CMMC 2.0 How to Get Started on This Vital Journey

In June 2021, Redspin became the first organization to earn authorization from the Cyber AB to conduct formal assessments for the Cybersecurity Maturity Model Certification (CMMC) program, earning Redspin the designation of a C3PAO. 

 But what exactly is a C3PAO and what do they do?

 A C3PAO is a CMMC Third-Party Assessor Organization. This means that as a C3PAO company, Redspin has demonstrated to the Cyber AB, the governing body that oversees CMMC accreditations, that it has successfully mastered the security processes and practices at CMMC Level 3 under the CMMC v1 model and current CMMC v2. With this Authorized C3PAO designation, Redspin can either help your organization prepare for CMMC or, when ready, conduct a formal CMMC third-party assessment to determine if you’ve met all the compliance requirements for a CMMC certification. C3PAOs hold the exclusive authority and are the only entities authorized to conduct formal CMMC assessments and issue a CMMC certification.

What is CMMC?

But first, what is CMMC and why does it matter? In January 2020, the U.S. Department of Defense (DoD) released the first version of the CMMC program designed to streamline standards and assessment processes for all organizations bidding on or renewing DoD requests for proposals (RFPs) or requests for information (RFI) for DoD programs. 

Before CMMC, organizations could self-attest that they met NIST 800-171 standards per DFARS 7012 in order to be eligible for DoD contracts. Unfortunately, attestation scores varied so greatly from DoD independent audits that the DoD initiated the CMMC program to standardize compliance validation. This resulted in CMMC 1.0. The CMMC program is in alignment with the information security requirements set by the DoD for its partners within the Defense Industrial Base (DIB). Its core objective is to secure sensitive information exchanged between the DoD and its contractors and subcontractors. Through the implementation of CMMC, the DoD seeks to bolster its confidence in the cybersecurity measures adopted by these entities, ensuring their adherence to essential security standards vital for protecting national security interests.

Initially, CMMC 1.0 spanned five certification Levels, with the expectation all organizations meet at least Level 1. The Level that an organization needed to obtain depended on RFP or RFI requirements based on protecting the Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in each contract. 

The DoD estimates as many as 300,000+ contractors could need CMMC 2.0 certification at least at Level 1.

But, there was pushback from contractors, citing issues with implementation and assessment costs. The DoD responded by beginning a review process on the requirements that DIB organizations had to be assessed against. Launched in 2021 as CMMC 2.0, the rulemaking process was expected to take about two years, although there have been several timeline adjustments since the CMMC 2.0 process began. 

 CMMC 2.0 aims to decrease program complexities, primarily by reducing the number of compliance levels from five to three. Like version 1.0, all organizations will need certification (Levels 2-3) or at least a Level 1 (self-attestation), with higher levels required for CUI projects and environments. CMMC 2.0 requirements may begin to appear in RFIs and RFPs at any time. If the rule is released as an interim final, it could start being included immediately upon its release. However, if it’s introduced as a proposed rule, it might start being incorporated into all contracts requiring compliance as early as 2024.

CMMC 2.1 and beyond

In a recent leak, drafts of the updated CMMC 2.1 model and assessment guides were inadvertently shared and posted to reginingo.gov. The documents, which were quickly removed, offered insight into the long-awaited rulemaking process.

CMMC 2.0 applies to all DIB contractors and subcontractors that process, store, and/or transmit FCI/CUI. If your organization falls into this category, it’s essential to start working towards CMMC compliance and validating your DFARS 7012 requirements right away, even if the official implementation is scheduled for the future.

All DoD contractors are required tomaintain the appropriate CMMCLevel for the lifecycle of each of their contracts. Prime contractors are required to ensure all of their subcontractors meet the appropriate CMMC requirement based on the type of data these subcontractors are storing, processing, or transmitting.

So, how do you do that? How do you ensure you’re compliant and ready to bid on those contracts? This is where you’ll need a C3PAO.

What is a C3PAO?

A C3PAO is an organization the Cyber AB has, currently, authorized to conduct an official third-party CMMC assessment. 

 What is the Cyber AB?

The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) program. It is the only organization authorized to implement and oversee the CMMC standards. The Cyber AB authorizes and accredits C3PAOs so they can conduct formal CMMC assessments and certifications. Initially, the Cyber AB (formerly known as the CMMC AB) oversaw the examination processes for all CMMC assessors and instructors. These responsibilities have shifted to the Cybersecurity Assessor and Instructor Certification Organization (CAICO).

