ISI has rebranded and updated to a new URL—if you are here from dodsecurity.com you are in the right place!

Frequently Asked Questions

CMMC Compliance

How do I know if compliance is a requirement of my work with the DoD or a DoD Prime Contractor?

The quickest way to tell if compliance is a requirement of your contracts is to look for the DFARS clauses governing the protection of CUI in your contracts. They are:

  • DFARS 252.204-7012: Requirement for NIST 800-171a compliance
  • DFARS 252.204-7019: Requirement to submit a self-assessment score for NIST 800-171a to the SPRS database
  • DFARS 252.204-7020: Requirement for contractors to have an SSP (System Security Plan) and a self-assessment score no more than 3 years old
  • DFARS 252.204-7021: Contractor must be CMMC certified to the level specified by the contract at the time of award

I heard CMMC is not rolling out yet, that means I don’t have to worry about compliance just yet, right?

Unfortunately not, but this is a common misconception. CMMC is not the requirement to meet the NIST 800-171a compliance standard; CMMC is the requirement that contractors be assessed and certified by a third party. The requirement to be compliant with NIST 800-171a was instituted with DFARS 252.204-7012, which went into effect on December 31st, 2017.

My IT guy said we were fine, so I checked the box that we were compliant. That’s ok, right?

Possibly, but you will want to make sure that a FULL assessment was done. This process takes a few weeks at minimum and reviews all 110 required controls. More than likely you would end up with a POAM (Plan of Action and Milestones) as a remediation plan for any missed controls.
Is the government actually enforcing CMMC compliance?

This is a fair question: historically, enforcement around the submission of compliance attestations has been few and far between, but that is changing. Yes, CMMC is coming and will require a thorough check by a third party to confirm your compliance, but the DoD isn’t waiting for that. Recently, “5 Day Audits” began on select contractors submitting to the SPRS database. The DoD’s initial findings showed that a majority of companies’ actual posture did not match their submitted score, which has caused audit efforts to ramp up.

Is there a single solution I can buy to be compliant?

No. Compliance is a multi-phased approach which covers all aspects of your IT infrastructure and internal processes. ISI has engineered a security stack and remediation approaches to simplify the path to compliance as much as possible.

So, can ISI completely take care of CMMC compliance for me?

Unfortunately not, but we can do the bulk of the heavy lifting. Compliance includes the processes and procedures that govern your business, so there will always be some responsibility on the end user. Furthermore, maintaining compliance requires buy-in from your staff to ensure compliant policies and procedures are followed.

This is going to change everything and make our day-to-day work so much more cumbersome, isn’t it?

No. While proper security and meeting compliance usually involve changing some of your current processes, ISI strives to help its clients meet compliance with as little disruption to their current way of working as possible. Some things, like MFA and complex passwords, are unavoidable to stay safe in today’s world, but we will work to ensure the implementation of these processes is as smooth and pain-free as possible.

Security Clearances

Why is my clearance taking so long to complete?

NBIB, the investigating agency, has had a significant backlog over the years. Some of the most common items that can delay an investigation are foreign contacts, involvement or travel; criminal history; financial problems; and drug or alcohol usage.

Why is it taking so long for my clearance to be crossed over from NSA? CIA? DoS?

Each Intelligence Agency only has a certain number of designated individuals who process reciprocity requests. These limited resources, coupled with the requirement to review the investigation completed by the originating agency, can cause a reciprocity request to take up to 90 days.

Can I keep my Top Secret clearance even if I only need a Secret clearance?

Your eligibility may remain in the system of record so long as you are within scope on your investigation, while only being indoctrinated at the Secret level.

What is needed to sponsor / to be sponsored for an initial FCL or upgrade? (what comes first, the FCL or the contract)

The first item you need is a DD254 (contract) issued by a Prime Contractor or Government Customer. If you have a DD254 issued by the Prime Contractor, they must have the Government Customer’s concurrence to sponsor your facility clearance. The DD254 and the Sponsorship Request shall be initially submitted by the sponsoring organization via NISS.

