CMMC Questionnaire
Supplier Information
Company Name
Company Address
Street Address
Street Address Line 2
City
State / Province
Postal / Zip Code
Point of Contact
First Name
Last Name
Phone Number
Email
I. Introduction
It is the policy of PRECISION, and a requirement of PRECISION’s prime Contracts with its Government Customers, that Controlled Unclassified Information (CUI) provided, developed, received, transmitted, used, or stored in support of the performance of PRECISION’s Contracts with the U.S. Government must be subject to adequate protections and safeguards. CUI consists of information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or Government-wide policy, as described in the CUI Registry at http://www.archives.gov/cui/registry/category-list.html. Third party information systems that process, store or transmit CUI on behalf of PRECISION or PRECISION’s Customer (Covered Information Systems) must be sufficiently protected. In the majority of cases, such Covered Information Systems are subject to the security requirements set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
II. Implementation of NIST SP 800-171 Controls
1. Company has reviewed and understands the information security standards set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and agrees to protect any CUI provided, developed, received, transmitted, used, or stored in support of its contracts with PRECISION in accordance with those standards.
Yes
No
2. Company has fully implemented the information security standards set forth in National Institute of Standards and Technology Special Publication (SP) 800-171 for any information systems that process or transmit information received from PRECISION that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html.
Yes
No
2A. If No to Q2, has Company implemented all 31 Basic Security Requirement controls of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171?
Yes
No
N/A: Company has fully implemented NIST SP 800-171 security standards
If No, please list any missing basic security controls
3. Company has developed a System Security Plan (SSP) describing how the requirements of NIST SP 800-171 are met, or how Company plans to meet those requirements, for any Covered Information Systems.
Yes
No
4. For any NIST SP 800-171 controls that Company has not fully implemented, Company has developed and implemented Plans of Action and Milestones (POAMs) designed to correct deficiencies and reduce or eliminate vulnerabilities in its Covered Information Systems.
Yes
No
N/A: NIST SP 800-171 controls are fully implemented
5. For any NIST SP 800-171 controls that Company has identified as enduring exceptions, the enduring exceptions are identified in Company’s SSP, with a rationale for the declaration as enduring non-conformances.
Yes
No
N/A: Company has not identified any enduring non-conformances
6. If requested, Company agrees to make available its SSP and any associated POAMs to PRECISION or its Government Customer for review and evaluation.
Yes
No
7. Company agrees to notify PRECISION of any request to vary from a NIST SP 800-171 security requirement, and of any variances that have previously been adjudicated by the DoD CIO.
Yes
No
8. Company agrees to report any cyber incident in accordance with the requirements of DFARS 252.204-7012, and to provide an incident report number to PRECISION as soon as practicable.
Yes
No
9. Company has completed at least a Basic NIST SP 800-171 DoD Assessment as described in DFARS 252.204-7020 for all Covered Information Systems and submitted summary level scores to the Supplier Performance Risk System (SPRS).
Yes
No
Date of Assessment
10. The Cybersecurity Maturity Model Certification (CMMC) is a framework that measures a contractor's cybersecurity maturity, including the implementation of cybersecurity practices and the institutionalization of processes (see https://www.acq.osd.mil/cmmc/index.html). Is your company planning on obtaining a CMMC Certification under CMMC V 2.0?
Yes
No
If Yes, what level certification? 1, 2, or 3
10A. If no to Q10, please explain.
III. Minimum Basic Controls
If Company has not yet fully implemented the controls set forth in NIST SP 800-171, including in cases where Company has enduring exceptions or open POAMs, at a minimum, Company must apply the following basic safeguarding controls to any information systems that process or transmit information received from PRECISION that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html.
Company certifies that it has sufficient controls to ensure that its information systems can:
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). For the purposes of data provided by PRECISION, authorized users shall be limited to U.S. Persons, unless Company has obtained appropriate export authorization from the U.S. Government or has otherwise obtained written consent from PRECISION.
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Verify and control/limit connections to and use of external information systems.
4. Control information posted or processed on publicly accessible information systems.
5. Identify information system users, processes acting on behalf of users, or devices.
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
7. Sanitize or destroy information system media before disposal or release for reuse.
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases are available.
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Yes
No
IV. Certification
The above-listed Company is a current or potential supplier of Precision Companies and CERTIFIES THAT ITS RESPONSES SET FORTH ABOVE ARE COMPLETE AND CORRECT. PRECISION MAY RELY ON THIS CERTIFICATION WHEN PLACING ANY CONTRACT OR AGREEMENT, OR ISSUING ANY QUOTATION, REQUEST FOR QUOTATION, REQUEST FOR PROPOSAL, OR SOLICITATION. COMPANY SHALL IMMEDIATELY NOTIFY PRECISION OF ANY CHANGE OF STATUS WITH REGARD TO ITS RESPONSE.
Name
First Name
Last Name
Date
Signature