When your organization wants to become CMMC certified, you’re considered an Organization Seeking Certification (OSC). All organizations that process, store, and/or transmit FCI/CUI are required to meet at least Level 1 of CMMC. If CMMC Level 1 (and in limited cases Level 2) is required, your organization can perform a self-assessment following the CMMC Assessment Guide for the appropriate CMMC Level. Subsequently, you should report your findings through the Supplier Performance Risk System (SPRS).

If you need a Level 2 certification, you’ll need to work with a C3PAO for this process. And, while Level 3 requires a DoD assessment, first, you must successfully complete Level 2 with a C3PAO. It’s important to note that the same C3PAO cannot provide consultation for the implementation of Level 3 requirements after assessing Level 2.

No matter the level, all organizations will find it beneficial to work with a C3PAO, even OSCs needing only a Level 1 self-attestation may find it beneficial to work with a C3PAO. A C3PAO can look into your program with a subject-matter expert (SME) perspective to ensure you’re not overlooking requirements, identify gaps, and help develop a roadmap to mature your CMMC practices to successfully scale to higher Levels as you need them.

After your C3PAO completes its assessment, if you have successfully met all of the CMMC requirements for the specified Level, the C3PAO will issue its findings and certify you’re in compliance. The C3PAO will submit your assessment data and certification to the DoD’s CMMC Enterprise Mission Assurance Support Services (eMASS) database. While your assessment information is not public, you may certainly find it beneficial to include your CMMC certification in your publicity, sales, and marketing efforts to demonstrate you’ve successfully implemented industry-recognized best practices for protecting sensitive data. 

A CMMC certification is currently stated as valid for three years; however, each year you must attest your organization is still CMMC compliant before undergoing a new assessment triennially. Although not required, your annual reviews are also a great time to work with a C3PAO or Registered Practitioner Organization (RPO) partner, especially if your environment or operations have changed during that time period. These SMEs can help identify potential deficiencies your internal teams might overlook.

What is an RPO?

It’s crucial to emphasize that if a C3PAO provides consultation services to your organization regarding CMMC compliance, this involvement disqualifies them from subsequently conducting a CMMC assessment for your organization. In other words, a C3PAO cannot both advise on compliance and assess your organization’s compliance in a CMMC assessment. This separation of roles is important to ensure the integrity and impartiality of the assessment process.

A CMMC RPO, or Certified CMMC Registered Practitioner Organization, is a specialized entity that has obtained official recognition for its expertise in assisting organizations with achieving compliance under the CMMC framework. These organizations employ professionals who are certified and skilled in guiding businesses through the complex process of aligning their cybersecurity practices with CMMC requirements. CMMC RPOs offer valuable services such as consulting, training, and advisory support. RPOs are not authorized to conduct actual CMMC assessments. The RPO role exists exclusively to provide CMMC guidance and support to OSCs in the DIB. Working with a CMMC RPO can be a strategic choice for organizations seeking to meet CMMC standards efficiently and effectively.

Who conducts CMMC assessments within a C3PAO?

C3PAOs use Certified CMMC Assessors (CCAs) to conduct assessments. CCAs may be supported by a Certified CMMC Professional (CCP), an entry-level designation all individuals must obtain before becoming a CCA. The CCP exam spans three-and-a-half hours with 170 multi-choice questions. Candidates must score 500-plus to pass. 

CCPs in good standing are authorized to provide consultancy services to support OSCs seeking to implement CMMC Level 1 and CMMC Level 2. CCPs are also authorized to participate as an official assessment team member reviewing the Level 1 CMMC practices.

Both CCPs and CCAs undergo rigorous training, obtaining certification through a Licensed Training Provider (LTP) using the Cyber AB Authorized Training Material (CATM) accredited course. CCPs and CCAs must meet all defined pre-requisites for the designated role, pass the exam, and obtain a favorable suitability.

Does my organization need a C3PAO?

All DIB organizations will have to go through CMMC at some level. If your organization processes, stores, and/or transmits FCI/CUI, and you wish to maintain existing DoD contracts or bid on new DoD opportunities, your organization will likely require an independent 3rd party CMMC certification. Level 2 certification will need to work with a C3PAO for an authorized assessment to get CMMC certified. While not required Level 1, organizations can benefit from working with a C3PAO to identify program or control deficiencies and to help establish a remediation plan for issues before completing a self-attestation. Similarly for Level 3, which is subject to a DoD assessment, Level 3 candidates can work with a C3PAO to ensure pre-audit compliance. It’s crucial to reiterate that a C3PAO is not permitted to offer consulting services and conduct an assessment for the same organization.

 Your organization, regardless of certification Level, may also find it beneficial to work with a C3PAO for a third-party assessment to ensure you’re in compliance with your annual attestation to maintain your CMMC certification.

What happens during a CMMC 2.o assessment?

