Latest CMMC Updates to Help You Prepare

Posted by Deltek on November 2, 2020

CMMC Update

How prepared are you for Cybersecurity Maturity Model Certification (CMMC)? Review the latest updates and guidelines you will need to prepare for CMMC requests for proposal requirements and the corresponding assessments. 

What is CMMC?

Cybersecurity Maturation Model Certification is a combination of various cybersecurity standards and best practices. The model’s creation was supported by the Department of Defense (DoD) and built upon existing regulations where compliance is based on trust and a verification component. Most organizations receiving funding from the DoD will need to be certified to qualify for future Department acquisitions, with the potential exception for commercial items.

Access additional details on what to expect with the resource Cybersecurity Maturity Model Certification is Here.


Your CMMC Timeline: Expert Guidance for Today and Preparing for Tomorrow

Webinar featuring the Chief Information Security Officer for Acquisition and Sustainment to the Under Secretary of Defense for Acquisition and Sustainment

Access Now


Key CMMC Players

Assessors: Individuals who have successfully completed the background, training and examination requirements as outlined by the CMMC Accreditation Body (AB), and to whom a license has been issued. Assessors are not employed by the CMMC AB and may or may not be employed by the Certified Third Party Assessment Organization (C3PAO).

Certified Third Party Assessment Organization (C3PAO): An entity with which at least two assessors are associated and to which a license has been issued to engage with organizations seeking certification (OSC) to complete their associated CMMC assessment.

CMMC Accreditation Body (AB): The accreditation body that establishes and oversees a qualified, trained and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the CMMC program.

Organizations Seeking Certification (OSC): The organization that is going through the CMMC assessment process to receive a level of certification for a given environment.

CMMC Timeline Update

While COVID-19 did put a wrench in the original timeline released in January 2020, admirably, the DoD and CMMC AB have continued to push along with very few delays, staying on track. The first round of CMMC Provisional Assessors was selected and trained at the end of August 2020. Assessors are currently out in the field, and as of the end of September, there are interim rules in place, and the CMMC Assessment Guide from the CMMC AB should be coming out before December 1, 2020. As early as December, contractors will see requests for proposals with the inclusion of CMMC. The initial assessments are likely to be considered “provisional,” and there will be a grace period with a phased and structured timing. CMMC assessments will continue to increase in 2021.

What Assessment Levels Will You See First

Initially, contractors will see Level 1 through Level 3 assessments occurring during Fall/Winter 2020 into 2021. Level 1 is required for anyone handling federal contract information (FCI), and Level 3 is required for anyone handling controlled unclassified information (CUI).

CMMC Provisional Assessor, and Principal at Baker Tilly, Matt Gilbert, said during a recent webinar, “I don’t expect the Levels 4 and 5 to come out for some time, the way the assessors are trained and credentialed, an assessor would have to complete 15 Level 3 assessments prior to applying to become a level 5 assessor. I don’t think the DoD is going to be able to have any RFPs with a Level 4 and 5 requirements initially because there are no assessors who will be able to do those assessments. Initially, you will see levels 1 and 3.”

How to Accelerate Your CMMC

Organizations seek certification should consider a cloud offering with a vendor who can accelerate their CMMC needs and inherit their controls.

Key considerations when looking at a vendor for a cloud solution:

  • Do they have a strong government contractor client base?
  • National Institute of Standards and Technology (NIST) 800-171: Can they demonstrate that those practices that they will perform on your behalf meet the requirements?
  • Understand what your vendor plans are for CMMC, and what level they strive to be. It’s important to remember that Level 3 is required to store CUI with that vendor’s solution.
  • Does your vendor have plans to achieve Federal Risk and Authorization Management Program (FedRAMP) certification or have they already secured it?

What’s Next?

Discover even more about what is to come with CMMC on November 5, during the webinar Your CMMC Timeline: Expert Guidance for Today and Preparing for Tomorrow. Hear directly from Katie Arrington, Chief Information Security Officer for Acquisition and Sustainment (CISO(A&S)) to the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)), and Matt Gilbert, CMMC Provisional Assessor and Principal at Baker Tilly, as they review guidelines you need to know to prepare for CMMC.