Introduction: Navigating the CMMC Certification Journey
Overview of Cybersecurity Maturity Model Certification (CMMC)
The CMMC framework comprises security requirements from NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and a subset of requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information. For a Level 1 assessment, the CMMC framework organizes these security requirements and practices into six domains that map directly back to NIST SP 800-171 Rev 2.
In all, there are three levels within the CMMC framework: Level 1, Level 2, and Level 3. For the purposes of this article, as we enter Phase 1 of CMMC 2.0 implementation, the focus will be on the assessment process and how to use the CMMC Assessment Process (CAP) as a guide to help you prepare for a Level 2 assessment by a CMMC Third-Party Assessor Organization (C3PAO).
Significance of Phase 1 in the CMMC Assessment Process
Phase 1 of the CAP represents a significant portion of the overall CAP process, making up more than 50% of the overall content of Phases 1-4. Any strong and effective assessment begins with a well-organized planning and preparation effort, which is critical for building a foundation for success for the Organization Seeking Certification (OSC).
The Cornerstone of CMMC Compliance: Planning and Preparation
Importance of strategic preparation for CMMC Certification
Strategy is important moving forward into the implementation of CMMC 2.0, as the OSC is generally the party that initiates the engagement for a prospective CMMC assessment by contacting an authorized C3PAO. In your case, you are an OSC that has already conducted a Level 1 self-assessment and are proactively preparing your organization to move into Phase 2 of the CMMC implementation, when new DoD solicitations will start to require Level 2 assessments.
Key players: C3PAOs and Organizations Seeking Certification (OSCs)
It comes as no surprise that the key players here are you, the OSC, and the C3PAO. An authorized C3PAO can be found on the CMMC Marketplace, where The Cyber AB maintains an updated registry of C3PAOs that are in good standing.
Initiating the CMMC Assessment Process
- How OSCs request a CMMC Assessment: An OSC can contact a C3PAO found on the CMMC Marketplace using an online intake form or by direct email or phone. The contact may be initiated by either the C3PAO or the OSC, but in no situation will any party or individual from The Cyber AB or the Department of Defense serve in an introductory or facilitation role.
- C3PAO response timeline and initial coordination: Once the OSC has made the request to the C3PAO, the general guideline is that the C3PAO should respond within five business days, acknowledging the request for an assessment and setting up a date and time for an initial coordination call or virtual meeting. During this meeting the C3PAO should confirm the requested timelines, the location(s) of the assessment, and the general preparedness of the OSC.
Critical Roles in the CMMC Assessment
- Organization Seeking Certification (OSC) and OSC Assessment Official: The OSC is the company, organization, university or college, legal entity, or discrete business division or practice area that is pursuing CMMC Certification by contracting with a C3PAO and proceeding with a CMMC Assessment. The OSC Assessment Official is an employee, usually the most senior representative of the OSC, who is directly and actively responsible for leading and managing the OSC's engagement in the assessment and who possesses decision-making authority for the OSC regarding the CMMC Assessment.
- OSC Point of Contact (POC): The individual within the OSC who provides daily coordination and liaison support between the OSC and the C3PAO Assessment Team. (The OSC POC does not necessarily need to be an employee of the OSC.)
- CMMC Third-Party Assessment Organization (C3PAO): An authorized and independent assessment body that contracts with the OSC to conduct CMMC Assessments and issues the CMMC Certification.
- Lead Assessor in CMMC: The CMMC Certified Assessor (CCA) who oversees and manages a dedicated CMMC Assessment Team for the assessment of an OSC.
- CMMC Quality Assurance Professional (CQAP): A formally trained individual who is responsible for ensuring that assessment documentation is complete and accurate. Each C3PAO is required to have at least one (1) CQAP on staff to ensure that all assessment packages are reviewed and validated for procedural integrity prior to upload into eMASS or any other official CMMC repository system or application.
CMMC Documentation and Templates: The Blueprint for Success
Essential CMMC assessment doctrine
- Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.0
- CMMC Assessment Guide, Level 2, Version 2.0
- CMMC Assessment Scope, Level 2, Version 2.0
- CMMC Artifact Hashing Tool User Guide, Version 2.0
- CMMC Assessment Process (CAP): https://cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf?ver=fEk1pUK1Fg26fVtopxv_DA%3d%3d
Many of the listed documents are available for download at the Department of Defense’s CMMC Program website: https://dodcio.defense.gov/CMMC/Resources-Documentation/
Framing the CMMC Assessment
- Distinguishing between assessment framing and CMMC Assessment Scope: The C3PAO should work with the Affirming Official and/or the OSC POC to determine the scope and planning details of the assessment. This shall include discussing the schedule, the size of the organization and of the information system to be assessed, personnel, logistics, relevant contractual requirements, and the prospective CMMC Assessment Scope. The CMMC Assessment Scope identifies all of the assets in the OSC’s environment that will be assessed and must be specified before the assessment commences.