The Cyber AB’s CMMC Assessment Process (CAP) outlines the processes C3PAOs should undertake when conducting an official CMMC Level 2 assessment. While each C3PAO may have its own implementation strategy for these processes, the CAP spans four phases and outlines activities that align with each. Again, this is one of the key points of CMMC — to ensure consistent assessment processes across the entire DIB, regardless of who conducts the assessment.

The CAP looks like this:

    Plan and prepare
    Assess
    Report
    Address and resolve (if needed) a Plan of Action and Milestones (POA&M)

If your CMMC assessor does not discover any deficiencies, you won’t need a POA&M and therefore your assessment will only comprise permitted in limited instances. In some cases, the DoD may award a contract with a set-time POA&M in place. As of the time of this blog, if this is the case, an contractor would be issued an interim certificate until all the POA&M items are closed out as part of phase 4. The certificate is issued by the C3PAO under official CMMC assessments. When rulemaking is complete, there is likely to be additional guidance on the minimum number of requirements that must be met and those that cannot be left out before using a POA&M for contract awards.

During your assessment, the assessor will review your standards, implementations, policies, and procedures to ensure you meet all the requirements for the appropriate certification Level:

Level 1, basic cyber hygiene: 17 practices
Level 2, Intermediate cyber hygiene: 110 practices that align with NIST 800-171
Level 3: As of now, the DoD has not completed the finalization of all the requirements for CMMC 2.0 Level 3. However, Level 3 will probably incorporate NIST 800-172.

For Level 1 self-attestation, or Level 2 and 3 third-party assessments, you must implement all prescribed practices for each Level to pass your assessment.

Until the finalization of the CMMC rulemaking process, OSCs have the option to voluntarily participate in the Joint Surveillance Voluntary Assessment Program (JSVAP). The JSVAP is administered by a C3PAO in collaboration with the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This assessment evaluates the OSC’s adherence to NIST 800-171 practices, and successful organizations receive a DIBCAC High certificate. This certificate will later be replaced by a CMMC Certificate once the official rule is established and will be valid for three years.

Benefits of working with a C3PAO?

Because of CMMC’s evolving timeline and requirements, it can be difficult to keep up with everything happening, much less develop, implement, and manage a CMMC program when the final rulemaking is not complete. This is one of the many benefits of working with a C3PAO on your CMMC compliance journey.

  Other benefits of working with a C3PAO include:

Keeping track of all the changes and timelines so you don’t have to
Experts are well-versed in industry-standard best practices and can apply them throughout the organization.
Pre-assessments to help proactively identify and resolve issues before your formal assessment
Offers pathways to advanced practices.
Holistic oversight of your entire initiative, beyond mere compliance checkboxes.
Alignment of CMMC requirements with your other security and compliance frameworks and controls
Assurance that FCI and CUI remain secure.
Enhances your business growth by pursuing a broader range of contracts as your enterprise expands.
Risk assessments and business impact analysis to understand the impact on critical operations
Continuous risk oversight to consistently uphold CMMC standards.
Help plan risk response strategies and evaluate the effectiveness of current plans
The ability to automate manual processes to streamline efficiencies and reduce costs
As a third party, the C3PAO may identify risks and other issues that those doing the day-to-day work might miss
Help to identify deficiencies and develop a POA&M with resolution support and timelines

How to choose a C3PAO for CMMC certification ?

Today, there are fewer than 50 organizations the Cyber AB has authorized as C3PAOs. While each has demonstrated they’ve mastered CMMC assessment requirements, it can still be confusing to know how to choose a C3PAO for your CMMC certification. There are a range of factors to consider, everything from your budget and timeline, all the way through the ins and outs of service delivery. While each organization will have unique guide points for this process, there are some important things to think about before signing an SLA with your next assessor. Here are some things to look for in choosing a C3PAO:

Is listed in the Cyber AB Marketplace
Has experience in cybersecurity and compliance
Will collaborate with your teams to ensure the assessment process is efficient and successful/is a culture fit for your organization
Has certifications, experience, and other industry-recognized credentials, for example, NIST CSF, ISO 270001, HITRUST, PCI DSS, DoD and government clearances, etc.
Will share the number of, experience, and success of its CCAs, CCPs, and LTPs
Offers a readiness assessment
Has experience creating and closing out POA&Ms or other remediation services
Conducts gap assessments
Will guide you on documentation and evidence-gathering
Goes beyond a checkbox approach to ensure compliance
Has a transparent and easy-to-understand fee structure
Can tailor service offerings to your specific needs
Offers project/delivery timelines that align with your goals
Information about the number of successful CMMC or similar assessments already conducted
Use cases to illustrate successful engagements with other organizations
Positive customer reviews and testimonials

 And finally, look for a C3PAO who has deep knowledge of CMMC and your specific industry. Redspin’s SMEs, for example, have more than two decades of experience working with a range of organizations from small businesses to Fortune 500s across a range of industries such as government, aerospace, finance, technology, and manufacturing. The company has already successfully completed early JSVAP assessments while waiting for CMMC 2.0 finalization.

