KLC Consulting’s “Ask the Experts” webinar provided crucial insights into navigating CMMC Level 2 compliance. Our expert team, including Kyle Lai CCA, Kelly McDermott, and Layla Paoletti, addressed key questions about the final rule, assessment processes, and compliance requirements.
Key takeaways from the video include:
- Understanding the Final Rule: Gain clarity on the significance of the 32 CFR and 48 CFR CMMC rules and their impact on your business.
- CMMC Level 2 Explained: Learn the vital differences between self-assessments and required third-party assessments.
- Assessment Timelines & Costs: Get insights into the CMMC Level 2 assessment process, timelines, and factors influencing the cost.
- POA&M and Remediation: Understand how to handle POA&M (Plan of Action and Milestones) and what happens if you don’t meet the minimum score.
- Subcontractor & MSP Compliance: Learn how CMMC Level 2 compliance flows down to your subcontractors and how to work with your MSP.
- CUI & NIST 800-171: Grasp essential CUI Compliance and NIST 800-171 Compliance requirements.
- CAGE Codes & Multiple Sites: Understand how to handle CMMC Level 2 across multiple sites and CAGE codes.
In this video, we break down the #CMMC Level 2 assessment process, walking you through the requirements and what to expect during an audit. We provide #C3PAO insider tips to help your company prepare and succeed in achieving #CMMCAccreditation.
CMMC Level 2 Certification Assessment – Final Rule
Introduction:
Kyle Lai 00:04
All right, all
Kelly McDermott 00:06
right, we’re on. Well, welcome everyone to the KLCC webinar, Ask the Experts: CMMC Level Two, Final Rule. My name is Kelly McDermott, and I work with KLC Consulting, along with Kyle Lai and Layla Paoletti, and we want to thank you for joining us today for this very informational webinar. So there’s a few things I’d like to share. First, about KLC Consulting. As many of you know, KLC Consulting is an authorized CMMC third party assessment organization, and we focus on CMMC Level Two certification and consulting services. So a little bit about us, and I believe we’re going to be showing just a little bit more here. We were incorporated in 2002 and we have offices in Marlboro, Massachusetts, and Houston, Texas, but we service across the United States. So we’re really excited today to have you all. I know that there are a lot of pressing questions, and we thank you in advance for submitting your questions. We’ll try to get to as many of those as we can toward the end of the seminar, and if you have questions along the way, please feel free to put them in the Q and A down on the lower toolbar here. And again, we’ll try to get to as many as possible. You’ll see a QR code here: you can visit our assessment page and sign up for your assessment, and also you’ll get the recording for the webinar and a downloadable toolkit on what to expect during your CMMC assessment. So those will all be made available to you through a QR code at the end of the webinar. And so now I would like to kick off the webinar by introducing Kyle Lai and Layla Paoletti. Kyle is the president and CISO of KLC Consulting, and Layla Paoletti, of course, is our Director of Cybersecurity Services. So welcome, Kyle and Layla.
Layla Paoletti 02:19
Hi. Kelly, how are you? Hi, Kelly,
Kyle Lai 02:21
hi everyone. Yeah, thank you for joining our webinar. So today we are going to go through the questions. And before we go through the questions, I just want to cover the CMMC rules, 32 CFR and 48 CFR, because we get a lot of questions in terms of, like, why are there two separate CFR rules? But before we go through that, there are a lot of acronyms, so I’m not going to go through them, but if you email us, we will send you a copy of this slide. Both Layla and myself, we are CMMC certified assessors and will be lead assessors, so we qualify as lead assessors. So yeah, just want to throw it out there so you know you’re getting some good information from us. Okay, so why are there two CMMC rules?
CMMC Program Rules (32 CFR Part 170)
Kyle Lai 02:37
So one of them is the CMMC program rule. That’s for the ecosystem, talking about DIB organizations, the organizations seeking assessments and certifications, and also the C3PAOs, and how do we form the C3PAO, but most importantly, right? How the DoD and also the accreditation body? How do you get the certification? How do you go through the assessments? That’s what’s described in 32 CFR Part 170, right?
