from Larisa:
Question on Slide 8: Is there a role that contractors can play with developing SCGs with the PO, esp if going to be a MAC?
RESPONSE: Yes. This should take place during the Market Research/Conference activities as well as the RFI to outline the requirements and expectations. I will be discussing this in detail during the next webcast scheduled 23 June.

from Robert:
Have there been impact studies to determine the additional costs to programs for the 3rd party assessor, supply chain/Tier 1 & below Contractor Support Agreements, etc., on various acquisitions (ACAT 1, ACAT 3, Abbrev. Acq Pgms, etc.)?
RESPONSE: Not that I'm aware of, but I know that OSD as well as other organizations applicable to the CMMC AB are developing the cost/pricing tables that will include the cost for achieving CMMC Level certifications and associated timelines.

from Bill:
How much time will these new requirements add to the procurement process? Looks like a lot!

from Larisa:
@Bill that is a good question ... do you feel like it's going to slow down the competition or before the RFP is let??
RESPONSE: I do not know at this time since the CMMC AB has not released information concerning the cost/pricing tables or associated timelines.

from James:
Will organic (government) software engineering organizations be required to be certified?
RESPONSE: The DFARS and/or CMMC are not applicable to Government Owned End Item Products. However, if the government requires a contractor to use CUI that is applicable to the development of the subject product and/or services, then the DFARS and/or CMMC will be applicable, but only to protect the information pathways that include the FCI and/or CUI.

from Jennifer:
What's the impact of this new requirement on small business and OTAs?
RESPONSE: This is not a short answer/response and it depends. As discussed during the webcast, the small business may need to partner with another large business (prime and/or sub) or co-op with the government (GFM, GFI, GFE, and CSP) to meet the DFARS and/or CMMC requirements.

from Donald:
Question: Are the third party certifiers up and running?
RESPONSE: Not at this time. Please refer to the CMMC AB website on the latest C3PAO status.

from david:
FYI - For DoD open contracts that we (DCMA) administer, contractors can't ask for additional consideration $ to meet 7012 clause reqs.

from Larisa:
@David in new contracts, if FFP can they add an ODC line to meet the requirements.....?

from david:
@Larisa, I don't think so as all contractors have to already meet 7012 reqs and that clause is on all new DoD contracts and they are way past the date of becoming 7012 NIST 800-171B compliant.
RESPONSE: Great conversation and that is correct concerning existing and new contracts. Cost/pricing for existing contracts should only be based on the deltas from DFARS to CMMC and clearly identified in the contractor's deliverables.

from D Banks:
So what level are you saying that "basic cyber hygiene" resides (if not Level 1)? Level 3? Level 2? Other?
RESPONSE: Per NIST guidelines and the selection of security controls from NIST SP 800-53, implementing the 110 security requirements from NIST SP 800-171 will allow you to achieve a "basic cyber hygiene" level of confidence.

from Robert:
Yes, but won't they just either (a) bid a higher overall contract cost or (b) increase overhead to cover these costs?
RESPONSE: It depends. If the organization is directly responding to the government, then yes. If the organization is responding and supporting a prime and/or sub, then they have the possibility of over-pricing since they have to submit a fixed price.

from Curt:
Donald - No, the C3PAO has not been stood up yet. This should be happening soon. The next step will require the certification of the assessor prior to them going out to conduct assessments.
RESPONSE: That is correct.

from Donald:
QUESTION: Am I correct that Level 3 CMMC with the 110 controls represents basic hygiene?
RESPONSE: Yes, you are correct based on NIST SP 800-171.

from Larisa:
The CMMC AB has put out an RFI seeking comments and feedback about the way they go about certifying the assessing companies.

from Curt:
@Larisa. Current contracts already have the DFARS 7012 clause on contract, but the OSD is currently underway with a re-write of the DFARS to incorporate the CMMC requirement.
RESPONSE: Above comments are correct.

from William:
From Bill McGuire: as I understand the process, any contractor who does not meet the requirements would not be considered for award - therefore small business will have a hard time with this process. They will require small business help!
RESPONSE: That is correct. We will start to discuss strategies at the next webcast scheduled 23 June.

from stephen:
Is there a link to find that RFI?
RESPONSE: This does not exist; however, OSD is conducting pathfinder exercises that will help understand some of the issues and challenges with the implementation and execution of the CMMC. This will be discussed during the next webcast scheduled 23 June.

from Anthony:
Do you know if CUI is protected from release via a FOIA request, as with FOUO information? I.e., if a FOIA request is submitted for CUI, is there an exemption to withhold the release of CUI? If so, what regulation is that covered in?
RESPONSE: All that is marked CUI is not exempted from FOIA. Please refer to DoDI 5200.48 for clarification.

