The CMMC Accreditation Body (CMMC-AB) is an independent nonprofit organization formed by the industry, for the industry. The CMMC-AB is not part of the DoD or the US government by design. The CMMC-AB was designed to be run by an independent board of directors, to ensure the CMMC business model is mindful of any potential impact to small and midsize businesses that are relied upon by the DoD.
The initial governance architecture and business model were designed through committees with representatives from across industries and academia. The CMMC-AB continues to engage the industry through working groups for continued feedback and was designed to be a listening organization that welcomes feedback from industry advisory councils.
The CMMC-AB has a strong relationship with DoD, which oversees the CMMC framework, while the CMMC-AB manages the CMMC ecosystem. The DoD controls the CMMC model and sets minimum thresholds for acceptable CMMC assessments. The DoD can also impose at its option additional cybersecurity requirements outside of the CMMC ecosystem. The DoD requires the implementation of CMMC requirements by contractors through DFARS and other contractual requirements.
The CMMC ecosystem is managed by CMMC-AB, which defines the ecosystem structure, entities, training, exam requirements, etc. It also creates additional refinements as necessary to ensure a strong CMMC ecosystem and provides feedback to DoD about the CMMC Model and documentation, to further refine and enhance the model.
The CMMC ecosystem consists of a marketplace that includes Service Provider Organizations and Individuals Performing Services. Service Provider Organizations consist of Registered Provider Organizations (RPOs), which are consulting companies that help contractors prepare for assessments but are not permitted to provide formal assessments, and Certified 3rd Party Assessment Organizations (C3PAOs), which are also considered Service Provider Organizations and can provide assessments or consulting services to contractors. However, an organization providing assessment readiness consulting services to a contractor cannot conduct a CMMC audit on that same organization.
Individuals Performing Services consist of Registered Practitioners (RPs) who are consultants that help contractors prepare for assessments, Certified Professionals (CPs) who are consultants that can participate on assessment teams, and Certified Assessors (CAs) who are consultants that lead formal assessments.
Contractors can visit the CMMC-AB service provider marketplace to find an RPO or C3PAO, who will then determine what level individuals need to engage with the contractor. Contractors can also prepare for an assessment by themselves without engaging with an RPO or C3PAO.
The purpose of a pre-assessment readiness review is to ensure the contractor has carefully cataloged the objective evidence necessary to demonstrate sufficient adoption of the practices and processes corresponding to the desired CMMC maturity level certification. The contractor can engage a consultant for a pre-assessment readiness review or perform it themselves. The pre-assessment readiness review collects two forms of objective evidence for each practice and process and provides a written description of how the objective evidence demonstrates satisfactory adoption of the corresponding practices and processes. It is important to note that falsifying or misrepresenting information from a self-assessment can be grounds for a False Claims Act action against the contractor.
However, during the initial provisional period, the process will be slightly different. During the provisional period, contractors register with CMMC-AB and indicate if they are requesting certification or are in need of certification due to actively responding to a DoD solicitation requiring CMMC certification as a condition of award. The CMMC-AB then validates need where appropriate and will prioritize those pursuing an active solicitation that requires CMMC. The CMMC-AB will manage pairing contractors with C3PAOs only during the provisional period.
After the provisional period, the process will be different, as the CMMC-AB will no longer be managing the pairing of contractors and C3PAOs. Contractors can find a C3PAO using any desired method, including visiting the CMMC-AB marketplace. Contractors are encouraged to validate with the CMMC-AB that a C3PAO is in good standing prior to engaging with them.
The contractor will define the scope with the C3PAO lead assessor based on FCI/CUI location and the target maturity level. The pre-assessment readiness should determine what is in or out of scope. The scope must include all equipment on the network where FCI/CUI is stored as well as physical copies. The CMMC-AB charges the C3PAO a fee at the beginning of the assessment, and the CMMC-AB charges the contractor a fee if the certification is awarded. However, the CMMC-AB does not set pricing between contractors and C3PAOs.