Security Control

How to report incidents/foreign travel in Security Control

Once logged into Security Control, from the Employee Portal click on MY REQUESTS AND REPORTS found on the left side panel. From there you can select the specific type of incident report you need to file.

How to report new hires in Security Control

The best way to report new hires to us is by using the Quick Request/Actions button in the upper right of the Main Page of the Employee Portal. When you click on that button you will see a number of options available, including Report New Hire.

Can certain notifications that are sent to our employees be turned off?

Not on an individual basis, but most (though not all) of the notifications can be turned off company-wide if needed.

Can I give anyone client manager access to Security Control for my company?

The Client Manager role allows us to customize the permissions for users; however, to view personnel records we require that the user have at least an Interim Secret clearance.

Do all of my employees need to have a Security Control account?

We currently only provide logins to cleared personnel; however, a company can also keep records on uncleared employees if it chooses, but those employees do not receive a login.

Fingerprinting

I already have fingerprints. Why do I have to get them taken again?

Fingerprints can be required if you have had a 2-year lapse in your security clearance access, if a re-investigation is needed due to an incident report, or if it is an initial investigation. Fingerprints taken for security clearances are not transferred to other agencies for other security clearances.

How do I get fingerprints done?

On-site: We do the fingerprinting electronically. You may come to our office located at 250 Exchange Place, Suite E, Herndon, VA 20170 (located near Dulles Airport).

Off-site: If you are not located in the Northern Virginia area, you can go to a local Police Department or Sheriff’s office and get fingerprinted. After you get fingerprinted, please visit our website, www.dodsecurity.com, to place the order online. Select “I will mail in my fingerprint cards.”

Electronic submission: If you have had your fingerprints taken electronically by an organization that does not have the capability to submit through SWFT to OPM, you can request that they send you the file, then go to our website and select “I will Electronically submit an EFT and upload the file.”

How do I book an appointment for fingerprints?

Please visit our website at https://isidefense.com/resources/swft-fingerprinting to place the order online. Under Services, select the tab for SWFT Fingerprinting Services, then select the “click here” box shown below.

General Questions for NIST 800-171 R2 & CMMC 2.0 Compliance for DoD Contractors

What is NIST 800-171 R2?

NIST 800-171 R2 is a set of standards that outlines how federal contractors must handle Controlled Unclassified Information (CUI) in non-federal systems and organizations to protect the confidentiality of this information.

What is NIST 800-171 R3?

NIST 800-171 R3 is the upcoming revision of the NIST 800-171 standard, expected to include updates and changes to improve and clarify the requirements for protecting CUI in non-federal systems. Contractors should stay informed about these changes to ensure ongoing compliance.

What is CMMC 2.0?

CMMC 2.0 (Cybersecurity Maturity Model Certification) is a framework that measures the cybersecurity maturity of DoD contractors. It ensures that contractors implement adequate cybersecurity practices and processes to protect Federal Contract Information (FCI) and CUI.

Why do DoD contractors need to comply with NIST 800-171 R2/R3 and CMMC 2.0?

Compliance is mandatory for DoD contractors to ensure the security of sensitive information. Non-compliance can result in loss of contracts, legal penalties, and damage to reputation.

Choosing an MSP

What should I look for in an MSP regarding NIST 800-171 R2/R3 and CMMC 2.0 compliance?

Look for an MSP that has experience with DoD contractors, understands the requirements of NIST 800-171 R2/R3 and CMMC 2.0, and offers services tailored to meeting these standards. They should provide compliance assessments, remediation services, and continuous monitoring.

How can an MSP help my company achieve compliance?

An MSP can help by conducting gap analyses, developing and implementing security policies, providing the necessary IT infrastructure and tools, and offering ongoing monitoring and support to ensure continued compliance.

What certifications should my MSP have?

Ensure your MSP is a Registered Provider Organization (RPO) with the Cyber-AB (formerly the CMMC Accreditation Body) and has Registered Practitioners (RPs) on staff who are trained to assist with CMMC preparation. Additionally, verify if the MSP is working towards their own CMMC certification to demonstrate their commitment to compliance.