from jim:
How does the CMMC figure into the SCG and PPP?
RESPONSE: These documents are a methodology to identify/describe FCI/CUI types, sensitivity of the information, and threat components that should be considered when determining the security requirements for protection. The ISSEs/ISSMs should be utilized to help with these decision points; determining the risk.

from Koo:
Who actually verifies if a contractor has all the requirements of Level 1 or Level 3, or Level 3+, and how?
RESPONSE: The C3PAOs will have the responsibility to assess and provide, through the CMMC cert process, the applicable level.

from Parker:
In light of the CMMC helping secure contractor sites to extend the cybersecurity boundary further from DoD, will organic software orgs be required to become CMMC certified for the same reasons?
RESPONSE: The DFARS and/or CMMC are not applicable to Government Owned End Item Products. However, if the government requires a contractor to use CUI that is applicable to the development of the subject product and/or services, then the DFARS and/or CMMC will be applicable, but only to protect the information pathways that include the FCI and/or CUI.

from Jennifer:
How will this requirement impact OTAs and reaching those non-traditional contractors?

from Larisa:
@jennifer, currently OTAs are not covered under the DFARS 7012 requirement, but CMMC folks say they will be including OTAs. OTA has more flexibility to issue GFE or other workarounds to some of the implementation issues, maybe.

from Jennifer:
@larisa. That makes sense. It will be balancing these requirements and innovating acquisition.
RESPONSE: That is correct. In addition, DoDI 8582.01, Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information, applies to contracts, grants, or other legal agreements with the DoD and requires that those systems processing, storing, or transmitting DoD CUI must be protected in accordance with NIST SP 800-171.

from Jared:
It can be "dangerous" when contractors help create SCGs - SCGs set classification requirements, and requirements *could* be bent to fit individual desires vs. requirements. This would obviously be a no-no.
RESPONSE: AWF has the ultimate responsibility and decision authority.

from Jennifer:
Can you give us some examples of what technologies or requirements (part of requirements) look like for each level? Ex: NNP for Level 4 or 5? What would be an example of Level 1-2?
RESPONSE: Most items purchased from GSA are considered FCI and should be protected under CMMC at Level 1. It really depends on the command, what the procuring activity is purchasing, and the required supply chain to support the procurement request (PR). There is not a "set in stone" list of items for each level. Recommend you coordinate with the ISSM/ISSE to determine the critical items/technologies and required protection level based on the sensitivity of the information and the threat capability.

from John:
Good question about OTAs and non-traditional, since other transactions are outside the FAR. Still, non-traditional contractors should be NIST compliant. Would be interesting to hear the official answer.
RESPONSE: That is correct. In addition, DoDI 8582.01, Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information, applies to contracts, grants, or other legal agreements with the DoD and requires that those systems processing, storing, or transmitting DoD CUI must be protected in accordance with NIST SP 800-171.

from Ronnie:
How will this requirement affect current contracts?
RESPONSE: Currently, CMMC is not a policy or requirement, and is not applicable to current contracts.

from Michael:
Question: 20 years ago the USG required every contractor that wanted to win a USG DoD contract to become CMMI Level 5 certified. However, 5-7 years later the DoD backed off on this requirement. What is the vision the DoD has with the Cyber Maturity Model with regards to contracting, and realistically will this requirement be eroded over time because of the cost and time required by the contractors to get certification?
RESPONSE: Great question(s). I have no idea; however, the current policy is DFARS and I would concentrate efforts to ensure contractors are in "compliance" with the NIST SP 800-171 110 security requirements and incident reporting.

from Donald:
QUESTION: When do you expect the DFARS will be updated with the CMMC requirements?
RESPONSE: I have no idea. The current administration is trying to complete the DFARS rule making by Oct/Nov 2020.

from Dan:
Question: Do you have a ballpark price for Level 1 and Level 3 compliance?
RESPONSE: Not at this moment. Please check with the CMMC AB website for updates.

from D Banks:
What's the mapping between cyber Tiers and CMMC Levels? Seems like we're overlaying them without much specificity.
RESPONSE: Please refer to slides 18 - 20. You have three levels of security; Level 1, 3, and 3+ based on the aggregation of security requirements/practices and what you are trying to defend against (adversary), which is stated on slide 9.

from connor:
Is there a certain point of diminishing returns seen across many programs? Is there much ROI gained above Level 3, for example, to make any extra expenditure worth aiming higher?

from Larisa:
@connor - the 800-171B has a good explainer of the differences of why you would go to Level 4/5 instead of 3.
RESPONSE: That is correct. Other concepts/best practices and lessons-learned are involved which is beyond this webcast; includes Defensible Architectures, Threat-Based Engineering, Active Cyber Defense, Cloud Security, the integration of SSE per NIST SP 800-160 and the System Engineering Process (SEP).

from Julie:
Will the Government reimburse contractors for their CMMC certification? I have had a contractor inquire about recouping costs for the certification.

