CMMC Certification Process
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) framework is a verification mechanism designed to measure an organization’s maturity regarding the protection of unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 is a new set of cybersecurity standards that encompasses various cybersecurity standards, references, and other best practices. It comprises a number of certification processes and practices which are mapped across three (3) cumulative certification levels.
The CMMC model is developed and managed by the Department of Defense (DoD) and is considered to be the DoD’s response to potential compromises of sensitive information that resides on Defense Industrial Base (DIB) systems and networks. The Cyber AB, the CMMC accreditation body, is the sole authoritative source for the operationalization of CMMC assessments and training.
Certifications
Third-Party Assessments
A CMMC self-assessment is acceptable only for those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted. Organizations conducting self-attestations for CMMC Level 1 will require an annual self-assessment and an annual affirmation by a senior company official.
Security Practice Alignment
CMMC 2.0 is closely aligned with NIST 800-171 and NIST 800-172. Complying with these frameworks will make significant progress towards future CMMC compliance.
Increased Vigilance
Instead of check-the-box compliance, organizations must think more in-depth about becoming secure and staying that way. Increased vigilance will likely be necessary to achieve and maintain cyber maturity.
How To Determine Which CMMC Level Your Organization Needs
CUI (Controlled Unclassified Information): Depending on the information you handle, you will need to qualify for at least one of the three (3) certification levels.
- CMMC Level 1 is the minimum requirement for all defense contractors that handle Federal Contract Information (FCI). It establishes best practices for basic cyber hygiene.
- CMMC Level 2 is intended for those companies that store, process, and/or handle Controlled Unclassified Information (CUI).
- CMMC Level 3 is aimed at reducing the danger of Advanced Persistent Threats (APTs). It is intended for companies that collaborate with CUI on the Department of Defense’s highest-priority programs.
Status of Existing Infrastructure: The degree of cyber maturity exhibited by the organization can also have an impact.
Number of Locations: Companies with multiple branches are likely to have different timeline requirements than those with only one facility.
Context: Every environment is different and requires a custom approach.
Preparing for Your CMMC Assessment
Working with an experienced CMMC advisory firm like Coalfire Federal can significantly shorten your CMMC certification process. Our experienced CMMC team has been providing CMMC advisory services since early 2020, helping clients become CMMC certification ready. Based on our experience, companies typically spend 6 to 18 months preparing for the official CMMC certification assessment.
- Gap Analysis: The first step in our CMMC preparation methodology is a CMMC gap analysis to quickly determine your CMMC certification readiness state.
- Remediation: The purpose of this remediation step is to close the gaps identified during the assessment. The certiprocess can take 6-8 months for Level 1 and up to 9-12 months for Levels 2-3.
- CMMC Mock Assessment: Coalfire Federal can help your organization prepare for its certification assessment by conducting an unofficial mock assessment. Let our trained assessors help you determine if you’re prepared for your CMMC certification assessment.
- CMMC Official C3PAO Assessment: Official C3PAO assessment, recognized by the Cyber AB and Department of Defense, to determine CMMC Level compliance.
CMMC Assessment and Audit Procedure
Embracing Early Adoption and AB Involvement
Taking a proactive stance, the Department of Defense (DoD) urges early CMMC adoption through assessments, conducted by approved third-party assessment organizations (C3PAOs). Since August of 2022, voluntary assessments, executed jointly by C3PAOs and the Defense Contract Management Agency (DCMA), have commenced. These evaluations pave the way for seamless conversion into coveted CMMC Level 2 certifications, poised for implementation.
Anticipating the inclusion of CMMC requirements in contracts hinges on two likely scenarios:
1. Proposed Rule Publication: With a 60-day public comment period and subsequent review, CMMC’s transition into a final rule is expected by Q1 of 2025. This heralds the infusion of CMMC requirements into contracts.
2. Interim Final Rule: In a swift move, CMMC could be published as an Interim Final Rule. This scenario circumvents the comment addressing process, ushering in CMMC requirements immediately. Organizations lagging in CMMC Level 2 compliance could face contract eligibility obstacles for over a year.
As the CMMC journey continues to unfold, equipped with the insights of impending contract implications, organizations can brace for the evolving landscape. While the certification process can seem daunting, we’re here to help you through it all.
