What to Expect for CMMC 2.0 Assessments

So now you have put in all the work to meet the requirements of CMMC 2.0 level 1, 2, or 3, but what’s next? Once the rules are finalized and being implemented, companies will need to be able to certify that they are meeting the requirements of their desired level so they can continue to pursue Department of Defense (DoD) contracts. I will note again that since the rulemaking isn’t finalized, these requirements can change, but we do have a good idea of what they will look like. There will be three different assessment approaches depending on the CMMC level.

Level 1

All level 1 certifications will be based on annual self-assessments. Companies will perform scoring of their security posture as it relates to CMMC level1, and report it on the DoD’s Supplier Performance Risk System (SPRS). The SPRS will be the storage location for all three levels of CMMC, however, only the self assessments will need to be reported by companies directly. This process will likely be able to become a fairly routine process after the first year. All companies will just need to keep in mind the need to make sure all processes are continuously documented as required. 

Level 2

For some companies being certified at level 2, the self assessment process will apply with all the enhanced requirements. However, for many this is where outside parties will absolutely be required. Even if these companies used outside assistance to get ready for level 2, they will need to arrange for certification approval through special 3rd parties referred to as Certified 3rd Party Assessment Organizations (C3PAOs). These are organizations that have gone through their own certification process to be approved to assess companies pursuing level 2 certification. In the link above, you can see that there are currently 57 approved organizations, although there will likely be many more added to the list over the next few years. These 3rd party assessments will be required every 3 years.

Exact processes of C3PAO certification will likely vary from one organization to another, but regardless of approach, all will have some form of extensive interview process to score companies on their level of compliance. This may be done in person, virtually, or through some combination of both. It should also be noted that some CMMC requirements will be allowed to be a part of a Plan of Actions and Milestone (POA&M), where companies are allowed to work toward meeting requirements while still pursuing contracts, but some requirements will be considered mandatory first.

Level 3

Finally, we are once again at the strange land of CMMC level 3 requirements. This time though, it appears that as far as the assessment process goes, the level 3 requirements will be fairly similar to those of level two. There will still need to be an assessment by a 3rd party every 3 years, just with the difference of the 3rd party being Federal Government agents. Companies can likely expect there to be similar variability in exactly how the assessments are conducted as in level two.

That brings us to the end of this week’s dive into all things CMMC. Coming up in future installments, we will discuss tips for how to navigate and prepare for all of the new documentation that could come from these new requirements.

See us next week