Cybersecurity Maturity Model Certification

Secure your future with CMMC compliance.

Unlock CMMC Certification Success with PAC’s Expert Guidance.

PAC is uniquely positioned to support your organisation’s compliance with both Australian and US cybersecurity frameworks.
PAC’s Infosec Registered Assessor Program (IRAP) consultants are also endorsed by the Cyber-AB – the Cybersecurity Maturity Model Certification (CMMC) accreditation body – to the Registered Practitioner Advanced (RPA) level, which allows consulting and implementation services for CMMC Level 1 (FCI) and Level 2 (CUI).


As a CMMC Registered Practitioner Organisation (RPO), our team can provide advice, consulting, and recommendations to other businesses to help them meet CMMC requirements. To achieve this, we will determine the appropriate certification level to target, conduct an audit-readiness assessment, address any gaps, document new processes and practices, test, validate, and document the results, resolve any remaining gaps after an audit, and remain engaged to ensure clients’ progress undergoes periodic validation.

Diverse Experience

Trusted cybersecurity expertise across industries.

User-Centric

Blending security, operational needs and compliance for optimal performance.

Innovative Strategies

Our proactive strategies keep you safe from emerging threats.

Proven Results

A strong track record in delivering robust cybersecurity.

The CMMC framework provides a mechanism for DOD to verify contractor and sub-contractor compliance with cybersecurity requirements for protecting federal contract information (FCI) and controlled unclassified information (CUI).

The DOD is in the final stages of the rulemaking process and could begin phased implementation starting in late 2024.

With limited exceptions, the proposed rule indicated that CMMC will be required for any business globally in the US DoD supply chain, including prime contractors, sub-contractors, and supply chain partners, if they have FCI or CUI requirements.

The US Defense Department’s Regulatory Impact Analysis indicated an estimated 220,000 US companies will be impacted by the CMMC final rule. It is unknown how many Australian and other international defense industrial base partners may be impacted.

If starting from a minimal cybersecurity baseline, compliance with NIST 800-171 rev2 can take 12-18 months. The number of systems within the scope of an assessment and documentation preparation all play key roles in assessment readiness timelines.

Your organisation’s CMMC compliance and assessment requirements will depend on the sensitivity of the data you’ll be working with. The proposed rule identifies the following three levels:

Level 1 – Federal Contract Information (FCI)

  • Standard to be Met: FAR Clause 52.204-21
  • Number of Requirements: 15
  • Assessment Type: Self-Assessment
  • Affirmation Requirement: A senior official from the prime contractor and any applicable subcontractor is required to annually affirm continuing compliance with the specified security requirements.

Level 2 – Controlled Unclassified Information (CUI)

  • Standard to be Met: NIST SP 800-171 rev 2
  • Number of Requirements: 110
  • Assessment Type: Self-Assessment or Third Party Certification – to be identified in contract
  • Affirmation Requirement: A senior official from the prime contractor and any applicable subcontractor will be required to affirm continuing compliance with the specified security requirements after every assessment, including POA&M closeout, and annually thereafter.

Level 3

  • Prerequisite: Must meet Level 2 certification before Level 3
  • Standard to be Met: NIST SP 800-171 rev 2 + 24 selected requirements from NIST SP 800-172
  • Number of Requirements: 110 + 24 = 134 total
  • Assessment Type: Self-Assessment or Third Party Certification – to be identified in contract
  • Affirmation Requirement: A senior official from the prime contractor and any applicable subcontractor will be required to affirm continuing compliance with the specified security requirements after every assessment, including POA&M closeout, and annually thereafter.

Based upon the proposed rule and the recent class deviation announcement by DoD, CMMC is expected to assess compliance against NIST SP 800-171 rev2.

Federal contract information (FCI) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Controlled unclassified information (CUI) is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

The National Archives and Records Administration (NARA) is the Executive Agent (CUI EA), which issues guidance to US Executive branch departments and agencies that handle unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.

