Preparing for CMMC Assessments

Posted by Deltek on July 29, 2021

Preparing for CMMC Assessments

Preparation for Cybersecurity Maturity Model Certification (CMMC) is not showing any signs of slowing down. As the importance of cyber hygiene increases in priority throughout the government contracting industry, CMMC is going to become more prominent. The General Services Administration (GSA) is beginning to adapt the Department of Defense’s (DoD) CMMC protocols to civilian agencies and other federal agencies are planning on rolling it out into fiscal year 2022. In addition, Section 4 of the Cyberspace Solarium Commission report stresses the need for a national cyber certification program built on the foundation set by the DoD. You can see the CMMC affect across the federal government with current proposals to include cybersecurity ratings and scores in an update to the Sarbanes-Oxley (SOX) Act and the recent release of Executive Order 14028 to expand cybersecurity efforts beyond the DoD. While there are many details left to be finalized, the next several years will likely result in additional security requirements and a more mature posture for businesses.

In this blog, you’ll learn about the top priorities government businesses of all sizes need to know to maintain a competitive edge and get on track for assessment success.

Provisional Assessors & C3PAOs

CMMC provisional assessors will use the assessment program, an extension of the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 which is subject to the security protocols outlined in National Institute of Standards and Technology (NIST) SP 800-171, to evaluate whether contractors have the appropriate cybersecurity protocols in place to qualify to do business with the DoD. These provisional assessors can accredit organizations and help gain license through a CMMC Third-Party Assessor Organization (C3PAO).

The C3PAOs are entities containing at least two assessors to whom a license has been issued to engage with organizations seeking certification to complete their associated CMMC assessment. Since the C3PAOs themselves need to have the right security protocols in place to transmit information to the DoD database, they must be certified as CMMC Level 3 compliant at a minimum by the Defense Industrial Base Cybersecurity Assessment Center (DIB-CAC). The DoD plans to have more than enough assessors to handle the volume of contractors having gone through the first step of obtaining certification.

Contractors can find the list of assessors on the CMMC AB website, which includes the following regarding the provisional assessors: 

  • Who they are
  • Their registration with a C3PAO
  • Requirements that they must meet in order to be certified.

Considerations for Finding an Assessor

How well do they know your business? Select an assessor who has the experience and can understand what type of business or service you provide, since their main task is to look at your environment and provide feedback. Once there are qualified C3PAOs available to conduct assessments, consider several candidates to ensure you find one that presents the best match for your organization.

How comfortable are they with the technology you are using? Assessors that are familiar with the types of technology that your firm uses will streamline the assessment process.

Do your schedules align? Mutual availability between government contractors and assessors can be overlooked. However, aligning schedules is essential because CMMC certification is a requirement prior to contract award.

Resources in Preparing for Assessment

Businesses should consider their current security protocols against the anticipated CMMC level they seek to meet. If your company works with Controlled Unclassified Information (CUI), then it will be expected that you meet the cumulative requirements of CMMC Maturity Level 3, which contains controls designed to exceed NIST SP 800-171 requirements. The DoD provides resources to contractors seeking compliance, starting with the OSC CMMC website, which lists controls, including the source from which it is derived (e.g., NIST 800-171, NIST 800-53, ISO27001, etc.). Pay close attention to the assessment objectives. According to Matt Gilbert, provisional assessor with Baker Tilly: “What I will evaluate are the practices, but specifically the assessment objectives that are in the guides... So, it certainly behooves all contractors to spend a good amount of time reading those and being very familiar with those because that's going to be the focus of the assessment.” For small businesses, Project Spectrum can also be a key resource.

Getting CMMC Ready with Deltek

Deltek is prepared to support the industry and its CMMC requirements with key investments. For nearly 40 years, Deltek has provided financial and accounting compliance capabilities and solutions, and continually made greater investments in security, trust, privacy and compliance.

Deltek recently released the Costpoint GovCon Cloud Moderate (GCCM) offering which aligns with FedRAMP Moderate controls to allow storage of covered defense and controlled technical data as well as data subject to the International Traffic in Arms Regulations (ITAR). Deltek’s cloud offerings have been developed to align with NIST 800-171 standards for more than four years, and alignment with at least the CMMC Level 3 controls has been incorporated into our internal compliance and cloud security posture.

Also, Deltek helps the industry stay informed on some of these topics like CMMC and other cybersecurity trends. The GovWin IQ Federal Opportunities product allows users to search for opportunities that contain CMMC requirements, as well as the specific CMMC Level required for contractors that are bidding on that opportunity. GovWin IQ provides more insight and visibility into those opportunities that will have very specific requirements around CMMC. As part of the GovWin IQ market analysis and information services solution, new content and resources are constantly released and refreshed, providing key analysis of DoD initiatives, plus insight into how companies are responding (or should be responding).

Want to learn more? Check out this blog for more information on Deltek’s Costpoint GovCon Cloud Moderate offering, and discover how Deltek can support your compliance requirements.


Understanding CMMC Compliance

Basics & Best Practices

Get the Guide