CMMC Acquisition Rule (48 CFR Part 204)
Kyle Lai 03:13
And then there is 48 CFR Part 204, or 48 CFR. That’s the CMMC acquisition rule that is really designed for the DoD contracting officers and what they need to do when they issue the contracts, what language they need to include in those contracts. So just want to make sure that you understand why there are two CFRs. The CMMC program rule, 32 CFR, will be effective December 16 of 2024, which means that if you are looking for a certification assessment, you will be able to start the CMMC Level Two certification assessment after December 16 this year. The acquisition rule, 48 CFR, we don’t exactly know when it’s going to come out, but it could be any day now. Once it’s published, 60 days after the published date it becomes effective. We are expecting it maybe later this year, maybe in December, or maybe in Q1 of 2025, and then 60 days later, that’s when the effective date will kick in, okay? And when the effective date kicks in, that means the CMMC rule is all finalized, totally finalized. Then the CMMC Final Rule will start. And yeah, we’ll go through some of the effective dates and what is the impact to you, how the rules will be rolled out in phases. Okay, so here are the questions that we are going to discuss today, and feel free to add additional questions in the Q and A.
Kelly McDermott 05:44
great and again, thank you in advance for submitting a bunch of these questions. These are what are on your mind, so we’re going to try to get to them all. So first question is for Layla,
Key Dates for CMMC Level 2 Certification
Kelly McDermott 05:57
what are the key dates to know for CMMC Level Two certification?
Layla Paoletti 06:00
Yeah. And this is a great first question, because essentially, Kyle already covered what those dates are, or the specific rules that those dates are attached to. And so the first one is, as Kyle just mentioned, December 16, 2024, which is right upon us. And that is the effective date of the CMMC program rule, which is again 32 CFR Part 170. Starting from this date, defense contractors and subcontractors can begin obtaining their CMMC Level Two certification assessments from the C3PAO of their choice. I know that many C3PAOs are getting full already, starting at the end of this year and certainly into the beginning of next year. So that is the first key date that we’re looking at right now, which is again right around the corner, right on us. The second really key date would be the second rule that Kyle just talked about, which is the CMMC acquisition rule, or the 48 CFR. As Kyle stated, that rule is about to be published. Again, we’re expecting it to be between now and the end of the year, or Q1 2025. The key date here is 12 months after that rule is effective, we will see the DoD start including those certification requirements in the contracts. So again, remember, as Kyle stated, that 48 CFR is for contracting officers, so that’s when you’ll see the organizations within the DoD creating that verbiage and narrative in acquisitions and contracts.
Kelly McDermott 07:49
that’s great. Thank you for that, Layla. So there’s a lot of questions around this third party versus self assessment, and people are wondering which one should they do. Kyle, what do you recommend for question number two?
CMMC Level 2: Third-Party vs. Self-Assessment
Kyle Lai 08:06
yep. So, you know, do you need a CMMC Level Two certification, or can you actually do the self assessment? Because obviously, everyone wants to do self assessment. But it’s not really up to the organization seeking certification or assessment. It really depends on the DoD contract, right? Contracting officers, they have to decide. So if you are a prime contractor, you have to follow what is specified in the solicitation or within your DoD contract. If you are lucky enough that the contract is for self assessment, then great, but there are less than 2% of all the contracts that will allow for self assessment. So yeah, I will say, don’t give too much hope that you will get a self assessment. For the DoD contracts, most likely, if you’re handling CUI, you will need to get a third party certification assessment. If you are a subcontractor, you really have to talk to your prime contractors to see if self assessment is an option. If your prime contractors are not getting a self assessment for the contract, most likely, as a subcontractor, you will not get a self assessment for those CMMC Level Two requirements.
Kelly McDermott 09:42
Very good. Thank you, Kyle. So we’ve heard a lot about the lead up to a CMMC Level Two certification assessment and just how long it takes. And we want to prepare people well in advance so that they can plan ahead and really know how long this process is going to take. So Layla, maybe you can walk us through the breakdown of the timeline there. Yeah,
CMMC Level 2 Certification Assessment Timeline
Layla Paoletti 10:09
absolutely, Kelly. So all Level Two CMMC certification assessments conducted by C3PAOs will be following the CMMC Assessment Process document, otherwise known as the CAP. And I state that because it is a formal and prescribed process; however, you know, processes and timelines may still vary slightly between C3PAOs, so I’ll talk to KLCC’s process. Our process from phase one, or pre assessment, to issuing an actual assessment result takes about three months if the organization seeking assessment and certification has no POA&M deficiencies, and I’ll break that down a little more. Typically, KLCC’s pre assessment starts about seven weeks before the agreed upon certification assessment interviews begin, and pre assessment forms, intake forms, etc., are usually owed to us about four weeks or a month out before the certification assessment officially begins. Once that assessment begins, that process in itself, the assessment, the interviews, the write ups, is another four week process to plan and execute, and then, typically, another four weeks to write our reports, to upload those reports into the eMASS system, and then to have the DoD review it. Sometimes there’ll be some back and forth between the DoD PMO and the C3PAO, but once all questions are resolved, the DoD will upload the formal assessment into the SPRS database. So again, I’ve outlined three four-week processes that equal about three months. If you do obtain a conditional Level Two certification, meaning that you do have POA&M deficiencies, you really want to think about that additional 180 days as the maximum time that you would need to close out that POA&M. So typically, three to four months if there’s no POA&M. Great.