Determining the CMMC Assessment Scope
- Definition and importance in CMMC Compliance: The scope is the scale or extent of what will be evaluated for conformity, which includes those assets (people, facilities, technology) within the OSC’s environment that are targeted for CMMC assessment because they interact with sensitive information.
- OSC's role in initial scope determination: Proper scoping ensures that the OSC is protecting every system it really needs to protect and is not wasting resources building up security on systems that do not need it.
Preparing for CMMC Assessment Success
- OSC readiness and its impact on efficiency: This is a critical step, as the Lead CCA for the assessment team will determine whether the OSC is ready to proceed with the CMMC Level 2 certification assessment. The determination is based on the reviews and confirmations conducted in Phase 1 as well as a general confidence that the OSC is prepared for the assessment overall. This readiness determination is not meant to identify whether the OSC will meet any targeted CMMC Level or succeed in attaining certification, but rather to ascertain that both parties are sufficiently prepared to conduct the assessment.
- The role of effective communication in the CMMC Assessment Process: The Lead CCA should convey to the OSC that various assessment methods (e.g., reviewing, inspecting, observing, studying, analyzing, discussing, and exercising assessment objects) will be employed and may include the assessment methods and associated attributes of depth and coverage outlined in:
- NIST SP 800-171A, Appendix D, “Assessment Methods”
- NIST SP 800-53A, 3.2.3.2 - “Depth- and Coverage-Related Considerations”
- NIST SP 800-53A, Appendix C, “Assessment Method Descriptions”
- Any in-person observations of security requirement objectives as discussed in activity P.11
Cybersecurity Best Practices for OSCs
Common challenges in Phase 1 of CMMC
- Communication and Coordination: Effective communication between the C3PAO and the OSC can become difficult, which could result in delays.
- Understanding the CMMC Assessment Scope: OSCs that do not distinguish properly between assessment framing and the CMMC Assessment Scope can end up with the wrong systems being assessed.
- Documentation Preparation: Preparing and organizing the required documentation can be overwhelming and time-consuming.
- OSC Readiness: An OSC's lack of preparation can significantly slow down the assessment process.
- Conflict of Interest: Ensuring that no conflicts of interest exist between the C3PAO and the OSC.
Strategies for smooth planning and preparation
- Establish clear lines of communication early, conduct regular check-ins, and define the roles of all interested parties to facilitate smoother communication and coordination.
- Having an independent CCP on staff at the OSC to help identify the assessment framing (size, scale, and logistics of the assessment) and the CMMC Assessment Scope (the identified assets within the OSC’s environment that will be assessed) can alleviate confusion and help with the assessment.
- Use the provided templates and pre-assessment forms to assist with proper documentation, and know where they are.
- Conducting a CMMC Assessment Readiness Review using a checklist before proceeding with a Level 2 assessment ensures that the OSC identifies any potential issues or gaps before the assessment commences.
- Ensure that the C3PAO and the OSC work together to develop a mitigation plan for any identified conflicts of interest.
Conclusion: Setting the Stage for CMMC Certification
Recap of Phase 1's critical role in the CMMC Assessment Process
- It initiates the engagement between the Organization Seeking Certification (OSC) and the CMMC Third-Party Assessment Organization (C3PAO), setting the tone for the entire process.
- This phase focuses on thorough planning and preparation, which can significantly impact the efficiency and effectiveness of the subsequent assessment phases.
- It clarifies roles and responsibilities, ensuring all parties understand their part in the process, from the OSC Assessment Official to the CMMC Quality Assurance Professional (CQAP).
- Phase 1 involves crucial documentation preparation, utilizing essential CMMC assessment doctrine and templates to ensure compliance and readiness.
- It addresses the critical task of determining the CMMC Assessment Scope, which is vital for focusing the assessment on the relevant assets and systems.
Preparing for subsequent phases of CMMC Certification
- Conduct a CMMC Assessment Readiness Review (CA-RR) to identify and address potential issues early.
- Establish clear communication channels between the OSC and C3PAO to facilitate smooth information exchange throughout the process.
- Ensure all required documentation is organized and readily available, using provided templates and pre-assessment forms.
- Familiarize the team with various assessment methods that will be employed in later phases, including reviewing, inspecting, observing, and analyzing assessment objects.
- Address any potential conflicts of interest between the C3PAO and OSC to maintain the integrity of the assessment process.
Need expert guidance on your CMMC certification journey? Contact 9brains today for comprehensive support through every phase of the process.