Understand CMMC requirements.
You’ve already started to take this step by reading this and related articles from Onspring about CMMC. But for specific information about what you’ll need to do to achieve the certification level you want, we recommend reading the latest CMMC model and assessment guides available on the website of OUSD (A&S).
Identify your scope.
Enterprise, Organization Unit or Program Enclave: Although worded ungrammatically, this step reminds OSCs that they can seek certification for their entire company or just the part of their business where “the information to be protected is handled and stored.”
Identify the desired maturity level.
As we mentioned before, there’s no point in getting a level of certification higher than you’ll need for the types of projects you plan to bid on or be a subcontractor for. And we hate to break it to you, but as of mid-2021 the CMMC-AB has only posted assessment guides for levels 1 and 3. Check with your Registered Provider Organization for more information.
Pre-Assess with an RPO or C3PAO.
This step is optional, but it could help you identify gaps in your readiness. Of course, you could do this step on your own if you had the right tools and know-how, like software that defines and documents everything necessary to reach your desired maturity level, from domains to controls.
Close any identified gaps.
It’s listed as one step, but this simple, breezy phrase could represent considerably more work than its four words suggest. Again, consult with an RPO or try to find some sort of tool that can help you break down the concrete steps you have to take, something that goes beyond the big, ugly spreadsheet we’ve seen a lot of companies using.
Find a C3PAO in the CMMC-AB marketplace.
Now that you know the lingo, this one shouldn’t be hard to interpret. You need an assessor to get the certification, and the marketplace section of the CMMC-AB site lists nearly 500 options for that service alone.
Conduct the assessment with the C3PAO’s Certified Assessment team.
It’s showtime, and you’re ready to turn over all your documentation and proof of compliance with all the standards embedded within CMMC requirements to the assessment team.
Allowance of up to 90 days to resolve findings (if any).
According to one expert, this step isn’t quite as simple as it looks. CMMC requires sustained implementation of practices, and you can’t just whip something together if you don’t already have it going on. Instead, this step is meant for things like giving you time to produce supporting documentation or arrange for interaction with personnel who were not initially available to the assessors. Again, your RPO should be able to guide you through this step.
CMMC-AB reviews submitted assessment.
If you’ve done your job correctly, and your C3PAO has done theirs, the next step should be . . .
Upon approval, 3-year certification issued.
This is the big prize, the point of all the hard work that will qualify your company to bid on DoD solicitations at whatever level you’ve earned.
And remember, keeping the certification for the whole three-year term is dependent on your organization maintaining what you’ve documented. So keep your virtual hiking boots laced up and your cybersecurity campsite tidy as you ponder and profit from the journey you’ve completed.