Charting Your CMMC Path

Get to know the clearly documented steps that can take you through assessment and certification.

As we’ve already discussed, getting some level of CMMC certification will by 2025 be required for all organizations seeking contracts from the U.S. Department of Defense.

We’ve talked about the basics of the Cybersecurity Maturity Model Certification and how the higher levels of maturity in the five-level certification model build on the ones below. For organizations that plan to respond to DoD solicitations, it’s essential to understand the terminology used in the model, and how the elements within it relate to each other, which we cover in the related article, “The CMMC Roadmap to DoD Opportunity.”

But it’s also valuable for those seeking certification to get acquainted with the varied organizations and roles that can support them within the CMMC ecosystem. And when it’s time to set out on your CMMC journey, you should get acquainted with the experienced guides standing by to help, and take a trail map that represents the practical steps leading to certification.

So let’s get familiar with who determines CMMC requirements, the organizations and roles that make up the CMMC ecosystem, and the steps that lead to certification.

Who Determines CMMC Requirements?

In military actions, the President of the United States calls the shots as commander in chief.

In military purchasing, the DoD group known as the “Office of the Under Secretary of Defense for Acquisition & Sustainment” is in charge. The framework of the CMMC was developed and released by this organization, which goes by the snappy initialism “OUSD (A&S).”

But they didn’t do it alone. According to version 1.02 of the CMMC standard released by OUSD (A&S) on March 18, 2020, the model was built “in concert with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the DIB sector.”

As the branch of the DoD responsible for buying defense-related things, OUSD (A&S) is responsible for upgrading and validating the security of suppliers who sell them things “to enhance the protection of controlled unclassified information (CUI) within the supply chain.”

And once again, they’re not taking on this big task alone.

The ABCs of AB

Behind every teacher, engineer, college, and hospital—plus many other critical roles and institutions—stands a third party that sets up, oversees and validates credentials that back up someone or something’s claims of legitimacy, fitness or quality based on formal standards.

And CMMC has one, too: the CMMC Accrediting Body, or CMMC-AB.

As soon as it released the CMMC standard, OUSD (A&S) gave an exclusive contract to a Maryland-based not-for-profit group that formed under the name CMMC-AB, an organization whose core mission is to implement the CMMC objectives for DoD.

To be even more specific, “The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.”

In a nutshell: Accrediting Body Certifies. ABC.

Though CMMC-AB says they’re still building the organization “from the ground up,” they have already defined a variety of supporting organizations and roles in the certification ecosystem. Let’s meet the players.

CMMC Organizations and Roles

The CMMC ecosystem has no shortage of stakeholders. Let’s start with the most important (you) along with three others you’re likely to encounter along the way.

OSC

At the center of it all is you, the OSC, or Organization Seeking Compliance. OSCs can take advantage of all the resources described in this article, or figure it out on their own. Although it’s not scheduled to roll out until late 2021, CMMC-AB is also working on a Licensed Software Provider program, and some vendors are already going to market with solutions that provide automated assistance for users preparing for assessment.

Registered Provider Organization

The RPOs and the Registered Practitioners within them (RPs) provide advice, consulting, and recommendations to their clients. While they can help you implement CMMC, they don’t conduct Certified CMMC assessments. They’ve received the required basic CMMC-AB training and adhere to the CMMC-AB Code of Professional Conduct, “the performance standards by which the roles of the CMMC ecosystem will be held accountable, and the procedures for addressing violations of those performance standards.”

LTP

There’s a lot to learn about CMMC, so CMMC-AB created the Licensed Training Provider program for the universities, community colleges, and other learning institutions who train Certified CMMC Professionals and Certified CMMC Assessors. LTPs might also be part of internal corporate training departments, or even direct-to-consumer training providers.

C3PAO

Ever get the feeling that Star Wars fans have infiltrated every sector of society? There’s some evidence in the abbreviation “C3PAO” used to refer to Certified Third-Party Assessment Organization. To fulfill the need of organizations seeking assessment, C3PAOs hire and train Certified CMMC Assessors (ensuring that they adhere to the Code of Professional Conduct), schedule assessments through the CMMC-AB portal, and review and submit completed assessments for certification by the CMMC-AB.

Steps for DoD CMMC Certification

The CMMC Accrediting Body publishes a simple diagram showing the steps that lead to certification. Its sequence of color squares looks like the path on a simple children’s game—but there’s no spinner, or dice, or stack of cards to draw. So let’s instead consider it a sort of trail map that can lead you on an invigorating hike to the picturesque summit of certification.

01 /

Understand CMMC requirements.

You’ve already started to take this step by reading this and related articles from Onspring about CMMC. But for specific information about what you’ll need to do to achieve the certification level you want, we recommend reading the latest CMMC model and assessment guides available on the website of OUSD (A&S).

02 /

Identify your scope.

Enterprise, Organization Unit or Program Enclave: Although worded ungrammatically, this step reminds OSCs that they can seek certification for their entire company or just the part of their business where “the information to be protected is handled and stored.”

03 /

Identify the desired maturity level.

As we mentioned before, there’s no point in getting a level of certification higher than you’ll need for the types of projects you plan to bid on or be a subcontractor for. And we hate to break it to you, but as of mid-2021 the CMMC-AB has only posted assessment guides for levels 1 and 3. Check with your Registered Provider Organization for more information.

04 /

Pre-Assess with an RPO or C3PAO.

This step is optional, but it could help you identify gaps in your readiness. Of course, you could do this step on your own if you had the right tools and know-how, like software that defines and documents everything necessary to reach your desired maturity level, from domains to controls.

05 /

Close any identified gaps.

It’s listed as one step, but this simple, breezy phrase could stand for considerably more work than those four words suggest. Again, consult with an RPO or find a tool that can help you break down the concrete steps you have to take, something that goes beyond the big, ugly spreadsheet we’ve seen a lot of companies using.

06 /

Find a C3PAO in the CMMC-AB marketplace.

Now that you know the lingo, this one shouldn’t be hard to interpret. You need an assessor to get the certification, and the marketplace section of the CMMC-AB site lists nearly 500 options for that service alone.

07 /

Conduct the assessment with the C3PAO’s Certified Assessment team.

It’s showtime, and you’re ready to turn over all your documentation and proof of compliance with all the standards embedded within CMMC requirements to the assessment team.

08 /

Allowance of up to 90 days to resolve findings (if any).

According to one expert, this step isn’t quite as simple as it looks. CMMC requires sustained implementation of practices, so you can’t whip something together in 90 days if you don’t already have it in place. Instead, this step is meant for things like giving you time to produce supporting documentation or to arrange for interaction with personnel who were not initially available to the assessors. Again, your RPO should be able to guide you through this step.

09 /

CMMC-AB reviews submitted assessment.

If you’ve done your job correctly, and your C3PAO has done theirs, the next step should be . . .

10 /

Upon approval, 3-year certification issued.

This is the big prize, the point of all the hard work that will qualify your company to bid on DoD solicitations at whatever level you’ve earned.

And remember, keeping the certification for the whole three-year term is dependent on your organization maintaining what you’ve documented. So keep your virtual hiking boots laced up and your cybersecurity campsite tidy as you ponder and profit from the journey you’ve completed.

Find your CMMC compass

Onspring is your tool for the CMMC process and continued compliance.