CMMC Certification Process
What is new about the CMMC Assessment Process?
The Cybersecurity Maturity Model Certification (CMMC) is a three-level cybersecurity standards program, so the first step is identifying which level your organization is setting out to achieve.
A CMMC self-assessment, rather than a third-party assessment, is acceptable for companies whose only obligation is to protect the information systems on which Federal Contract Information (FCI) is processed, stored, or transmitted. Organizations self-attesting to CMMC Level 1 must complete an annual self-assessment and an annual affirmation by a senior company official.
Security Practice Alignment
CMMC 2.0 is closely aligned with NIST SP 800-171 (Level 2) and a subset of NIST SP 800-172 (Level 3). Implementing those controls now covers most of the work of future CMMC compliance.
Rather than check-the-box compliance, organizations must think about becoming secure and staying that way; sustained vigilance is needed both to achieve and to maintain cyber maturity.
Factors to Consider When Determining Which CMMC Level Aligns With Your Organization’s Business
CUI (Controlled Unclassified Information): Depending on the information you handle, you will need to certify at one of the three levels.
- CMMC Level 1 is the minimum requirement for all defense contractors that handle Federal Contract Information (FCI). It establishes best practices for basic cyber hygiene.
- CMMC Level 2 is intended for companies that store, process, or transmit Controlled Unclassified Information (CUI); it maps to the 110 security requirements of NIST SP 800-171.
- CMMC Level 3 is aimed at reducing the risk from Advanced Persistent Threats (APTs). It is intended for companies that handle CUI on the Department of Defense's highest-priority programs and adds a subset of NIST SP 800-172 requirements on top of Level 2.
Status of existing infrastructure: The organization's current degree of cyber maturity also affects the effort and timeline.
Number of locations: Companies with multiple branches are likely to have different timeline requirements than those with only one facility, since every in-scope site must be assessed.
Context: Every environment is different and requires a custom approach.
Preparing for Your CMMC Assessment
Working with an experienced CMMC advisory firm like Coalfire Federal can significantly shorten your timeline to achieve CMMC Certification. Our experienced CMMC team has been providing CMMC advisory services since early 2020, helping clients become CMMC Certification Ready.
- Gap Analysis: The first step in our CMMC preparation methodology is a CMMC gap analysis to quickly determine your CMMC Certification readiness state.
- Remediation: The purpose of this remediation step is to close the gaps identified during the assessment. This process can take 6-8 months for Level 1 and up to 9-12 months for Levels 2-3.
- CMMC Mock Assessment: Coalfire Federal can help your organization prepare for its Certification Assessment by conducting an unofficial Mock Assessment. Let our trained assessors help you determine if you’re prepared for your CMMC Certification Assessment.
- CMMC Official C3PAO Assessment: An official assessment by a Certified Third-Party Assessment Organization (C3PAO), accredited by the Cyber AB and recognized by the Department of Defense, to determine whether your organization meets its target CMMC level. Note that Level 3 certification assessments are conducted by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by a C3PAO, and require a current Level 2 certification first.