News & Insights

Top 10 Cybersecurity Management Model Certification (CMMC) Questions and Answers

WhiteHawk Inc.

Top 10 Cybersecurity Management Model Certification (CMMC) Questions and Answers

In 2020 CMMC has become the new Department of Defense (DoD) standard for all Defense Contractors and Suppliers.

Many Cyber Risk experts believe it will become the National Standard for all Businesses and Organizations because it is a Tiered practical approach to Cyber Resilience that any entity of any size can start to implement, to efficiently and effectively address their key Digital Age Risks today.

If you do anything, just start your path to CMMC Level 1 which is comprised of 17 foundational steps or best practices (controls).

As initially Defense Contractors start their CMMC Journey - Here are our observed top 10 CMMC most asked questions to get you started.

Why was CMMC created?

  • The DoD needed a centralized method for all contractors and suppliers to become cyber resilient by getting a meaningful but tiered cybersecurity certification, providing a meaningful, consistent and third-party assessment to audit companies."

  • The DOD is planning to use the new CMMC framework to assess and strengthen the cybersecurity posture of the DIB.

  • Since the loss of Controlled Unclassified Information (CUI) from the DIB increases the risk to national economic security, the DIB sector must ensure the protection of CUI across all networks, devices and data sets.

Who needs to achieve CMMC?

  • All DoD and eventually Federal contractors or suppliers will need to achieve CMMC level 1-5 if they want to continue to do business with the DoD and eventually the Federal Government.

  • Currently, other Federal Non-DoD contracts or companies that primarily produce Commercial-Off-The-Shelf products do not require CMMC compliance (but we estimate this may change).

How does an organization become certified?

  • A non-profit, independent organization called the CMMC Accreditation Body (AB) will accredit CMMC Third Party Assessment organizations (called a C3PAOs) and individual auditors.

  • The CMMC AB (a non-profit) will establish a CMMC marketplace with a list of approved C3PAOs for DIB companies to choose an auditing organization.

How does the CMMC framework function?

  • CMMC has five different certification levels (1-5) that reflect the maturity and reliability of a government contractor's cybersecurity practices and infrastructure to protect their company and the sensitive and proprietary government information they may have access to.

  • The five levels build upon each other's technical requirements, including the requirements from the previous level.

  • The five levels build upon each other's technical requirements, including the requirements from the previous level.

How do I know what level is right for my company?

  • Level is determined by the specific contract RFP but everyone will need to be level 1 if they want to respond to RFP's, bid on contracts.

  • Anyone handling (Confidential Unclassified Information) CUI needs to be certified at level 3.

How expensive will CMMC be?

  • CMMC was created to be accessible for all small to medium businesses to obtain the qualifications for levels 1 -3 affordably.

  • Implementing these best practices will protect your business from cybercrime, espionage and fraud, with certification expenses to be an allowable cost of doing work on a DoD contract.

  • We recommend recording all transactions relating to certification.

When will CMMC third-party auditors be ready to initiate audits?

  • The CMMC Accreditation Body (AB) is looking to get the first qualified C3PAOs by the end of the 2020 fiscal year on September 30th with audits starting on October 1st.

Where can I find a qualified third-party auditor?

  • The CMMC AB is in the process of finalizing audit criteria and creating courses to certify C3PAOs officially.

  • It is currently too early to find an auditor; but it is not too early to get the Level 1 best practices/controls in place, in order to maximize your competitiveness.

  • Once a C3PAO has audited your company, you can find your audit findings and certification as appropriate on the CMMC AB website at

How are the CMMC controls different from those of CIS or NIST?

  • CMMC Controls are based upon those of NIST/CIS.

  • It is the Levels 1-5 that make Level 1 achievable for all, according to the requirements of the RFP/Contract.

  • And because each CMMC Level builds upon the previous Level, there is a path for sophisticated companies and Primes to reach Levels 4 and 5 as needed.

My company is not deeply technical and I don't have an experienced CIO or CISO; will CMMC be challenging to obtain?

  • Even if your company is not cyber aware or sophisticated, everyone can get on a path to CMMC Level 1 today, ensuring they have the 17 Controls/Best Practices in place.

  • WhiteHawk provides an intial complimentary virtual consult and assessments to CMMC controls tools that can also assist you with mapping your current cyber maturity and a pragmatic, effective and affordable online journey to CMMC.

If you still have questions, 23 additional frequently asked questions are available on the CMMC website.