UW Research

Frequently-Asked Questions

Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) FAQs

Collected FAQs for the DoD CMMC requirements effective for DoD contracts as of 11.01.2020

DoD CMMC FAQs

Where do I find out more about the DoD Cybersecurity Maturity Model Certification?

The Office of the Under Secretary of Defense for Acquisition & Sustainment has a very informative website on Cybersecurity Maturity Model Certification. The UW Chief Information Security Officer (CISO) maintains general information about the CMMC requirement.

Who can help me to understand whether UW Provided IT resources meet the standards imposed by the DoD CMMC Level? If

If you need help understanding whether UW provided IT resources meet the standards imposed by the Department of Defense Cybersecurity Maturity Model Level, contact help@uw.edu

Can a UW group certify my Cybersecurity Measures?

Certification of Cybersecurity Measures as required by the Department of Defense must be done by an entity outside of the UW. In other words, the UW cannot “self-certify”.

Is there a list of accredited third-party CMMC certifiers?

A Certified Third-Party Assessor Organization (C3PAO) undergoes an accreditation process. The CMMCAB has more information. A variety of commercial entities advertise as C3PAOs or in the process of becoming accredited.

Can UW submit my DoD proposal even if I don’t have the CMMC Level needed in place?

UW can submit a proposal without the required CMMC Level in place, unless the RFP/RFI states otherwise. If certification is an eligibility criterion, the proposal is subject to rejection by the DoD sponsor.

How do I build in the cost of becoming certified as a direct cost?

DoD states the cost of certification will be considered an allowable, reimbursable cost. In order to integrate into your budget, follow any instructions in the RFP on this, and obtain estimates of cost that are substantiated. This includes obtaining quotes on system upgrades or using estimated cost data provided by UW CISO (under development). Your unit may also consider implementing necessary steps to achieve certification at the necessary Level, so that the costs incurred, to degree they are applicable to your specific project, can be reimbursed by the DoD sponsor.

Can the UW accept a DoD contract if I haven’t had my system certified?

The DoD contract will include a new DFARS clause that confirms we, as the contractor/awardee, have certification in place. The UW cannot make this assertion and accept a DoD contract without documentation that third party certification for the CMMC Level required by DoD is in place for your project. As well, DoD may request a copy of the certification.

Will the CMMC requirement apply to DoD grants, in addition to contracts?

At this time, it is understood this will apply to DoD contract funding only, and only pertains to the project when the RFP/RFI includes a statement as to the CMMC Level that will apply. However, we are monitoring incoming DoD grant and cooperative agreements for language on this requirement, as well.

Does this apply to current DoD funding I have?

According to DoD, the CMMC requirement is effective November 1st, 2020, and applies when the RFP/RFI includes a statement as to the required CMMC Level. However, we are monitoring incoming modifications to current DoD contract funding.

Resources