In July 2022, the Accreditation Body (“AB”) of the Cybersecurity Maturity Model Certification program (“CMMC”) released a 47-page CMMC Assessment Process guide (“CAP Guide”). The CAP Guide outlines the assessment process for contractors seeking a CMMC level 2 certification, which, as we discussed in earlier posts, is the required certification level for all contractors who expect to receive or store Controlled Unclassified Information (“CUI”).
The CAP Guide has been widely criticized by members of the Defense Industrial Base for being overly complicated and contrary to the Department of Defense’s (“DoD”) stated intention to reduce the complexity and cost of the CMMC program for small businesses. However, assuming it is adopted by the DoD, the CAP Guide includes helpful guidance for contractors that are beginning to prepare for their CMMC level 2 assessment.
First, the CAP Guide explains that CMMC level 2 assessments will be conducted by CMMC Third-Party Assessment Organizations (“C3PAOs”). Contractors can find “authorized” C3PAOs that are in good standing with the CMMC AB on the AB’s online marketplace. The CMMC AB will only accept assessments from authorized C3PAOs that are in good standing, so it is important to confirm authorization and standing status before beginning the assessment process.
Second, contractors must designate an Assessment Official (“AO”) and Point of Contact (“POC”) for the CMMC assessment. The AO should be the most senior representative of the contractor, who is directly and actively responsible for leading and managing the contractor’s CMMC assessment and who possesses decision-making authority for the contractor. The POC is an individual who provides daily coordination and liaison support between the contractor and the C3PAO assessment team. The CAP Guide makes clear that these individuals are critical for any CMMC level 2 assessment.
Third, contractors should make sure their assessment is properly scoped. The CAP Guide indicates that only those parts of the contractor that are performing DoD contracts and have access to CUI need to be assessed. While in some cases this could require the entire organization to be assessed, oftentimes only a subsidiary, division, or operating component of the contractor organization requires the assessment. At the same time, contractors must ensure that they do not exclude third-party resources from the assessment. Contractors should inform their C3PAOs of any third-party personnel, procedures, or technologies that the contractor relies on in performing its DoD contracts. By accurately scoping the assessment, contractors can be more confident in its results, while reducing the risk that they are over- or under-assessed.
Fourth, contractors should be prepared to negotiate. The CMMC AB does not expect all C3PAOs to offer the same assessment package at the same price. Instead, contractors and C3PAOs are given latitude as to how and when an assessment engagement is structured and executed, as well as to the specific terms and conditions of the contractual agreement, including pricing and payment considerations.
While the Defense Industrial Base is still waiting for final CMMC rules from DoD, contractors who will need a CMMC level 2 certification can begin taking these steps to ensure that they are ready for their assessment as soon as those rules are finalized.