UNDERSTANDING CMMC
The Department of Defense (DoD) acquisition policy implementing the CMMC (DFARS Case 2019-D041) became effective on December 1, 2020.  The Defense Federal Acquisition Regulation Supplement-known as the DFARS-implements the CMMC requirement into Defense acquisition policy.  The CMMC requirement will begin to appear in new Requests for Proposals (RFPs) and Requests for Information (RFIs), which may not reference the CMMC explicitly, but instead reference the DFARS clause at 252.204-7021.  The -7021 clause is the CMMC clause.

DoD Assessment Methodology and Additional DFARS Clauses
The DFARS Case 2019-D041 introduced a NIST 800-171 assessment methodology and added two more clauses in addition to the CMMC clause. These two new clauses are approved for inclusion in all DoD contracts that contain the DFARS -7012 clause. The -7012 clause applies to all companies who process, transmit, store, or otherwise handle Controlled Unclassified Information (CUI), but is often found in contracts where companies do not need to handle CUI. The DoD Assessment Methodology is required to be used for the NIST 800-171 self assessment (see below for new DFARS clauses) as well as is used by DoD to conduct their own NIST 800-171 assessments of Defense contractors (see below for new DFARS clauses).

-7019 CLAUSE
The -7019 clause added as part of the DFARS Case 2019-D041 has the following requirements:
  1. All companies who handle DoD CUI must complete a self-assessment using the DoD Assessment Methodology (see link above) and generate a score.
  2. Companies must then input that score and the date at which they plan to remediate all gaps to the Supplier Performance Risk System (SPRS). SPRS can be found here: https://www.sprs.csd.disa.mil/
At the time of contract award for a DoD contract containing the new -7019 clause, a DoD contracting officer will simply verify a score has been uploaded. At this time there is no baseline score requirement, which means that any score is sufficient to meet the -7019 clause requirement.

-7020 CLAUSE
Along with the -7012 and -7019 clauses, this new clause is approved for inclusion in all DoD contracts.  This new clause requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level Assessment. The higher level assessments are the Medium and High assessments. The self-assessment conducted as part of the -7019 clause is called a Basic Assessment.
CONTACT OUR CMMC EXPERTS
Our goal is to prepare you for the CMMC assessment. We will answer all of your questions about the CMMC process and will explain how we can prepare you for the CMMC assessment process. We are always happy to answer any questions you might have about the CMMC and our services (for free), so please do not hesitate to contact us for more information!
CMMC FAQS
Which cmmc level is required?
The government will determine the appropriate level of CMMC (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.
do companies supporting the dod need cmmc?
Yes, all companies doing business with the Department of Defense will need to obtain a CMMC certification (even sub-contractors).
is cmmc an allowable expense?
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.
how Is CMMC similar to nist SP-171? 
Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.
Will my cmmc status be publicly available?
Your certification level will be made public, however details regarding specific findings will not be publicly accessible. The DoD will see your certification level.
How does medium & high assessments differ?
A Medium Assessment is conducted by DoD personnel and will consist of a review of the system security plan (SSP) description of how each requirement is met to identify any descriptions which may not properly address the security requirements. Whereas a High Assessment is conducted on-site by DoD personnel at a Defense contractor's location and leverages the full NIST 800-171A assessment methodology to determine if the implementation meets the requirements by reviewing appropriate evidence and/or demonstration (e.g., recent scanning results, system inventories, configuration baselines, demonstration of multi-factor authentication).
Almond Consulting is postured with certified experts to assist with your organization's CMMC audit readiness with our full-spectrum approach.
Contact us today to learn more!
LOCATIONS
Oviedo, Florida – Headquarters
Leesburg, Virginia
RESOURCES
Rules of Behavior
Demand Cyber
CMMC Guide
Visit Almond Consulting on LinkedIn or Indeed, and monitor our site to stay informed of the latest cybersecurity and CMMC updates.
Privacy Policy | Accessibility | Terms and Conditions 
© 2021 ALMOND CONSULTING® ALL RIGHTS RESERVED