KLC Consulting’s “Ask the Experts” webinar provided an essential look into the timeline for achieving CMMC Level 2 Certification. Our expert team, including Kyle Lai, CCA, and Kelly McDermott, clarifies key requirements and the optimal timeframe for beginning your CMMC Level 2 assessment process with a C3PAO like KLC Consulting.
Key takeaways from the video include:
- Assessment Timelines & Costs: Understand the CMMC Level 2 Certification requirements to be phased into DoD contracts, as well as timelines and factors influencing cost.
- Being Prepared: Learn the importance of preparing early for CMMC Level 2 to maintain a competitive edge in securing future contracts.
- Expectations: Discover what to expect during the CMMC Level 2 certification assessment process, including the pre-assessment and assessment phases.
- Implications & Readiness: Understand the implications of not meeting the CMMC Level 2 requirements and the significance of readiness assessments.
- Reliable Guidance: Find out about the resources and support available to help you navigate the CMMC process effectively.
In this video, we break down the #CMMC Level 2 process, walking you through the timing requirements to complete this assessment. We offer #C3PAO insider tips to guide your company through preparing for and achieving #CMMCAccreditation.

Knowing When the CMMC Level 2 Certification is Required
Transcript for: Knowing When the CMMC Level 2 Certification is Required
CMMC Level 2 Certification Assessment – Final Rule
Introduction:
Kelly McDermott 00:02
Yep, great applause. Okay, looks like we are at the top of the hour here. Yes, all right, Kyle, I’m going to kick things off. Welcome everyone to KLC’s webinar on “When do I really need my CMMC Level Two certification?” Thank you all for joining. My name is Kelly McDermott and I work with KLC Consulting, the host of this webinar. So here’s a little bit about KLC Consulting that I wanted to share with you. Kyle, if you can go to the next slide, that would be great. Okay, so a little bit about KLC Consulting. We’re a CMMC third-party assessment organization, otherwise known as a C3PAO. We are authorized by the Cyber AB to assess and certify companies in CMMC. KLC Consulting is also a CMMC compliance consulting firm that helps DIB companies attain US DoD information security requirements. We were incorporated in 2002 and we have offices in Marlboro, Massachusetts and Houston, Texas. So before we get going, and I’ll introduce Kyle in just one second, I’m going to just go over a couple of housekeeping items. First of all, this webinar will be about an hour long, and we really encourage your questions. Just pop your questions into the Q&A at the bottom of the screen here, and we’ll try to get to as many of your questions as we can. Obviously, this webinar is being recorded, and we will be sharing that recording with you shortly after the webinar is over today. And also, if you’re interested in having these PowerPoint slides emailed to you at the end of the webinar, just be sure to reach out to us at CMMC@KLCConsulting.net, which will be on the slide at the very end of the webinar, and we’ll be sure to send you a copy of the slides. So welcome everybody. I’d love to present our presenter today, Kyle Lai, who is the President and CISO of KLC Consulting. Welcome Kyle. Thanks for having this webinar with us today.
Understanding CMMC Levels: 1, 2, and 3
Kyle Lai 03:12
Yeah. Thank you so much, and I’ll take it from here. So my name is Kyle Lai, President and CISO at KLC Consulting. We’re an authorized C3PAO, and I hold the Lead CCA credential as well. So today we are going to go through just a quick overview of CMMC and the timeline, and then we’ll start answering the questions. There are some pre-submitted questions; we’ll go through them as well. We’ll try to go through as many questions as possible, and as Kelly was saying, try to put in your questions, and then we’ll get to as many as possible. Just a quick review on CMMC: there are three levels, Level One, Two and Three. Level One is for handling what they call federal contract information. There are only 15 requirements. It’s based on FAR 52.204-21, and it requires an annual self-assessment and an annual affirmation. CMMC Level Two is the minimum requirement for handling, storing, transmitting, or processing controlled unclassified information, otherwise called CUI, right? So there are 110 security requirements, which are based on NIST 800-171 Revision 2. And for Level Two, there is a self-assessment or a certification assessment by a CMMC third-party assessment organization, a C3PAO. If you are handling CUI, most likely you will not get the contract by doing the self-assessment, because less than 2% of all contracts out there allow a CMMC Level Two self-assessment. So most likely, if you’re handling CUI, you will need to get a C3PAO to do the Level Two certification assessment. You are required to get that certification assessment done once every three years, along with an annual affirmation. CMMC Level Three is for companies doing more sophisticated work related to weapons or some nuclear materials, because they are more likely to be targeted by other nation states.
