
Frequently Asked Questions

We have a large amount of knowledge in the cybersecurity arena and get asked a lot of questions, so we created this page to address some of the common ones we see.

CMMC

Q: What is CMMC, and does it apply to my business?

A: The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s framework for verifying that contractors and subcontractors protect federal contract information (FCI) and controlled unclassified information (CUI). If your business holds a DoD contract or subcontract, or supplies a company that does, CMMC likely applies to you, even if you’re small or don’t think of yourselves as a “defense contractor.”


Q: What’s the difference between Level 1 and Level 2?

A: Level 1 applies if you handle FCI and requires meeting the 15 basic safeguarding requirements of FAR 52.204-21, verified through an annual self-assessment and affirmation. Level 2 applies if you handle CUI and requires meeting all 110 security requirements of NIST SP 800-171 Rev. 2, verified through either a self-assessment or a formal third-party (C3PAO) assessment, depending on what your contract specifies. A Level 2 certification is good for three years, with an annual affirmation in between.


Q: Do I need a third-party assessment, or can I self-assess?

A: It depends on your contract terms and the sensitivity of the information involved. Many Level 2 contracts can currently be satisfied with a self-assessment plus an executive affirmation in SPRS, but a growing share of contracts, especially as CMMC Phase 2 rolls out, require certification by a C3PAO. Your contract documentation, and your prime if you are a subcontractor, will specify which applies.


Q: Can Cryptid Cyber certify my company?

A: No, and it’s worth understanding why. Cryptid Cyber operates as a Registered Practitioner Organization (RPO), which means we help you prepare: gap analysis, readiness assessment, documentation, and remediation support. Formal certification, when required, is performed by an independent Certified Third-Party Assessor Organization (C3PAO). Keeping these roles separate is intentional; it’s part of how the CMMC ecosystem maintains assessor independence, and the organization that helped you prepare cannot also be the one that certifies you.

Q: How long does a readiness engagement typically take?

A: It depends heavily on your starting point. A company with mature IT practices might move from gap analysis to assessment-ready in a few months; an organization starting from scratch on documentation and technical controls might need six to twelve months or more. A gap analysis is typically the first step, and it gives you a realistic timeline specific to your environment.

Privacy

Q: We’re a US-based company...does GDPR or CCPA apply to us?

A: Possibly, and the answer is often less obvious than companies expect. GDPR can apply if you offer goods or services to, or monitor the behavior of, individuals in the EU, regardless of where your company is located. CCPA and similar state laws apply based on factors like annual revenue, the volume of personal data you handle, and where your customers live, not just where your company is incorporated. Applicability is worth confirming rather than assuming.


Q: What’s the difference between data security and data privacy?

A: Security is about protecting data from unauthorized access, loss, or misuse: the “how do we keep this safe” question. Privacy is about how data is collected, used, shared, and retained in the first place: the “should we have this data, and what are we allowed to do with it” question. The two overlap heavily but aren’t the same, and a strong security program doesn’t automatically mean you’re privacy-compliant.


Q: Do we need a privacy policy on our website?

A: In most cases, yes, and increasingly, a generic template isn’t sufficient. Depending on what data you collect and which laws apply, your privacy policy may need to reflect specific disclosures, opt-out mechanisms, and data subject rights. It’s also a document that should match what your systems actually do, not just what sounds good.


Q: How does privacy compliance overlap with CMMC/CUI handling?

A: For defense contractors, CUI handling rules and privacy obligations often apply to overlapping, but not identical, categories of information. Personal information about employees or other individuals can be both CUI and subject to privacy law at the same time, which means your data handling practices need to satisfy both frameworks, not just one.

Q: What’s a DPIA, and do we need one?

A: A Data Protection Impact Assessment (DPIA) is a structured evaluation of the privacy risk associated with a particular processing activity, often required under GDPR and similar laws for higher-risk processing such as large-scale monitoring, sensitive data categories, or certain AI use cases. Whether you need one depends on what you’re doing with the data in question, not just whether you’re “big enough” to worry about it.

AI Governance

Q: We don’t build AI products...do we still need AI governance?

A: Almost certainly yes, just in a different form. Most companies today are AI users, not AI builders: employees use tools like ChatGPT, Copilot, or AI features built into software they already have. Governance for AI users is less about model development and more about deciding what data can go into these tools, which tools are approved, and how usage is monitored.


Q: Is using ChatGPT or Copilot at work a compliance risk?

A: It can be, depending on what’s being entered into the tool and what your organization is obligated to protect. For companies handling CUI, personal data subject to privacy regulation, or other sensitive information, an AI tool that wasn’t evaluated as part of your data flow can create a real gap even if no one intended any harm.


Q: What AI regulations actually apply to my business?

A: It depends on your location, your customers’ locations, your industry, and how you’re using AI; there’s no single answer. The EU AI Act, various U.S. state AI laws, and sector-specific guidance all have different triggers. An applicability assessment is usually the right starting point rather than assuming a particular law does or doesn’t apply.


Q: How does AI governance relate to our CMMC/CUI obligations?

A: Directly, if CUI ever touches an AI tool. Existing CMMC requirements around external systems (NIST SP 800-171 3.1.20), controlling the flow of CUI (3.1.3), and boundary protection (3.13.1) apply the moment CUI is entered into an AI tool that isn’t part of your authorized system boundary, regardless of whether anyone thought of it as an “AI question” at the time.


Q: What is “shadow AI,” and why does it matter?

A: Shadow AI refers to AI tools employees are using without IT or compliance ever formally approving them — often because the tools are free, browser-based, or built into software employees already use. It matters because you can’t govern, secure, or account for data flows you don’t know exist. The first step in most AI governance engagements is simply finding out what’s actually being used.
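The two answers above both come down to one concrete question: which AI services is traffic actually leaving for, from whom, and is anything large being pushed to them? The script below is an added example, not Cryptid Cyber tooling, of how that first inventory pass can be done from web-proxy logs. The CSV log format, the domain list, the approved-tool list, and the 50,000-byte upload threshold are all constructed assumptions for illustration; a real domain list would need to be maintained, and a real approved list comes from your own governance decisions.

```python
"""Inventory generative-AI traffic ("shadow AI") from web-proxy logs.

Added example, not Cryptid Cyber's own tooling. The log lines, the
domain list and the approved-tool list are constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: known generative-AI service domains. Illustrative, not complete;
# a real list has to be curated and kept current.
AI_DOMAINS = {
    "chat.openai.com", "chatgpt.com", "api.openai.com",
    "claude.ai", "api.anthropic.com",
    "gemini.google.com", "copilot.microsoft.com",
    "huggingface.co", "perplexity.ai",
}

# Constructed: the single AI tool this hypothetical organisation has approved.
APPROVED_AI_DOMAINS = {"copilot.microsoft.com"}

# Constructed threshold: a POST body this large is more likely a document
# upload than a typed prompt, which is the case that matters for CUI/PII.
UPLOAD_BYTES = 50_000

# Constructed proxy export (CSV). Fields: ts,user,src_ip,method,url,req_bytes.
SAMPLE_LOG = """\
ts,user,src_ip,method,url,req_bytes
2026-01-12T09:14:03Z,jdoe,10.20.1.15,GET,https://chatgpt.com/,412
2026-01-12T09:14:09Z,jdoe,10.20.1.15,POST,https://chatgpt.com/backend-api/conversation,1893
2026-01-12T09:20:41Z,asmith,10.20.1.22,POST,https://claude.ai/api/organizations/x/upload,2350112
2026-01-12T09:31:17Z,bwong,10.20.1.31,POST,https://copilot.microsoft.com/c/api/conversations,3102
2026-01-12T09:45:00Z,jdoe,10.20.1.15,GET,https://www.example.com/news,0
2026-01-12T10:02:55Z,asmith,10.20.1.22,POST,https://api.openai.com/v1/files,120044
"""


def ai_service(host):
    """Return the matching AI domain if host equals it or is a subdomain of it.

    Most specific (longest) domain wins; the '.' boundary stops
    'notchatgpt.com' from matching 'chatgpt.com'.
    """
    host = host.lower().rstrip(".")
    for domain in sorted(AI_DOMAINS, key=len, reverse=True):
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def analyze(log_text):
    """Return one finding per request that went to a known AI service."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        host = urlsplit(row["url"]).hostname or ""
        service = ai_service(host)
        if service is None:
            continue  # not AI traffic; ignore
        req_bytes = int(row["req_bytes"])
        findings.append({
            "ts": row["ts"],
            "user": row["user"],
            "src_ip": row["src_ip"],
            "service": service,
            "method": row["method"],
            "req_bytes": req_bytes,
            "approved": service in APPROVED_AI_DOMAINS,
            "possible_upload": row["method"] == "POST" and req_bytes >= UPLOAD_BYTES,
        })
    return findings


def summarize(findings):
    """Per-service inventory: distinct users, request count, large uploads."""
    summary = defaultdict(lambda: {"users": set(), "requests": 0, "uploads": 0})
    for f in findings:
        entry = summary[f["service"]]
        entry["users"].add(f["user"])
        entry["requests"] += 1
        entry["uploads"] += int(f["possible_upload"])
    return dict(summary)


def main():
    findings = analyze(SAMPLE_LOG)
    for service, entry in sorted(summarize(findings).items()):
        status = "approved" if service in APPROVED_AI_DOMAINS else "UNAPPROVED"
        print(f"{service:24} {status:10} users={sorted(entry['users'])} "
              f"requests={entry['requests']} large_uploads={entry['uploads']}")
    # Large POSTs to unapproved services are the boundary-protection findings
    # to chase first: who sent what, and could it have contained CUI or PII?
    for f in findings:
        if f["possible_upload"] and not f["approved"]:
            print(f"  review: {f['ts']} {f['user']} -> {f['service']} {f['req_bytes']} bytes")


if __name__ == "__main__":
    main()
```

The output is the starting inventory the answer above describes: every AI destination seen, who used it, and whether anything upload-sized left for a tool nobody approved. The same approach works on DNS or CASB logs; only the parsing changes.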

General

Q: We’re a small business...are we really a target?

A: Yes, and often more so than larger companies realize. Smaller organizations are frequently targeted precisely because they tend to have fewer defenses, and because they’re often a stepping stone: attackers compromise smaller vendors and suppliers to reach larger targets further up the supply chain. Size doesn’t reduce risk; it often just changes the attacker’s strategy.


Q: What’s the difference between a vCISO and a full-time CISO...do we need either?

A: A Chief Information Security Officer (CISO) provides strategic security leadership: risk decisions, program direction, and board reporting. A virtual CISO (vCISO) provides that same function on a fractional, ongoing basis — often a better fit for organizations that need senior security guidance but don’t have the budget or workload to justify a full-time executive hire.


Q: How often should we do a security risk assessment?

A: At minimum, annually, but also whenever something material changes: new systems, new vendors, a significant change in headcount, or after any security incident. For organizations under frameworks like CMMC, periodic risk assessment is an explicit requirement (NIST SP 800-171 3.11.1), not just a best practice, and the period you define has to be documented and actually followed.


Q: What’s the difference between a vulnerability scan and a penetration test?

A: A vulnerability scan is an automated process that identifies known weaknesses across your systems: broad, relatively fast, and typically run on a recurring schedule. A penetration test is a more hands-on, human-led exercise in which testers actively try to exploit weaknesses, chain them together, and determine real-world impact. Both have a place, and they answer different questions: a scan tells you what might be exploitable, a penetration test tells you what actually is and how far an attacker could get from there.

Q: We have cyber insurance...doesn’t that cover us?

A: Cyber insurance can help offset the financial impact of an incident, but it isn’t a substitute for security controls, and increasingly, insurers require evidence of specific controls (MFA, backups, security awareness training, and so on) as a condition of coverage or as a factor in claims. A policy that assumes controls are in place that aren’t can create a gap at the worst possible time.


© 2026 by Cryptid Cyber. Powered and secured by Wix
