CMMC is the Cybersecurity Maturity Model Certification, a framework under development to protect the Department of Defense’s supply chain from cybersecurity threats. The DoD plans to include a requirement for certification against the CMMC maturity model in future contracts, and that requirement flows down to subcontractors as well. The supply chain, referred to in DoD circles as the Defense Industrial Base or DIB, is an attractive target for the nation’s adversaries because vendors in the DIB may hold sensitive or confidential information related to the nation’s security. The idea is that without a secure foundation, all functions are at risk: cybersecurity should serve as the foundation across every part of the nation’s defense industrial base.
What is the CMMC Certification Process?
The CMMC initiative is largely being driven by the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment. Generally, the certification process will follow the same pattern as many other certifications or cybersecurity assessments, such as ISO or FedRAMP. First, an accreditation body was formed to define the rules and framework around the entire assessment and certification process. Assessment bodies must then apply to the accreditation body for accreditation to perform CMMC assessments, and must train and certify their workforce to do the assessment work. Once an assessment body has completed the accreditation, training, and personnel certification process, it will be able to perform CMMC assessments and certify clients.
Who are CMMC Assessors?
The process has been moving forward throughout 2020, beginning with the formation of the CMMC accreditation body, or CMMC-AB. The AB initially consisted of a board made entirely of volunteers working to put together a framework for assessment bodies, professionals, and organizations seeking certification. The framework includes the standards themselves, the requirements for accreditation, the process for assessment and certification, and training. The CMMC-AB established a beta program of provisional assessors: a small, selected pool drawn from the assessment community that is currently being trained to perform assessments on a provisional basis. The DoD has selected a small number of specific contracts now going through the acquisition process with the new CMMC requirements to serve as a beta test for these provisional assessments. This deliberate test step will allow compliance assessors, the accreditation body, industry, and the DoD CMMC PMO to perform a few assessments and then evaluate the process to determine what works best.
After these provisional assessments, the CMMC-AB will move forward with larger-scale training availability, assessor firm accreditation, and finalization of the requirements. Current projections and information from the CMMC-AB indicate that assessor training will be available in the January 2021 timeframe.
When is CMMC going to be required?
Generally, CMMC is something you will need to plan for if you are a contractor or vendor to the DoD, or a subcontractor to a DoD contractor. However, the DoD and the CMMC accreditation body have indicated that the DoD will roll the requirement into new contracts over a period of years, and the CMMC requirement is not expected to be inserted into active contracts. Even if you do not have to act on it this minute, it is never too early to start evaluating your security posture against the requirements.
Have questions about CMMC certification? LBMC can help your organization prepare for and obtain CMMC certification. Contact us now.