So Level Three also requires a Level Two to start with, and then 24 additional requirements based on NIST 800-172. It will be assessed by DoD DIBCAC, which is the DoD’s audit organization. That will be done once every three years, and it also requires the annual affirmation.
CMMC Implementation Timeline and DoD Contracts
Kyle Lai 07:18
Okay, just a little bit more about CMMC. What we call the FAR clause, 252.204-7021, is not finalized yet, but it is coming, because the Trump administration has put a hold on all the federal regulations that have not been finalized, a 60-day hold, based on the information we get from the Cyber AB, which is the CMMC accreditation body. So with that, we are expecting the CMMC acquisition rule, which is the part that the contracting officers use to know how to incorporate the CMMC requirements into DoD contracts. That’s what we’re waiting on. That’s 48 CFR. In terms of the timeline, we’re expecting CMMC to be finalized with a 60-day delay, probably around May this year, and 60 days after that will be the effective date, which is going to be somewhere around July 2025. That’s what we’re getting right now. There’s a requirement to flow down CMMC, depending on the type of information that you send to your subcontractors. There’s a requirement for your subcontractors to follow CMMC as well. That’s what we call the flow-down, okay? And these are the two parts of CMMC I mentioned. 32 CFR is already effective. The rule is already effective. That means it’s a law, a regulation. It’s not going to be reversed; it’s not going to be impacted by the Trump administration. So CMMC, the program rule, is already going. That means that we, as a C3PAO, have already started doing the CMMC certification assessments. 48 CFR, the CMMC acquisition rule, is the one that I just mentioned that’s most likely going to be effective around July 2025, okay? And based on that estimated timeline of July 2025, the timeline for CMMC implementation is going to be in four phases. Phase One, if everything goes as expected, starting July 2025, right, Phase One is going to start.
And you know, with the self-assessment for Level One and Level Two, 12 months later, Phase Two will kick in. And Phase Two will require the CMMC Level Two certification assessment. And Phase Three, which is 24 months after the start of Phase One, that’s when CMMC Level Three will kick in. And Phase Four, which is 36 months after the start of Phase One, will be full implementation. You know, most likely we’re going to expect there are some exceptions during Phases One, Two and Three, right? And in Phase Four, there will not be any exceptions. In every single solicitation and contract, you will see a CMMC requirement, or CMMC clause, in those contracts. And on the bottom, just a note: in some procurements, DoD may implement CMMC requirements in advance of the planned phase. So it is the contracting officer’s discretion in terms of when they want to start the CMMC levels that are required by their contract. So there is a possibility that you may see some CMMC Level Two certification assessments during Phase One, because it’s already based on the contracting officer’s discretion, okay? And this is the draft RFP for Army MAPS that’s in draft right now. It’s a $50 billion IDIQ contract. But we already see that the CMMC requirement is already there, and, highlighted in yellow here on the right side, you will see that they are requiring you to show that you have proof of CMMC Level Two or higher certification. Or you can show proof that you already scheduled an assessment with a C3PAO; they will take that as proof that you are doing something on CMMC. So this is what we see in the contract world right now. So, yeah, CMMC is coming. GSA STARS III GWAC: this was published several years ago, but you already see the contract has the CMMC requirement.
What it’s saying is that, because DoD can purchase through GSA contracts, when DoD starts purchasing through the contract and CMMC is in effect, then the contractors on STARS III GWAC, the offerors, will need to comply with the CMMC requirements.
Kelly McDermott 12:17
Kyle, I just want to interrupt for one quick second, because I think it’s worth pointing out here how important it is to get your certification in order to stay competitive, because they’re already starting to put these into contracts, and the requirement is there, and if you want to win more contracts, now’s the time to get going on this, because it’s going to be required.
Kyle Lai 12:40
Yep, that’s a really good point, because, for example, like Army MAPS, most likely the prime contractors are not going to wait until a couple of months before the actual solicitation is out, because they are preparing right now while it’s in draft. Prime contractors have already started talking to subcontractors, right? And subcontractors, in order to be on Army MAPS, teaming with the prime contractors, will either already have the certification assessment done, you know, have the CMMC Level Two certification, or be in the process of getting that certification. So, yeah, the primes are actively looking and talking to the subcontractors, and we’re seeing the activities right now. Thank you.
