Key Takeaways
- The CMMC assessment process varies by level, requiring either self-assessments or third-party/government-led evaluations.
- Contractors must submit annual affirmations in the Supplier Performance Risk System (SPRS) to maintain compliance.
- Non-compliance can result in lapsed certification, contract ineligibility, and enforcement actions under the applicable DFARS clauses (252.204-7020 for NIST SP 800-171 assessment requirements and 252.204-7021 for CMMC level requirements).
Understanding the CMMC Assessment Process
The Cybersecurity Maturity Model Certification (CMMC) program is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It ensures that defense contractors adhere to specific cybersecurity practices through structured assessments. The assessment type and frequency depend on the CMMC Level assigned to the organization.
CMMC Levels and Assessment Types
| Level | Assessment Type | Conducted By | Frequency |
|---|---|---|---|
| Level 1 (Self) | Self-Assessment | Organization Seeking Assessment (OSA) | Annually |
| Level 2 (Self) | Self-Assessment | Organization Seeking Assessment (OSA) | Every 3 years |
| Level 2 (C3PAO) | Third-Party Assessment | Certified Third-Party Assessment Organization (C3PAO) | Every 3 years |
| Level 3 (DIBCAC) | Government-Led Assessment | DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) | Every 3 years |
Key Steps in the Assessment Process
1. Pre-Assessment Preparation
- Identify the applicable CMMC Level from the contract or solicitation requirements.
- Define the assessment scope: the systems, people, and facilities that process, store, or transmit FCI or CUI, plus the assets (such as security tooling and enclave boundaries) that protect them.
- Implement the requirements for that level: the 15 basic safeguarding requirements of FAR 52.204-21 (Level 1), the 110 requirements of NIST SP 800-171 R2 (Level 2), or the Level 2 requirements plus 24 selected requirements from NIST SP 800-172 (Level 3).
- Develop a System Security Plan (SSP) that documents the scope and how each requirement is implemented; assessors use it as the starting point for the review.
2. Self-Assessment (Levels 1 & 2 Self)
- Conduct an internal review of security controls.
- Enter results into SPRS.
- Submit an affirmation of compliance.
3. Third-Party Assessment (Level 2 C3PAO)
- Engage a C3PAO to conduct an independent review of the scoped environment against the SSP.
- The C3PAO records assessment findings in CMMC eMASS, from which the resulting status is reflected in SPRS.
- Address any unmet requirements through a Plan of Action & Milestones (POA&M). A POA&M is allowed only for a limited set of lower-weighted requirements and only if the minimum score is reached; it is not permitted at Level 1.
4. Government-Led Assessment (Level 3 DIBCAC)
- A Level 3 assessment requires a current Level 2 (C3PAO) Final Certification for the same scope as a prerequisite.
- DIBCAC assesses compliance with the 24 additional requirements selected from NIST SP 800-172.
- DIBCAC may also perform limited validation of NIST SP 800-171 requirements already assessed at Level 2.
5. Assessment Results and Certification Status
- Final Certification: Granted when all requirements for the level are met (or once every POA&M item has been closed out).
- Conditional Certification: Granted when the assessment score is at least 80% of the available points and every unmet requirement is one that may be placed on a POA&M; the POA&M must be closed out within 180 days.
6. POA&M Closeout Assessment
- Contractors must remediate all POA&M items within 180 days of the conditional status being granted.
- A closeout assessment (by the OSA for self-assessments, by a C3PAO or DIBCAC for certified levels) confirms the remediated requirements are met before Final Certification is granted; if the 180 days pass without closeout, the conditional status expires.
Affirmation Requirements & Maintaining Compliance
Affirmation Process
- A senior official of the organization submits an affirmation in SPRS at the completion of each assessment (including each POA&M closeout) and annually thereafter, at every level: Level 1, Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC).
- Each affirmation attests that the organization continues to meet the CMMC requirements for the assessed scope; a lapse in affirmation lapses the CMMC status itself.
Maintaining Certification
- Reassessments: Level 1 (Self) annually; Level 2 (Self) every three years; Level 2 (C3PAO) every three years by a C3PAO; Level 3 every three years by DIBCAC.
- Ongoing Compliance: Keep security controls effective between assessments, evaluate any change to systems or boundaries that process FCI or CUI (a scope change may require a new assessment), and open a corrective action plan whenever non-compliance is detected.
Consequences of Non-Compliance
- Failure to submit the annual affirmation results in a lapsed CMMC status.
- Failure to close out POA&M items within 180 days causes the Conditional Status to expire; the organization must then be reassessed.
- Contractual Remedies: Without a valid CMMC status at the required level, the contractor is ineligible for award, and non-compliance can trigger enforcement actions under DFARS 252.204-7020 and 252.204-7021.
Flow-Down Requirements
Prime contractors must ensure their subcontractors comply with CMMC requirements. Subcontractors must affirm compliance annually and undergo required assessments.
| Prime Contractor Level | Minimum Subcontractor Level |
|---|---|
| Level 1 (Self) | Level 1 (Self) |
| Level 2 (Self) | Level 1 (Self) for FCI, Level 2 (Self) for CUI |
| Level 2 (C3PAO) | Level 1 (Self) for FCI, Level 2 (C3PAO) for CUI |
| Level 3 (DIBCAC) | Level 1 (Self) for FCI, Level 2 (C3PAO) for CUI |
Conclusion
The CMMC program ensures DoD contractors maintain strong cybersecurity protections for FCI and CUI. Organizations must:
1. Undergo regular assessments based on their CMMC Level.
2. Submit annual affirmations in SPRS.
3. Maintain continuous compliance through reassessments and POA&M remediation.
Failure to comply can result in lapsed certification, contract ineligibility, and enforcement actions. To simplify compliance management and stay audit-ready, organizations should track the status of each security control, the assessment and affirmation dates, and open POA&M items in a single place rather than in scattered documents.