CMMC Certification Process
How To Determine Which CMMC Level Your Organization Needs
CUI (Controlled Unclassified Information): Depending on the information you handle, you will need to qualify for at least one of the three (3) certification levels.
- CMMC Level 1 is the minimum requirement for all defense contractors that handle Federal Contract Information (FCI). It establishes best practices for basic cyber hygiene.
- CMMC Level 2 is intended for those companies that store, process, and/or handle Controlled Unclassified Information (CUI).
- CMMC Level 3 is aimed at reducing the danger of Advanced Persistent Threats (APTs). It is intended for companies that collaborate with CUI on the Department of Defense’s highest-priority programs.
Status of existing infrastructure: The degree of cyber maturity exhibited by the organization can also have an impact.
Number of locations: Companies with multiple branches are likely to have different timeline requirements than those with only one facility.
Context: Every environment is different and requires a custom approach.
CMMC Assessment and Audit Procedure
Embracing Early Adoption and AB Involvement
Taking a proactive stance, the Department of Defense (DoD) urges early CMMC adoption through assessments conducted by approved third-party assessment organizations (C3PAOs). Since August 2022, voluntary assessments, executed jointly by C3PAOs and the Defense Contract Management Agency (DCMA), have commenced. These evaluations pave the way for seamless conversion into coveted CMMC Level 2 certifications, poised for implementation.
Anticipating the inclusion of CMMC requirements in contracts hinges on two likely scenarios:
Proposed Rule Publication: With a 60-day public comment period and subsequent review, CMMC’s transition into a final rule is expected by Q1 2025. This heralds the infusion of CMMC requirements into contracts.
Interim Final Rule: In a swift move, CMMC could be published as an Interim Final Rule. This scenario circumvents the comment addressing process, ushering in CMMC requirements immediately. Organizations lagging in CMMC Level 2 compliance could face contract eligibility obstacles for over a year.
As the CMMC journey continues to unfold, equipped with the insights of impending contract implications, organizations can brace for the evolving landscape. While the process can seem daunting, we’re here to help you through it all.