How do I get Certified?
The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAO) and individual assessors. The CMMC AB will provide the requisite information and updates on its website.
The CMMC AB has established the CMMC Marketplace. It includes a list of approved C3PAOs as well as other information. Once the Candidate C3PAOs are assessed and certified, formal assessments will begin. Find us on the CMMC AB Marketplace.
FCI (Federal Contract Information) vs. CUI (Controlled Unclassified Information)
A. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A. If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
A. Federal Contract Information (FCI) is data that is collected, created, transmitted, or received as a requirement of fulfilling the obligations of the contract – to develop or deliver a product or service.
A. Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Examples of CUI could be DoD technical drawings and testing results.
The CUI Registry includes the following index groupings: Critical Infrastructure, Defense, Export Control, Financial, Immigration, Intelligence, International Agreements, Law Enforcement, Legal, Natural and Cultural Resources, NATO, Nuclear, Privacy, Procurement and Acquisition, Proprietary Business Information, Provisional, Statistical, and Tax.
CMMC (Cybersecurity Maturity Model Certification) Assessments
A. Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.
A. If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
A. DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
A. Once CMMC 2.0 is implemented, self-assessments will be required on an annual basis. Third-party and government-led assessments, associated with Level 2 and Level 3 programs, will be required on a triennial basis.
A. Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized C3PAO. C3PAOs shall use only certified CMMC assessors to conduct CMMC assessments.
A. The CMMC assessment costs will depend upon the CMMC level needed, the scope of what needs to be certified, and the complexity of the organization's network within the certification boundary.
Cybersecurity Standards (NIST SP 800-171 and NIST SP 800-172)
A. Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.
A. NIST 800-171 specifically focuses on the protection of Controlled Unclassified Information (CUI) and seeks to ensure that such sensitive government information located on contractors’ networks is both secure and protected.
NIST 800-172 provides 35 enhanced security requirements designed to safeguard CUI from cybercriminals whose intent is to infiltrate systems to steal national security-related data. It does not contain guidance for determining which organizational programs or assets are high-value or critical.