In November 2021, the Department of Defense (DoD) announced Cybersecurity Maturity Model Certification (CMMC) 2.0, a program meant to assess an organization’s cybersecurity program maturity. The CMMC program is designed to achieve the following goals:
- “Safeguard sensitive information to enable and protect the warfighter”
- “Enforce Defense Industrial Base (DIB) cybersecurity standards to meet evolving threats”
- “Ensure accountability while minimizing barriers to compliance with DoD requirements”
- “Perpetuate a collaborative culture of cybersecurity and cyber resilience”
- “Maintain public trust through high professional and ethical standards”
The CMMC framework organizes 110 security practices into a set of 14 domains, which map directly to the NIST (National Institute of Standards and Technology) SP 800-171 Rev 2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) families. There are three levels within CMMC — Level 1, Level 2, and Level 3. This article will focus on Organizations Seeking Certification (OSCs), specifically CMMC level 2 certification.
What Are the Current CMMC Timeline & Expectations?
The current CMMC 2.0 rule was released on December 26, 2023, and is currently in the rule-making stage. Once rule-making has concluded and CMMC 2.0 becomes official, all organizations providing products or services to the DoD must comply with the CMMC requirements that are applicable to their CMMC level. Currently, it is anticipated that the rule will become final in Q1 2025. As we get closer to that date, more organizations come to us with questions about CMMC and the certification process. Specifically:
- How do you conduct a CMMC assessment?
- What is the score for the CMMC assessment?
- What is a CMMC self-assessment?
- What is the CMMC readiness assessment?
- What are the 3 levels of CMMC?
- What level of CMMC do I need?
- Can you self-certify CMMC?
- How long does a CMMC assessment take?
- What is the CMMC 2.0 rule?
While this article attempts to summarize the CMMC level 2 assessment process (CAP), OSCs should familiarize themselves with the entire CAP in addition to the following documents:
- Cybersecurity Maturity Model Certification (CMMC) Model Overview
- CMMC Assessment Scope (Level 2)
- CMMC Assessment Guide (Level 2)
Phase 1 – Plan & Prepare the Assessment
Benjamin Franklin once said, “By failing to prepare, you are preparing to fail.” Those words ring true to anyone who has ever been involved in project management or played a role in supporting the completion of a project. The quote carries even more significance for those who bear the scars from failed projects that resulted from poor planning. It probably goes without saying that Phase 1 is the largest section of the CAP.
The first four sections of Phase 1 describe the formal CMMC assessment request process, OSC and CMMC Third-Party Assessment Organization (C3PAO) roles and responsibilities, and a list of templates (mandatory and non-mandatory) that will be used throughout the CMMC assessment process. OSCs should spend time familiarizing themselves with CMMC roles and responsibilities as well as the referenced templates.
Assessment framing and defining the assessment scope are critical steps in Phase 1. Framing the assessment includes identifying the size, scale, date, time, place, manner, resources, and level of effort that will be included in the assessment. Defining the assessment scope includes defining the boundaries within an organization’s networked environment that contain all the assets that will be assessed.
Identifying External Cloud Service Providers
One important step involved in the assessment scoping process includes the identification of all external cloud service providers. External cloud service providers may include cloud service providers, managed service providers, or other entities that provide services to the OSC. If external cloud service providers process, store, or transmit Controlled Unclassified Information (CUI), the C3PAO will need to demonstrate that the provider’s security practices are equivalent to Federal Risk and Authorization Management Program (FedRAMP) moderate baseline security requirements.
One of the final steps in Phase 1 is the verification of CMMC readiness to conduct the assessment. This final step is conducted by the C3PAO lead assessor and includes determining whether the assessment should proceed. A critical part of this process is verifying that evidence exists and is ready for review. At this stage, evidence will only be verified, not examined. This step cannot be considered a CMMC readiness review where advice or recommendations are made by the CMMC assessment team, or where the evidence is evaluated for adequacy and sufficiency. It is merely an opportunity for the CMMC assessment team to determine that the evidence provided is available and accessible for review.
Once the OSC’s CMMC readiness has been evaluated, the C3PAO lead assessor will determine whether the assessment should proceed as planned, or whether it should be replanned, rescheduled, or canceled. At the conclusion of Phase 1, the completed pre-assessment form (mandatory) will be verified by the C3PAO’s Quality Assurance Professional (CQAP) and uploaded to CMMC Enterprise Mission Assurance Support Service (eMASS).
Phase 2 – Conduct the Assessment
Phase 2 of the assessment process involves an assessment of the OSC’s implementation of the 110 required CMMC level 2 practices. The assessment team will examine evidence, interview OSC personnel, and conduct testing to ensure practices have been implemented. Any noted gaps are presented to the OSC during daily checkpoints to validate findings with the OSC and provide opportunities to locate and present additional evidence that may result in changes to recorded practice scores and findings.
