The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense’s (DoD’s) new cybersecurity regulation for the defense industrial base (DIB). The goal of CMMC is to improve the protection of confidential unclassified information (CUI) entrusted to DIB contractors as part of their duties.
CMMC is still being rolled out, which means that the process is still evolving. The CMMC Accreditation Body (CMMC-AB) provides regular CMMC updates describing where they are in the process.
What are recent CMMC updates?
Recent updates regarding CMMC have largely focused on how the assessor certification process has been progressing. Some of the major updates include:
A Certified Third-Party Assessment Organization (C3PAOs) is an organization authorized by the CMMC-AB to conduct compliance audits. As of the August CMMC Town Hall, three organizations have been certified as C3PAOs.
CMMC Training Progress
The CMMC-AB is responsible for defining the training and examination requirements for CMMC consultants and auditors. Currently, the expectation is that training for CMMC Certification Professionals (CCPs) – who have CMMC knowledge and are part of an audit team – will be available no later than November 1 and that the certification exam will be officially launched in early February 2022.
CCPs must operate under the supervision of a CMMC Assessor during an audit. Currently, the Level 1 and Level 3 CMMC Auditor exams are still being scoped.
As of the previous town hall, even the three authorized C3PAOs are not permitted to perform official CMMC compliance audits. However, this is expected to change this month, making it possible for companies to start seeking CMMC compliance.
Companies can start the audit process today by going through the preparatory and pre-audit process. Once audits have been authorized, they typically take 1-2 weeks according to the experiences of the CMMC-AB and authorized C3PAOs.
What do these CMMC updates mean to me?
Many of the current updates to CMMC are focused on the providers of CMMC services. The status of training materials and the assessor certification process are mostly relevant to those organizations looking to achieve those certifications.
That said, the timelines and milestones laid out by the CMMC-AB in their recent town halls have certain implications for companies looking to achieve CMMC compliance as well. These include:
- Certified C3PAOs: Currently, the CMMC-AB has certified three C3PAOs out of hundreds of applicants. While this means that the process is largely finalized for accomplishing this, it can be time-consuming to complete. As a result, significant competition will likely exist for the services of C3PAOs in the short term. Organizations looking to achieve CMMC compliance should start today and expect competition or high fees.
- Authorized Assessments: While a few C3PAOs have been certified for a month or so, they have not been permitted to perform official assessments. However, this is soon going to change, which means that organizations will be able to undergo official audits. Companies looking to be among the first to achieve CMMC compliance or who believe that compliance can impact their competitiveness in the marketplace should start the CMMC process today.
- CMMC Training Schedule: Within the next few months, it will be possible for individuals to become certified CCPs, and the scope will likely be defined for CMMC Assessors as well. As more CCPs—and eventually CMMC Assessors—enter the marketplace, it will become faster and easier for companies to find support in preparing for and achieving CMMC certification.
In short, the road to CMMC has been a long one, but is coming to an end. Within the next few months, CMMC audits will begin, and access to trained CMMC consultants and assessors will expand dramatically.
Preparing for CMMC Certification
The path to the CMMC has been a long one, and the process has not moved as quickly as originally planned. However, recent updates from the CMMC-AB have shown promising progress, and companies will soon be able to undergo CMMC audits and achieve CMMC compliance.
However, many companies are not ready to immediately undergo a CMMC compliance audit. Their existing security controls, policies, and processes may not fulfill the requirements for CMMC compliance, and the organization may not be able to easily demonstrate how they fulfill every CMMC requirement.
The CMMC-AB recommends that companies looking to achieve CMMC compliance should partner with a CMMC Registered Provider Organization (RPO). CMMC RPOs are authorized to provide consulting and support for preparation for a CMMC compliance audit, and must be distinct from the C3PAO that an organization engages for its official CMMC compliance audit.
Hyper Vigilance is an authorized RPO on the CMMC Marketplace, meaning that we can provide consulting and services to organizations looking to achieve CMMC compliance. This includes a CMMC compliance assessment for organizations looking to identify compliance gaps and CMMC compliance management services to help organizations to achieve and maintain CMMC compliance. Contact us today to get started.