iQuasar Cyber

FAQ

General Questions CMMC 1.0

Q: What/Who are we (iQuasar Cyber)?

A: We are a Sterling, Virginia based company providing cybersecurity consulting and managed services to our clients. Our cybersecurity consultants have vast experience in consulting and advisory services, having served Fortune 100 companies. iQuasar Cyber’s advisory and consulting services have provided solutions to various industries, including government agencies at the state and federal levels. Our consultants have provided services to clients such as HHS Connect, the United States Postal Service, CalPERS, the Federal Reserve, the Department of Health, etc. Our experience in dealing with large and small government agencies helps us address your concerns in a much shorter period, leaving more time for meaningful conversations and planning strategic paths ahead. Whether the concerns are related to Compliance Services (CMMC 1.0), Managed Services or other cybersecurity related issues, we can provide consulting. Our experienced consultants have at least fifteen years of experience in compliance services. We thrive on experienced consultants who deliver high quality work at a non-Big4 sticker price.

Q: How are you cost effective?

A: Our consultants have worked in large consulting companies, including the Big4 and multinational system integrators. Being a nimble company with less overhead, we deliver quality work without the high fees that companies with large overhead incur.

Q: Do you provide services to meet new DoD CMMC 1.0 compliance?

A: Yes, we do provide CMMC 1.0 assessment services and help our clients prepare for the CMMC 1.0 assessment.

Q: What other type of compliance services do you provide?

A: iQuasar Cyber can also help with FFIEC, PCI and ISO audits, as well as with NIST based frameworks. iQuasar Cyber has consultants on staff who have helped with ISO audits for a large number of clients.

Q: What is CMMC 1.0?

A: CMMC 1.0 stands for “Cybersecurity Maturity Model Certification”. CMMC 1.0 is a new certification model introduced by the Department of Defense (DoD) to verify that DoD contractors have adequate security and process controls to safeguard sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC 1.0 compliance will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive Cybersecurity Maturity Model Certification (CMMC 1.0)”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.

Q: Is CMMC 1.0 A Mandatory Compliance Requirement?

A: Yes

Q: Why is CMMC 1.0 being created?

A: DoD is planning to migrate to the new CMMC 1.0 framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). CMMC 1.0 is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as to protect Controlled Unclassified Information (CUI) that resides on the Department’s industry partners’ networks.

Q: What is Controlled Unclassified Information (CUI)?

A: CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Q: What is the difference between CUI and FOUO?

A: CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding. FOUO, which stands for ‘For Official Use Only’, is a document designation used by the DoD.

Q: What’s the difference between NIST 800-171 and the CMMC 1.0?

A: CMMC 1.0 is a mandatory compliance requirement that will be certified by an approved independent assessor, while the other frameworks may not be mandatory. The intent of CMMC 1.0 is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, CMMC 1.0 will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

Q: How will my organization become certified?

A: A certified third-party organization or a certified independent assessor will review your cybersecurity risk as per CMMC 1.0 requirements. The assessor has to be a certified C3PAO organization (https://www.cmmcab.org). Your company will be awarded certification at the appropriate CMMC 1.0 level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor.

Q: Will there be self-certification for CMMC 1.0 compliance?

A: No

Q: Do I need to be CMMC 1.0 Certified?

A: Anyone who does business with the Department of Defense (DoD) must be certified, even subcontractors.

Q: Do companies not handling CUI need to be certified?

A: Yes. All companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.

Q: We are a subcontractor on a DoD contract. Does my organization need to be certified?

A: Yes, all companies doing business with the Department of Defense will need to obtain CMMC 1.0 certification.

Q: How often does my organization need to be reassessed?

A: In general, a CMMC 1.0 certificate will be valid for 3 years. Please continue to review the CMMC 1.0 CMMC-AB site at cmmcab.org for all CMMC 1.0 related updates.

Q: How will I know what CMMC 1.0 level is required for a contract?

A: The DoD will specify the required CMMC 1.0 level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

Q: Can I do self-certification for CMMC 1.0?

A: No, CMMC 1.0 requires that a third party be involved in assessing your company in order to accurately assess its security posture in accordance with the criteria provided by the DoD.

Q: What are the levels of CMMC 1.0?

A: CMMC 1.0 has five levels of practices as follows:

  • Level 1 – Basic Cyber Hygiene
  • Level 2 – Intermediate Cyber Hygiene
  • Level 3 – Good Cyber Hygiene
  • Level 4 – Proactive Cyber Controls
  • Level 5 – Advanced/Progressive Cyber Protection

The higher the level you are awarded, the more advanced your security posture needs to be.

Q: What is CMMC 1.0 Level 1 for?

A: CMMC 1.0 Level 1 is the basic level of security controls required for a defense contractor to earn Cybersecurity Maturity Model Certification. This is considered the basic cybersecurity hygiene needed to safeguard Federal Contract Information (FCI).

Q: What is CMMC 1.0 Level 2 for?

A: According to DoD, no contracts will require CMMC 1.0 Level 2. It’s been described as a bridge to CMMC 1.0 Level 3. Even though no contract will require CMMC 1.0 Level 2, it may be required by some partners, primes, or investors as a prerequisite to level 3 certification.

Q: What is CMMC 1.0 Level 3 for?

A: Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. Please contact an iQuasar Cyber consultant for more information at info@iquasarcyber.com

Q: What is CMMC 1.0 Level 4 for?

A: CMMC 1.0 Level 4 represents a substantial and proactive cybersecurity program. Organizations achieving Level 4 certification have shown the ability to adapt their protective measures and activities, allowing them to respond to changing tactics, techniques and procedures used by Advanced Persistent Threats (APTs). Please contact an iQuasar Cyber consultant for more information at info@iquasarcyber.com

Q: What is CMMC 1.0 Level 5 for?

A: CMMC 1.0 Level 5 requires defense contractors to standardize and optimize their process implementation in an advanced manner organization-wide. Building on the proactive approach of Level 4, Level 5 focuses on the protection of Controlled Unclassified Information (CUI) from Advanced Persistent Threats (APTs). Please contact an iQuasar Cyber consultant for more information at info@iquasarcyber.com

Q: What’s the best way to prepare for certification?

A: The first step is assessing your company’s security and risk posture by reviewing current controls with a Certified Registered Practitioner. The assessment will help your organization identify gaps and prepare for CMMC 1.0 compliance.
iQuasar Cyber has Registered Practitioners on staff and will help you prepare for CMMC 1.0 certification. Please contact an iQuasar Cyber consultant for more information at info@iquasarcyber.com

Q: What can I expect from a CMMC 1.0 assessment?

A: As per the DoD mandate, the assessor will conduct a comprehensive review of all security practices and processes for the required CMMC 1.0 level. Unless all compliance requirements are met to the satisfaction of the assessor and the CMMC 1.0 CMMC-AB, a CMMC 1.0 compliance certificate will not be issued.

Q: Will iQuasar Cyber prepare me for CMMC 1.0 certification?

A: Yes, iQuasar Cyber will review your CMMC 1.0 needs and requirements so that your organization is prepared for the CMMC 1.0 assessment. While iQuasar Cyber won’t conduct the assessment itself, it will prepare you to be ready for the CMMC 1.0 assessment. iQuasar’s Cybersecurity and Risk consultants (CMMC 1.0 certified) have extensive experience in NIST, ISO, CIS, CSF and other standards-based frameworks to assess any organization’s security controls.