CMMC Level 2 Assessment Schedule
Kyle Lai 13:16
Okay, alright, so let’s keep going. So in terms of the CMMC assessment schedule, I want to just cover it a little bit so you know what an assessment looks like. So usually for us, KLC Consulting, the entire assessment is about 12 weeks. The first phase, the pre-assessment phase, is about three weeks, where we will send you this after you sign a contract. When we start the pre-assessment, we’ll send you the request for all the information we need to see to determine if you are ready for the assessment. That is what we call the pre-assessment phase. And all the process that we do here follows the CMMC assessment process published by the Cyber AB, which is the CMMC accreditation body, right? So within this pre-assessment phase, we’ll ask for the system security plan, the SSP, your scope diagram, your network diagram, your asset inventory, just to make sure that you understand what CMMC is, that you have your environment scoped properly, and we will review and make sure that we feel comfortable that you understand CMMC and that you provided sufficient documentation. We’re not going to dig into all the details in the system security plan, but we’re going to just review and make sure that you’re ready. Then we’ll go into the assessment phase. So four weeks before the actual assessment starts (the actual assessment is just one week), we’re going to send you a list of requests for all the assessment artifacts that we want to see, right? And that will give you some time to provide them to us. Two weeks prior to the actual assessment, we want to have all the supporting documents, the artifacts, so that allows us two weeks to review all the documentation. The more you provide to us, the more detail you provide to us,
and also the easier you make it for us to review, the better prepared we will be, and there will be fewer questions we’ll ask during the assessment. And then, during the fifth week will be the actual certification assessment. So week eight in this schedule is going to be the actual certification assessment. If you only have one or two sites, usually we will cover all the assessment activities, conducting the assessment within one week, right? And usually the actual interviews run from nine to three, and at the end of the day, we have what we call the checkpoint, or hot wash, where we will go through and review all the activities that happened during the day, and then let you know if there are any concerns, or anything that could be trending not met. And then there could be something that you can do to take care of these issues, or some of the minor stuff, right? So at the end of day five of the assessment week, that’s when we will discuss with you and give you a preliminary understanding of where you are in terms of the assessment. Usually you will know if you pass, you know, have the final status, you got the score of 110, or if it’s less, and if you can get the conditional status, okay. Then after the assessment, that’s when we will start preparing our results. That’s step three here. We’ll prepare our results and send the results to the DoD. There’s a system called eMASS. We will submit our results if you are at 110 or if you are in conditional status; then we will send these results to the eMASS system. If you go below the threshold for getting the conditional certification, then we will not pursue sending that, because that’s considered not passing, so we’re not going to send the results to the DoD eMASS.
But within these four weeks, we will send you an out-brief, what we call the official out-brief, to let you know where you are and the results of the assessment, okay? And if everything goes well, we will issue you the certificate of your CMMC certification status, right, whether it is the conditional or the final status; we will issue that certificate to you. If you have a POA&M, say you are in the conditional status, that means you have a score between 88 and 109, and the deficiencies are allowed under the CMMC rule. Then you will get into the POA&M remediation phase. And when you are ready, you can call us in to do the POA&M close-out. Everything has to be done within 180 days; that, including our conclusion of the assessment, has to be done within 180 days. If everything passes, then we will convert the conditional status to a final status at that time. Okay, so there are some free resources, the playbook, that you can check out. This is the playbook for the assessors, for the C3PAO. So this is what we follow. So you can take a look and also get an idea in terms of what we are looking for when we’re going through the assessment. And for these slides, feel free to send a request to CMMC@KLCConsulting.net, and we will make the slides available to you. All right, that’s a quick overview, so I’ll hand it back to you.
Key Questions About CMMC Level 2 Certification
Kelly McDermott 20:45
That was great, Kyle, thank you for that timeline. I think that’s really important. And we do have some questions in the Q&A, so rest assured, we’re going to try to get to those as we comb through these questions here, and maybe we’ll answer them as we go down this list. So the first one we want to tackle here is: what is the expectation for assessing an external service provider? We get this question a lot at KLC, so if you’re an MSP or a cloud service provider, what are the expectations for an assessment with those folks?
Assessing External Service Providers (CSPS and MSPs)
Kyle Lai 21:17
Right. And I will bring you to the next slide here. So, yes, when we’re talking about an external service provider, we are really talking about the cloud service provider, the CSP, and the MSP, which means the managed service provider. So it could be your IT services company that is helping you with your IT services, right? So if we are talking about a cloud service provider that handles, stores, processes or transmits CUI, that means that cloud service provider must have FedRAMP Moderate or higher authorization. So if you are using a cloud service provider for handling CUI, you must make sure that your CSP has the FedRAMP Moderate or higher certification. If you are using a managed service provider, you will see here on the right side, managed service provider: if the managed service provider is handling CUI, they just need to be part of your assessment. So when we go on site, or when we are conducting our assessment of you as an OSC, we will want to also have the managed service provider there with you when we are interviewing you or looking at the controls that involve the managed service provider. Okay, so there is another category, security protection data: if your cloud service provider or managed service provider is handling security protection data, if they are running some vulnerability assessment tools or managed firewalls, VPNs for example, we will also want to assess the companies with that responsibility; the organization or people with that responsibility have to be part of the assessment scope. And as a C3PAO, as an assessor, we will assess those controls with them, you know, get an understanding of their roles and responsibilities.