CMMC 2.0 FAQ

1. When will CMMC 2.0 be required for DoD contracts?

CMMC 2.0 won’t become a mandatory contractual obligation until the Department finishes the rulemaking process required for program implementation. The rulemaking procedure, along with its associated timelines, is expected to finalize in 2024. It is only after the rulemaking process reaches its conclusion that CMMC 2.0 will transition into a contractual requirement.

2. How long does a CMMC 2.0 assessment take?

There are a range of factors that will determine exactly how long your CMMC 2.0 assessment might take, for example, your organization size and industry, intended CMMC Level, and maturity of existing cybersecurity and compliance practices. However, it generally takes about eight months to around a year to address all necessary aspects. The official CMMC assessment process itself, encompassing Phase 1 to Phase 3, typically takes around four weeks. Subsequently, Phase 4 involves the creation and execution of a POA&M, which might extend up to approximately 180 days (about 6 months) following the presentation of the final findings report. It’s important to note that the definitive version of the CMMC Assessment Process (CAP) has not been formally released yet. This is the operational framework that has been utilized thus far.

3. Should I do a pre-assessment?

Yes. If you want to become CMMC certified, it’s a good idea to conduct a pre-assessment to identify gaps before your formal assessment. This is something you can do on your own, but you may find it more beneficial to work with a C3PAO who has expertise in this area and can identify issues commonly overlooked by internal teams.

4. What happens when there is a POA&M?

If your organization doesn’t successfully meet all of the practice requirements for your intended CMMC certification Level, you will not be issued a formal certification. Instead, the C3PAO’s findings will likely include a POA&M to address these issues. The POA&M should identify the problem, offer remediation strategies, and set a timeline for rectification. When all requirements of the POA&M are met, you can undergo another assessment for attestation and, if successful, receive your CMMC certification.

5. What is the process for starting a JSVAP?

The first step is to reach out to a C3PAO.

6. What CMMC 2.0 Level do I need?

When navigating the CMMC framework, it’s crucial to recognize that the selection isn’t always straightforward as one might hope and expect. For example, Level 1 is tailored for organizations that receive, store, process, or transmit Federal Contracting Information (FCI). Whereas, CMMC Level 2 is intended for organizations who receive, store, process, or transmit Controlled Unclassified Information (CUI) in support of a government contract.

To make an informed selection, organizations must understand their data type, sensitivity, context, and how this data moves through their organization. Understanding this aspect, helps organizations ensure they are not only selecting the appropriate CMMC level but that they are correctly defining the scope for their assessment.

7. Will prime & subcontractors be required to maintain the same CMMC Level?

If contractors and subcontractors are handling the same type of FCI and CUI, then yes the same CMMC Level will apply. However, in situations where the prime contractor only shares specific information, the subcontractor may be held to a different CMMC Level.

8. How do I know if I have FCI or CUI?

The Chief Information Officer, Department of Defense website states: The definition of FCI is in FAR 52.204-21 and CUI in 32 CFR Part 2002, respectively.

The DoD CUI Quick Reference Guide, located at https://www.dodcui.mil, includes information on CUI. In addition, the Defense Counterintelligence and Security Agency (DCSA) provides answers to Frequently Asked Questions, available at https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/21-10-13%20CUI%20FAQ%20FINAL.pdf.

These FAQs describe the difference between FCI and CUI as follows: “Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. However, while FCI is any information that is ‘not intended for public release,’ CUI is information that requires safeguarding and may also be subject to dissemination controls.”

If you have specific questions about CUI/FCI, we encourage you to reach out to a C3PAO!

9. Will my organization need to be certified if it does not handle FCI/CUI?

Contractors are already required to safeguard information by inclusion of contract clauses under FAR 52.204-21 (FCI) or DFARS 252.204-7012 (CUI).

The DoD’s intent under the CMMC program is to require assessment against t NIST SP 800-171 only when safeguarding of CUI is required. For some programs or some CUI, DoD will require certification based on assessment by a C3PAO or the Government, rather than relying on a self-assessment.

If a DIB company does not process, store, or transmit CUI on its unclassified network, but does process, store or handle FCI, then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.

10. How much will an assessment cost?

The cost of CMMC assessments relies on factors like the CMMC level, the complexity of the DIB company’s unclassified network within the certification boundary, and market conditions.