CMMC is the abbreviation for the Cybersecurity Maturity Model Certification.
“CMMC compliant” means the Accreditation Body (AB) has certified that your organization meets the cybersecurity practice requirements outlined in Level 1, 2, or 3 of the Cybersecurity Maturity Model Certification 2.0 release.
At the time of writing, there are no CMMC compliant contractors.
The Department of Defense (DoD) has not yet finalized CMMC 2.0, but the DoD has forecast that rulemaking will occur between July 2022 and December 2023.
In the meantime, it’s not a bad idea to get an introductory understanding of what it means to be “CMMC compliant”. If you plan on doing any business with the DoD, it’s a phrase you’re going to have to get familiar with. Landing that status involves a lot of planning and cost, even if you’re a small business.
Understanding The Ecosystem
There are a handful of certified third-party assessor organizations (C3PAOs).
These organizations have completed an evaluation proctored by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Over 195 C3PAOs are waiting for the same DIBCAC evaluation.
As it stands, there aren’t any certified assessors (CAs) or certified CMMC professionals (CCPs). Training for CCP started in October 2021, with 20+ Licensed Training Partners now offering CCP training courses in the CMMC Marketplace. Exams for CCP, which will be a prerequisite for CAs, have been delayed with the release of CMMC 2.0.
Not everything in the CMMC landscape is still under development, though. There are over 100 provisional assessors (PAs).
PAs completed training provided by the CMMC-AB so that pilot assessments could launch prior to CMMC rulemaking. The release of CMMC 2.0 has put any new pilot assessments on hold for now.
There are now over 500 registered provider organizations (RPOs).
RPOs paid an application fee and went through a basic business background check. In a nutshell, RPOs are consulting companies that help organizations seeking certification (OSCs) prepare.
There are over 2,000 registered practitioners (RPs).
RPs are the consultants who’ve passed a series of CMMC modules and a basic background check. RPs work for RPOs as well as C3PAOs.
The ecosystem is set up to enable RPs to help with preparation efforts. C3PAOs are the only organizations that can contract with an organization seeking certification to conduct a third-party assessment. C3PAOs can provide consulting services, but not to any OSC they’re also assessing.
Pre-Assessment Readiness Review
Many contractors will likely complete a pre-assessment readiness review before engaging a C3PAO. The readiness review ensures that the client has identified the required evidence.
It also streamlines the assessment itself, so it’s a necessary step in the overall process.
The contractor can perform the pre-assessment readiness review themselves.
When evaluating compliance with the NIST SP 800-171A controls (the underlying framework for Level 2 under CMMC 2.0), compliance must be achieved at the assessment objective level for all scoped items. If all items within scope demonstrate compliance with each assessment objective, then the practice is performed.
If the contractor prefers outside help, the CMMC-AB marketplace lists the service provider organizations (RPOs and C3PAOs) that offer it. A contractor can also use someone who is not registered or certified in the CMMC ecosystem.
There’s a lot of value in using someone who has completed the certified programs, but it’s not required.
The readiness review involves collecting two forms of evidence for each control. Evidence can take the form of documentation, interviews, or testing. You should also have a written description of how each piece of evidence shows that the practice has been adopted.
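The two rules just described, that a practice counts as performed only when every assessment objective in scope is met, and that the readiness review should hold two forms of evidence per control with a written adoption description, are easy to lose track of across a hundred-plus practices. The following is an added example of a small readiness tracker that encodes both rules; it is not code from the article or from the CMMC-AB, and the practice and objective identifiers, evidence artifacts and the `min_forms` parameter are constructed placeholders, not real CMMC identifiers.

```python
"""Readiness-review tracker (added example, not part of the original article).

Encodes two rules from the text:
  1. A practice is "performed" only if every in-scope assessment objective is met;
     otherwise it is "other than satisfied".
  2. The readiness review should collect two forms of evidence per control
     (documentation, interview, test), each with a written adoption description.
All identifiers and artifacts below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The three forms of evidence named in the article.
EVIDENCE_FORMS = ("documentation", "interview", "test")


@dataclass
class Evidence:
    form: str            # one of EVIDENCE_FORMS
    artifact: str        # what was collected (document, interviewee role, test output)
    shows_adoption: str  # written description of how it demonstrates adoption


@dataclass
class Objective:
    objective_id: str
    met: bool                                    # do all in-scope items meet this objective?
    evidence: List[Evidence] = field(default_factory=list)


@dataclass
class Practice:
    practice_id: str
    objectives: List[Objective]


def evidence_forms(practice: Practice) -> Set[str]:
    """Distinct forms of evidence collected across a practice's objectives."""
    forms: Set[str] = set()
    for obj in practice.objectives:
        for ev in obj.evidence:
            if ev.form not in EVIDENCE_FORMS:
                raise ValueError(
                    f"{practice.practice_id}/{obj.objective_id}: unknown evidence form {ev.form!r}")
            forms.add(ev.form)
    return forms


def assess_practice(practice: Practice, min_forms: int = 2) -> Tuple[str, List[str]]:
    """Return (status, gaps).

    status follows rule 1 strictly: any unmet objective makes the practice
    'other than satisfied'.  gaps lists everything a readiness review would
    flag: unmet objectives, objectives asserted met with no evidence, evidence
    without an adoption description, and too few distinct evidence forms.
    """
    gaps: List[str] = []
    for obj in practice.objectives:
        if not obj.met:
            gaps.append(f"{obj.objective_id}: objective not met")
        elif not obj.evidence:
            gaps.append(f"{obj.objective_id}: marked met but no evidence collected")
        for ev in obj.evidence:
            if not ev.shows_adoption.strip():
                gaps.append(f"{obj.objective_id}: evidence {ev.artifact!r} lacks an adoption description")
    forms = evidence_forms(practice)
    if len(forms) < min_forms:
        gaps.append(f"{practice.practice_id}: only {len(forms)} form(s) of evidence, need {min_forms}")
    status = "performed" if all(o.met for o in practice.objectives) else "other than satisfied"
    return status, gaps


def readiness_summary(practices: List[Practice], min_forms: int = 2) -> Dict[str, dict]:
    """Per-practice status, gap list, and whether it is ready to show an assessor."""
    summary = {}
    for p in practices:
        status, gaps = assess_practice(p, min_forms)
        summary[p.practice_id] = {"status": status, "gaps": gaps, "ready": status == "performed" and not gaps}
    return summary


# Constructed sample data: one practice with complete evidence, one with gaps.
SAMPLE_PRACTICES = [
    Practice("EXAMPLE.PRACTICE-01", [  # placeholder ID, not a real CMMC practice
        Objective("obj[a]", True, [Evidence("documentation", "access-control-policy.pdf",
                                             "Section 3 names the roles authorized to hold accounts")]),
        Objective("obj[b]", True, [Evidence("test", "enabled-accounts-export.txt",
                                             "Export shows only accounts held by authorized roles are enabled")]),
    ]),
    Practice("EXAMPLE.PRACTICE-02", [  # placeholder ID, not a real CMMC practice
        Objective("obj[a]", True, [Evidence("interview", "IT manager",
                                             "Describes the quarterly account review")]),
        Objective("obj[b]", False, []),   # unmet objective: practice cannot be 'performed'
        Objective("obj[c]", True, []),    # asserted met, but nothing collected to show it
    ]),
]

if __name__ == "__main__":
    for pid, result in readiness_summary(SAMPLE_PRACTICES).items():
        print(pid, result["status"], "READY" if result["ready"] else "GAPS:", *result["gaps"], sep="\n  ")
```

Running the block prints the first practice as performed and ready, and the second as other than satisfied with three gaps: the unmet objective, the objective with no evidence behind it, and a single form of evidence where two are wanted. The status and the readiness flag are kept separate on purpose: the status is what an assessor would record, while the gap list is what the readiness review is meant to surface before the assessor arrives.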
Hurry Up and Wait
Although contractors should start preparing now, certification is still down the road.
There are only a handful of C3PAOs and no certified assessors.
The DoD has discussed exploring incentives for organizations to contract for a certification assessment prior to rulemaking but nothing has been offered at this point.
Self Certification
CMMC 2.0 allows for self-attesting to the cybersecurity requirements at Level 1, which applies to suppliers and contractors dealing only with Federal Contract Information (FCI).
The requirements for Level 1 match the current cybersecurity requirements in Federal Acquisition Regulation (FAR) 52.204-21.
Contractors and suppliers dealing with Controlled Unclassified Information (CUI) and certifying at Level 2 under CMMC 2.0 may also be able to self-attest. DoD will bifurcate contracts based on the criticality of CUI in relation to national security.
DoD expects that roughly 10,000 companies that receive or create CUI will have to self-attest. Meanwhile, another 40,000 will need to contract with a C3PAO to complete a third-party assessment.
Contracting With a C3PAO
The following is the anticipated formal process after rulemaking is complete.
OSCs will be able to identify a C3PAO using whatever means they wish. The CMMC-AB marketplace lists all C3PAOs in good standing.
The OSC and C3PAO negotiate staffing, duration and pricing. The CMMC-AB doesn’t set any of these.
The C3PAO team includes people who have appropriate domain knowledge. The OSC should review the certifications of the C3PAO and team members.
During negotiations, the C3PAO’s lead assessor and OSC also define the scope.
The lead assessor is responsible for reviewing the output of any readiness processes that may have already taken place. Since some of these materials may contain client-sensitive information, the OSC can negotiate and set access controls on the lead assessor.
For example, the assessor may view the information without being able to download it.
Proper scoping is critical to success. The OSC defines which equipment, locations, and accounts are in and out of scope. The pre-assessment readiness review process helps document the scope.
However, the lead assessor must agree with the scope definition or the C3PAO may decline to move forward with its efforts.
Where FCI and CUI are located, who has access to them, and how they access them are the variables that determine the scope.
The assessment can fail if the lead assessor identifies items that should have been in scope but were left out.
The scope must include all the equipment on the network which stores FCI or CUI. It also includes the location of any hard copy documents and wireless access points.
The duration of the assessment will vary based on a variety of factors:
Documentation provided in a readiness review
Scope
Team size
Once the C3PAO and OSC agree on terms, they enter into a contract.
The C3PAO then registers the assessment with the CMMC-AB.
This registration includes information about the OSC and its participating team members. The CMMC-AB issues the C3PAO an ID to track progress.
The Assessment
The lead assessor will create a plan after an agreement is in place. This plan defines the roles of the team members involved. The current guidance indicates that at least 4 certified assessors will participate on an assessment team. The assessment plan also defines the scope and identifies needed artifacts such as interviews or tests.
From there, the assessment team conducts an opening briefing. Meanwhile, the OSC reviews its organization chart and identifies the targeted maturity level.
Next, the team:
Reviews the process
Introduces its members
Discusses expectations for data collection methods
The OSC and assessment team will then agree upon the scope and schedule
Testing includes an on-site visit. This is necessary to confirm the controls in the physical protection domain.
The OSC should expect the assessment team to observe the work performed by certain employees. More specifically, the team will need to:
Walk around the facility
Work in a separate, private space to use as a base of operations
Have access to one or more private spaces to conduct interviews
OSC staff should be forthcoming with information throughout the entire evaluation. All interviews should take place in a private setting. OSC employees should plan to be available at the scheduled times, regardless of workload.
Every day, the assessment team will also conduct a debrief with the OSC, during which they’ll discuss the progress made and any open questions. They’ll list the controls reviewed that day, go over the schedule for the next day, and raise any roadblocks that have arisen. This process continues each day until completion.
This is a good place to note that the team cannot provide consulting advice during or after their evaluation. This includes minor changes that could benefit the OSC.
At the end of the assessment, a formal report is generated and provided to the OSC. This report identifies any controls that remain other than satisfied. It also includes a recommendation and a submission timeline to the DoD.
The release of CMMC 2.0 indicated that the assessment report is submitted directly to DoD through the Enterprise Mission Assurance Support Service.
Remediation
The OSC will have an opportunity to review the report.
If the OSC wasn’t able to show satisfactory practice adoption, they have 90 days to remedy the issue.
The ability to remediate is at the discretion of the lead assessor, who must agree that the nature of the issues allows remediation.
The release of CMMC 2.0 also allows for the limited use of a Plan of Action and Milestones (POA&M) for practices not yet performed. POA&Ms will be limited based on the practice scoring weight in the current Supplier Performance Risk System (SPRS), and a minimum overall SPRS score is expected to be required.
C3PAO Review
Once remediation is complete, the lead assessor submits the final report to the C3PAO.
The report will contain a certification recommendation.
From there, the C3PAO conducts an internal review of the assessment report. If it passes their review, they’ll send it to the CMMC-AB along with their certification recommendation.
CMMC-AB Review
After receiving the recommendation, the CMMC-AB performs a quality assurance (QA) review of the C3PAO’s recommendation.
This is an important step because it determines whether the evidence provided in the report is sufficient.
The CMMC-AB provides accreditation by approving certification recommendations made by C3PAOs.
Disputes
If certification isn’t recommended by the C3PAO, then the CMMC-AB won’t perform a QA review.
If the OSC disputes the recommendation, they need to file an adjudication request. There is a time limit: the OSC has 14 days from the completion of the report to submit this request. The written request should include evidence along with the controls in question.
The CMMC-AB then assigns a certified quality auditor (CQA) to the adjudication request. The CQA acknowledges receipt of the request and reviews the C3PAO.
The CQA verifies standing and adherence to the code of professional conduct by interviewing both the OSC and Certified Assessor (CA).
Based on the initial review, a CQA can overturn a C3PAO recommendation. If the CQA agrees with the C3PAO, the OSC can request a second, more detailed evaluation.
The CQA will perform a delta evaluation that only looks at disputed controls. This evaluation takes around 90 days and its results are final.
Certifications
CMMC certifications are entity-level. They’re an indicator of the kinds of information that an organization can receive.
Most organizations shouldn’t need more than one CMMC certification.
Certifications are valid for three years. However, changing a control process may require the organization to go through another evaluation.
Organizations should identify the roles assigned to each statement within their policies. Mapping policy commitments to requirements and roles creates a shared responsibility matrix.