The Cybersecurity Maturity Model Certification (CMMC) framework is a verification mechanism designed to measure how well an organization protects unclassified information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 consolidates existing cybersecurity standards, references and best practices into a single model. Its practices and assessment processes are mapped across three cumulative certification levels.
The CMMC model is developed and managed by the Department of Defense (DoD) and is considered to be the DoD’s response to potential compromises of sensitive information that resides on Defense Industrial Base (DIB) systems and networks. The Cyber AB, the CMMC accreditation body, is the sole authoritative source for the operationalization of CMMC assessments and training.
Certifications
A CMMC self-assessment is acceptable only for companies whose obligation is limited to protecting information systems that process, store or transmit FCI. Organizations self-attesting at CMMC Level 1 must complete an annual self-assessment and an annual affirmation by a senior company official.
CMMC 2.0 is closely aligned with NIST SP 800-171 (the basis for Level 2) and NIST SP 800-172 (a subset of which is added at Level 3). Implementing these frameworks now makes significant progress toward future CMMC compliance.
Instead of check-the-box compliance, organizations must think harder about becoming secure and staying that way. Sustained vigilance is needed to achieve and maintain cyber maturity.
Several factors determine which level you need and how long certification takes:
Information Handled: Depending on whether you handle FCI or CUI (Controlled Unclassified Information), you will need to qualify for one of the three certification levels.
Status of Existing Infrastructure: The degree of cyber maturity the organization already exhibits also affects the timeline.
Number of Locations: Companies with multiple branches are likely to have different timeline requirements than those with only one facility.
Context: Every environment is different and requires a custom approach.
Working with an experienced CMMC advisory firm like Coalfire Federal can significantly shorten your CMMC certification process. Our experienced CMMC team has been providing CMMC advisory services since early 2020, helping clients become CMMC certification ready. Based on our experience, companies typically spend 6 to 18 months preparing for the official CMMC certification assessment.
Gap Analysis: The first step in our CMMC preparation methodology is a CMMC gap analysis to quickly determine your CMMC certification readiness state.
Remediation: The purpose of this step is to close the gaps identified during the gap analysis. This phase can take 6 to 8 months for Level 1 and 9 to 12 months for Levels 2 and 3.
CMMC Mock Assessment: Coalfire Federal can help your organization prepare for its certification assessment by conducting an unofficial mock assessment. Let our trained assessors help you determine if you’re prepared for your CMMC certification assessment.
CMMC Official C3PAO Assessment: An official assessment by a C3PAO, recognized by the Cyber AB and the Department of Defense, determines whether your organization meets the requirements of its target CMMC Level.
Embracing Early Adoption and AB Involvement
The Department of Defense (DoD) encourages early CMMC adoption through assessments conducted by approved third-party assessment organizations (C3PAOs). Since August 2022, voluntary assessments executed jointly by C3PAOs and the Defense Contract Management Agency (DCMA) have been under way. The results of these joint assessments are intended to convert into CMMC Level 2 certifications once the rule takes effect.
When CMMC requirements appear in contracts depends on which of two rulemaking paths the DoD takes:
1. Proposed Rule Publication: With a 60-day public comment period and subsequent review, CMMC's transition into a final rule is expected by Q1 of 2025. Only then would CMMC requirements start appearing in contracts.
2. Interim Final Rule: CMMC could instead be published as an Interim Final Rule. This path skips the step of addressing comments before the rule takes effect, so CMMC requirements would enter contracts immediately. Organizations that are not yet at CMMC Level 2 could then be ineligible for affected contracts for more than a year.
As the CMMC rulemaking unfolds, knowing the likely contract implications lets organizations plan ahead. The certification process can seem daunting, but we are here to help you through it.
Once the CMMC rule is submitted to the Office of Information and Regulatory Affairs (OIRA), it enters a customary 90-day review period. Historical patterns suggest quicker turnarounds, but we estimate a publication window of September to October 2023.
The rulemaking process then includes a 60-day public comment period, which begins when the rule appears in the Federal Register. This phase lets stakeholders like you submit comments on the rule. A final rule follows in a second publication that contains the government's responses to the comments received and any resulting adjustments. We anticipate this public comment phase running from October to December 2023.
Whether the CMMC rule is classified as an "interim final rule" or a "proposed rule" determines when it can be written into contracts. An interim final rule takes effect on publication, before the agency responds to public comments; a proposed rule takes effect only after the comments have been incorporated into a final rule. DoD proposed rules take close to a year on average to become final rules, which points to the CMMC rule being completed and integrated into contracts around February to April 2025. If the CMMC rule is issued as an interim final rule instead, it could appear in contracts as early as Q1 of 2024. Worth noting, the DFARS interim rule that first introduced CMMC took effect in November 2020 as an interim rule.
To smooth the transition, the DoD plans a three-year phased roll-out of contract clauses. As with the CMMC 1.0 approach, DFARS 252.204-7021 would be added to distinct groups of contracts over that period, with the goal of covering all applicable DoD contracts by 2028.
Once CMMC 2.0 is implemented, annual self-assessments will be required where the certification level permits them. Level 2 additionally requires an assessment by a certified third-party assessment organization (C3PAO) every three years, and Level 3 requires a government assessment every three years.
As your trusted advisor, we’ll continue to illuminate the CMMC rule’s journey. Stay tuned for updates that empower your compliance strategy and navigate these transitions with confidence.
Please note that this FAQ is a summary and should be used in conjunction with the official CMMC documentation for precise guidance and compliance instructions.
CMMC 2.0 is a set of cybersecurity requirements developed by the Department of Defense (DoD) to verify organizations' maturity in protecting unclassified information. It consolidates existing cybersecurity standards, references and best practices, mapped across three cumulative certification levels.
CMMC certification is the DoD’s response to potential compromises of sensitive information in Defense Industrial Base (DIB) systems and networks. It aims to ensure the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Your organization’s qualification for a CMMC level depends on the type of information you handle and your existing cyber maturity. The number of locations and your unique context also play a role in this determination.
Working with experienced CMMC advisory firms can expedite your CMMC certification process. Steps include a gap analysis, remediation of the gaps found, a mock assessment, and the official C3PAO assessment.
The DoD encourages early adoption through assessments by approved third-party assessment organizations (C3PAOs), and voluntary assessments conducted jointly with the Defense Contract Management Agency (DCMA) have begun. CMMC requirements will enter contracts either through a proposed rule followed by a final rule or, more quickly, through an interim final rule.
Collaborating with experienced CMMC advisory firms, conducting gap analysis, and addressing remediation promptly can expedite your journey towards CMMC certification.