Kyle Lai 12:33
Yeah. And I also want to just mention that even though there are 180 days, you really want to probably do it before 150 days, because there are some additional processes that the C3PAO needs to do to upload the results to DoD, and the DoD, they still have additional work to do to post your information to the SPRS, as Layla was indicating earlier. So yeah, give yourself plenty of time. Don’t wait until the last minute.
Layla Paoletti 13:07
That’s a good point.
Kelly McDermott 13:09
Yeah, that’s a really important point. So we’re going to move on to something that many fear, and this is a real pain point for a lot of small to mid sized companies. What if I don’t get at least the minimum score of an 88 during my CMMC Level Two certification assessment? What happens then? Kyle, can you walk us through what that looks like?
CMMC Level 2 Assessment Scoring and Outcomes
Kyle Lai 13:41
Yeah. So if you, unfortunately, did not get a minimum score of 88, which is the required score for you to get a conditional certification, right, meaning that you have additional POA&M items, the plan of action and milestone items, right, that you need to resolve. Unfortunately, if you do not meet the minimum requirement of 88 points, then you will need to start over the assessment, the entire assessment, so you will then need to go through the process again. So hopefully you have enough preparation and you don’t get into this situation. So when you are preparing for your assessment, don’t just shoot for the 88 points, because if something goes wrong, then you will fall below the 88 points, then you have to start over.
Kelly McDermott 14:37
really important to know. And then what if you get at least a minimum score of 88 or higher, then what
Kyle Lai 14:46
happens? Yeah, I think we just talked a little bit earlier, that if you have a minimum score of 88, then that means that as a C3PAO, we will give you a conditional certification. That means you have 180 days, like we just talked about, to resolve all your remediation, remediate all your deficiencies, and also post the results to SPRS. We’re not talking about just remediating. We’re talking about, within 180 days, the DoD has to see your SPRS results in the SPRS system, right? So that’s why you have to get a score of 110, right. And you will get one chance to get your POA&M closed out. So you just want to make sure that you have all your POA&M items resolved before you start that close out assessment. Obviously you want to avoid having too many deficiencies, right, the gaps during the assessment. So you just want to make sure that, you know, you do enough preparation, and if you are not too sure what it’s going to look like, we also offer a mock assessment before the official assessment. That means that before we do the official CMMC Level Two certification assessment, during this mock assessment, we will conduct the assessment just like we will conduct the official assessment. The only difference, you know, between the mock assessment and the regular readiness assessment is that we will not give you consulting. We will not give you any ideas on how to remediate these conditions. We’ll let you know what the problem is, what those gaps are, what those deficiencies are, but we’re not going to tell you how to remediate. So if you are not too sure, you may want to take advantage of having a mock assessment first; it will give you a higher confidence of getting a better score during the real official assessment.
Kelly McDermott 17:05
And I think that’s really good advice, Kyle, because first of all, these assessments, they cost money, number one, and they take time. So if you want to try to improve your chances and ensure that you are clearing up any of these deficiencies and improving your confidence level and your capabilities, it makes sense to do this mock assessment to really be fully prepared, so that you can go through it without the extra expense and time should you not reach the 110 score.
Kyle Lai 17:42
Yep, exactly, yeah.
Kelly McDermott 17:45
So that’s really great advice. Yeah.