And when we’re assessing the managed service provider or cloud service providers, we will look at what we call the customer responsibility matrix, or shared responsibility matrix, to make sure that we have a good understanding of what is the responsibility of which organization. Okay, so that’s pretty much it.
FAR and DFARS Clauses
Kelly McDermott 24:11
Great. All right, thank you for that. Number two: the final rule mentions both FAR clause 52.204-21 and DFARS clause 252.204-7012. How do these clauses relate to CMMC, and which one applies to my contracts?
Kyle Lai 24:30
Yeah, so we did talk about this a little bit. So FAR 52.204-21 is the basis for CMMC Level One, right? It’s for CMMC Level One, and DFARS 7012 is for CMMC Level Two. So what it is, is that CMMC is there to verify the NIST 800-171 implementation under DFARS 7012. That’s all we’re verifying: if the NIST 800-171 controls, the security requirements, are implemented, and if the implementation actually meets the security requirements, right? So how do you know which one applies to your contract? This is the part where you have to look at your existing contract. If it says there’s a DFARS 7012, most likely you are already required under CMMC Level Two, because you’re handling CUI. But as CMMC is finalized, there are going to be contract updates. So most likely you will actually see CMMC requirements and the level that you need to meet for your contract when your existing contract is updated. And if there are any questions, it’s better and easier for you to just contact the contracting officer if you’re a prime, or contact your prime contractor point of contact if you are a sub.
CMMC Level 2 Requirements in Contract Renewals
Kelly McDermott 26:21
Okay, great. If I’m in the first or second year of a contract and the option period or renewal requires CMMC Level Two, what’s the expectation for me?
Kyle Lai 26:32
Yep. So if you are in the contract already, and as we know, some contracts will last five years, right? And after the first year, there’s a contract renewal option period. So for CMMC Level Two, if you’re required to handle CUI, most likely during the renewal these CMMC requirements will be added to your renewal, to your clause. I mean, most likely we will see this in Phase Two of the timeline, but maybe in Phase Three. But it’s really up to the contracting officer’s discretion in terms of when they are going to put this into their contract.
CMMC Self-Assessment vs. Certification Assessment
Kelly McDermott 27:22
Okay. What is the difference between a CMMC self-assessment and a CMMC certification assessment? When is each required, and what is the process for each? These two get confused a lot by people, and it would be great for you to walk us through this, Kyle.
Kyle Lai 27:38
Yeah, everybody wants to do the self-assessment, right? If we all had the opportunity to get a Level One or CMMC Level Two self-assessment, it would be easy, but most likely it’s not going to be the reality. If you are handling CUI, as I mentioned earlier, most likely you will need to get a C3PAO to do your CMMC Level Two certification assessment. So if you’re just required to do the CMMC Level One self-assessment, or actually doing the CMMC Level Two self-assessment, all you have to do is the self-assessment: go through the controls yourself, and then report your results into the DoD’s SPRS system, right? For CMMC Level One, you just say if you are complying or not; there is no deficiency allowed, no gap allowed, no POA&M allowed for CMMC Level One, so you just say yes or no, whether I comply or not. For the CMMC Level Two self-assessment, you just go to the SPRS system and self-report the score that you tested, to say what your score is, okay. And if you are going for the CMMC certification assessment, that means you will have to get a C3PAO to conduct the assessment. We already went through this, and we’re not going to go through it again, but this is the schedule that you just have to plan ahead for. And you know, conduct this certification assessment, and at the end of the assessment, the results will be uploaded to eMASS, and if everything goes well, the score is going to be automatically populated from eMASS to the SPRS system when it’s all said and done.
CMMC Level 2 Requirements Phased into DoD Contracts
Kelly McDermott 29:52
Okay, excellent, all right. Number five: when will CMMC Level Two requirements be phased into DoD contracts? I think we touched on that in the beginning of the webinar, but if you want to just cover it at a high level for those that might have joined a little bit later.
