What does "Allowable Costs" mean?
The DoD has maintained that CMMC-related costs would be considered "allowable costs"; in other words, they could be charged directly to the DoD as part of a contract. This includes the costs associated with implementing CMMC requirements, supporting a CMMC assessment, and contracting with a C3PAO.
What is the CMMC-AB, and what is a C3PAO and CAICO?
The CMMC-AB (www.cmmcab.org) is an independent organization that will authorize, oversee, and accredit CMMC Third Party Assessors.
A C3PAO is an accredited Third-Party Assessor that is responsible for providing CMMC assessment services to the DIB organizations that are housing unclassified data, then issuing CMMC certifications based on the outcomes of the assessments.
The CMMC Assessors and Instructors Certification Organization (CAICO) is a new addition to the CMMC Ecosystem and was established to manage and oversee the training, testing, supporting, and certifying of any potential assessors and instructors, in accordance with DoD requirements and those of ISO/IEC 17024.
What will happen after a CMMC assessment is completed?
Upon completion of a CMMC assessment, the C3PAO will provide the client with an assessment report, and if there are no major findings or issues, the C3PAO will process and issue the appropriate CMMC certificate to the DIB organization for the specified certification level. The C3PAO will also submit a copy of the assessment report and CMMC certificate to the DoD.
Other than the oversight from the CMMC-AB and CAICO, are there any other requirements for C3PAOs?
Yes, C3PAOs must meet all DoD requirements and achieve full compliance with ISO/IEC 17020 (Conformity Assessment – Requirements for the Operation of Various Types of Bodies Performing Inspection) requirements before being approved to conduct CMMC assessments and issue certifications. The CMMC-AB can authorize C3PAOs to conduct CMMC assessments prior to the C3PAO achieving accreditation, but all C3PAOs must be accredited by the CMMC-AB within 27 months of their registration.
What is the current state of the CMMC Pilot Program?
The DoD will require that 15 new Prime acquisitions meet CMMC requirements as part of a CMMC pilot program. The focus will be on mid-sized programs that require a contractor to process or store CUI (CMMC Level 3). The Primes will then be required to flow down the appropriate CMMC requirement to their subcontractors.
The DoD has pared down its prior projections of the number of contractors and defense contracts that will require Maturity Level 4 and Maturity Level 5 CMMC certifications. “For subsequent fiscal years of the rollout, the Department intends to incorporate CMMC Levels 4 and 5 on a small number of contracts”.
- information courtesy of cmmcinfo.org