CMMC Rollout Timeline
Phase I – Anticipating CMMC Rule Review and Publication
After submission to the Office of Information and Regulatory Affairs (OIRA), a customary 90-day review period awaits the CMMC rule. While historical patterns suggest quicker turnarounds, we’re looking at an estimated publication window of September to October 2023.
Phase II – Engaging the Public and Crafting Final Rules
At the heart of the certification process lies a vital 60-day public comment period, usually ignited upon the rule’s appearance in the Federal Register. This crucial phase encourages stakeholders like you to voice opinions and foster meaningful discussions. Following this, the journey to “final rules” involves a secondary publication that encapsulates government responses to received comments and subsequent adjustments. You can anticipate this insightful public discourse from October to December 2023.
Phase III – Deciphering CMMC’s Role in Contracts
The classification of the CMMC rule as either an “interim final rule” or a “proposed rule” holds key implications for its integration into contracts. An interim final rule takes effect before final rule agency responses, while a proposed rule becomes effective after incorporating public feedback into the final rule. The estimated timeline for DoD proposed rules evolving into final rules averages close to a year, hinting at the CMMC rule’s completion and contract integration around February to April 2025. However, if the CMMC rule receives interim final status, its presence in contracts could materialize as early as Q1 of 2024. Worth noting, the November 2021 CMMC rule was implemented as an interim rule.
Phase IV – Strategic Phased Roll-Out and Contractual Harmony
To elevate the integration’s seamlessness, the DoD is embarking on a three-year “phased roll-out” of contract clauses. Aligned with the CMMC 1.0 approach, this strategy aims to gradually incorporate DFARS 252.204-7021 into distinct contract groups over the stipulated period. The ultimate goal? Encompassing all relevant DoD contracts by 2028, in a concerted effort to ensure compliance harmonization.
How Long Does the CMMC Certification Last?
Once CMMC 2.0 is implemented, annual self-assessments will be required (when permitted based on certification level). Additional assessments are required every three years for CMMC Level 2 (by a certified third-party assessment organization or C3PAO) and Level 3 (government assessment) certification.
As your trusted advisor, we’ll continue to illuminate the CMMC rule’s journey. Stay tuned for updates that empower your compliance strategy and navigate these transitions with confidence.
CMMC Certification Process FAQs
Please note that this FAQ is a summary and should be used in conjunction with the
official CMMC documentation for precise guidance and compliance instructions.
1. What is CMMC 2.0 and What Does it Encompass?
CMMC 2.0 is a set of cybersecurity standards developed by the Department of Defense (DoD) to verify organizations’ maturity in protecting unclassified information. It covers various cybersecurity standards, references, and best practices, mapped across three cumulative certification levels.
2. What is the Purpose of CMMC Certification?
CMMC certification is the DoD’s response to potential compromises of sensitive information in Defense Industrial Base (DIB) systems and networks. It aims to ensure the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
3. What Are the CMMC Certification Levels and Their Requirements?
CMMC Level 1: Basic cyber hygiene practices for defense contractors handling FCI.
CMMC Level 2: For companies that store, process, and/or handle CUI.
CMMC Level 3: Designed to reduce the risk of Advanced Persistent Threats (APTs) for companies involved in the DoD’s highest-priority programs.
4. How Do I Determine Which CMMC Level My Organization Needs?
Your organization’s qualification for a CMMC level depends on the type of information you handle and your existing cyber maturity. The number of locations and your unique context also play a role in this determination.
5. What Are the Steps to Prepare for a CMMC Assessment?
Working with experienced CMMC advisory firms can expedite your CMMC certification process. Steps include:
Gap Analysis: Determine your CMMC Certification readiness state.
Remediation: Close identified gaps.
CMMC Mock Assessment: Prepare with an unofficial Mock Assessment.
CMMC Official C3PAO Assessment: An official assessment to determine CMMC Level compliance.
6. What is the CMMC Assessment and Audit Procedure?
Embracing early adoption through assessments by approved third-party assessment organizations (C3PAOs) is encouraged by the DoD. Voluntary assessments in collaboration with the Defense Contract Management Agency (DCMA) have begun. The certification process includes embracing early adoption and anticipation of CMMC requirements in contracts through proposed rule publication or an interim final rule.
7. How Can I Speed Up My CMMC Certification Process?
Collaborating with experienced CMMC advisory firms, conducting gap analysis, and addressing remediation promptly can expedite your journey towards CMMC certification.