Tap to call
Protect The Mission (703) 760-3801
Contact Us
Contact Us

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) framework is a verification mechanism designed to measure an organization’s maturity regarding the protection of unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 is a new set of cybersecurity standards that encompasses various cybersecurity standards, references, and other best practices. It comprises a number of processes and practices which are mapped across three (3) cumulative certification levels. 

The CMMC model is developed and managed by the Department of Defense (DoD) and is considered to be the DoD’s response to potential compromises of sensitive information that resides on Defense Industrial Base (DIB) systems and networks. The Cyber-AB, the CMMC accreditation body, is the sole authoritative source for the operationalization of CMMC assessments and training.

Third-Party Assessments

A CMMC self-assessment is acceptable only for those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted. Organizations conducting self-attestations for CMMC Level 1 will require an annual self-assessment and an annual affirmation by a senior company official.

search icon

Security Practice Alignment

CMMC 2.0 is closely aligned with NIST 800-171 and NIST 800-172. Complying with these frameworks will make significant progress towards future CMMC compliance.

medal icon

Increased Vigilance

Instead of check-the-box compliance, organizations must think more in-depth about becoming secure and staying that way. Increased vigilance will likely be necessary to achieve and maintain cyber maturity.

partners discussing computer data

How To Determine Which CMMC Level Your Organization Needs

CUI (Controlled Unclassified Information): Depending on the information you handle, you will need to qualify for at least one of the three (3) certification levels.

  • CMMC Level 1 is the minimum requirement for all defense contractors that handle Federal Contract Information (FCI). It establishes best practices for basic cyber hygiene.
  • CMMC Level 2 is intended for those companies that store, process, and/or handle Controlled Unclassified Information (CUI).
  • CMMC Level 3 is aimed at reducing the danger of Advanced Persistent Threats (APTs). It is intended for companies that collaborate with CUI on the Department of Defense’s highest-priority programs.

Status of existing infrastructure: The degree of cyber maturity exhibited by the organization can also have an impact.

Number of locations: Companies with multiple branches are likely to have different timeline requirements than those with only one facility.

Context: Every environment is different and requires a custom approach.

Preparing for Your CMMC Assessment

Working with an experienced CMMC advisory firm like Coalfire Federal can significantly shorten your timeline to achieve CMMC Certification. Our experienced CMMC team has been providing CMMC advisory services since early 2020, helping clients become CMMC Certification Ready.

  • Gap Analysis: The first step in our CMMC preparation methodology is a CMMC gap analysis to quickly determine your CMMC Certification readiness state.
  • Remediation: The purpose of this remediation step is to close the gaps identified during the assessment. This process can take 6-8 months for Level 1 and up to 9-12 months for Levels 2-3.
  • CMMC Mock Assessment: Coalfire Federal can help your organization prepare for its Certification Assessment by conducting an unofficial Mock Assessment. Let our trained assessors help you determine if you’re prepared for your CMMC Certification Assessment.
  • CMMC Official C3PAO Assessment: Official C3PAO Assessment, recognized by the Cyber AB and Department of Defense, to determine CMMC Level compliance.

CMMC Assessment and Audit Procedure

 

Embracing Early Adoption and AB Involvement

Taking a proactive stance, the Department of Defense (DoD) urges early CMMC adoption through assessments conducted by approved third-party assessment organizations (C3PAOs). Since August 2022, voluntary assessments, executed jointly by C3PAOs and the Defense Contract Management Agency (DCMA), have commenced. These evaluations pave the way for seamless conversion into coveted CMMC Level 2 certifications, poised for implementation.

Anticipating the inclusion of CMMC requirements in contracts hinges on two likely scenarios:

    1. Proposed Rule Publication: With a 60-day public comment period and subsequent review, CMMC’s transition into a final rule is expected by Q1 2025. This heralds the infusion of CMMC requirements into contracts.

    2. Interim Final Rule: In a swift move, CMMC could be published as an Interim Final Rule. This scenario circumvents the comment addressing process, ushering in CMMC requirements immediately. Organizations lagging in CMMC Level 2 compliance could face contract eligibility obstacles for over a year.

As the CMMC journey continues to unfold, equipped with the insights of impending contract implications, organizations can brace for the evolving landscape. While the process can seem daunting, we’re here to help you through it all. 

CMMC Rollout Timeline

Anticipating CMMC Rule Review and Publication

After submission to the Office of Information and Regulatory Affairs (OIRA), a customary 90-day review period awaits the CMMC rule. While historical patterns suggest quicker turnarounds, we’re looking at an estimated publication window of September to October 2023.

Engaging the Public and Crafting Final Rules

At the heart of this process lies a vital 60-day public comment period, usually ignited upon the rule’s appearance in the Federal Register. This crucial phase encourages stakeholders like you to voice opinions and foster meaningful discussions. Following this, the journey to “final rules” involves a secondary publication that encapsulates government responses to received comments and subsequent adjustments. You can anticipate this insightful public discourse from October to December 2023.

Deciphering CMMC’s Role in Contracts

The classification of the CMMC rule as either an “interim final rule” or a “proposed rule” holds key implications for its integration into contracts. An interim final rule takes effect before final rule agency responses, while a proposed rule becomes effective after incorporating public feedback into the final rule. The estimated timeline for DoD proposed rules evolving into final rules averages close to a year, hinting at the CMMC rule’s completion and contract integration around February to April 2025. However, if the CMMC rule receives interim final status, its presence in contracts could materialize as early as Q1 2024. Worth noting, the November 2021 CMMC rule was implemented as an interim rule.

Strategic Phased Roll-Out and Contractual Harmony

Elevating integration’s seamlessness, the DoD is embarking on a three-year “phased roll-out” of contract clauses. Aligned with the CMMC 1.0 approach, this strategy aims to gradually incorporate DFARS 252.204-7021 into distinct contract groups over the stipulated period. The ultimate goal? Encompassing all relevant DoD contracts by 2028, in a concerted effort to ensure compliance harmonization.

 

How Long Does Certification Last?

Once CMMC 2.0 is implemented, annual self-assessments will be required (when permitted based on certification level). Additional assessments are required every three years for Level 2 (by a certified third-party assessment organization or C3PAO) and Level 3 (government assessment) certification.   

As your trusted advisor, we’ll continue to illuminate the CMMC rule’s journey. Stay tuned for updates that empower your compliance strategy and navigate these transitions with confidence.

Certifications:

CyberAB RPO Badge 2022 - Transparent BG