Kyle Lai 30:09
Right. So CMMC Level Two requirements should be starting 12 months after Phase One. So if we are expecting July 2025, the official phase for the Level Two certification assessment is going to be Phase Two, which is 12 months after the start of Phase One. And if we are saying July 2025, Phase Two will start in July 2026.
Business Advantages of Early CMMC Level 2 Certification
Kelly McDermott 30:50
Okay, but, but again,
Kyle Lai 30:51
it’s really up to the DoD contracting officer’s discretion on when they want to start adding the CMMC Level Two requirements into their contracts. So this could happen during Phase One; it could be earlier than Phase Two.
Kelly McDermott 31:10
So it’s good to be prepared early, just in case. And it kind of leads to this next question: if I choose to pursue CMMC certification early, even if it’s not immediately required by my current contracts, what are the potential business advantages beyond simply meeting compliance requirements?
Kyle Lai 31:29
Yeah, yeah. I mean, in terms of the advantage, you can start marketing your services. If, say, you already got your CMMC Level Two certification, the certificate for Level Two, final status, then you can start marketing to the DoD if you’re a prime, or if you’re a subcontractor, start marketing to the prime contractors. Because the way it is, is that when the contract requires the CMMC Level Two certification, that means the prime contractor will need to comply with this and get the CMMC Level Two certification. But also, if they send CUI to their subcontractors, their subcontractors have to comply, right? They have to get the CMMC Level Two certification as well. And the prime contractors know that, and they are going to start talking to the subcontractors that are either ready or already have the certificate, the CMMC Level Two certification. So the earlier you get a certification, the more you will have the competitive advantage, and you can start building a teaming relationship with primes, or start marketing to the DoD, because you can definitely show that you are ready to take on the contracts that are coming out that require CUI.
Kelly McDermott 33:19
And Kyle, earlier in the webinar, you said that primes are beginning to look for subs at least six months prior to those contracts going into effect, so they’re already starting to curate their list of subs in advance to make sure that they’re ready to go when they are.
Kyle Lai 33:38
Yes, yeah, most likely. For example, like Army MAPS, right? They are still in their draft RFP, but I know the prime contractors are already talking to the subcontractors, and they are asking, where are you now in terms of your journey to getting your CMMC Level Two certification? Army MAPS is a $50 billion IDIQ contract. That means the Army MAPS is going to go out to hundreds of contractors, right? And of the hundreds of contractors, there are primes, and then they are going to talk to their subs, right? And it will be a lot easier, a lot better, for you to start preparing. And you know, at least try to get the CMMC Level Two certification assessment scheduled with a C3PAO, so you can get ahead of the game, because, as you see from that draft RFP, you may not have the certification assessment yet, but they are looking for the proof that you already scheduled an assessment. So that is in the draft RFP right now. So we’re expecting that the prime contractors are most likely going to follow, and they’re going to start talking to the subcontractors that are ready.
What Happens If you Fail Your CMMC Certification Assessment?
Kelly McDermott 35:18
Makes sense, for sure. All right, moving on to question seven: what happens if I fail? This is a good one, because we get this question a lot. What happens if I fail my CMMC certification? You get less than an SPRS score of 88.
Kyle Lai 35:38
Yeah, this part, right now, what we know as a C3PAO is that the SPRS score of 88 is the passing score, and plus, the POA&M items have to be allowed under CMMC in order for you to get a conditional status, right. But if your score is below the 88 points, that means that you did not pass the CMMC Level Two certification assessment. That means that you will have to go back to redo and remediate, and when you are ready, let us know, then we will start the process again. We’ll have to start the pre-assessment process. There might be some familiarity with your environment already, but we have to start the process over. So that is the requirement from the DoD and the Cyber AB at this time. Okay, so you definitely want to make sure that you are well prepared, you know. I mean, I see question number eight, that’s kind of the follow-on.
The Importance of a Mock Readiness Assessment
Kelly McDermott 36:59
It is, it’s related to that. So what can you do to help with that? And you’re going to answer this by explaining: what is the significance of having a mock readiness assessment prior to having a CMMC assessment?