from Jennifer:
@julie: From the CMMC FAQ site, the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.
RESPONSE: That is correct, and only if you (contractor) are responding directly to the government (privity). If you are a lower tier, then you have to include/embed your CMMC expense in your cost, which may not be reflected or recouped by the prime and/or major sub.

from Ken:
Since the 3rd party CMMC assessors will not be government employees, do we know what will happen if they incorrectly certify a contractor as compliant at Level 3 and the contractor relies on that certification?
RESPONSE: Hopefully the CMMC AB will establish an adjudication process. This should be considered in the government RFI/RFP contract strategy timeline.

from ANGELINA:
Wouldn't these added costs be addressed at the onset of contract initiation??
RESPONSE: Depending on the PMO understanding the supply chain and applicable support agreements. Since the government will only have contract privity at the first and second tiers, knowledge beyond that point will be unknown and not considered at contract initiation. Market research/conference will become a very important effort.

from Maurice:
Based on the info on slide 23, is it safe to say we should stay clear of proprietary software and equipment?
RESPONSE: It depends. Some commands and procurement efforts will not have a choice and/or options.

from Ken:
During COVID there has been a surge of support teams, vendors etc. using web based collaboration tools: TEAMS, WEBEX, Connect etc., even free sites. However, it does not appear that the DOD teams are checking to see IF those sites are secure or approved.

from Curt:
@ken. Currently the only platforms that can be used on the GIG are TEAMS and WEBEX. You are correct, a lot of organizations are using unauthorized platforms.
RESPONSE: That is correct.

from jim:
There may be a program to provide some funding at OSD or related to SBIRs for CMMC certification for small businesses, etc. States may also provide grants to some businesses. Just a thought.
RESPONSE: That is correct. The DIB should contact their MEP/PTAC regional representative.

from Michael:
I think I'm hearing that the WBS should identify CMMC levels. Would the Government WBS indicate at their level of indenture what CMMC level should be there and that the Contractor WBS further breaks it down? Is there an instance where the Government WBS element 1.0 would be at a CMMC Level 4 but CWBS 1.1 element would be at a CMMC Level 3 or below? Is that something the Contractor would propose in their proposed CWBS?
RESPONSE: Hopefully, that could be the case, but it depends on the knowledge of the PMO and contractor.

from osaruyi:
How is the government going to conduct training for companies to become assessors?
RESPONSE: That is the responsibility of the CMMC AB. Please refer to the CMMC AB website for further information.

from lawrence:
What recourse would the Govt have if certifications turn out to be invalid based on evidence?
RESPONSE: I do not know how to provide a response without assumptions. If you are stating that you need contractors to be at a certain level and they cannot achieve that, then the government will have to re-evaluate the requirement to protect as unclassified and move to another environment that can provide the required protection. If the contractor is trying to achieve a certain CMMC level and disputes with the C3PAO, then the CMMC AB should have an adjudication process. Hopefully I came close to responding to your question.

from Brooke:
How will acquisition professionals evaluate the increased costs associated with meeting cyber requirements when doing a pricing analysis for proposals submitted to DoD?
RESPONSE: When the CMMC AB defines/identifies the cost/pricing tables or associated timelines.

from osaruyi:
When will auditors start officially auditing companies?
RESPONSE: I do not know. Please check with the CMMC AB website for the latest status.

from Michael:
Hi Jennifer. I'm getting at who does the splitting. Government WBS only goes down some number of indenture levels, with the Contractor developing additional levels of indenture for them to manage their program. If the Government sets a CMMC Level 5 at WBS 1.0, and the Contractor adds 3 additional levels of indenture, can 1.1.4.2 be at a CMMC Level 2, and who decides that?
RESPONSE: The command/procuring activity is responsible for identifying the technical requirements. Recommend you coordinate with the ISSMs/ISSEs to determine the critical items/technologies and required protection level based on the sensitivity of the information and the threat capability.

from Jennifer:
@james, NIST SP 800-171 is not the same as 800-53 nor the same as CMMC, and is not being replaced by CMMC; the requirement for compliance with 800-171 remains IAW DFARS 252.204-7012. CMMC will have its own new clauses.
RESPONSE: That is correct and my understanding.

@michael, my understanding is that the level set by the PO is the level carrying through the chain. The possible exception is if the PO/Prime segregates the CUI to relieve the supply chain.
RESPONSE: That is correct.

from Martin:
Will there be a requirement to review the required CMMC levels in light of updated threat intelligence and then to modify the contractual requirements as needed?
RESPONSE: That should be included as part of the contract requirements. I'll discuss this further in the next webcast scheduled 23 June.

from Charlie:
How will this work in the pre-solicitation phase? If the government needs to provide CUI for solicitation purposes, how will this requirement be levied?
RESPONSE: The government will have to provide respondents a way to access the RFP information in a secure fashion via website and/or using cloud technology.