All contractors doing business with the DoD will need to achieve Cybersecurity Maturity Model Certification (CMMC) compliance to remain eligible for contracts. CMMC requires that contractors undergo assessments to verify they comply with DoD security regulations. The rule is expected to be codified in Q4 2024 and to enter into contracts in early 2025.
CMMC Assessment Overview
CMMC gives teeth to NIST SP 800-171, doing away with self-assessment in favor of rigorous third-party assessments for most organizations handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
There are 3 levels of CMMC, based on the maturity level indicated in a company’s contract.
- Companies handling exclusively FCI only need to meet Level 1 (Foundational). Level 1 is based on the requirements of FAR 52.204-21 and is the only level that remains fully eligible for self-assessment.
- Any company handling CUI must meet at least Level 2 (Advanced). Level 2 is based on the 110 controls of NIST SP 800-171. A small fraction of these companies will be allowed to perform self-assessment, but over 95% will require third party assessment by a CMMC Third Party Assessment Organization (C3PAO).
- Companies handling the most sensitive information will need to meet Level 3 (Expert). This is based on the 110 controls of NIST SP 800-171 as well as a subset of requirements from NIST SP 800-172. To achieve Level 3, OSCs will first need to pass a Level 2 assessment by a C3PAO. The OSC will then be assessed for Level 3 readiness directly by the government.
CMMC Level 1: Self-Assessments
If you’re an Organization Seeking Compliance (OSC) with CMMC Level 1, or one of the small subset of Level 2 OSCs handling information not deemed critical to national security, you can rely on a self-assessment to determine CMMC eligibility.
For Level 1 organizations, the assessment will evaluate how the OSC protects FCI against the 17 NIST 800-171 controls that apply to Level 1. Each control is broken down into multiple objectives and all objectives must be met.
Level 2 OSCs will need to assess against NIST SP 800-171A and meet all the assessment objectives for the 110 controls. To be successful, Level 2 OSCs need to ensure that they have a System Security Plan (SSP) that explains how their policies, procedures, and technologies meet each assessment objective.
Level 1 OSCs and self-assessing Level 2 OSCs will be required to conduct a self-assessment on an annual basis, producing an annual affirmation from a senior company official stating that the company is meeting all requirements for compliance. They will need to register these self-assessments and affirmations in the DoD’s Supplier Performance Risk System (SPRS).
Companies handling CUI must also demonstrate that they (1) are employing FIPS 140-2 validated cryptography, (2) are compliant with paragraphs (c) through (g) of DFARS 252.204-7012, which set out how to report cyber incidents, and (3) ensure any cloud service providers (CSPs) meet FedRAMP Moderate or equivalent.
CMMC Level 2: Third Party Assessments from C3PAOs
Most Level 2 OSCs and all Level 3 OSCs will be subject to third-party assessment.
The CMMC Accreditation Body (Cyber AB) has authored the CMMC Assessment Process (CAP) handbook to explain the roles, responsibilities, requirements, and timeline. The Cyber AB also authorizes the CMMC Third Party Assessment Organizations (C3PAOs) that conduct the assessments.
These assessments are made up of four phases.
Phase 1: Plan and prepare the assessment
In this phase, the OSC and C3PAO establish roles and responsibilities and the assessment scope.
The C3PAO will check whether the OSC is using any external CSPs and, if so, that they meet the requirements established in DFARS 252.204-7012. The C3PAO also confirms that the OSC has evidence to meet a substantial number of assessment objectives. The OSC will need to provide the results of a self-assessment along with a list of evidence, a robust SSP, a list of all the personnel involved in the procedures evaluated, and any other relevant documentation.
If the OSC has not adequately prepared for assessment, then the process will pause until the OSC can provide the above assurances of readiness.
Phase 2: Conduct the assessment
In the assessment, the C3PAO will check the OSC’s fulfillment of every compliance objective and control in NIST SP 800-171A. The C3PAO will collect, examine, and analyze the evidence provided by the OSC, and conduct interviews with OSC personnel, in order to determine whether the practices in place meet the required standards. The assessment team will record any gaps between the OSC’s practices and CMMC model practices.
The C3PAO will then determine the final CMMC results on a binary scale of met / not met.
If the OSC passes the assessment by earning a ‘met’ score, the C3PAO will allow the use of Plans of Action and Milestones (POA&Ms) as temporary stopgap measures for any eligible controls that are not yet fully satisfied. To be eligible for POA&Ms, the organization must meet at least 80% of all CMMC Level 2 practices, that is, 88 out of the 110 NIST SP 800-171 controls. Further, eligibility for POA&Ms depends on which specific controls are unmet.
The 110 controls of NIST SP 800-171 are each weighted 1, 3, or 5 points. Only select 1-point controls are eligible for POA&Ms. If any 3- or 5-point control is not completely satisfied at the time of assessment, the OSC will not achieve CMMC compliance and will be graded ‘not met.’
Phase 3: Report assessment results
The C3PAO will deliver the assessment results to the OSC and give their verdict of met / not met. If the OSC achieves ‘met’ through the use of POA&Ms, the Lead Assessor will list those POA&Ms at this time.
The C3PAO will review any listed POA&Ms to ensure that the OSC meets the 80% ‘met’ minimum requirement to proceed to the POA&M Close-Out Assessment option. If the POA&Ms cannot be closed out, the OSC will not be recommended for certification. If POA&Ms are needed for any 3- or 5-point controls, the OSC will likewise not be recommended for certification.
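The Phase 2 scoring rules and the Phase 3 POA&M review above reduce to a small decision procedure, which is easy to get wrong when counting gaps by hand. The following is an added example (not PreVeil’s code and not a DoD or Cyber AB tool) that applies exactly the rules the article states: at least 88 of 110 controls met, no unmet 3- or 5-point control, and every unmet 1-point control on the POA&M-eligible list. The article does not say which 1-point controls are POA&M-eligible, so that list is an input the caller supplies; the control IDs (`ctrl-001` to `ctrl-110`) and the weight pattern in `sample_results` are constructed placeholders, not real NIST SP 800-171 numbering.

```python
"""POA&M eligibility check for a CMMC Level 2 assessment outcome.

Added example: not PreVeil's code and not a DoD or Cyber AB tool. It encodes
the rules the article states:
  * at least 88 of the 110 NIST SP 800-171 controls (80%) must be met;
  * every 3- and 5-point control must be met (no POA&M allowed);
  * an unmet 1-point control is acceptable only if it is on the list of
    POA&M-eligible controls, which the caller supplies (assumption).
Control IDs and weights in sample_results() are constructed placeholders.
"""
from dataclasses import dataclass

TOTAL_CONTROLS = 110
MIN_MET = 88            # 80% of 110, per the article
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class ControlResult:
    control_id: str     # identifier of the control
    weight: int         # 1, 3 or 5 points
    met: bool           # True when every assessment objective was satisfied


@dataclass(frozen=True)
class Verdict:
    status: str                 # "met" or "not met"
    met_count: int              # controls fully satisfied
    poam_controls: tuple        # unmet controls that may be placed on a POA&M
    reasons: tuple              # explanations when status is "not met"


def evaluate(results, poam_eligible_ids):
    """Apply the POA&M rules to a full set of 110 control results."""
    if len(results) != TOTAL_CONTROLS:
        raise ValueError(f"expected {TOTAL_CONTROLS} control results, got {len(results)}")
    bad = [r.control_id for r in results if r.weight not in VALID_WEIGHTS]
    if bad:
        raise ValueError(f"controls with invalid weight: {bad}")

    met_count = sum(1 for r in results if r.met)
    unmet = [r for r in results if not r.met]
    reasons = []

    # Rule 1: the 80% floor (88 of 110) applies before any POA&M is considered.
    if met_count < MIN_MET:
        reasons.append(f"only {met_count}/{TOTAL_CONTROLS} controls met; minimum is {MIN_MET}")

    # Rules 2 and 3: a 3- or 5-point gap is disqualifying; a 1-point gap is
    # tolerated only for controls on the POA&M-eligible list.
    for r in unmet:
        if r.weight != 1:
            reasons.append(f"{r.control_id} is a {r.weight}-point control and is unmet")
        elif r.control_id not in poam_eligible_ids:
            reasons.append(f"{r.control_id} is a 1-point control not eligible for a POA&M")

    if reasons:
        return Verdict("not met", met_count, (), tuple(reasons))
    return Verdict("met", met_count, tuple(r.control_id for r in unmet), ())


def sample_results(unmet_ids=()):
    """Constructed data set: 110 placeholder controls (ctrl-001 .. ctrl-110).

    The weight pattern is arbitrary, chosen only so all three weights appear:
    every 10th control is 5 points, every other 5th is 3 points, and the
    remaining 88 are 1 point. Any ID in ``unmet_ids`` is marked unmet.
    """
    unmet = set(unmet_ids)
    results = []
    for i in range(1, TOTAL_CONTROLS + 1):
        weight = 5 if i % 10 == 0 else 3 if i % 5 == 0 else 1
        cid = f"ctrl-{i:03d}"
        results.append(ControlResult(cid, weight, cid not in unmet))
    return results


def one_point_ids():
    """IDs of the 1-point placeholder controls, used as the eligible list."""
    return {r.control_id for r in sample_results() if r.weight == 1}


if __name__ == "__main__":
    eligible = one_point_ids()
    # 22 unmet eligible 1-point controls leaves exactly 88 met: 'met' with POA&Ms.
    print(evaluate(sample_results(sorted(eligible)[:22]), eligible))
    # A single unmet 3-point control is 'not met' even at 109 of 110.
    print(evaluate(sample_results(["ctrl-005"]), eligible))
```

The two runs in the `__main__` block show the edge cases the article calls out: 22 eligible 1-point gaps sit exactly on the 88-control floor and still pass conditionally, while one 3-point gap fails regardless of the overall count. Treating the eligible list as an input keeps the tool honest about what the article does not specify.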
Phase 4: Close out POA&Ms and assessment
If the OSC received a conditional CMMC Level 2 certification during phase 3, then the final step is to close any open POA&Ms within 180 days. In order to receive CMMC Level 2 certification, the OSC must close all open POA&Ms within 180 days and have a C3PAO verify that they’re closed out.
CMMC Level 3: DIBCAC Assessments
OSCs handling the most sensitive CUI must first meet CMMC Level 2 in order to become eligible for Level 3 review. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) itself will conduct Level 3 assessments, which will include all 110 NIST SP 800-171 controls plus an additional subset of NIST SP 800-172 controls.
The DoD has not yet published an assessment guide for Level 3 assessments. According to the DoD, the assessment requirements are currently under development. Level 3 OSCs should prepare to meet Level 2 compliance now and remain ready to undertake additional preparations when further information is released.
Getting Ready for CMMC
It is important to get ready for assessment now. CMMC is on track to become law in Q4 2024 and to enter into contracts by Q1 2025. Achieving compliance takes 9-12 months, and you won’t want to become ineligible for government contracts because CMMC took effect before you could finish your preparations.
Begin by familiarizing yourself with the CMMC framework. Determine which CMMC level your organization needs to achieve and scope your compliance boundary. The more you can limit your boundary, the more economically you’ll be able to achieve compliance, in terms of both money and time.
For a detailed step-by-step overview of how to prepare, see our CMMC Compliance Checklist.
How PreVeil can help achieve CMMC compliance
PreVeil is the leading solution for CMMC compliance. Trusted by over 1,200 small and midsize defense contractors, PreVeil’s solution has helped a dozen contractors and C3PAOs achieve perfect 110 scores in tough DoD audits.
Our 3-part solution includes:
- An email + file sharing platform to protect CUI, built on AWS GovCloud
- Pre-filled CMMC documentation
- Certified consultants and assessors
This saves defense contractors over 75% compared with GCC High while securing their data with end-to-end encryption.
Take Action:
- Schedule a demo
- Schedule a free 15 minute consultation with PreVeil’s compliance team.
- Download our CMMC Guide, which has been downloaded by over 5,000 defense contractors