Understanding CMMC Deficiency Types
Kyle Lai 17:49
I also want to just say, we just talked about 32 CFR. Just briefly, the 32 CFR Final Rule introduced a few other terms, right, on the deficiencies, the types of deficiencies. What we were talking about is plan of action and milestone, POA&M, deficiencies. Those are the deficiencies that must be closed out within 180 days, right? If you have controls that are not fully implemented or are missing some of the assessment objectives, then you will have a POA&M item, and those must be completed, must be remediated within 180 days, right? There is a term, operational plan of action. That means that if you have implemented the controls, and those are deemed satisfactory, deemed as meeting the requirement, the CMMC, the NIST SP 800-171 requirements, but now you have some vulnerabilities that you discover within your operation, right? Say a firewall needs a firmware update. Then you can file an operational plan of action. That’s allowed for the CMMC. We’re not talking about the POA&M items. We’re talking about, during the operation, you will be able to say, missing patches, need to apply patches; vulnerabilities, you identify new vulnerabilities that need to be resolved, need to be patched. Those are operational plan of action. And then enduring exception. That’s allowed as an enduring exception. These are, for example, if you are a manufacturer for medical devices, right? And some of the testing tools have an operating system within these tools, and these tools must be certified by the FDA, for example, the Federal Food and Drug Administration, with the vulnerable operating system, because otherwise you would nullify the validity of some of the testing tools. So you just need to make sure that when this type of situation occurs, some of the testing equipment, if you’re a manufacturer for aerospace, some of the equipment could be from the 1980s, 70s, right? These are very old. There’s no way you can upgrade the operating system. So in this situation, you have to put together a plan and say, this is how we are going to secure these environments. Maybe put them into a separate network, or say we treat them in a special way to secure these devices. You just need to document them in the SSP, system security plan. There is no operational plan of action required. Then there’s the temporary deficiency. The example I can give you is that if there is a firewall firmware that has the FIPS validation, they already have the FIPS validation, but the firewall manufacturer releases a new firmware version, so it goes from 1.0 to 2.0, and 2.0 will require another 18 months to get the FIPS validation. In that situation, you will file a temporary deficiency and put it into your operational plan of action. That’s allowed within the CMMC program, because you just, you know, follow the process you documented within your system security plan and documented your plan of action, and then keep track of the remediation. If there is remediation that becomes available, then you will apply that remediation. So those are allowed. So these are just some differences between the terminology, the definitions of the deficiencies.
Kelly McDermott 22:21
Okay, good to know. So we’re going to move on to question number six. Now, as a prime company, what might we, excuse me, what might we need from our subcontractors to comply with CMMC? And Layla, I’m going to call on you to take this one. Okay,
CMMC Requirements for Subcontractors
Layla Paoletti 22:46
sure. So this is kind of a broad question, and so I’m going to answer it as specifically as I can. The short answer here really is, if you have a contract with DFARS clauses that requires Level Two CMMC certification, and you are working with subcontractors that are also handling CUI on that contract, then that subcontractor also needs to be CMMC certified. I think that’s the short answer, right? Because according to 48 CFR, before awarding a contract to a subcontractor, you must verify that your CMMC subcontractor also has a current CMMC certification status. So, you know, that flow down is a one to one for CMMC. This is slightly different than MSPs, right, or managed service providers. And so I just wanted to bring that up, because the question is kind of high level. Managed service providers, while being part of a prime or subcontractor scope, do not at this time require a formal CMMC certification, although your managed service provider would be part of your assessment team and in scope, right? So that’s just to clarify. We’re talking subcontractors, not managed service providers.
Kelly McDermott 24:27
Great, excellent. And the DoD contractors and subcontractors, they need to verify that the subcontractor has a current CMMC certification, not older than three years, right? So being current is within that three year period. Is that accurate to say, Layla?
Layla Paoletti 24:47
yeah. I mean, absolutely. So CMMC will never be a one and done, right? You’ll always be needing to get recertified every three years, and that is why we are seeing a lot of the larger primes sending out surveys to the subcontractors, because it is, in part, a responsibility there that if you have partners that you know you’ll be working with, or continue to be working with once CMMC goes live, then it’s a good idea now to make sure that those partners, subcontractors, are also prepared and working towards CMMC. So
Kyle Lai 25:26
I just want to add that there is an annual affirmation process for the affirmation official within the company there. Whether you are prime or sub, you need to do this process to keep the CMMC certification current, right. So if you are a CMMC Level Two, if you don’t do the annual affirmation, or if you miss the deadline for getting the annual affirmation, then your certification will be considered lapsed, and then the contract will be in jeopardy. So, yeah, just want to make sure that, as a contractor, they will also make sure there’s contractor affirmation. Okay,
Kelly McDermott 26:15
that’s a good distinction. Thank you, Kyle. So Layla, following up on that, we’ll move on to number seven. Are the CMMC requirements only for new contracts?
CMMC Requirements for New and Existing Contracts
Layla Paoletti 26:27
No, you know. So CMMC is going to be the full rollout. It will be a phased approach. So we’ll start seeing CMMC requirements in new solicitations and contracts, but also in option years for existing contracts. So it’s absolutely going to be both, and per the phased roll out, it basically is a year roll out from the publication of the rule, and then another year roll out. So full implementation looks like about three years to encompass all new and existing contracts, but that really is a guide. It will depend on your, you know, specific client, DoD client, on how they will add CMMC to those option years as well.
