CMMC Update Week of 9/28/2020


Yesterday, ISOP was part of the CMMC panel discussion for the Central Florida Chapter of the National Veteran Small Business Coalition (NVSBC). Below are four critical takeaways from this discussion:


What are Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), and what are the level requirements to handle either or both?

  • Level 1 is required if any contract requires FCI.

  • Level 2 is a transition state for organizations moving to Level 3. As of today, it has been stated that Level 2 will not be required in contracts.

  • Level 3 would be required for any contracts that require CUI.

Is there a firm date when DoD contractors MUST have some level of CMMC certification before they are unable to win new contracts? If so, what are those dates?

  • The dates are determined by the start date of the awarded contract. Vendors do not need to be CMMC certified to bid on a contract; however, the Prime contractor does need to be CMMC certified to the level outlined in the contract before the contract goes active.

  • Fully operational on October 1st, 2025.

Are there any ISO standards that a company may already have that will help them in becoming compliant with CMMC?

  • ISO 9001:2015, ISO/IEC 20000-1:2018, ISO/IEC 27001:2013

Concerning the handling of CUI: does previous data and other company data from past contracts need to be handled as new contract business? In other words, do we need to set up a CUI data store or solution that would also include our data as it currently sits?

  • For CUI, ensure that the CUI data is stored IAW NIST SP 800-171. This includes all 110 controls. 

If you are a client currently certified to ISO 9001, ISO/IEC 20000-1, and ISO/IEC 27001, you may already have all controls in place to comply with ML-1 and simply need us, as an RPO, to review and modify them to ensure the 17 practice areas are in compliance at your organization.

Again, no CMMC pricing structure has yet been provided for RPO RP implementations or C3PAO Assessments. Remember, ISOP Solutions has created 6 training modules to provide an overview of all 17 Practices for CMMC Maturity Level 1 (ML-1). Existing clients that have access to the ISOP Learning Management System (LMS) can view these 6 ML-1 courses for free. As these are overview courses and free to our clients, there are no CEU credits available. These courses are now available to anyone from a link on our website: https://www.isop.solutions/iso-cmmc-education


If you have any difficulty accessing these courses, please email Compliance@isop.solutions

Look for our latest CMMC update next week.


© 2020 by ISOP Solutions, Inc. All rights reserved.