How Do I Get CMMC Certified?
Prior NIST security standards relied on self-attestation, meaning a company could simply declare itself compliant and be treated as compliant.
CMMC shifts the burden of proving cybersecurity compliance from self-assessment to external assessments conducted by CMMC Third Party Assessment Organizations (C3PAOs).
Self-assessments should be conducted prior to working with C3PAOs, as these evaluations could yield findings that require you to develop a POAM, or Plan of Action and Milestones. This document details the specific measures your company will take to correct deficiencies found during a security control assessment, including tasks and the resources required to make the plan work.
Under NIST SP 800-171, companies that accessed or stored Controlled Unclassified Information (CUI) could substitute a POAM (a plan of action) for actual completion of requirements. That’s no longer the case with CMMC.
A POAM can be valuable for driving your team’s preparation toward higher levels of cybersecurity maturity, but now you’ll have to actually meet the requirements of each maturity level to get that level of certification, not just promise you’re working on it via a POAM.
But before you’re ready for evaluation, there’s documentation to complete, technology to deploy, domains to learn about, processes and capabilities and controls to put in place, acronyms to make sense of . . . Deep breath. You can do this. And we can help.