Kyle Lai 37:11
Yep. So one of the services that we offer is called a Mock Assessment, or readiness assessment, and other C3PAOs also have this service. One of the ways that the OSC, the organization seeking certification, the defense contractor, can prepare is to hire a C3PAO like KLC. We will do the Mock Assessment, or readiness assessment, or however you want to call it. We will do the assessment on your security requirements, but we are not allowed to provide the consulting or the remediation service, you know, the help. We are not going to do that part, because if we do that, then we will not be able to continue to do the final, official certification assessment, right? So the purpose is that we do a Mock Assessment for your environment, understanding where you are and identifying if there are any gaps, without telling you how to fix them. You fix them yourself, and you can bring us back to take a look at your remediation, to assess your remediation and to assess these gaps. So we can do a POA&M close-out assessment on your controls, on your security requirements. And if we are done with a Mock Assessment, obviously then you are more ready to go for your official certification assessment. When you are ready, we will go back and do your official certification assessment, and because we did not, or will not, provide the remediation consulting, we will be able to do the official certification assessment after the Mock Assessment. And this will, yeah, I mean, when companies choose to do the Mock Assessment first, before the official certification assessment, there’s less chance of surprises, right? Less chance of identifying a gap as a surprise.
Kelly McDermott 39:36
And to your point too, Kyle, if you should fail, you have to do it all over again, which, of course, means more time and more expense. If you do the mock or the readiness assessment, you can already identify where those gaps are and prevent that from happening, and put yourself in a better position for passing. And if you could also just speak very briefly about the fact that you get one shot at a POA&M close-out. Can you just talk about that for a minute?
Kyle Lai 40:07
Yes. So, during the certification assessment, if you have POA&M items, if you are in the conditional status, that means that you have a score between 88 and 109, and you are allowed to remediate these POA&M items, or the deficiencies, so you can bring us back to do the assessment on your POA&M deficiencies, what we call the POA&M close-out assessment. The POA&M close-out assessment is a one-time assessment, right? We just want to see how you are doing, if all the items are closed, right, and they’re all ready to go. And so if there are some deficiencies that are still open after we are done with our assessment, if we determine that some of the gaps, the deficiencies, are still open, then we will not be able to convert the conditional status to a final status, and then you have to start over. What we offer is that there is a mock POA&M close-out that we can offer to you. So if you are not sure whether the gaps, the deficiencies, are fully closed out, we can do a Mock Assessment. We’ll let you know if there are still deficiencies on those POA&M items, right? And again, we’ll tell you if there are any deficiencies, but we will not tell you how to remediate or how to fix them. We’ll just let you know if there are still any things that are open, and that will help you to get ready. And if you choose to go through the mock POA&M close-out assessment, and we determine that everything is all good, then you can just choose to go for the official POA&M close-out assessment.
Estimated Costs for CMMC Level 2 Certification
Kelly McDermott 42:33
Great. Thank you for explaining that. That’s great. So the bubble above everybody’s head, I feel, when you’re talking about these processes and options is: what are the estimated costs for a certification assessment, and what factors can influence the cost?
Kyle Lai 42:50
Yeah, so the cost. Yeah, in terms of the cost, let me just bring up some of the factors that we’re talking about: the size of the organization, the number of endpoints, how many assets do you have, right, the system complexity, and also the number of locations and how many sites we have to go out to take a look at these systems, right, whether you are on-prem or you are in the cloud, that will get into the cost factor as well, and also the number of CAGE code entities that are in scope, and depending on where they are, we will have to maybe visit some of the sites as well. So these all go into the factors. We do have the instant quote link over here that I provided to you. So if you go here, if you are an OSC, you can get the instant quote to get the price. So usually our price starts around 49, about 49,000 and up, depending on the complexity and the different factors that we mentioned here. But, you know, I mean, this is kind of how we determine it, but we definitely welcome you to get the instant quote and we can discuss a little bit more details. Feel free to contact us. Excellent.
On-Site vs Remote CMMC Assessments for Multiple Sites
Kelly McDermott 44:26
Okay, we have quite a few questions in the Q and A, but we want to finish these up, because maybe these will answer some of those questions. I have multiple sites. Do you need to come visit them all? Related to that, do you come on site for all these assessments? Do you need to be on premises to do these? Kyle,
Kyle Lai 44:45
This is a good question, because if you have multiple sites, it all depends on how the sites are organized and the function of these sites. Say, if you’re a manufacturer, right, you have a corporate office, and then you have 10 manufacturing facilities; the manufacturing facilities are pretty much the same, and you have one corporate office. Then we might just choose to visit the corporate office, because you have CUI over there, and also your manufacturing facility. We may, depending on how you set up, we may go, you know, in terms of physical security, if all 10, say, in this example, right, all 10 manufacturing facilities have the same physical security setup, everything is pretty much identical, then we just go to one. If you have a couple of different variations of physical security, some of them are using badges, for example, some of them are using keys, we might choose to go to two of the manufacturing facilities, so we can get the idea in terms of how the physical security works. So, you know, it requires some discussion in terms of how your security requirements are implemented, how the security practices are implemented, and how you meet the security requirements. If your system is all remote, and you have something like a VDI, the virtual desktop infrastructure, and you don’t really have a physical presence, then we may be able to do all the assessment virtually. So I think it all depends on how your environment is set up. So there’s a possibility that we could do everything remotely.
