to use a tool to track policies, procedures, practices, and the evidence supporting each practice. We recommend both Exostar Certification Assistant and TotemTech’s Cybersecurity Compliance Management Software.
10. Q: The interpretation of how to comply with CMMC seems to vary widely. What documentation will be required to prove to you that we are in compliance? Such as retention of audit logs, centralized logging or alert events? Thank you.
11. Q: Is there a checklist that can be used for self-assessment? Thanks.
A: The CMMC Assessment Guides for Maturity Level 1 and Maturity Level 3. You also have the DoD’s website. Exostar Certification Assistant and TotemTech’s Cybersecurity Compliance Management Software are also available.
12. Q: What should we do about servers that are too old to conform to CMMC and NIST 800-171 but are still needed to support legacy systems? Thank you.
A: The Assessment Guide recommends segmenting servers that are old and are not supported with patches. This will reduce the risk of impacting another part of the company network in the case of a cyber incident.
Does my Managed Service Provider (MSP) need to be CMMC compliant?
13. Q: If we are required to be CMMC level 3 and use an IT Managed Service Provider (MSP), is the provider required to be level 3 as well? Thank you.
A: It depends on what the MSP can see. Does the MSP have access to CUI? If not, then no. If yes, CMMC Level 3 is required.
Limit CUI scope to the corporate divisions that handle CUI and exclude the others
14. Q: If we have a large global company with several divisions, but only two division branches deal with CUI, can we carve out those 2 branches for CMMC level 3 and leave the rest out of the certification process? Thank you.
A: Yes. You can scope CMMC L3 for certain branches, systems, and locations. You can also pursue a separate CMMC L1 for sites and systems that handle only Federal Contract Information (FCI).
Official list of C3PAO Auditors
15. Q: Is there an official list of C3PAO Auditors? Thank you.
A: Yes, the CMMC-AB website. KLC Consulting is a cleared C3PAO candidate.
Connectivity and CMMC compliance
16. Q: If we have a user connecting remotely through a VPN and the only traffic we allow through the VPN is Remote Desktop, is that user’s computer in or out of scope for a CMMC assessment? Thanks.
A: It depends on what that user can access. If they access CUI / FCI, the user’s computer is in scope.
17. Q: Regarding an Ethernet Private Line between two buildings, the provider says it does not need a firewall/encryption on the segment because it’s “Layer 2 / EPL”. I am concerned this constitutes a “boundary”, and should have a firewall / encrypted tunnel between these two buildings, despite being an “ethernet private line”. Can you speak to this to clarify the boundary and requirement to encrypt or not encrypt in this situation? Thank you in advance.
A: It depends on how you connect. If it is a cable connection between 2 switches, the “connecting at Layer 2 / EPL” statement is accurate. But if you otherwise have boundary concerns, you should use proper network security equipment/tools to segregate the networks.
Challenges of CUI Marking and Labeling
18. Q: What is the correct course of action when a customer or supplier requests that you apply a Distribution D/CUI label to your documents, etc., even though the data has not been labeled as such by the US Government? Are companies allowed to create and use these labels if they do not originate from the US Government? Thank you very much.
A: Some agencies are behind the curve when it comes to CUI marking and labeling, but we’re all required to do it and are moving in that direction. Work with your customers’ (prime contractors’) contract manager to mark them correctly. CUI marking and labeling is often a challenging area for Organizations Seeking Certification (OSC). We feature a great discussion video with one of our experts in this area on our website, and offer consulting help to support your efforts.