Do You Need CMMC?

There is a lot of talk about the revision to NIST SP 800-171 (Revision 3) as well as CMMC (the CMMC program rule went into effect on December 16, 2024). Before joining those conversations, an organization has to answer a more basic question: does it actually need to comply with NIST SP 800-171 at all? The guide below walks through the questions that decide whether the answer is "yes" or "no."

Question 1: Are you a Department of Defense contractor, sub-contractor, or are you a supplier to a DoD contractor or sub-contractor?

Answers in the affirmative mean you have to continue to follow the guide.

If you answered “no” to all of the above, you probably do not need these certifications.

Question 2: If you are a contractor, sub-contractor, or supplier, does your contract include DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements), 7020 (NIST SP 800-171 DoD Assessment Requirements), and/or 7021 (CMMC requirements)?

Once again, a "yes" to any of these means you should continue with the guide.

If your contract does not include any of these DFARS clauses, you may not need to meet NIST SP 800-171 or obtain a CMMC certification. Double-check with your contracting officer to confirm.

Question 3: What exactly does your contract cover? Are you handling high-priority programs, prioritized acquisitions, or are you not sure what kind of Controlled Unclassified Information (CUI) you are handling?

Organizations that support high-priority programs will probably need a CMMC Level 3 assessment, which is conducted by DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center). These organizations will need to meet all of NIST SP 800-171 plus the selected NIST SP 800-172 requirements that Level 3 adds on top of it.

If your organization handles prioritized acquisitions, you may need a CMMC Level 2 certification assessment performed by a C3PAO (CMMC Third-Party Assessment Organization). Level 2 requires all 110 requirements of NIST SP 800-171 to be implemented.

If you know you handle CUI but are not sure which CUI category it falls under, contact your contracting officer to find out which requirements you need to meet.

If you have questions about any segment of this guide, contact us today. We can discuss your specific situation and help you begin your certification journey on the right path.

Other Common Questions About CMMC

What is ITAR?

ITAR stands for International Traffic in Arms Regulations. All ITAR data is CUI, but not all CUI is ITAR data. Learn more about ITAR.

Department of Defense CIO CMMC FAQs

The office of Department of Defense CIO has an excellent FAQs page for CMMC. We highly suggest taking a look at it as you are going through your compliance journey. 

About Smithers


Founded in 1925 and headquartered in Akron, Ohio, Smithers is a multinational provider of testing, consulting, information, and compliance services. With laboratories and operations in North America, Europe, and Asia, Smithers supports customers in the transportation, life science, packaging, materials, components, consumer, cannabis, dry commodities, and energy industries. Smithers delivers accurate data, on time, with high touch, by integrating science, technology, and business expertise, so customers can innovate with confidence. Smithers is an authorized C3PAO and can be found on the CyberAB Marketplace.

