CMMC Assessment Explained – 2023 Update
In early 2020, the Department of Defense (DoD) unveiled Cybersecurity Maturity Model Certification (CMMC). This strict cybersecurity standard exists to protect sensitive government information among defense contractors. If you want to work with the DoD, you need to prove your compliance with the CMMC requirements.
The latest version of CMMC (CMMC 2.0) was announced in November 2021. This new version cuts down on some of the requirements, but many contractors will still require an official third-party CMMC assessment to keep their contracts.
So what is CMMC assessment? What will the assessment involve? And how can your business prepare?
What Is a CMMC Assessment?
CMMC assessment is an official process to evaluate your cybersecurity maturity.
Hackers know that it’s much easier to steal sensitive information from government contractors than from the government’s own highly protected systems. That’s why the DoD now requires specific cybersecurity controls based on the sensitivity of the information you handle.
CMMC Level 1
If you only handle federal contract information (FCI), you only require CMMC Level 1, and you will not need an official CMMC assessment.
CMMC Level 2
But if you handle any controlled unclassified information (CUI), you will require CMMC Level 2. Most if not all Level 2 contractors will need to undergo an official assessment before certification.
Learn more about the difference between FCI and CUI.
What is a C3PAO?
To receive the assessment, you must hire a CMMC Third-Party Assessor Organization (C3PAO). These companies have been authorized by the CMMC Accreditation Body (CMMC-AB) to perform official CMMC assessments. The CMMC-AB will issue a certificate based on the results of your assessment.
Webinar
CMMC Assessments – What to Expect
To become CMMC Level 2 certified, you’ll need to pass a CMMC assessment by a 3rd-party assessment company called a C3PAO. CMMC assessments are highly detailed and require demonstrable evidence that you meet each of the NIST SP 800-171 controls. In order to be certified, all 320 control objectives must be met.
In this session, we pull back the curtain on a CMMC assessment. Join us as we peek into the details of a CMMC assessment to help you be well-prepared.
What Does the CMMC Assessment Process Involve?
The third-party CMMC assessor will follow a series of steps to ensure your compliance. Here’s a look at some of the areas the assessor will consider:
Scope of Business
Most DoD contractors do more than just DoD contracting work. Some parts of your organization might fall outside the scope of CMMC requirements. You can save time and money by excluding parts of your business that don’t require official assessment,
It’s your responsibility to determine which parts of your organization must undergo the assessment process. The C3PAO is responsible for validating that scope.
Technical Scope Determination
This step, known as the “Authorization Boundary,” is a complicated part of the assessment process. The boundary might encompass your entire business, or it might cover a subset of your network. It all depends on the size of your business and the information you handle.
What government information lives on your network? How does it travel? These questions will affect your technical scope.
Review of Currently Implemented Cybersecurity Controls
The assessment will include an evaluation of all the cybersecurity controls you’ve implemented. This part of the assessment will focus on your technical scope, where most of your government information is handled.
Here, documentation will be key. To demonstrate ongoing compliance, you will need to show your assessor the required documents.
After identifying the controls you’ve implemented, the assessor will make sure they’ve been implemented correctly. This involves a variety of testing methods.
Reviewing Plans of Action and Milestones
Before the CMMC 2.0 update, all contractors were expected to achieve a perfect 100% assessment score to receive certification. Now contractors can submit a time-bound Plan of Action and Milestones (POAM) for less essential items. This allows you to present a definite plan to cover requirements you haven’t met.
A POAM makes cybersecurity more realistic. This plan can help you prepare for ongoing technology requirements in areas like end-of-life hardware, software upgrades, and control implementation.
But remember: many requirements will be deemed too essential for a POAM to cover. It’s best to prepare for full compliance.
Issuing your Certification
After the assessment, the C3PAO will submit an official report to the CMMC-AB for final review. This document will include all the details of the assessment, showing whether you have met the requirements for your necessary certification level. The CMMC-AB will conduct a quality assurance check to confirm the assessor’s findings.
After this check, the CMMC-AB will issue its own report. It will either confirm your certification or identify deficiencies to be corrected. If you’ve met the requirements, you will receive your certification.
How to Prepare for a CMMC Assessment
If you’re planning for CMMC certification, appropriate preparation is crucial. The following tips can help you get ready for the assessment process.
Start Early
Even if you already have a mature cybersecurity program in place, you should start the preparation process well before the assessment date. The CMMC-AB recommends allowing at least six months of preparation time.
But if you work with cybersecurity experts who know CMMC, you can significantly cut down this prep time. Our expert-driven CORE Vault™ solution has helped contractors achieve compliance with all the technical controls in as little as 30 days.
Clearly Define your CUI Scope
Determine which assets and systems fall within the CMMC scope. This depends on which assets and systems interact with controlled unclassified information (CUI).
You can identify this scope by conducting an internal assessment or hiring a Registered Provider Organization (RPO) like Core Business Solutions to manage the process for you.
Conduct a Comprehensive Readiness Assessment
DFARS has already included cybersecurity requirements for some time, but many contractors still aren’t ready for CMMC. A readiness assessment with a thorough gap analysis can help you identify the areas you’ll need to upgrade to meet the certification requirements. This evaluation should focus on your current CUI storage, transmission, and management practices.
Identify and Implement Remediation Steps
Once you’ve identified the gaps in your current program, assign the level of risk associated with each one. You can use this ranking system to prioritize which shortfalls to address first and develop an action plan to remedy them before the assessment. This helps you choose high-impact areas that boost your operations toward compliance.
How Much Does a CMMC Assessment Cost?
Assessment preparation costs can range from $15,000 to $100,000 or more, depending on the certification level you need and the scope of your project. The cost of an actual assessment is still unknown. Some estimates put it between $10,000 and $40,000.
How Can CORE Help?
At Core Business Solutions, we aim to help DoD contractors like you navigate CMMC assessment as smoothly and seamlessly as possible. As an authorized CMMC-AB Registered Provider Organization (RPO), we understand what it takes to meet the requirements and achieve certification.
We offer technical solutions, policy templates, and other resources to make compliance simple and effective. With CORE Vault™, you can access CUI from a secure, cloud-based environment ready-made for compliance. This allows you to limit the scope of your project to a manageable level.
Our own experts manage CORE Vault™ and walk you through the non-technical requirements, making certification a smooth and cost-effective process. We’ll handle compliance so you can focus on what matters most: running your business.
Learn more about the CORE Vault™ today to see how Core can handle the CMMC burden for your organization.
Core Business Solutions, established in 2000, is a Registered Practitioner Organization through the Cyber AB and has been providing consulting and technical solutions for NIST/CMMC for over 5 years. Rick Krick is the Director of Security Solutions for Core Business Solutions and directs our Cybersecurity Services solutions including CMMC. Rick has over 25 years of experience in Management System implementations, software development, IT services, and certifications.