Each practice will be scored as MET, NOT MET, or Not Applicable (NA). The OSC will need a finding of “MET” or “Not Applicable” for each of the 110 practices in order to achieve CMMC level 2 certification. For each practice scored as “Not Applicable”, the C3PAO will be required to include a thorough statement that supports why the practice was marked as NA.
Phase 2 of the assessment will also include the evaluation of external cloud service providers and whether or not they meet the security requirements equivalent to the FedRAMP Moderate baseline. The OSC is responsible for preparing a body of evidence that demonstrates how the external cloud service provider complies with stated requirements.
During the assessment process, the assessment team may determine that a CMMC level 2 practice has been implemented; however, the documentation supporting the control activity may be outdated or documented incorrectly. In cases such as this, a limited practice deficiency may be noted, and corrections can be made that will allow the OSC to receive a score of “MET” for the applicable practice. It’s important to note that limited practice deficiencies are only allowed for 52 of the 110 CMMC level 2 practices, and remediation must be verified by a date no later than 5 calendar days prior to the submission of the final findings report into CMMC eMASS.
What is a POA&M?
Plan of Action and Milestones (POA&Ms) present additional opportunities for OSCs to correct identified gaps and still achieve CMMC level 2 certification. In some cases, an OSC may come close to passing the CMMC level 2 assessment but noted deficiencies prevent them from being recommended for CMMC level 2 certification. In this case, an OSC may be able to qualify for a grace period to remediate noted deficiencies.
To be more specific, per the new CMMC guidance, if the overall score of the assessment, after placing items on the Limited Practice Deficiency Correction program, is greater than or equal to 80% (88/110 practices “MET”), the OSC will be allowed to remediate identified security weaknesses through the POA&M process. If the OSC scores less than 80%, the OSC will not be able to use the POA&M process to remediate deficiencies, will not be recommended for CMMC level 2 certification, and will be required to reapply for another assessment after the identified deficiencies have been remediated.
It’s important to note that POA&Ms will not be allowed for the highest-weighted CMMC level 2 requirements, and remediation will need to be confirmed no more than 180 days from the assessment’s final recommended findings briefing.
Phase 3 – Report Recommended Assessment Results
Phase 3 involves the presentation of the final recommended findings to the OSC and also includes the review and evaluation of evidence to support the close-out of any noted limited practice deficiencies. If the evidence supports the close-out of a deficiency, the associated practice will be scored as “MET”. If the provided evidence is insufficient to support the close-out of a limited practice deficiency, the score will remain “NOT MET” and the lead assessor will recommend moving the deficiency to a POA&M.
Phase 3 also involves the verification of the assessment results package by the C3PAO CQAP prior to uploading to CMMC eMASS. Per the new CMMC guidance, “Reports must be uploaded to CMMC eMASS no later than 20 business days from the final findings briefing.”
Phase 4 – Close-out POA&Ms and Assessment
As previously noted, this phase is optional and is only applicable to OSCs where POA&Ms were created during the CMMC level 2 assessment process. Phase 4 must occur within 180 days from the assessment’s final recommended findings briefing. The close-out assessment needs to be completed by a C3PAO, but does not need to be performed by the same C3PAO that completed the initial assessment.
If any POA&Ms fail to achieve a score of MET, the C3PAO lead assessor will recommend that the OSC not be granted CMMC level 2 certification. The OSC will need to remediate any identified deficiencies and reapply for certification.
Conclusion
As mentioned previously, the current CMMC rule (CMMC 2.0) is still in the rule-making stage and it is currently anticipated that it will become effective near the end of Q1 2025. Once rule-making has concluded, OSCs will need to work with a C3PAO to achieve CMMC level 2 certification.
Linford and Company is in the process of becoming an authorized C3PAO. We have certified CMMC professionals (CCP) on staff, and we will have certified CMMC assessors (CCA) on staff in the near future. We have conducted several NIST 800-171 assessments and are closely monitoring activity with the CMMC ecosystem.
If you have questions about the CMMC assessment process or CMMC in general, please contact us. We’d be happy to address your needs.
Mark Larson started working in the technology industry in 1998 where he worked in a number of different roles prior to transitioning to the public accounting world in 2004 with Ernst & Young (EY). During his 6 years at EY, Mark provided both assurance and advisory services that spanned multiple industries for both public and private companies. After leaving EY, Mark filled leadership roles within Internal Audit, Technology, and Security functions for several companies. Mark specializes in SOC examinations and enjoys helping clients establish, formalize, and report on effective control environments while strengthening their security risk profile.