The CUI program applies to not only Defense information but also other organizational index groups: critical infrastructure, export controls, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax, and transportation.

Yes, rev3 of NIST SP 800-171 is forthcoming, but on 2 May 2024 the US DoD issued a Defense Federal Acquisition Regulation Supplement (DFARS) class deviation that requires contractors subject to DFARS clause 252.204-7012 to comply with NIST SP 800-171 revision 2, instead of the version of NIST SP 800-171 in effect at the time a solicitation is issued.

The proposed rule does not include Australian standards, such as the Essential 8 or an Infosec Registered Assessors Program (IRAP) assessment. However, the proposed rule reserved space to allow for other standards acceptance. No timeline for reciprocity with international standards was included in the proposed rule.  

Get in contact Today

Work with us to protect your business and build a resilient cyber culture.

Frequently asked questions

CMMC is an initiative designed to help protect the data shared within the USA’s Defense Industrial Base (DIB) and the contract information essential for National Defense. It is a certification program created by the Department of Defense (DoD) that assesses an organisation’s cybersecurity posture.

NIST is a quality standard that can improve an organisation’s processes and products focused primarily on security maturity. CMMC is a certification program that verifies an organisation’s compliance with specific security practices. It combines the controls from NIST SP 800-171 and other sources, depending on the level of certification. CMMC is a new model that will complement NIST 800-171 and will be enforced by the DoD.

Three main objectives define CMMC Compliance:

  • Protect sensitive Defense information from cyber-attacks and nation-state actors.
  • Create a unifying cybersecurity standard for Defense contractors.
  • Ensure accountability for Defence companies that are responsible for protecting the government.

CMMC is required for any USA DoD supply chain business, including contractors interacting exclusively with the DoD and all subcontractors. According to the DoD, the CMMC requirements will affect over 300,000 organisations. Australian companies that desire to do business with the USA DoD will be required to comply. 

CMMC applies to anyone in the USA’s Defense contract supply chain that is required to hold Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

The DoD intends to only approve the inclusion of CMMC requirements in any contract after completing the CMMC 2.0 rulemaking process. The DoD intends to have all the DIB certified by 2025.

CMMC contains three security levels:

  • Level 1 – Foundational: For organisations holding Federal Contract Information (FCI).
  • Level 2 – Advanced: For organisations holding Controlled Unclassified Information (CUI).
  • Level 3 – Expert: Designed to reduce Advanced Persistent Threats (APTs) applicable to large Defence contractors.

Your organisation’s CMMC maturity level and compliance and assessment requirements will depend on the sensitivity of the data you’ll be working with.

The interim Defense Federal Acquisition Regulation Supplement (DFARS) rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).

Once the assessment meets the criteria for the chosen CMMC level, the CMMC-AB will issue your organisation a CMMC certificate of compliance. This certification lasts for three years.

The CMMC program is aligned with DoD’s information security requirements for DIB partners. It is designed to enforce the protection of sensitive unclassified information that the Department shares with its contractors and subcontractors.

As the only Australia-based sovereign company with Cybersecurity Maturity Model Certification (CMMC) accreditation body – Cyber-AB – endorsed RPA personnel, PAC is uniquely positioned to provide consulting and implementation services for CMMC Level 1 and Level 2.

As a Registered Practitioner Organisation (RPO), our Information Security team can provide advice, consulting, and recommendations to other businesses to help them meet CMMC requirements. To achieve this, we will determine the appropriate certification level to target, conduct an audit-readiness assessment, address any gaps, document new processes and practices, test, validate, and document the results, resolve any remaining gaps after an audit, and remain engaged to ensure clients’ progress undergoes periodic validation.

Get in Touch

Let’s chat! We have the solution for your industry.

SYDNEY
Suite 111, 460 Pacific Highway
St Leonards NSW 2065

CANBERRA
Unit 2.04, 17 Moore Street
Canberra ACT 2601

WILLIAMTOWN
U 2.02 Building E 1 Technology PL
Williamtown NSW 2318