
An FAQ: C3PAO Perspective on Common Questions About CMMC Readiness

Gain clarity on CMMC readiness assessments through a C3PAO perspective.

With the implementation of the 32 CFR Part 170 rule on December 16, 2024, Cybersecurity Maturity Model Certification (CMMC) Level 2 certification assessments with CMMC Third Party Assessment Organizations (C3PAOs) are fully underway.

As one of the largest and earliest Authorized C3PAOs, our CMMC Assessment team at Forvis Mazars has significant experience with complex assessments as well as assessments of small and medium-sized environments.

As in our previous FAQs for government contractors, the responses below address questions we regularly hear from national and global contractors regarding CMMC readiness assessments.

1. Do I need to undergo a Level 2 assessment with a C3PAO, or can I conduct a self-assessment?

Level 1 requires a self-assessment. Level 2 is bifurcated: depending on the contract, it requires either a self-assessment or a certification assessment by a C3PAO. Any prime or subcontractor on a U.S. Department of Defense (DOD) contract needs at least a Level 1 self-assessment to protect Federal Contract Information (FCI). If your organization transmits, processes, or stores Controlled Unclassified Information (CUI), it will be required to meet Level 2, which means implementing the 110 security requirements of NIST SP 800-171.

It is not yet clear which contracts will permit a Level 2 self-assessment instead of a C3PAO Level 2 assessment, so we encourage working toward the C3PAO assessment. Beyond the uncertainty about upcoming contractual requirements, we are seeing prime contractors require their supply chains to obtain Level 2 with a C3PAO to validate full compliance ahead of any DOD solicitations that may come down the road. Achieving Level 2 with a C3PAO also demonstrates early commitment to DOD requirements and to cybersecurity best practices.

2. How long does a CMMC Level 2 assessment generally take?

The assessment process typically takes six to eight weeks for the average organization, from the initial kickoff call to issuance of the final deliverable. The engagement begins with a readiness review period in which we review your system security plan (SSP) to understand how the controls in your environment meet each of the 110 requirements of NIST SP 800-171.

Then there is a week for the assessment itself, which may or may not include an onsite component (depending on whether you handle physical CUI). That is the most time-intensive week for contractors, as we meet with the control owners for all 110 requirements and walk through the operation of the technology and processes documented in the SSP. We schedule these sessions well in advance, grouped by control family, to be conscious of your team's time and availability.

3. What does your backlog for assessments look like?

As one of the earliest and largest Authorized C3PAOs, our firm has invested significantly in its CMMC capabilities and continues to scale to anticipated demand. While many C3PAOs rely on contract Certified CMMC Assessors (CCAs), we already have a large team of full-time CCAs and continue training and credentialing new assessors. We have pockets of availability throughout this year and work hard to accommodate our clients' desired timelines.

4. What if I undergo an assessment with a C3PAO but don’t achieve a perfect score of 110? What are my options?

The CMMC framework does permit plans of action and milestones (POAMs) for certain requirements that are found "not met" during the initial assessment, but eligibility is narrow. Each of the 110 requirements carries a weight of one, three, or five points, and the score is 110 minus the weights of the requirements not met. As a general rule, only one-point requirements can be placed on a POAM; failing a three- or five-point requirement results in a failed assessment. In addition, a total score of at least 88 (80%) must be achieved at the end of the initial assessment for the organization to be eligible to use POAMs at all. The rule also carves out a small number of exceptions to the weight-based rule, so confirm POAM eligibility for a specific requirement against 32 CFR Part 170 rather than relying on its point value alone.

If the initial score is at least 88 but below 110 and every open item is POAM-eligible, the C3PAO issues a Conditional Level 2 Certificate of Status. The contractor then has 180 days to remediate the deficiencies and schedule a POAM closeout assessment with the C3PAO. If all deficiencies are sufficiently remediated to bring the score to 110, the C3PAO issues a Final Level 2 Certificate of Status. Keep in mind that the POAM closeout assessment is a delta assessment of only the requirements that initially failed, not a new assessment of all 110 requirements. If the POAM is not closed out within the 180-day window, the conditional status expires and a new assessment is required.

5. What are some of the most important considerations to have when selecting a C3PAO?

The C3PAO role is essential to CMMC assessment success, and finding the right fit for your organization is of the utmost importance. Industry reputation is key: make sure your C3PAO is well established and has experience with organizations of your size, in your industry, and with the technologies you use in your environment. It is also important to study their approach to and project management of the assessment process. Are their milestones clear and reasonable? Are you communicating with the individuals who will actually be on your assessment team, or will there be completely new faces at assessment time?

6. Do I need to be preparing for CMMC Level 3?

Level 3 is reserved for highly sensitive programs. It builds on Level 2 with additional requirements drawn from NIST SP 800-172, and a Final Level 2 certification from a C3PAO is a prerequisite. Level 3 assessments are expected to be extremely limited and are conducted by the DOD's Defense Contract Management Agency (DCMA) through its Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by a C3PAO. Although Level 3 assessments are not yet underway, the requirement, when it applies, will be stated in the DOD solicitation and contract. Consider the nature of your business and the sensitivity of the CUI you handle to gauge whether Level 3 is likely to be required of you.

7. Do I need to be preparing for Revision 3 of NIST SP 800-171?

Level 2 assessments are currently conducted against Revision 2 of NIST SP 800-171, which is the version written into the 32 CFR Part 170 rule, but DOD has indicated it will issue future rulemaking to move the standard to Revision 3. Revision 3 introduces new and amended requirements and is expected to require additional effort from contractors, which is why DOD delayed incorporating it into the CMMC framework.

DOD leadership has frequently stated that it expects to implement Revision 3 within 12 to 18 months of this publication date. If you are currently preparing for CMMC, consider a gap assessment against Revision 3 and begin working toward implementation. If you complete an assessment before the new rulemaking takes effect, you may be able to defer implementing the Revision 3 requirements until your next certification assessment, since the CMMC Level 2 certification life cycle is three years.

Conclusion

CMMC assessments are complex and take time and attention to detail. Our team is ready to assist with questions and requirements for both complex and small to midsize organization assessments. As one of the largest and earliest Authorized C3PAOs, our professionals bring deep industry knowledge to help you through these challenging processes.

If you have any questions related to this CMMC guidance, please reach out to a professional at Forvis Mazars.

The FAQs provided are for general informational purposes only and are not intended to be legal advice.
