The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense’s (DoD’s) new cybersecurity regulation for the defense industrial base (DIB). The goal of CMMC is to improve the protection of Controlled Unclassified Information (CUI) entrusted to DIB contractors as part of their duties.
CMMC is still being rolled out, which means that the process is still evolving. The CMMC Accreditation Body (CMMC-AB) provides regular CMMC updates describing where they are in the process.
Recent updates regarding CMMC have largely focused on how the assessor certification process has been progressing. Some of the major updates include:
A Certified Third-Party Assessment Organization (C3PAO) is an organization authorized by the CMMC-AB to conduct compliance audits. As of the August CMMC Town Hall, three organizations have been certified as C3PAOs.
The CMMC-AB is responsible for defining the training and examination requirements for CMMC consultants and auditors. Currently, the expectation is that training for CMMC Certification Professionals (CCPs) – who have CMMC knowledge and are part of an audit team – will be available no later than November 1 and that the certification exam will be officially launched in early February 2022.
CCPs must operate under the supervision of a CMMC Assessor during an audit. Currently, the Level 1 and Level 3 CMMC Auditor exams are still being scoped.
As of the previous town hall, even the three authorized C3PAOs are not permitted to perform official CMMC compliance audits. However, this is expected to change this month, making it possible for companies to start seeking CMMC compliance.
Companies can start the audit process today by going through the preparatory and pre-audit process. Once audits have been authorized, they typically take 1-2 weeks according to the experiences of the CMMC-AB and authorized C3PAOs.
Many of the current updates to CMMC are focused on the providers of CMMC services. The status of training materials and the assessor certification process are mostly relevant to those organizations looking to achieve those certifications.
That said, the timelines and milestones laid out by the CMMC-AB in their recent town halls have certain implications for companies looking to achieve CMMC compliance as well. These include:
In short, the road to CMMC has been a long one, but is coming to an end. Within the next few months, CMMC audits will begin, and access to trained CMMC consultants and assessors will expand dramatically.
The path to the CMMC has been a long one, and the process has not moved as quickly as originally planned. However, recent updates from the CMMC-AB have shown promising progress, and companies will soon be able to undergo CMMC audits and achieve CMMC compliance.
However, many companies are not ready to immediately undergo a CMMC compliance audit. Their existing security controls, policies, and processes may not fulfill the requirements for CMMC compliance, and the organization may not be able to easily demonstrate how it fulfills every CMMC requirement.
The CMMC-AB recommends that companies looking to achieve CMMC compliance should partner with a CMMC Registered Provider Organization (RPO). CMMC RPOs are authorized to provide consulting and support for preparation for a CMMC compliance audit, and must be distinct from the C3PAO that an organization engages for its official CMMC compliance audit.
Hyper Vigilance is an authorized RPO on the CMMC Marketplace, meaning that we can provide consulting and services to organizations looking to achieve CMMC compliance. This includes a CMMC compliance assessment for organizations looking to identify compliance gaps and CMMC compliance management services to help organizations to achieve and maintain CMMC compliance. Contact us today to get started.