Reliable Resources and Guidance for the CMMC Process
Kelly McDermott 46:45
Great, all right. And we’ve talked about quite a few of these organizations here. But where can I find reliable resources and guidance to help me navigate the CMMC process, including official DoD information, accredited C3PAOs, and other support organizations? And we’re going to share that slide with you here, right?
Kyle Lai 47:06
Yep, yep. So DoD CIO. If you search for DoD CIO CMMC, that’s the website; they list all the related information on the CMMC resources, the assessment guide, the scoping guide, all of the CMMC documentation is listed there, the actual CMMC model. That’s the official site for the CMMC program. Cyber AB. Cyber AB also has a marketplace where you can go to look up the C3PAOs, RPOs, the RPs. So the ecosystem is managed by Cyber AB. So if you go to cyberab.org, you will be able to learn a little bit more about the CMMC ecosystem, and also go to the marketplace to be able to reach out to different organizations. Some of them are certified. There are certified professionals, certified assessors, lead assessors, the C3PAOs; you will be able to get them from there, RPOs as well. And also KLC Consulting, we have a lot of good information on CMMC. CMMC is pretty much what we focus on. So we were doing the consulting, but now our focus is more on the assessment. So, yeah, there is a lot of information that we provide.
Addressing Audience Questions
Kelly McDermott 48:48
Yes, thank you for that. There are lots of videos and blog posts and a contact-us form to just reach out and ask questions directly. And we’re really happy to help you. Before we get to the Q and A, because I know there are a lot of great questions in there, I do want to take an opportunity to just say that, you know, KLC Consulting is a firm that is not a gotcha firm; we’re here to help, and we’re here to help you get certified. That’s our main goal. We’re not trying to catch you, trip you up, or anything like that. So we’re looking to see that you’ve shown us the evidence and implemented the security practices and can demonstrate it, and we want you to pass. So we’re here to help you pass, and hopefully this information that we’ve provided will help you to prepare, know what’s in store, and know who to contact or where to go in order to get more information on your CMMC journey. So I did want to point that out. So let’s go to the questions here, because it’s been quite active here. So Kyle, if you get a Level Two certification, does that cover you for Level One?
Kyle Lai 50:05
So it depends on the scope. So if you are going for Level Two certification, the Level Two certification only focuses on controlled unclassified information, right? So if FCI is part of this scope and you have the controls in place to take care of that, if all the controls in your environment also address the FCI, then yes, it will cover it. But I just want to make sure that we understand that CMMC Level Two certification only covers the controlled unclassified information, CUI. It’s not specifically called out, I will say, that it covers the federal contract information. It does not have that clause in the CMMC Level Two assessment guide. Yeah. So basically, if you want to have the CMMC Level One, you might have to do a CMMC Level One covering the federal contract information. You might want to submit a separate CMMC Level One certification, but that’s a self-assessment, so it’s a lot easier.
Kelly McDermott 51:19
Yes. And again, these slides will be available after the presentation. Just shoot us a quick email at CMMC@KLCConsulting.net; we’re happy to share the slides with you. Just reach out to us. That’s perfectly fine. Happy to do so. Another question: which controls are not allowed in a POA&M?
Kyle Lai 51:43
Okay, so which ones are not allowed in the POA&M. If you look at the CMMC Level One, so if you’re looking at FAR 52.204-21, right, the CMMC Level One requirements are not allowed to be POA&M’d, right? So if you have anything that’s not meeting CMMC Level One, you cannot POA&M those, and there are about 17 related NIST 800-171 controls that are related to Level One. Those are not allowed. And three-pointers in the SPRS scoring: there are security controls, security requirements, that are three-pointers or five-pointers; they are considered a little bit medium-high risk controls, and they are not allowed to be POA&M’d. The only exception is that if you have one that’s related to the FIPS security controls, that one is a three-pointer that is allowed to be a POA&M. But otherwise, no, you cannot POA&M anything that’s three points or five points, or anything related to Level One controls.
Kelly McDermott 53:07
Okay, good question. In SPRS, there is an annual 800-171 self-assessment option. Now there is an option to do a CMMC Level One assessment. Do we do both of those before getting our CMMC Level Two certification?
Kyle Lai 53:27
No. CMMC Level Two is independent. Only focus on CMMC Level Two. It’s not related to the CMMC Level One. So you do not need to have a Level One before you go for Level Two.
