Secure Your Systems

Effective cybersecurity involves more than just cyber.

As part of your team, our goal is to synchronize your business processes and CMMC compliance so that operations meet both the business and cybersecurity objectives.

Our Services

Effective cybersecurity also encompasses physical security, planning, sustainment, and more. True cybersecurity requires a holistic company approach.

Planning and Policies

171Comply’s policies guide your company’s stakeholders—from corporate management to production staff—to a practical understanding of their vulnerabilities and responsibilities. Our compliance tools, tailorable templates, policy frameworks, and step-by-step workbooks help companies of every size achieve all levels of CMMC compliance by providing a practical roadmap that doesn’t waste your time and resources.

Audit and Compliance

On-site assessment of cybersecurity practices is a requirement of CMMC certification for companies at all CMMC levels. 171Comply carefully prepares clients for this multifaceted assessment, particularly for the documentation of compliance evidence, known as artifacts. Our personalized compliance tools simplify and facilitate your company’s ability to demonstrate institutionalization compliance.

Consulting

With tools and consultation tailored to clients’ specific needs, 171Comply significantly reduces the research and documentation time needed to earn CMMC compliance. Our team leverages vast corporate experience in both practice and process, understanding the need to balance compliance requirements with your specific business goals.

171COMPLY: FREQUENTLY ASKED QUESTIONS (FAQ’S)

Admin

Go to site, menu login.

Classes and Types of Information

A covered contractor information system is an unclassified information system owned or operated by or for a contractor and processes, stores, or transmits covered defense information.

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

CDI is Covered Defense Information. It is a term used to identify information that requires protection under DFARS Clause 252.204-7012. In terms of the CMMC model, it is specifically “unclassified Controlled Technical Information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies and is:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract, OR
  • Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.”

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

Note that Federal Contract Information (FCI) is not within the CDI definition.

Company Controlled Information is not part of the CMMC model. The CMMC model is only focused on government-controlled information or Covered Defense Information (CDI).

Company Controlled Information is vital to the organization’s survival and should be protected to the same standard as government information. Having the same set of procedures to safeguard all controlled information reduces confusion and error.

Source: 171Comply.com

Controlled Information is a general term that describes the information that needs to be secured and monitored; this can be physical information or electronic information. This would include information stored locally on portable media, a USB device, your phone, or in the cloud.  The information could be government-controlled as Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

In addition, it should include company-controlled information (CCI) such as financial data, customer information, personnel information, intellectual property, etc.

Source: 171Comply.com

Controlled technical information means technical information with military or space applications that is subject to access, use, reproduction, modification, performance, display, release, disclosure, or dissemination controls. Controlled technical information does not include information that is lawfully publicly available without restrictions.

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

CUI is Controlled Unclassified Information; this is information “that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.”

Source: Executive Order (2010), EO 13556 (adapted)

CUI must be identified and marked by the government, and it is information that requires safeguarding.

FCI is Federal Contract Information, which “means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.”

Source: 52.204–21 Basic Safeguarding of Covered Contractor Information Systems.

Government-controlled information is a general descriptive term used to identify government information that must be secured and controlled. This includes Federal Contract Information (FCI), Covered Defense Information (CDI), Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), etc.

Source: 171Comply.com

The determination of information classification is ultimately a federal government responsibility. FCI is, by default, in all federal government contracts. CUI will be determined by the government and marked as such. There may be room to discuss what is CUI in contract negotiations and what is shared with subcontractors.

CMMC Compliance Scope – Who it applies to.

All defense contractors, whether prime contractor or subcontractor, are subject to the CMMC model requirement; the issue is based on the handling of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The prime contractor is responsible for ensuring their subcontractors secure Covered Defense Information (CDI). “The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause … .”

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

All companies in the defense industrial base will require certification; this includes both prime and subcontractors and all business sizes.

However, certification is not required if the company does not handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

The CMMC model is for unclassified systems and information only.

The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) or Request for Quote (RFQ).

All companies in the defense industrial base will require certification if they handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC Level 1 is for companies that will handle FCI only. CMMC Levels 2 to 5 are for companies that will handle both FCI and CUI.