Once the contractor and C3PAO enter into a contract, the C3PAO registers the assessment with the CMMC-AB and obtains an Assessment ID. This ID will be used to track the assessment throughout the process. The lead assessor will develop an assessment plan defining roles and responsibilities, as well as what objective evidence needs to be collected. The assessor will not need access to CUI/FCI except any that may contain objective evidence. The assessor will need to be able to walk the floors of the facility that are in scope, as site visits are necessary to validate controls in the Physical Protection domain.
At the start of the assessment, the assessment team will provide an opening briefing to define the targeted maturity level for assessment, introduce the assessment team members, and describe the methods for collecting data as well as the assessment schedule. At the end of each day during the assessment, the assessment team will conduct a daily debrief with the contractor to discuss daily progress and ask any questions, identify the practices and processes that were reviewed and any “other than satisfied” areas that need to be re-examined, and discuss the next day’s schedule.
After the assessment is complete, the assessment team will generate recommended findings and provide a timeline for when the assessment results will be registered with CMMC-AB. If there are any findings that prevent certification, the contractor will have 90 days to remediate minor issues.
In addition, the C3PAO must agree that the issues are of a nature that can qualify for remediation. For example, missing policies will generally not qualify for remediation; just writing a policy does not demonstrate that the relevant practices and processes are integrated into the organization’s culture. Any remediation may require the assessors to return to the site to review again.
After any issues are remediated (where appropriate), the lead assessor finalizes the assessment report and submits it to the C3PAO. The C3PAO must then perform a quality assurance review of the assessment report and ensure that two forms of objective evidence are recorded for all relevant practices and processes and that any remediation that was necessary has been properly implemented. The C3PAO must concur with the findings of the assessment recommendation. Once the assessment report has been QA reviewed, the report and assessment results are submitted to the CMMC-AB by the C3PAO.
The CMMC-AB will receive the assessment report and recommendations. If certification is not recommended, the CMMC-AB will not complete a QA review. However, if certification is recommended, then the CMMC-AB will perform an independent QA review. If the review confirms that the assessment report is sufficient, then the CMMC-AB will issue a certification to the contractor, which will be valid for 3 years. If the QA review determines that the assessment is not sufficient, then CMMC-AB will notify the contractor and C3PAO and provide details on why the certification is not being issued.
Contractors can then dispute the CMMC-AB’s findings if they feel that the assessment team or C3PAO misinterpreted CMMC practices, displayed an ethical lapse, made egregious errors, or committed malfeasance in their duty to perform a professional and unbiased assessment. The contractor has 14 days from the completion of their assessment to file the dispute with the CMMC-AB, and all disputes will be completed and resolved within 90 days.
When a contractor submits an adjudication request, the CMMC-AB will conduct a preliminary evaluation. If it is determined that the certification should have been granted, then CMMC-AB will issue revised assessment results.
However, if it is determined that the assessment results are valid, the contractor has the opportunity to request a secondary evaluation. The CMMC-AB will then conduct a secondary evaluation in the form of a “delta assessment” covering only the areas that are being disputed, at a cost to the contractor. The CMMC-AB quality staff will then evaluate the results of the second evaluation and determine the final results.
During the assessment, the assessment team cannot provide consulting advice, recommendations, etc. including minor changes that may benefit the contractor during the assessment. The assessment team conducts interviews in private and develops notes which are confidential. The assessment team can also leverage virtual components, such as screen sharing, videoconferences, etc., to conduct their review.
For the above reasons, it is critical for contractors to start preparing for their CMMC assessment now. The DoD’s phased approach gives contractors a chance to address any potential shortcomings in their systems in advance of a formal assessment. Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). We’re happy to answer any questions about the CMMC process or help you plan the steps you need to take in order to qualify. Our team is happy to talk through the steps your particular company should take in the CMMC process, or get started on your certification.