Compliance Process

What is involved in a compliance assessment?

A compliance assessment involves a thorough review of your current cybersecurity practices, identification of gaps relative to NIST 800-171 R2/R3 and CMMC 2.0 requirements, and recommendations for remediation.

How long does it typically take to achieve compliance?

The timeline can vary depending on your organization's current state of cybersecurity. It can take anywhere from a few months to over a year, depending on the complexity of the required changes.

What are the costs associated with achieving compliance?

Costs can vary widely based on the size of your organization, the extent of necessary changes, and the specific services provided by the MSP. It's essential to get a detailed quote and understand the scope of work.

How much does a C3PAO audit cost?

The cost of a C3PAO (Certified Third-Party Assessor Organization) audit can vary based on the size and complexity of your organization, as well as the scope of the audit. It's important to obtain quotes from several C3PAOs to understand the potential costs involved.

How long is a CMMC certification valid?

CMMC certifications are valid for three years. After this period, organizations must undergo a new assessment to maintain their certification status.

Does CMMC 2.0 Level 1 require an assessment?

Under CMMC 2.0, Level 1 does not require a third-party assessment. Instead, it relies on annual self-assessments and affirmation by a senior company official.

What if I don’t handle CUI on my internal systems and work off GFE equipment? Do I still need to be compliant?

If you do not handle CUI on your internal systems and only work off Government Furnished Equipment (GFE), you may still need to comply with certain aspects of NIST 800-171 and CMMC depending on your contract requirements. It’s important to review your specific contract obligations and consult with your MSP or legal advisor to ensure compliance.

Additional Considerations

What if my company fails to meet compliance requirements?

Failing to meet compliance requirements can lead to losing DoD contracts, facing legal penalties, and suffering reputational damage. An MSP can help you quickly address and remediate any compliance issues.

Can an MSP provide documentation and evidence of compliance for audits?

Yes, a reputable MSP should help you prepare and maintain all necessary documentation and evidence required for audits and assessments.

How do changes in regulations affect my compliance status?

Regulatory changes can impact your compliance status, so it’s crucial to work with an MSP that stays up-to-date with the latest regulations and can help you adapt your practices accordingly.

Can an MSP assist with employee training on compliance?

Yes, many MSPs offer training programs to educate your employees about compliance requirements and best practices for maintaining cybersecurity.

What should I do if I suspect a security breach?

Contact your MSP immediately if you suspect a security breach. They should have an incident response plan in place to help you manage and mitigate the breach's impact.

How can my MSP ensure our data is securely stored and handled?

Your MSP should implement robust data protection measures, including encryption, access controls, and regular backups, to ensure your data is securely stored and handled.

How do I verify the MSP's track record in handling compliance for other DoD contractors?

You can verify an MSP's track record by asking for references and case studies from other DoD contractor clients. Additionally, check for any certifications, such as being an RPO with the Cyber-AB, and look for reviews or testimonials that highlight their experience and success in achieving compliance.

What role does my organization play in achieving and maintaining compliance?

Your organization plays a crucial role by collaborating closely with the MSP. This includes providing access to necessary systems and data, ensuring your staff is trained and follows security policies, and being proactive in implementing the recommendations provided by the MSP. Regular communication and commitment to maintaining a culture of cybersecurity are essential for ongoing compliance.

Why is it important for my MSP to have their own CMMC certification?

Having their own CMMC certification demonstrates that the MSP not only understands the compliance requirements but also adheres to the same rigorous standards. This can provide additional assurance that they are capable of guiding your organization through the compliance process effectively and maintaining high cybersecurity standards.

What is Microsoft GCC and GCC High, and why are they important?

Microsoft GCC (Government Community Cloud) and GCC High are versions of Microsoft's cloud services tailored for government use. GCC is designed for federal, state, and local governments, providing enhanced security and compliance features. GCC High is intended for federal contractors handling controlled unclassified information (CUI) and International Traffic in Arms Regulations (ITAR) data, offering even stricter compliance and security measures. Ensuring your data is hosted in the appropriate environment is crucial for meeting regulatory requirements.