UW Research

Frequently-Asked Questions

Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) FAQs

FAQs for the DoD Cybersecurity Maturity Model Certification (CMMC) requirements.


Where do I find out more about the DoD Cybersecurity Maturity Model Certification?

The Office of the Under Secretary of Defense for Acquisition & Sustainment has a very informative website on Cybersecurity Maturity Model Certification.

Who can help me to understand whether UW IT resources meet the standards imposed by the DoD CMMC Level?

If you need help understanding whether UW IT resources meet the standards imposed by the DoD CMMC Level, contact help@uw.edu.

Can a UW central office assess and certify my Cybersecurity Measures?

Assessment and Certification of Cybersecurity Measures as required by the Department of Defense is not done centrally at the UW. A unit may carry out a self-assessment if it handles Federal Contract Information (FCI) and only needs Level 1 IT security. If a unit needs a higher level, such as Level 3, an accredited third-party assessor must carry out the Assessment.

Is there a list of accredited third-party CMMC assessors/certifiers?

A Certified Third-Party Assessor Organization (C3PAO) undergoes an accreditation process. The CMMCAB has more information. A variety of commercial entities advertise as C3PAOs or are in the process of becoming accredited.

How come the UW is not certified at the enterprise level?

Only those parts of the institution conducting DoD-sponsored research under a contract, either as prime or subcontractor, must obtain CMMC certification at the level (1 low – 5 high) appropriate to the work they are doing for DoD.

If you are a current PI who receives DoD funding, you recently received information on steps to take to ensure that your project/department meets the CMMC requirements for current or future DoD contract funding. You can also find those steps on the CISO CMMC website.

I have completed the Assessment and I understand I need to register in the DoD Supplier Performance Risk System (SPRS) for the contract to be issued. Does someone at UW register for me or does my department need to do this?

Once your Assessment is complete, you, your IT advocate/administrator, or your department administrator will register for your unit and project in the SPRS, using the naming convention UW-dept_PI name.

Your department will link to UW’s CAGE Code “1HEX5”. This way, the Contracting Officer issuing the contract, or the pass-through entity providing DoD contract funding, will be able to find your registered Assessment.

Is Fundamental Research exempt from CMMC?

There is no exemption from CMMC for fundamental research.

The specific IT security requirements apply to DoD Contracts handling:

  • Federal Contract Information (FCI)
  • Controlled Unclassified Information (CUI)

UW fundamental research projects can include FCI or CUI.

Can the UW submit my DoD proposal even if I don’t have the CMMC Level needed in place?

UW can submit a proposal without the required CMMC Level in place, unless the RFP/RFI states otherwise. If certification is an eligibility criterion, the proposal is subject to rejection by the DoD sponsor.

How do I build in the cost of becoming certified as a direct cost in my proposal?

The DoD states the cost of certification will be considered an allowable, reimbursable cost. To integrate this cost into your budget, follow any instructions in the RFP and obtain cost estimates so you can substantiate charging it to the sponsor. This includes obtaining quotes on system upgrades and the cost of obtaining a third-party assessment, if that is your situation.

Will the University include the cost to comply with CMMC requirements as part of F&A?

At this time, there is no “enterprise level” CMMC certification; therefore, the cost to comply is not University-wide and is not included in F&A.

DoD will cover the cost of CMMC certification as a direct cost per project. These costs can be built into a budget, with proper justification/back-up documentation.

When will university-based labs and other research facilities conducting DoD-sponsored research need to be CMMC certified?

Effective Nov. 30, 2020, DoD intends to add CMMC certification requirements to its Requests for Proposals (RFPs), starting with approximately 15 procurements for critical DoD programs and technologies, such as those associated with nuclear and missile defense. DoD estimates that each of the 15 primes will have an average of 100 subcontractors, and thus approximately 1,500 primes and subcontractors will be affected by fall 2021.

Don’t wait.

If you are a PI/department or other organizational unit at UW intending to respond to a DoD RFP in the next several months, or you regularly pursue DoD contract funding or collaborations with defense contractors, you should prepare to submit your IT security plan, self-assessment, and other required documentation into the DoD SPRS system for Level 1 (FCI) or Level 3 (CUI).

Don’t wait until the RFP is released.

Keep track of costs to obtain the IT Level of Security. Include the associated costs with your proposed scope of work when an RFP becomes available.

Who do I talk to about how to do an assessment, how to carry out a security plan, or how to submit on DoD SPRS?

Assessment and Security Plan:

  • IT administrator in your organizational unit
  • UW CISO (Office of the UW Chief Information Security Officer)
  • Third-party consultant

Submission into SPRS:

  • Prepare documentation (see above)
  • Submit directly into SPRS:
    • Follow naming convention procedures: UW-dept_PI name
    • Link to UW’s CAGE Code: 1HEX5
  • Need help after looking through the online SPRS Quick Entry Guide? Contact security@apl.uw.edu

Will the CMMC requirement apply to DoD grants, in addition to contracts?

At this time, it is understood this will apply to DoD contract funding only, and only pertains to the project when the RFP/RFI includes a statement as to the CMMC Level that will apply. However, we are monitoring all DoD awards as they are made.

My sponsor is a defense contractor. They have issued a subcontract to the UW that requires UW to comply with Level 3 IT security. However, I am not handling Controlled Unclassified Information (CUI). What do I do?

University research labs will not automatically need to achieve the same CMMC level as the pass-through entity (in this case, the defense contractor).
Instead, CMMC level requirements will be based entirely on the type of information shared by the prime with the university researchers. For example, if CUI (Controlled Unclassified Information) is not being shared by the pass-through entity with the UW, then for that contract, the UW would likely only need to achieve Level 1, which is focused on safeguarding FCI (Federal Contract Information).
Review your contract and if in doubt, discuss with your programmatic contact at the pass-through entity. If contract terms need to be modified, the pass-through entity should issue a modification changing its requirements from Level 3 to Level 1.

I have experienced a cyber incident. How does this get reported?

Cyber incidents are reported according to UW Administrative Policy Statement (APS) 2.4. See the CISO website for more information.