Cask, an Authorized C3PAO

A. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A. If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

A. Federal Contract Information (FCI) is data that is collected, created, transmitted, or received as a requirement of fulfilling the obligations of the contract – to develop or deliver a product or service.

A. Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.  Examples of CUI could be DoD technical drawings and testing results.

The CUI Registry includes index groupings Critical Infrastructure, Defense, Export Control, Financial, Immigration, Intelligence, International Agreements, Law Enforcement, Legal, Natural and Cultural Resources, NATO, Nuclear, Privacy, Procurement and Acquisition, Proprietary Business Information, Provisional, Statistical, Tax.

A. Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

A. If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.

A. DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.

A.  Once CMMC 2.0 is implemented, self-assessments will be required on an annual basis. Third-party and government-led assessments, associated with Level 2 and  Level 3 programs, will be required on a triennial basis.

A. Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized C3PAO. C3PAOs shall use only certified CMMC assessors to conduct CMMC assessments.

A. The CMMC assessment costs will depend upon the CMMC level needed, the scope of what needs to be certified, and complexity of the organizations network for the certification boundary.

A. Cask will provide a CMMC Level 2/NIST 800-171A assessment of your organization’s current implementation of the 110 practices.  We will review and assess current implementations of the practices verifying compliance using the CMMC 2.0 assessment process which aligns with the NIST 800-171 assessment methodology.

A. Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to the NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.

A. NIST 800-171 specifically focuses on the protection of Controlled Unclassified Information (CUI) and seeks to ensure that such sensitive government information located on contractors’ networks is both secure and protected.

NIST 800-172 provides 35 enhanced security requirements designed to safeguard CUI from cybercriminals whose intent is to infiltrate systems to steal national security-related data. It does not contain guidance to determine high value to critical organizational programs or assets.

A: The Joint Surveillance Voluntary Assessment Program is a joint assessment performed as a team. The team consists of an Authorized C3PAO, such as Cask Government Services, and the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DCMA, DIBCAC) team.

A: Any business or organization that chooses to have a Joint Surveillance Voluntary Assessment should reach out to an Authorized C3PAO and have that C3PAO add you to their JSV list.  The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) reviews the C3PAOs list and then contacts the OSC to schedule the assessment.

A: A Joint Surveillance Voluntary Assessment is a NIST 800-171 High Assessment of an organization’s implementation of the 110 NIST controls/practices.

A: The best way to prepare for a NIST 800-171 High Assessment is to perform a self-assessment of your organization’s adherence to the 110 NIST controls/practices, ensuring there are two forms of evidence supporting each practice and each objective, or have an outside organization, such as an Authorized C3PAO, conduct a Pre-Assessment or Gap Analysis.

A: An Authorized C3PAO, such as Cask Government Services, will conduct your organizations Joint Surveillance Voluntary Assessment with the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DCMA, DIBCAC), overseeing the activities and verifying the C3PAOs assessment.

A: The C3PAO will assign a Lead Assessor to build the team.  One to two Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Assessors will be added to the team to oversee the assessment of the implementation of the 110 NIST controls/practices. The team will verify adherence to the level of compliance within the DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, implementation of NIST 800-171 requirements.

A: Organizations queuing up for the opportunity to be assessed understand the competitive advantage of positioning themselves with the opportunity to bid on government contracts that contain DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and in achieving CMMC Level 2 certification. They’re staying ahead of the curve by demonstrating to primes that they will be in compliance when CMMC is implemented via the Interim Rule expected in March 2023.

A:  Joint Surveillance Voluntary Assessments are expected to convert to CMMC Level 2 Certifications upon the completion of final CMMC rulemaking.

A: Cask Government Services submits organizations and their POC names to the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DCMA, DIBCAC) once they have completed a CMMC Assessment Readiness Review (CA-RR) and confirmed ready to be scheduled for an assessment. The DCMA, DIBCAC will contact the Organizations POC once selected. Please fill out and return a Cask Client Engagement Form so that we can help you get started!

A: A Joint Surveillance Voluntary Assessment costs the same amount as a quoted CMMC Level 2 Formal Assessment and is directly related to the Scope and Boundary which needs to be assessed.

A: The Scope = Systems, components, networks, buildings, or people which process, store, or transmit Controlled Unclassified Information (CUI).

A: Once your organization has met the Joint Surveillance Voluntary Assessment requirements, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will submit your score to the Supplier Performance Risk System (SPRS) and your organization will be required to self-attest annually and upload your scores to SPRS via the Procurement Integrated Enterprise Environment (PIEE).