Since the initial announcement of CMMC, suppliers working in federal supply chains have been anxious to take the steps required to achieve CMMC compliance. Unfortunately, it's been a "hurry up and wait" situation. Until now.
With the announcement of CMMC 2.0 on November 4, 2021, the DoD introduced changes to the methods for achieving CMMC compliance, including new self-assessment options for some companies.
At the same time, the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) has started approving candidate Certified 3rd Party Assessor Organizations (C3PAOs) as authorized C3PAOs. As more candidate C3PAOs become authorized, Organizations Seeking Certification (OSCs) will be able to step up their compliance efforts and schedule a CMMC assessment.
The CMMC framework contains 3 maturity levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
Version 1.0 of CMMC had 5 levels; CMMC 2.0 consolidated them to 3.
The CMMC level you need to meet depends on the contract you are working under.
You do not necessarily need to meet the same CMMC level as the prime contractor you work under. For example, you may only need to meet Level 1 while the prime you are subcontracted to must be at Level 2.
Typically, prime contractors are notified by the Department of Defense (DoD) directly that they need to comply with CMMC. Flow-down clauses within the contract will stipulate that any subcontractors of the prime also need to comply.
The DoD is moving from self-attested compliance with NIST SP 800-171 to verified compliance under the CMMC framework, and by October 1, 2025, all new DoD contracts will require CMMC. CMMC requirements will not be inserted into existing contracts.
If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
If you plan to bid on future contracts, you will want to be certified to the level required by the contract, RFI, or RFP. You can also base the level you certify to on internal business goals.
Since CMMC focuses on the protection of Controlled Unclassified Information (CUI), it makes sense to limit its exposure.
Determine where CUI is currently stored, processed, and transmitted within your company and its systems. Look for ways to reduce the amount of CUI you hold. If a prime contractor or other contractor sends you CUI, ask that it be limited to only the data required for you to do your work.
The less CUI you have, the easier it will be to protect it.
Before a C3PAO assessment, you can review your IT environment internally or hire an outside company to do this for you.
The pre-assessment will identify areas for remediation.
To show compliance with NIST SP 800-171 and prepare for CMMC, you develop and maintain formal documents for submission to DoD prime contractors or subcontractors upon contract initiation or renewal. These documents include a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
A POA&M identifies areas for remediation and how you plan to correct deficiencies.
You can hire an outside company, such as Corserva, to perform a pre-assessment of your IT environment and develop SSPs and POA&Ms for you.
Once you have determined what remediation needs to take place in order for your company to comply with CMMC, you implement the process and technology changes required.
Your POA&M serves as a roadmap of where you have gaps that need to be filled.
You can perform the remediation with internal resources or hire an outside IT company, such as Corserva, to execute the process and technology changes needed.
Level 1 companies can self-assess their CMMC compliance annually.
Some Level 2 companies will be able to self-assess; others will require a third-party assessment by a C3PAO.
All Level 3 companies require a government-led assessment every three years.
Companies in federal supply chains whose contracts call for a third-party assessment achieve CMMC certification by completing a CMMC assessment performed by a Certified 3rd Party Assessor Organization (C3PAO).
As the Organization Seeking Certification (OSC), your company hires the C3PAO to perform your CMMC assessment.
C3PAOs are authorized by the CMMC-AB to perform assessments.
The CMMC-AB Marketplace lists C3PAO companies. Only the companies listed here as authorized C3PAOs are approved by the CMMC-AB to perform assessments.
Companies listed in the CMMC-AB Marketplace as candidate C3PAOs have begun the process to become an authorized C3PAO, but have not yet completed the process.
Use the CMMC-AB Marketplace to research potential C3PAOs. Only hire a C3PAO that is listed as an authorized C3PAO on the Marketplace.
The CMMC-AB is the only organization that can qualify a C3PAO to perform CMMC assessments. Note that the CMMC-AB does not perform assessments directly; it authorizes C3PAO companies to perform them.
The cost of a CMMC assessment depends on several factors, including the certification level you are seeking and the size and complexity of your IT infrastructure.
Once you've hired a C3PAO company, you will schedule the assessment with the C3PAO.
The process for a CMMC assessment is as follows:
To be eligible for a contract, you must hold the required CMMC certification at the time of award.
There are no fines for non-compliance; however, you will be unable to participate in DoD contracts.
As a Registered Provider Organization (RPO), Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to DoD contractors and other Organizations Seeking Certification (OSCs).
Corserva has created an easy process to enable you to get ready for a CMMC assessment and protect your government contracts. These are the steps we follow:
The end deliverable to you is a clear set of corrective actions to take to comply with CMMC.
Get started today. Talk to a CMMC compliance expert by requesting a quote for CMMC consulting.