Kelly McDermott 27:20
Very good. And Kyle, this is for you. Number eight. Can we continue using our IT service provider and still comply with CMMC Level Two certification requirements?
CMMC Level 2 and IT Service Providers
Kyle Lai 27:33
Yeah, so Layla mentioned a little bit about the MSP. So this IT service provider, that’s what we consider a managed service provider. So in the rule, they make it a little bit confusing. This external service provider is not a cloud service provider, so they’re in this category. So yes, you will still be able to use your IT service provider, providing that, if they are doing some work for you, the IT service provider does not store anything on their premises. That means that they are not doing your backup; they are not keeping a backup of your CUI on their premises. In that case, you just need to include your IT service provider within your scope. When the assessors come to assess your environment and talk during the interview, understanding how the process works, you need to include your own process and also the IT service provider’s processes, right? So you want to create a customer shared responsibility matrix with your IT service provider and identify which part is done by you, the organization seeking certification, and which is done by the IT organization. So to give you an example, if you need to create a new user, usually it’s you, if you are the organization seeking certification, usually it’s you, you know, providing who you’re going to grant this access to. You are going to be the one that approves, right, giving the authorization for which accounts are going to be created. But then the IT service provider, the IT support organization, they are going to be the one that creates the account, right? So there’s a distinction in terms of the roles and responsibilities. So you need to distinguish what the roles and what the responsibilities are between you and your IT service providers. So, say, if your IT service provider does handle CUI for you, then you definitely need to make sure that you include them as well, and detail how they actually handle the CUI for you in your SSP, in very much detail, because it will be looked at closely by the assessor.
Kelly McDermott 30:28
All right, thank you for that clarification. Good to know. Moving on to number nine, we’re a small company, and recently submitted a score of a negative 50 to the SPRS system. What do you recommend we do to achieve a passing score? And I’m going to have Layla answer this one for us,
Improving Your SPRS Score for CMMC
Layla Paoletti 30:49
sure. So with the understanding that to achieve a final CMMC Level Two certification, not a conditional, but a final, you must have that perfect score in the SPRS of 110, right? So many companies are bringing on a subject matter expert to their internal IT or security team that perhaps is a certified CMMC professional, or CCP, or even a CCA, bringing someone like that onto your existing security team on staff to help them prepare for CMMC. If you’re a company who, again, using this example of a small company, perhaps doesn’t have the budget to bring on CMMC staff to your security team, I’d recommend hiring a CMMC consultant to guide you through preparing for CMMC. If you go out to the Cyber AB marketplace, there’s a listing of registered practitioner organizations, or RPOs; however, many C3PAOs also do consulting work. KLCC is one of them. We do assessment and consulting work. But all to say, the process of getting from a negative 50 to 110 in the SPRS, getting that score up, is going to require time, effort, of course the financial investment, and ultimately, support from your senior management. And so you really want to ensure that your senior management understands the importance of CMMC certification if your company is currently pursuing DoD contracts or subcontracts, or plans to. And I just kind of wanted to add to this. I’ve been looking a little bit at the Q and A, the live Q and A, and we’ll go over them at the end of this, I’m sure. But I think there was a question that I saw come in that said, if we are a company where our employees handle CUI, at what point do we have to train them? I think, to some degree, this goes with that support from senior management, because it becomes a culture within your organization. And so the answer to that is upon hire and then annually, right? And so it does become the culture of your organization to make sure that your staff is trained on CUI.
Kelly McDermott 33:19
good point, yeah. And I think this is a really good time to just point out another related thing here, where this is happening as of December; this is coming up really fast. And for the folks on the webinar today, there are 77,000 defense industrial base companies in the United States. So there’s 77,000, and there are less than 75 C3PAOs. So the point here is, it’s really important to queue up to get an assessment, to do the things now, get yourself on the list. Get yourself in. I know KLCC, this is not a sales pitch, but we really do believe that there will be a bottleneck here in the system in order to have this assessment done and to get you ready, and now is the time to do that. So just want to put that out there as we’re talking about this, and it all relates to, particularly, small to mid sized companies and trying to speak to senior management and get themselves in a ready position. Now is the time to do that, because it will be tough as time progresses here. So thank you for that. Moving on to number 10, can
Kyle Lai 34:40
before we move on, yeah, I saw there was another question from the chat, from the Q and A. So if you have a score that is not accurate, or if you have an improvement of your score, you can always go into the SPRS to update your score. So there’s not really any concern there, because you just want to make sure that, you know, whenever you have a score, maybe it was put in as 110, but in reality, you found out it’s actually going to be like 60, yeah, it’s okay for you to just adjust that SPRS score, so make sure that it reflects your existing current status.
