If you are a contractor in the Aerospace and Defense Industry, you likely have heard a lot about the issues we allude to in the article you just read in Aerospace and Defense Technology Magazine. If you are similar to so many other contractors we have spoken with over the last year, you likely also have many questions. Here are some answers to questions we are frequently asked by our clients and prospects.

How do I know if I have CUI?

CUI, or Controlled Unclassified Information, is not classified but rather is highly sensitive. This might include blueprints for a fighter plane or specific information needed to manufacture weaponry.

The first thing to know is you are within your rights to contact your contracting officer and ask questions. Ask specifically if your contract includes CUI flowdown and what kind of CUI you are receiving. You can also look at your contract and see if there is a DFARS 252.204-7012 clause in it. If there is, you likely will be working with CUI.

Not all contracts are marked correctly so do your due diligence. In an effort to protect information, the Department of Defense and their primes have started to mark everything as DFARS 7012 when there is no CUI involved. Ask questions to be sure.

What is the difference between NIST 800-171 and CMMC?

This question comes up often. The important thing to remember is you must comply with the NIST SP 800-171 controls. CMMC, once it goes into effect, will be a certification that a third party assessed you and found you to be compliant with NIST 800-171. You cannot technically "comply" with CMMC because it is not a rule. It is a statement that you are compliant with the NIST security standard.

What is a C3PAO?

C3PAO stands for CMMC Third-Party Assessor Organization. Much like companies get accredited by organizations like the ANAB to certify companies are complying with ISO standards, C3PAOs are accredited by CyberAB to implement CMMC certifications. It is important to remember that a C3PAO cannot also offer consultation/remediation services. If a C3PAO runs through a mock assessment with your company, they cannot then work as your C3PAO for the actual assessment.

Can I pick my own C3PAO?

Yes, companies can select their own C3PAOs. You don't need to go any further than this website to find yours.

Show Policy

My prime says I need to be NIST-compliant but I have doubts. What do I do?

Prime contractors are under immense pressure to protect sensitive information, which means along with flowing down CUI, they will also flow down that pressure to their network of subcontractors. If you are being told that you will be handling CUI but you do not understand how that is possible, the best action is to speak with your contracting officer. Feel free to schedule a meeting with us first to run through your questions.

How much does a NIST SP 800-171 Assessment cost?

At Smithers, pricing is based on a number of factors unique to your organization. Having worked as an ISO certification body for more than three decades, we approach our assessments for NIST in a similar manner. There are some key questions we need to talk to you about before we can give you an accurate and fair quote. Once you have that pricing, there will be no surprises.