How do contractors get a CMMC assessment?

If you’re a small business owner working with the DoD, you’ve probably heard of CMMC assessments. The CMMC assessment is part of a program under development by the Department of Defense (DoD) to audit the cybersecurity practices of the Defense Industrial Base (DIB). CMMC stands for the Cybersecurity Maturity Model Certification. It’s a three-level program, and the security requirements increase with each level.

What is a CMMC assessment?

First, a little more background on the CMMC program. Its purpose is to ensure the Defense Industrial Base (DIB) is using adequate security measures to protect digital information. It defines requirements for companies handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The levels described below set out requirements tailored to the level of risk, the sensitivity of the information being handled, and the type of information. Level 1 implements the FAR Clause 52.204-21 requirements, Level 2 is the advanced model and implements NIST SP 800-171, and Level 3 is used for the most sensitive data. The level required will be specified in the contract solicitation.

In order to see if the requirements are met, the CMMC program requires thorough assessments of a company’s security measures. The method used to complete the assessments depends on the required security level. This is in part to keep the costs of running assessments down for small businesses and small contracts.

Who needs a CMMC assessment?

Once the DFARS final rules are complete, compliance will be a requirement for most DoD contracts. Moreover, most contractors will need to complete CMMC assessments showing they meet the requirements and have a score of 110 recorded in the DoD’s Supplier Performance Risk System (SPRS).

Even though the CMMC program isn’t finalized yet, many contracts already require compliance with the National Institute of Standards and Technology (NIST) SP 800-171 – the Level 2 cybersecurity requirements. The DoD recommends that contractors prepare to be compliant even if the current contract doesn’t specify this as a requirement.

How to get a CMMC assessment

The process for getting a CMMC assessment will depend on the level. Level 1 companies, or companies that will be handling FCI but not CUI on their networks, will need to complete a self-assessment annually. This assessment will need to be affirmed by a senior company official.

Level 2 requires assessments to be conducted every three years by third-party organizations, referred to as CMMC Third-Party Assessor Organizations (C3PAOs). C3PAOs must complete their own training and certification before they can conduct assessments for other companies. We’ll discuss these requirements more later.

Level 3 requires the assessment to be conducted by the federal government. The rules and processes for this level are still being determined. They’re the most stringent requirements of all three levels, since they are designed to protect the most sensitive data.

DoD Joint Voluntary Surveillance Program

To help ease the transition to CMMC certification, the DoD has created the Joint Voluntary Surveillance Program. Under this program, contractors voluntarily have a C3PAO and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) inspect their data security practices. Once the CMMC 2.0 rules go into effect, these assessments are expected to be converted into a CMMC assessment with an SPRS score – good for three years.

Where can I find a C3PAO?

In order to verify that a company is meeting the CMMC rules, C3PAOs employ people with a thorough understanding of the rules. Only people who have passed the required tests and been certified can conduct third-party assessments. C3PAOs, Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs) are listed on the Cyber AB marketplace, where companies can find a third-party assessor.

The Cyber AB is a non-profit organization based in Maryland that accredits people working in the CMMC ecosystem. It is not a government-run organization; instead, it works with the DoD and the DIB to help set up the CMMC program and conduct the required testing.

How can I conduct a self-assessment?

To conduct a self-assessment, it’s recommended to work with experts in the CMMC requirements. Some of the steps you’ll need to follow include:

  • Knowing what CUI and FCI you have and where it is stored, processed, and transmitted
  • Taking stock of your current cybersecurity practices and workforce training
  • Understanding which parts of the CMMC program apply to your company
  • Evaluating whether your organization has gaps in its cyber hygiene
  • Making plans to upgrade and improve your IT infrastructure
  • Improving physical security measures

Get help with CMMC certification and assessment

If you’re not sure what your next steps are as a DoD contractor, reach out to us! We’re experts in helping small and medium businesses put CMMC into practice, whether you need help figuring out the requirements or upgrading your IT practices.