Kelly McDermott 35:28
Okay, great. Um number 10, can an organization with multiple sites theoretically achieve one CMMC certification for all locations and cage codes, or will each location need its own assessment? I think you touched on this a little bit earlier, but Kyle, if you can help explain the difference here, sure,
CMMC Certification for Multiple Sites and Cage Codes
Kyle Lai 35:55
yeah, so for you to have one certification for multiple CAGE code entities, that means that you need to have the proper CAGE code hierarchy, right? So you need to have all these CAGE codes you want to put into one certification report to the same highest level owner, HLO, right? So if you don’t have that hierarchy set up, then you are not going to be able to put all the different CAGE codes under the certification, because the SPRS system is pulling the CAGE code information from sam.gov or cage.dla.gov.mil. So you need to go into sam.gov; that’s where you input all the information about your organization, your subsidiaries, your CAGE codes, right. Find out all the CAGE codes, and that determines the immediate, there’s something called immediate level ownership, right, immediate level owner, and also who is your highest level owner. Just make sure that you have that hierarchy set up in place. So let’s just say you have all the hierarchy properly set up, and different entities might be sharing the same corporate network, IT network, and they are managed by the same people, right? Then you are really managed by the same organization. In that case, yeah, there is no issue to have them put all into one certification, because you can justify that. Yeah, there’s only one certification; the policies, procedures, the SSPs, the SOPs, all apply across the controls, the requirements, all apply across the two different CAGE codes. However, if you have a few CAGE codes that are totally separate, they are running on totally separate networks managed by totally separate groups. In that case, you might want to have a separate certification for those situations, for those CAGE codes, because they’re not operating under the same network, and they might be running under different standard operating procedures. So yeah, so just want to mention that. Well, that
Kelly McDermott 38:34
was great. You mentioned that, Kyle, because you kind of answered question number 11, which is: if you have a parent company with two subsidiary companies, and the parent company does not have a CAGE code, would it be okay for subsidiary company A to be the parent of subsidiary company B, to avoid creating a CAGE code for the parent company? So if you want to elaborate on that, that’d be great. Okay,
CMMC and Parent/Subsidiary Company Structure
Kyle Lai 38:59
yep, so again, this all depends on the hierarchy, because if you don’t have the hierarchy set up properly, there are going to be consequences, right? Because say you have your parent company, and your parent company does not have a CAGE code, and you have subsidiary A and subsidiary B, company A and company B as subsidiaries. And if you say, we don’t want to create the parent CAGE code for the parent company, and we just want to have sub company B report to sub company A, that means sub company A is now the higher level ownership of company B, right? So you really want to look into the hierarchy and see if that is how you want to set it up, because that’s going to be how the government sees your hierarchy, right? If sub company B reports to sub company A, that means sub company A is the higher level ownership of sub company B. So from that hierarchy, in reality, there are going to be three different levels. There’s a parent company, and there’s company A and company B. Company B is going to report to company A, and company A is going to report to the parent company. So company A and company B are no longer at the same hierarchy level. So you want to make sure that you have the hierarchy defined properly beforehand, so that when you are putting together your certification, you will have an understanding in terms of how your CMMC Level Two certification will be put together. Okay,
Kelly McDermott 41:22
great. And we’ve got a burning question here in the Q and A that, while we’re on this topic, I want to cover. The question is: so is everyone just making up their own CUI training? This is my biggest issue. Nothing from our customers says CUI specifically, so how do we know what they are giving us is CUI? Can you answer that?
CUI Training and Identification
Kyle Lai 41:49
Sure, yep. So in terms of what is CUI, feel free to jump in, Layla. So in terms of CUI, if it’s not specified as CUI, I mean, if you know it’s CUI and it’s not marked, you still have to treat it as CUI based on 32 CFR Part 2002, right? But it’s really the government’s responsibility to mark the document as CUI; it’s not the contractor’s responsibility. So if you are not too sure, if you have any questions, you really need to go back to the contracting officer to find out if the documents that you are handling, processing, storing or transmitting are CUI. In the past, it was very difficult to get them to clarify, because there are contracting officers who are probably less knowledgeable, because there are so many details in terms of what is CUI. I would say, with the CMMC rule, the 32 CFR, the 48 CFR, and based on what we have seen, it seems like there is a lot more training happening within the DoD, within the government itself. So I will say that, yeah, I think if you reach out to the contracting officers, they will have a better answer; if they don’t, they will provide you with some contact that you can reach out to. Layla, what do you see?