The DFARS is generally written for US contractors and does not consider complications introduced by foreign partners/sub-contractual relationships. Potential conflicts have been identified between the requirements of DFARS Clause 252.204-7012 and existing country agreements/national laws in areas such as the reporting of cyber incidents directly to the DoD, the submission of malware and media to the DoD, and providing access to information and equipment. OUSD(A&S), OUSD(R&E), and DoD CIO are currently working with the Defense Technology Security Administration (DTSA), under OUSD(Policy), to resolve these potential conflicts on a country-by-country basis and to provide guidance for US Contractors on how to implement the rule within National Law and Country Agreements. Contractors should notify the Department of Defense at osd.dibcsia@mail.mil if they require assistance concerning this issue.

Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1

DFARS clause 252.204-7012 was structured to ensure that controlled unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of safeguarding controlled unclassified information clauses and contract language by the various entities across DoD.

Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1

DFARS clause 252.204-7012 flows down to subcontractors without alteration, except to identify the parties, when performance will involve operationally critical support or covered defense information. Per 252.204-7012(m)(1), the prime contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information, thus necessitating the flow-down of the clause. The contractor should consult with the contracting office if clarification is required. The Department’s emphasis is on the deliberate management of information requiring protection. Prime contractors should minimize the flow down of information requiring protection. Flow down is a requirement of the terms of the contract with the Government, which should be enforced by the prime contractor as a result of compliance with these terms. If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204–7012, then covered defense information shall not be on that subcontractor’s information system.

Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1

The contract solicitation or the contract Request for Information (RFI) will list the CMMC Level required.  In the Request for Proposal (RFP) or Request for Quote (RFQ), the CMMC Level will be identified in section L&M.

Implementation Concepts

Cloud Services can be used. However, there are two conditions to consider. First, the storage of non-government-controlled information in the cloud is without restriction. Second, the storage of government-controlled information, Covered Defense Information (CDI), must meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, as outlined below.

“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in the performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

Unless prohibited by the FAR/DFARS, all costs associated with DFARS clause 252.204-7012 are allowable.

Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1

DFARS Clause 252.239-7010, Cloud Computing Services, applies when a cloud solution is being used to process data on the DoD’s behalf, or DoD is contracting with a Cloud Service Provider to host or process data in a cloud. DFARS Clause 252.239-7010 requires the cloud service provider to comply with the DoD Cloud Computing Security Requirements Guide and with the requirements for cyber incident reporting and damage assessment. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, applies when a contractor intends to use an external cloud service provider to store, process, or transmit covered defense information in the performance of a contract. DFARS Clause 252.204-7012 requires the cloud service provider to meet security requirements equivalent to those established for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.

Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1

Media means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

The best advice is to use a FedRAMP certified cloud service provider. The FedRAMP Moderate baseline is well established and understood by Cloud Service Providers (CSPs) that provide such service to the United States Government (USG). Again, the best solution would be to use a CSP service approved by FedRAMP at the “Moderate” level. However, if co-tenancy is not possible, it is acceptable to use a similar service that has not formally been approved by FedRAMP if the CSP can demonstrate to the contractor that it is equivalent. The demonstration of equivalency will need to be satisfied before the service can be used.

Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1

The URL for FedRAMP service providers: https://www.fedramp.gov/cloud-service-providers/

DoD does not develop “cost recovery models” for compliance with DFARS rules. The requirements levied by this rule should be treated the same as those imposed by any other new DFARS rule, and the cost related to compliance should be considered during proposal preparation. Contractors should continue to comply with their own internal accounting processes. Contractors should consult with their Audit Compliance/Accounting/Finance departments for guidance on this matter.

Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1

Cloud computing services shall be subject to the security requirements specified in clause 252.239–7010, Cloud Computing Services, of this contract.

“For covered contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:

  • Cloud computing services shall be subject to the security requirements specified in clause 252.239–7010, Cloud Computing Services, of this contract.
  • Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract.”

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

A cyber incident consists of actions taken through computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

A non-government or contractor system is an unclassified information system owned or operated by or for a contractor, which may process, store, or transmit covered defense information.

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

Malicious software is software that is loaded onto your computer to steal information, destroy information, or take over your computer system. It is the “computer software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of an information system. This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware.”

