The 47-page CMMC Assessment Process guide (the CAP Guide) outlines the assessment process for organizations seeking certification (OSCs) at CMMC Level 2, the required level for all DIB contractors who expect to receive or store Controlled Unclassified Information (CUI).
The CAP Guide states that Level 2 assessments will be conducted by CMMC Third-Party Assessment Organizations (C3PAOs). You can find authorized C3PAOs in good standing on The Cyber AB’s marketplace. The CMMC AB will only accept assessments from authorized C3PAOs that are in good standing, so it is important to confirm authorization and standing status before beginning the assessment process.
OSCs must designate an Assessment Official (AO) and Point of Contact (POC) for the CMMC assessment. The AO should be a senior representative of the contractor who is a decision-maker responsible for leading the OSC’s CMMC assessment. The POC should provide the daily coordination and liaison support between the OSC and the C3PAO assessment team.
The CAP Guide also directs that only the parts of the OSC’s work involving DoD contracts and access to controlled unclassified information need to be assessed. In some organizations, this direction would require the entire organization to be assessed; in others, only a division or operational unit would require assessment. Additionally, OSCs should inform their C3PAOs of any third-party personnel, procedures or technologies they rely on to perform DoD contracts.
One of the most frequent questions defense contractors ask is related to scoring. As outlined in the CAP Guide under sections 2.3.2 and 2.4.1, limited plans of action and milestones (POAMs) are permitted, but contractors must achieve a minimum assessment score of 80%, or 88 out of a total of 110 points, per CMMC practice CA.L2-3.12.2. None of the high-weighted (3- or 5-point) practices are eligible to be on the contractor’s POAM list. For scoring specifics related to the weighting of practices, refer to the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020.
Our CMMC Academy team strongly recommends you read the draft version of the CAP Guide carefully, and be sure to send any comments to The Cyber AB/DoD.
The CMMC Academy, powered by Celerium, delivers tangible, FREE CMMC 2.0 benefits. Its services, experts and content help prepare your business to do business with the Department of Defense.
As an academy member, you can:
As a member of the CMMC Academy, you enjoy these benefits and more.
The ever-evolving rollout of CMMC 2.0 may have you wondering if your understanding of the 2.0 program is up to date. To bring you up to speed on the 2.0 program and its requirements, practices, and processes, please watch this video. Celerium's Chief Operations Officer, Chris Cundel, provides what you need to know, and do, to enable your company to do business with the DoD.
Sponsored by Celerium
Implementing CMMC will be different for every company. And with the U.S. government doubling down on cybersecurity, it's important to get it right. So where is the best place to start?
Our CMMC Insights courses were created to help companies looking to comply with CMMC understand how to implement the practices. Our team has years of experience implementing NIST 800-53.
One-year access to the learning portal is provided, and we will provide updates on changes to CMMC as clarity is provided on items such as reciprocity. Don't wait: get started on your CMMC assessment preparation now.
Copyright © 2022 Celerium. All Rights Reserved.