Layla Paoletti 43:25
Yeah, I would agree with everything you said, Kyle, and just add that there’s two topics here, in a way. There’s CUI training, and I did put the DoD’s CDSE training in the chat. There’s also marking. So the training is a requirement; the marking is a requirement. If you go out to the NARA website, there’s a really good marking aid. I recommend to my clients that they follow that, right, and incorporate the guidance that is in that marking guide with their internal guidance. And if you have a DoD client that’s
Kelly McDermott 44:32
very good. So Layla, if you want to continue on to Question 12 here: we’re an MSP and do not process or transmit any CUI when working with OSAs or OSCs; would we be considered in scope or out of scope?
CMMC Level 2 for MSPs and Assessors
Layla Paoletti 44:48
That’s a good question. If you’re an MSP and your client is an organization seeking assessment or certification, right, you’re still going to be responsible for certain requirements. If you handle change management processes, if you are providing security protection assets or security protection data, right, which is a new term with CMMC, or if you’re connecting your computers to your client’s IT systems, you’re still essentially in scope. Again, it doesn’t mean that you must obtain a CMMC certification. However, I do speak with MSPs lately that have decided, based on their client base, based on the breadth of the different OSC clients that they have, to get a CMMC certification, because there’s clear benefits to doing this. And if you’re an MSP who gets a CMMC certification, then that takes less responsibility from your team during the actual assessment, because essentially your clients can inherit controls from you. So then you can put together a shared responsibility matrix, or matrices, with your clients, and then potentially not have to participate in each of your clients’ certification assessments. So just to kind of summarize that: yes, you’re in scope, and if you decide to pursue a CMMC Level Two certification, then perhaps you take some staffing off. And again, it’s definitely an advantage and benefit to have that CMMC certification for reciprocity for your clients,
Kelly McDermott 46:46
right? I’m going to jump to a question here in the Q and A: I understand that assessors need to follow the CAP, but is there a potential for different assessors to require more evidence for controls/objectives? Who would like to take that one?
Consistency in CMMC Assessments
Kyle Lai 47:05
I can. Feel free to jump in, Layla. In terms of the amount of evidence that the assessor will look for, I think it all depends on the background, because assessors have different backgrounds, but they all follow the CAP and also, most likely, will use the assessment guide as a guideline in terms of reviewing the evidence, right, the supporting documents that you provide. So yeah, there are going to be slight changes based on the background of the assessor, but hopefully it’s not going to differ too much
Kelly McDermott 47:50
great. And now we’re going to jump to some additional questions that were submitted in advance. And here’s one that is forefront on everybody’s mind, and Layla, maybe you can answer this one: how much does a CMMC Level Two certification assessment with a C3PAO cost?
Cost of CMMC Level 2 Certification Assessment
Layla Paoletti 48:13
Well, that’s a great question. And the overall answer is that it depends. It depends on the size and scope of your organization. It depends if you are exercising or utilizing an enterprise-wide CUI certification for your entire organization, or if you’ve implemented a CUI enclave and therefore are inheriting many of your controls from that enclave or cloud solution, potentially. I will say that KLC Consulting has a very easy tool on our website. I don’t know if Kelly or Kyle want to put it into the chat, but it is essentially a pretty close to instant Level Two assessment price quote after answering just a few questions about your organization. And so, yeah, without throwing out numbers, it really does kind of depend on the complexity and scope of your organization.
Kelly McDermott 49:21
Very good, yes, and we will put that form in the chat in just a moment. And while we’re doing that, Layla, what is the earliest date I can schedule my CMMC Level Two assessment, with KLC Consulting, of course, but what is the earliest date that one can schedule?
Scheduling Your CMMC Level 2 Assessment
Layla Paoletti 49:42
So yeah, just going back to the 32 CFR, C3PAOs, including KLC Consulting, of course, can begin scheduling and performing CMMC Level Two assessments as of December 16 of this year, 2024. Right now we’re not seeing any indication that that date could push back. A couple of factors in there that would potentially cause that date to shift to the right: if the CMMC instance of eMASS wouldn’t be ready, but right now we’re not seeing any indication of that. I think there’s actually training out for C3PAOs before the end of the year, or even before the December 16 date. And the other thing that could potentially push that date back is if the certification assessment process, the CAP, isn’t finalized. But again, we’re not seeing that risk at this time; it seems like everything is moving along as it should. So all to say, yeah, December 16 of 2024. If you are concerned about that date getting pushed back, then maybe I’d recommend quarter 1 of 2025
Kelly McDermott 50:58
great, excellent, and moving right along: I’ve heard conflicting views regarding the storage of FIPS validated encrypted backups being stored in FedRAMP Moderate clouds. Some people state that if it’s FIPS encrypted, then it’s not CUI anymore, and that it can be in any cloud storage. Which is accurate? Kyle, do you want to take that one?