Kelly McDermott 53:42
Okay. And here’s a question about the OSC. What if the OSC will be moving into a new building later this year? The physical boundary and controls will be changing. Should they wait until everything is moved over and self-assessed before reaching out to a C3PAO for scheduling the assessment?
Kyle Lai 54:05
I think this is going to be, yeah, a business decision. But the requirements, we still have to get the 48 CFR rule, the acquisition rule, to be finalized. But what’s in the draft 48 CFR rule right now is that, if you get your certification right now, and if there is a significant change, any change right now, you have to report to your contracting officer. I mean, there’s speculation about what really means a significant change. So if you’re moving your physical environment to a new building, there could be some significant change, right? There could be some differences in how you manage your physical security, then they may consider, but I don’t know the detail, they may consider that as a major, significant change, and then you may need to get another update or another certification assessment at that time. So it’s probably good to check with your C3PAO, I mean, yeah, if you choose us to be your C3PAO, contact us. We can go through a little more detail in terms of your circumstances.
Kelly McDermott 55:34
Okay, thank you. If my company does not receive CUI, but the customer, who is a prime contractor, receives it, is CMMC Level Two automatically inherited to my company?
Kyle Lai 55:49
It does not. No, it does not. So it all depends on if your prime is required to store, transmit, or process CUI, and it’s required by your prime because the prime has the contract that requires Level Two certification, which is fine. Your prime has to have the Level Two certification. However, it all depends on what information is passed to you as a subcontractor from the prime contractor. If your prime sent you only the federal contract information, only sent you the FCI, then your prime probably only requires you to get the CMMC Level One certification. However, if you receive CUI and it’s required for your work, yeah, then you will need to get the CMMC Level Two certification. So it all depends on the information you receive from the prime. If you are only required, I mean, if your business only needs to get the federal contract information, you don’t really need to have the Level Two; see, you don’t need to have the CUI to perform your work, but your prime still sends that CUI to you. You might be able to talk to your prime and push back and say, don’t send me the CUI because we don’t need it to perform our work. Then you can simplify that process and stay at just requiring the CMMC Level One for your organization.
Kelly McDermott 57:29
Okay, thank you. And then, how long will the OSC have to wait to be assessed at Level Two after signing the contract?
Kyle Lai 57:39
There is no requirement for us. I mean, you can reserve a time. Some of our clients, OSCs, already reserved into November, December, or 2026, so we just require a deposit to hold the date. And then, you know, I mean, we know things change. For us, we do have three W-2 lead CCAs, the lead assessors, with us. So we can be flexible in terms of our time. You know, if you need to change the schedule, we can, because we are not, I mean, we do use some 1099s in certain assessments. But for us, we mostly will be performing the assessment using the internal W-2 based lead assessors. So we can be flexible on the timing. And if you need to change the schedule, we can be flexible. So, yeah, I mean, you can schedule any time; sign the contract, pay the deposit, then we can be flexible on the schedule.
Kelly McDermott 58:51
Okay, that’s great advice, Kyle. And I do want to point out too, that we’ve mentioned this in previous webinars, that there are over 77,000 defense industrial base contractors in the US. And currently, today, there are about 100 C3PAOs.
Kyle Lai 59:07
Yeah, I think there are only, like, 50-something.
Kelly McDermott 59:11
Oh, okay, so 50, so half of that. And so you can see that the demand for C3PAOs is pretty intense, that there are a lot of DIB companies out there that are going to need to get certified, and you can see the supply and demand. So we’re here to encourage you to start the process, whether it’s us or another C3PAO, but just understand what the landscape is out there and know what the constraints are, so that you can go into this with eyes wide open.
Kyle Lai 59:45
So, and we still have the capacity. I know we’re conducting the certification assessments; I mean, we have quite a few assessments going on right now throughout the spring, but we still have capacity throughout the year, so feel free to contact us.
KLC Consulting Contact Information and Conclusion
Kelly McDermott 1:00:05
That’s great, all right. And we’ve had some requests to show our email address again, and we’re going to show that to you on our last slide. Here we go. This is how to contact us: CMMC@KLCConsulting.net. Our website is linked here. You can also click on the QR code to go to our site. And I just wanted to thank you all for joining us today at our webinar, When Do I Really Need My CMMC Level Two Certification? So thank you for joining us. Kyle, thanks for leading us through all of that information. We hope this was helpful to you, and please reach out with any questions you have. We’ll be sending the recording, as we said, and you’re obviously welcome to get the slides by contacting us as well. So thank you so much, folks. Have a great day. Yep, see you next time!