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

A custodian is a general term that describes someone responsible for something.  All controlled information and system components need to be controlled.  The custodian(s) are assigned control and responsibility for system components and physical and electronic controlled information.  A custodian is responsible for physical access to the organizational spaces and information resources, physical or electronic.  Control can be assigned to others (i.e., custodian(s)). Control is through a documented chain of custody.  The goal is an established clear chain of control and responsibility so that at any point in time, the device or physical information is accounted for by the custodian.  It is also to ensure spaces or facilities are under the control of a custodian.

Source: 171Comply.com

Cyber hygiene refers to the activities taken to reduce the risk of compromise or cyber incidents. These activities include inventorying hardware and software assets, configuring firewalls and other commercial products, scanning for vulnerabilities, MFA, patching systems, monitoring, etc.

Threat intelligence is the analysis of the threats within the cyber domain. The intent is to provide information that can reduce vulnerabilities and decrease the risks associated with cyber threats.

Adequate security means protective measures commensurate with the consequences and probability of loss, misuse, or unauthorized access to or modification of information. “The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections” as outlined in CFR 252.204–7012.

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

MFA is Multifactor Authentication; it is a means of user authentication. In general, there are three ways to authenticate a user. The first is something the user knows, such as a password or the answers to a series of questions. The second is something that the user is, for example, a fingerprint or facial recognition. The third is something the user has, such as a token, card, or phone. In many applications, MFA is used in addition to a password to validate the individual trying to gain access; passwords can be compromised. MFA is a second step in the assurance process.

MFA is easy to use and is highly recommended as a means to validate users for all systems. However, all MFA techniques are subject to hacking or compromise, which calls for a defense-in-depth approach to system security.

Compromise means disclosure of information to unauthorized persons or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

As of December 31, 2017, all covered contractor information systems will comply with NIST SP 800-171.

“Covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.

The Contractor shall implement NIST SP 800–171 as soon as practical, but no later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800–171 not implemented at the time of contract award.”

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

The Certification Process

The organization’s certification level will be made available to the Government and not to the public. Government access is required so that your certification level can be used as an award criterion.

The process of requesting a CMMC certification is in development.  Once the process is in place, the organization will need to contact a local Certified Third-Party Assessment Organization (C3PAO).

A standard cost or range of cost for a CMMC certification is not determined at this time.  It will depend on the “maturity” of the organization.  Maturity is a general term that would describe how close the organization is to meeting the required level, granted this is obvious.

Consider that sustainment of the System Security Plan will be the most significant cost over time.

A certification will be good for three years, after which the organization will have to be reassessed.

The cost of certification is unknown at this time. The goal is to make the cost “reasonable.”  The cost of certification is allowable.

It is important to note that by 2026 all companies in the defense industrial base will have to be certified.

At present, the CMMC certification process is being developed. In general, the construct is to work along these lines: the organization will need to contract with a local Certified Third-Party Assessment Organization (C3PAO). The organization will have to pay for its assessment. All CMMC assessors will work for or will be affiliated with a C3PAO. It is the C3PAO that will “manage” the assessors; the assessors will be certified to a CMMC level(s) at this time; there will be two levels, CMMC Level 1 and 3. The contractor and assessor will schedule the assessment and will conduct the assessment on-site.

The assessment will be based on a scoring mechanism; once certified, the certification will last three years and will then have to be renewed.

At this time, the certification process has not started, and there are no organizations that can certify any organization in terms of the CMMC model.

A higher certification level will cover lower-level certifications; for example, an organization certified at Level 5 will be certified for Levels 1 through 4.

The organization or the contractor will have to pay for the upfront cost for compliance and certification. However, the costs required to meet CMMC compliance and certification are “allowable costs.”

A Certified Third-Party Assessment Organization (C3PAO) will perform the assessment. The assessment will be performed by a certified assessor affiliated with the C3PAO and certified to the appropriate CMMC Level.

A compromise will not automatically require recertification. The general consensus is that if the organization meets the reporting and notification requirements outlined in the Incident Response domain and there is no negligence, the certification will hold.  The issues that will cause the loss of certification may be late reporting, poor execution of the system security plan, and the security controls.

