How Do I Become CMMC Certified?

October 26, 2022

Last week, we learned what CMMC is, all the revisions you’ve been hearing about, and when all defense industrial case (DIB) contractors are required to be CMMC 2.0 compliant. By the way, it’s May 2023. Today, we’re going to walk through what controls and requirements are, and how to get CMMC 2.0 certified. Creating a CMMC framework, adhering to it, and employing CMMC best practices are typically how this is accomplished.

What are the Controls and Requirements?

There are three compliance levels in CMMC 2.0. Each are explained below:

Level 1 – “Foundational“

CMMC 2.0 - Level 1 must match the same fifteen controls as FAR52.204-21 “basic” controls to protect Federal Contract Information (FCI) and controlled unclassified information (CUI). There are annual certifications and self-assessments by organizational leadership. This is essentially the same as the CMMC 1.0

Level 2 – “Advanced”

CMMC 2.0 - Level 2 is based upon the original CMMC 1.0 - Level 3. However, the new Level 2 lowered the number of required controls from 130 down to 110 controls in the SP 800-171 Revision. There is a division between “prioritized” and “non-prioritized” contracts based on the sensitivity of information involved. Information that is critical to national security = prioritized, whereas information that isn’t a national security threat = non-prioritized. Examples? Nuclear program details = prioritized. Military uniforms = non-prioritized. Prioritized acquisitions require a third-party assessor (3PAO) to evaluate the contracting organization every three (3) years, whereas non-prioritized acquisitions only require an annual self-assessment and certification. Majority of organizations still prefer a guided approach for non-prioritized acquisitions. 

Level 3 – “Expert”

Level 3 of CMMC 2.0 replaced Levels 4 and 5 of CMMC 1.0. Most importantly, contracts at the new Level 3 will require triennial government-led assessments, yes three times per year. In addition to the 110 controls that are required for the new Level 2 certification, Level 3 requires compliance with NIST SP 800-172.

How do I get CMMC certified?

Any contractor with a Defense Federal Acquisition Regulation Supplement (DFARS) clause in their contract will need to meet Level 3 requirements. The sooner your organization understands and complies with CMMC 2.0, the better. Below are eight (8) steps to achieve certification:

  1. Implement and Assess Information Security Processes
    • Develop a System Security Plan (SSP) and conduct a self-assessment to NIST 800-171 standards.
  2. Improve Processes and Submit Your Score
    • Based on the results of your self-assessment, create a Plan of Actions & Milestones (POA&M) with target dates to achieve a maximum score of 110. Next, submit the score into the DoD’s Supplier Performance Risk System (SPRS).
  3. Identify Your Scope
    • Scope can be an Enterprise, Organization unit, or Program enclave. Note that the CMMC-AB, the accreditation body authorized to oversee all CMMC assessments and training, has only released the assessment guide for CMMC Levels 1-3 so far.
  4. Perform a Preliminary Gap Assessment
    • This is an optional step, but still recommended. Schedule a preliminary gap assessment with an advisory firm like Idenhaus, to identify gaps in your information security process.
  5. Address Gap Assessment Findings
    • Using the analysis provided by the advisory firm, fix identified information security gaps and implement these changes in your organization. Idenhaus can help with that!
  6. Choose a C3PAO
    • With those information security gaps identified and corrected, use the CMMC Accreditation Body (CMMC-AB) Marketplace to identify a C3PAO to schedule your CMMC assessment. What is that you ask? A C3PAO is a service provider organization that the CMMC-AB has accredited and authorized to conduct CMMC audits and submits findings and certifies that Organizations Seeking Certification (OSCs) comply with the CMMC 2.0 Maturity Level 1 - 3 to perform in a given DoD contract. Idenhaus, through partnering with C3PAOs, can act as your advisor through the selection process.
  7. Undergo the CMMC Assessment
    • Conduct your CMMC assessment with your selected C3PAO. Many clients choose to have Idenhaus alongside them in the audit trenches. Expect the assessment to consist of four (4) phases:
  • Phase 1 kicks off with pre-assessment planning and includes gathering initial scope information, completing the artifact intake form, identifying assessment team members, developing a rough order of magnitude (ROM) and assessment plan, completing and approving the assessment plan and doing a readiness review with Idenhaus.
  • Phase 2 is when the C3PAO conducts the CMMC assessment. This starts with an opening meeting between your organization and the Idenhaus-CMMC assessment team. What follows is an analysis and review of objective evidence related to the CMMC processes and practices, discussion of any preliminary findings and then a final output.
  • Phase 3 covers post-assessment reporting. Results gathered by the assessment team are submitted to Idenhaus, who performs a quality assurance (QA) review and forwards a recommendation to the OSC Sponsor and the CMMC-AB, which triggers a CMMC-AB QA review. Based on the review, the CMMC-AB issues or denies CMMC level recommendation.
  • Phase 4 may require remediation if the assessment identifies that an organization falls a few practices short of the target CMMC performance level needed. Idenhaus forwards the remediation request to CMMC-AB for approval. CMMC-AB approves or denies the request.
  • If approved, the 90-day clock for remediation starts. This time allows addressing any shortfalls in performance.

8. Get Certified

  • The CMMC-AB reviews the assessment submitted by the C3PAO and makes a final decision on certification for your organization. Once the CMMC-AB decides to approve a submitted assessment, the accreditation body notifies both your organization and the C3PAO. If all goes well, your organization is awarded a three-year CMMC certification.

For questions about CMMC, DFARS, NIST, or anything else, reach out. Idenhaus Consulting keeps organizations compliant through current / future state assessments, System Security Plan (SSP) / POA&M creation, as well as maintenance, and proven methodologies with decades of experience. Our consultants deliver quality work, on time, with a smile. Tune in next week for the details on how to get CMMC 2.0 compliant. The deadline is approaching fast! 

Schedule a 15-minute introductory call with one of our consultants today. Want to know more without a consult? Stay tuned to Idenhaus for more practical tips to keeping your cybersecurity on track. 

More News