What is CMMC 2.0? Breaking Down the CMMC Assessment Process

July 29, 2025 | Compliance, Cybersecurity, Cybersecurity Consulting

Discover the essentials of the Cybersecurity Maturity Model Certification (CMMC) 2.0 and learn how its assessment process ensures cybersecurity compliance within the Defense Industrial Base (DIB).

Understanding CMMC 2.0: A Necessary Update for Cybersecurity

CMMC 2.0 is the U.S. Department of Defense’s (DoD) revamped initiative aimed at enhancing the cybersecurity posture of the Defense Industrial Base (DIB). With threats evolving, this update ensures controlled unclassified information (CUI) and federal contract information (FCI) are safeguarded more effectively. It introduces streamlined and tiered processes that align more closely with the National Institute of Standards and Technology (NIST) guidelines, specifically NIST SP 800-171.

Overseen by the Office of the DoD Chief Information Officer, CMMC 2.0 is administered by the CMMC Program Management Office. The Cyber AB, designated as the sole accreditation body for the CMMC Program, supports it under a no-cost contract with DoD and accredits the CMMC Third-Party Assessment Organizations (C3PAOs) that perform certification assessments. The updated model favors clarity and simplicity: the required level depends on the type of information an organization handles, and the requirements at each level map directly to existing NIST publications rather than to CMMC-specific practices.

Who Needs CMMC 2.0 Certification?

CMMC 2.0 applies to contractors and subcontractors within the DIB that handle CUI or FCI. This includes a wide range of entities, from large defense contractors to small- and medium-sized enterprises that provide products and services to the DoD. The required level is stated in the solicitation and flows down to subcontractors based on the information they receive, and the requirement is being phased into DoD contracts over several years rather than applied to every contract at once.

The program ensures these organizations adhere to a consistent set of cybersecurity requirements, thereby protecting sensitive information from cyber threats. Companies must hold the required CMMC status (a self-assessment or certification, depending on the level) before contract award, so waiting until a bid is won is too late to begin preparation. This requirement aims to create a unified standard for cybersecurity across the DIB, enhancing overall national security.

Scoping CMMC: Levels and Requirements

CMMC 2.0 introduces three levels, each with specific requirements tailored to the sensitivity of the information handled. 

  • Level 1—Foundational: Applies to companies that handle FCI and requires the 15 basic safeguarding requirements of FAR 52.204-21. Level 1 is satisfied by an annual self-assessment, although some organizations still engage a C3PAO or consultant to validate their readiness. 
  • Level 2—Advanced: Applies to companies that handle CUI and requires implementation of all 110 security requirements in NIST SP 800-171. Depending on the contract, Level 2 is verified either by a triennial C3PAO assessment (Level 2 certification) or by a triennial self-assessment, in both cases accompanied by an annual affirmation from a senior official. 
  • Level 3—Expert: Intended for the highest priority programs. It requires a current Level 2 certification from a C3PAO as a prerequisite, adds 24 selected requirements from NIST SP 800-172, and is assessed by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by a C3PAO.

Scoping for CMMC involves defining the assessment boundary: identifying the systems and assets that store, process, or transmit CUI or FCI, together with the assets that provide security protection for them (for example, identity providers, SIEM, and boundary firewalls), since those are also assessed. A poorly drawn boundary is one of the most common causes of a failed or delayed assessment: if CUI flows into a system that was left out of scope, that system is in scope whether or not it was documented. Organizations must ensure their cybersecurity practices meet the requirements of their designated level across the whole boundary to achieve certification. Done well, scoping keeps the assessment focused on the relevant environment while still providing a comprehensive evaluation of the organization's cybersecurity posture.

A Step-by-Step Breakdown of the CMMC Assessment Process

The CMMC Assessment Process is divided into four phases, each designed to methodically evaluate and certify an organization’s cybersecurity practices. The process begins with preliminary proceedings, where the Organization Seeking Certification (OSC) initiates contact with a CMMC Third-Party Assessment Organization (C3PAO) and frames the assessment scope.

  • Phase 0: Preparing for assessment can take several months and should be treated as a "phase 0." If your organization does not have an internal CMMC expert, we recommend engaging a qualified CMMC implementation specialist to guide the effort. By the time phase 1 begins, we, as assessors, expect all preparations to be complete: a defined scope, a System Security Plan (SSP) that matches the environment as built, evidence collected for every requirement, and full readiness for evaluation.
  • Phase 1: Plan and prepare. The C3PAO conducts a pre-assessment to review the SSP, validate the assessment scope, and confirm the OSC is ready to proceed. 
  • Phase 2: Conduct the assessment. Assessors evaluate conformity to each security requirement using the three NIST assessment methods: examining documents and configurations, interviewing personnel, and testing controls in operation.
  • Phase 3: Report results. The assessment team compiles the findings, the C3PAO performs a quality assurance review, and an Out-Brief Meeting conveys the results to the OSC. 
  • Phase 4: Close out. The Certificate of CMMC Status is issued and any Plan of Action and Milestones (POA&M) items are closed. Note that POA&Ms are not permitted at Level 1, and at Level 2 a conditional status is granted only when the score meets the minimum threshold and only certain requirements are open; those items must be closed within 180 days or the conditional status lapses.

Projecting Timelines for CMMC Assessment Completion

An organization's size, complexity, and target level all influence the time it takes to complete a CMMC assessment. The process begins with preparation and scoping, which for most organizations takes several months, not weeks, because gaps found against NIST SP 800-171 must be remediated and evidence gathered before an assessor is engaged. Once the C3PAO is engaged, the pre-assessment phase may take a few days to a week, depending on the readiness of the OSC.

The actual assessment, Phase 2, can range from a few days to several weeks, contingent on the size of the boundary and the depth of evaluation required. Reporting and quality assurance reviews in Phase 3 add additional time, leading to the final phase of certificate issuance and POA&M closeout. Overall, organizations should plan for a multi-month process, building in ample time for preparation, assessment, and remediation where necessary.

BARR Advisory’s CMMC consultants guide you every step of the way, helping you meet DoD standards and grow your government contracting opportunities. Contact us today to get started.
