Frequently Asked Questions
ISO 9001 – ISO 27001 – CMMC
Cyber Security – AS9100 – ISO 13485
No. By itself, passing a CMMC audit does not mean you are compliant with NIST 800-171. If you look in Appendix D of NIST 800-171, you will see it contains 110 Controlled Unclassified Information (CUI) controls, and Appendix E contains a further 63 Non-Federal Organization (NFO) controls. While NIST 800-171 is primarily focused on protecting CUI wherever it is stored, transmitted, and processed, your organization still needs to comply with both the CUI and NFO controls.
CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.
Check your DoD or Prime Contractor contract for FAR Clause 52.204-21 (Level 1) and DFARS Clause 252.204-7012, -7019, -7020, or -7021 (CMMC Level 2). The DoD may also specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.
Yes, so long as your company does not solely produce COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor. Existing contracts with the department will not have CMMC requirements inserted into them. Subcontractors to a prime contractor will not all need to have the same level of CMMC certification to win a contract. “Depending on how controlled unclassified information flows between parties involved in a contract, subcontractors might need only be a CMMC Level 1 company.”
All contractors who provide products and services for the DoD supply chain will require CMMC certification. This includes small businesses and subcontractors. Contract extensions and renewals typically cycle every 5 years, so approx. 300,000 contracts will be affected within the next 5 years.
The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and, in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks. The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA”, February 2018].
The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 billion [Ref: “Economic Impact of Cybercrime – No Slowing Down”, February 2018].
The requirement for a risk-based approach to planning is found in both ISO 9001 and ISO 13485. ISO 13485 requires a risk management plan; ISO 9001 does not. The challenge is to show the auditor that you are considering both internal and external risks when evaluating your processes, handling incidents, and performing management review. This video answers the question “How do you look at risks and manage them in an ISO 9001 – ISO 13485 Quality Management System?”
The supply chain presents a major risk for ISO certified companies. Suppliers can severely affect your ability to deliver your customer’s requirements on time. This video explains what options you have to bring your supply chain into compliance.
The biggest question in a Quality Manager’s mind before an ISO certification audit is “How do I avoid failing the ISO audit?” This video describes what must be done to ensure a successful ISO 9001 audit.
For small and medium sized businesses, certification costs vary greatly. They can be anywhere from only a couple thousand dollars to tens of thousands by the time all processes and needed resources are put in place. At times, certification costs are covered or partially covered by a contracting organization which requires the certification to do business with you.
CPISYS exists to bring simple, effective, and affordable ISO and CMMC solutions to small and medium sized businesses, primarily manufacturers, machine shops, electro-mechanical assemblers, engineering services & design, equipment calibration, and construction. This is done through education, authorized certifying partnerships, industry partnerships, and ongoing management services. Continuous Process Improvement Systems serves as a first go-to resource for all things ISO and CMMC Levels 1-3.
Yes and no. There is some work, processes, and documentation which can only take place in house, even if you are a one employee organization. However, CPISYS offers Compliance Management as a Service (CMaaS℠), which can outsource the vast majority of your quality management work.
Usually, an auditor will be onsite. Due to COVID-19 some audits or parts of audits were able to be done virtually with live video. It is expected that this option will continue as a remote audit solution.
CPISYS has a streamlined one-document solution to easily manage all documentation needed for certifications. Yes, the document can be long, but it is easy to manage.
There is a lot of confusion about ISO 9001 and ISO 13485 Accreditation Bodies and Certification Bodies. Are they the same, or is there a difference? This video explains the difference to help you choose a certification body and understand who accredits them.