We recently had the pleasure of attending a webinar hosted by Ty Schieber, CMMC Accreditation Board Chairman; and Mark Berman, who sits on the CMMC board of directors and also chairs its communications committee. The insightful webinar sought to provide an update on the current state of the cybersecurity maturity model certification (CMMC), as well as the path forward for those that wish to become certified third-party assessment organizations (C3PAOs) and assessors. It provided some interesting takeaways that we thought might be helpful to our clients and defense contractor community, so we’ve distilled them here. 

First things first: CMMC is still very much on track for rollout this year. Some had speculated that the widespread reshuffling caused by the COVID-19 pandemic would slow the Department of Defense (DoD)’s momentum, but Schieber and Berman emphasized that it’s full steam ahead! In fact, they explained that, as soon as this week, they will be unveiling the criteria for interested parties that wish to apply as a C3PAO. Shortly thereafter, they will begin accepting applications for C3PAOs and assessors. 

As a reminder, certified third-party assessment organizations (C3PAOs) will hire and train certified assessors. In turn, defense contractors will engage these C3PAOs – who are accountable to the accreditation body – to achieve CMMC certification. As we discussed in a recent article for Fifth Domain, contractors will be able to identify the CMMC level required for a contract in request for proposal (RFP) sections L and M, and use that as “qualification-to-bid” criteria in the proposal process. In short, CMMC is something you can’t avoid if you want to continue doing business with the DoD, and the message was loud and clear that organizations seeking certification (OSCs) – essentially, every organization that sells to, or provides services to, the DoD – should embark upon the certification process as early as possible. 

In addition to outlining the process for prospective C3PAOs and assessors, Schieber and Berman offered a general overview of how the introduction of CMMC will affect the request for proposal (RFP) process for defense contractors. Here’s what we learned: 

The Path to Becoming an Assessor:

  1. CMMC assessors should undergo training via a CMMC Accreditation Board licensed provider. This training aims to ensure that they acquire a clear understanding of CMMC’s aims, as well as the various practices and processes that organizations are required to implement at each phase (“maturity level”) of the certification process. 

It’s important to note that the path to becoming an assessor is staggered, meaning that an individual must complete each level of training before they are able to advance to the next. For example, they will begin with Maturity Level 1 and learn how to conduct assessments at that level specifically, before being able to move on to the next stage. At this point, Maturity Level 5 assessment will not be available – as one might imagine, this requires quite an advanced level of training. 

  2. At this early stage, the prospective assessor must also sign a license agreement and pay the fee associated with procurement of their license. 
  3. After completion of their training, the assessor will then conduct their first assessment under contract with a C3PAO. This assessment will be observed in full by an Accreditation Board professional, with a subsequent report being submitted to the CMMC Accreditation Board for review. 
  4. Once approved to move forward, the assessor should approach the CMMC Accreditation Body to seek testing. At this stage, a background check will be conducted: a commercial check is required for Maturity Level 1, whereas Maturity Level 3 and above will necessitate either National Agency Check with Inquiries (NACI) clearance or some other governmental background check, as established by the Accreditation Board.

The Path to Becoming a C3PAO:

  1. The first step for prospective C3PAOs is to complete an application online, and pay the corresponding, non-refundable application fee (the amount of which is yet to be announced). 
  2. The CMMC Accreditation Board will then review and interview the applicant’s executive team as part of the approval process.
  3. If approved, the newly minted C3PAO must review and sign a license agreement, code of professional conduct and conflict of interest agreement. At this time, they will also pay their annual license fee.
  4. Finally, the new C3PAO will become listed in the marketplace, and their certified assessors will show as being affiliated with their organization. The private marketplace, which will offer competitive pricing, will enable contractors to select and schedule their assessments directly with their chosen C3PAO.

How will CMMC affect the RFP process for defense contractors? 

Future DoD contracts will explicitly identify the maturity level required for bidders, but contractors handling basic controlled unclassified information (CUI) will need to achieve Maturity Level 3 certification or above. However, it’s worth noting that contract and trusted supplier information is not considered CUI at Maturity Level 3 – therefore, if the only CUI you hold is your actual contract information, you may be able to circumvent this requirement. In short: CMMC Maturity Level 1 will be a prerequisite but, if you can verify that you won’t be handling CUI, Maturity Level 3 might not be necessary just yet. 

It’s unlikely that you’ll have much lead time here, since RFPs are unlikely to be released six months in advance of the contract start date. To that end, Schieber and Berman advised contractors to engage in conversations with their procurement officers and/or prime contractors to determine whether they will be handling CUI, and whether it’s possible to complete the work without receipt of CUI. 

Finally, Schieber and Berman reiterated that, despite the recent emphasis on CMMC requirements, NIST 800-171 is not going anywhere, and will remain a core requirement for contractors wishing to do business with the U.S. government. 

What else do we need to know? 

There were a few important questions that were addressed within the webinar, and so we thought it was worth highlighting Schieber and Berman’s responses: 

  • Contractors will have up to 90 days to resolve any issues that manifest prior to closing the assessment, allowing a limited time for remediation by OSCs. This is both good and bad news, as there will be time to remediate if an OSC falls short of the desired level, but the time will be limited. Therefore, OSCs should take all necessary steps to ensure that they are ready to undergo an assessment. 
  • For each maturity level that you are seeking, you should have a robust plan – including assigned timelines – that speaks to how you will meet certain best practices. This is called a “Plan of Action & Milestones” (POA&M), and must be in place before CMMC certification can be granted. 
  • CMMC assessors may also act as consultants as part of their practices, but if you select a C3PAO for your assessment, they are not authorized to prepare you for that assessment or advise you on remedial measures with respect to that assessment. Therefore, if any issues are flagged and require addressing, you will need to identify and hire another qualified third party to counsel you on the next steps required to achieve compliance. 
  • An organization’s certification under CMMC will be good for three years, meaning that, once they have been audited and certified at a certain maturity level, the organization retains that level of certification for a period of three years before they are required to undergo another audit. However, it’s important to think of compliance as an ongoing, continuous process – as longtime corporate lawyers, we’ve seen clients learn first-hand that preventative measures are often more effective (and less costly) than remedial ones. Schieber and Berman also explicitly stated that the Department of Defense expects all CMMC-certified companies to remain compliant on an ongoing basis during the term of their certification, so if a mid-cycle audit occurs, you will have to be prepared to substantiate your ongoing compliance.
  • The recertification process will likely be identical to the certification process, so you don’t want to be scrambling at the last minute to bring yourself up to compliance with the latest standards. You should look to remain continually apprised of, and in compliance with, the latest parameters. 

We hope this recap has been helpful. InFront Compliance is committed to working closely with organizations in the defense industrial base (DIB), helping them navigate the rapidly unfolding CMMC parameters and remain competitive. Our built-in collaboration tools reduce human error and keep critical control items from falling through the cracks, driving confidence and defensibility in CMMC requirements as they continue to evolve. Interested in learning more? Reach out via our website at www.infrontcomliance.com.