There are no self-certifications. At this time, the certification process has not started, and there are no organizations that can currently certify any organization in terms of the CMMC model.

The CMMC Framework

The goal is to have one cybersecurity or system security standard within the DoD, which is the CMMC model.  Other government agencies have different standards.

The CMMC model incorporates NIST SP 800-171 and elements from NIST SP 800-53, ISO 27001, ISO 27032, and others. In addition to the control standards, the CMMC model requires institutionalizing these system security practices and processes.

The CMMC model is one in a series of Federal initiatives focused on information security. The first was FAR Clause 52.204-21, June 2016, which mandated all federal contractors meet a set of 15 basic cybersecurity controls for contractor information systems upon which “Federal contract information is stored, processed or transmitted.” The second was DFARS Clause 252.204-7012, December 2017, which made NIST SP 800-171 the requirement for all defense contractors. The NIST SP 800-171 with 110 requirements also incorporated the 15 basic cybersecurity requirements from FAR 52.204-21. The CMMC model came into place in January 2020 with the publication of version 1.0.

The CMMC model is built on the requirements as outlined in NIST SP 800-171, in addition to other commercial system security best practices. CMMC Level 3, with 130 practice requirements, incorporates NIST SP 800-171 with 110 system security requirements. The exception is NIST SP 800-171 section 3.12.2, which calls for a Plan of Action and Milestones (POAM). Within the CMMC model, a POAM used to demonstrate progress towards compliance is considered non-compliant. The point is that the organization at the time of certification should be compliant with all appropriate CMMC Level practice requirements.

The CMMC Level you will have to meet will be determined by the type of information in the contract, Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Most companies, about 60%, will be at CMMC Level 1, focused on securing FCI, with 17 practice requirements. CMMC Levels 2 and above are focused on securing FCI and CUI. The class will be determined by the government contract and negotiations between the prime contractor and the government contracting officer. All government-controlled information, CUI, must be identified and plainly marked.

The Cybersecurity Maturity Model Certification (CMMC) consists of five levels, with Level 1 the most common with 17 practice requirements, and Level 5 the most restricted with 171 practice requirements. For levels 2 and above, there is a requirement for a system security plan and to demonstrate the institutionalization of practice requirements.

The Cybersecurity Maturity Model Certification (CMMC) is essentially a certification process by the Department of Defense for all defense contractors; this includes large or small businesses, primes, or subcontractors.  The goal is to secure the defense industrial base against cyberattacks and the theft of US intellectual property.

There are five levels in the CMMC model, Level 1 is the most common and has 17 practice requirements; Level 5 will be the most restricted with 171 practice requirements.

The CMMC model is built on the requirements as outlined in NIST SP 800-171, in addition to other commercial system security best practices. CMMC Level 3, with 130 practice requirements, incorporates the 110 system security requirements in NIST SP 800-171. The exception is NIST SP 800-171 section 3.12.2, which calls for a Plan of Action and Milestones (POAM). Within the CMMC model, a POAM used to demonstrate progress towards compliance is considered non-compliant. The point is that the organization at the time of certification should be compliant with all appropriate CMMC Level practice requirements.

Currently, the DoD requirement for system security is conformance to the NIST SP 800-171 standard. There is an initiative to change the DFARS and replace the NIST requirement with the CMMC model.

The first version of the CMMC framework, version 1.0, was released on January 31, 2020.  There was a second release, version 1.02, on March 18, 2020; this version made minor changes and corrections to version 1.0.

The Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB) is the “manager” of the CMMC process, with the goal of helping ensure common standards and consistency in providing for a cyber-safe, cyber-secure, and cyber-resilient defense industrial base. To accomplish this, the CMMC-AB is also charged with developing the audit and auditor standards, training and certification for Certified Third-Party Assessment Organization (C3PAO), and specific elements of CMMC training for contractors in the defense industrial base. This process is to be coordinated with the Under Secretary of Defense for Acquisition and Sustainment.

The initial implementation of the CMMC will only be within the DoD. It is anticipated that after the rollout of the CMMC program within the DoD, other Federal Agencies may consider the CMMC model as a means to secure information.

Note that at this time, the GSA has placed an option in its contracts to require contracts to have CMMC certifications.

171Comply

a Division of CommTech Systems, Inc