CMMC, FIPS Encryption, and Cloud Storage
Kyle Lai 51:24
Yep, so based on my understanding, right, if you are using a cloud-based backup solution, that means they are doing the backup for you, right? They have access to the encrypted information first, then they do the backup. That means they will have access to the actual encrypted CUI. So in that case, you need to have a FedRAMP certified cloud-based backup service provider. However, if you just back up everything yourself, right, you own the key, and you back up the CUI into a file. You own the key, and nobody else has the key to decrypt the file. Then that file becomes just ciphertext, and you will be able to store it somewhere.
Kelly McDermott 52:23
Okay, great. And along those lines, Kyle, if the backup of CUI is FIPS encrypted, is it okay to store it at a third party facility such as Iron Mountain?
Storing FIPS Encrypted CUI Backups
Kyle Lai 52:36
Yeah, I would say so, because we just have to make sure that nobody else actually has the key to decrypt it, right, other than you. Then you will be able to just store that file off site,
Kelly McDermott 52:52
all right. And here is a question about the closeout assessment. What is the process for a closeout assessment? Am I only allowed one POA&M reassessment during the 180 day conditional certification period? We touched on this earlier, but let’s further clarify that. Kyle, do you want to take that one? It’s about the closeout assessment.
CMMC Closeout Assessment Process
Kyle Lai 53:20
Yeah, so I think we touched on this earlier. So, closeout assessment: yes, you will, you know, only be allowed one chance to have the POA&M closeout assessment within 180 days. Yeah, so you just need to plan ahead and make sure that, you know, I’ll suggest that you just do the POA&M closeout assessment before the 150 day mark, to give yourself enough time to have that information uploaded to SPRS.
Kelly McDermott 53:55
Okay, great. And then: how do I know if my CMMC requirement flows down to my subcontractors? Who would like to take that? Kyle or Layla, feel free to jump in on the CMMC requirement flow down to my subcontractors.
CMMC Requirements Flow Down to Subcontractors
Kyle Lai 54:16
Yeah. So there’s definitely a requirement. It all depends on the information that you pass to your subcontractor, so whether it’s Level One or Level Two. So you have to first determine, right, which subcontractors are getting my information and what type of information are they getting. Then you have a requirement, you know, for flowing down to the subcontractors, because DoD are going to look very closely. Based on the proposed rule of 48 CFR, they’re going to be very strict, very careful in terms of how the information is flowed down. Every subcontractor handling the CUI or the FCI will get what they call the DoD unique ID for the system they use to handle the FCI or CUI. So the DoD want the prime contractors to keep track of those IDs, and the DoD themselves, the contracting officers, will track the validity of those certifications.
Layla Paoletti 55:34
Yeah, and I would just add there, and I think this was a discussion or a question in the chat when I was looking at it a little while ago: the flow down is a requirement. You know, when you really kind of take a step back and look logically, are your subcontractors handling, processing or storing FCI or CUI? If you have a subcontractor that’s only viewing CUI and it does not enter their environment at all, and that same contractor is not creating any CUI, then the flow down wouldn’t be a requirement, right? So I just want to make sure we’re still kind of exercising that common logical sense here; it’s coming back to the data, whether that data is federal contract information, Level One CMMC, or controlled unclassified information, Level Two CMMC.
Kelly McDermott 56:36
Great. That’s really good to know. So we’ve covered a lot of territory, and thank you both for highlighting what we really need to know. These are a lot of the questions that KLC Consulting gets a lot of, and it’s great to be able to answer these with two leading experts in the field. And thank you all for joining us today. I hope you learned a lot and have a lot of takeaways, and again, we will be sending out the recording of the webinar along with the downloadable toolkit on pretty much demystifying the CMMC certification process for you. And be sure to reach out to us via email if you have any follow up questions, or if you would like a copy of this PowerPoint; we’re happy to share that with you as well. Just email us at CMMC at KLC Consulting net, again, CMMC@KLCConsulting.net, and we’d be happy to answer more of your questions and share whatever toolkits we have available for you. So enjoy the rest of your day, and thank you again for attending the webinar. It’s great to see you.
Layla Paoletti 57:55
Thank you Kelly. Thank you everybody. Thank you.
Kelly McDermott 57:59
Bye, bye, you.