10 Steps to CMMC Supplier Certification
The DoD finalized and released the CMMC requirements in late January 2020, and by 2025 all DoD suppliers must be CMMC certified. With five years to fully roll out, the Pentagon expects third-party assessors to certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023. However, even before the release of the first CMMC drafts, many companies were advertising their ability to get other vendors certified under CMMC. All companies seeking CMMC must understand that, to become certified, the engagement must start with a CMMC-AB (Accreditation Body) trained professional for guidance and preparation. The CMMC-AB maintains the CMMC-BOK (standards, practices, scenarios, learning objectives, etc.) and develops and delivers the certification exams. That training and those examinations are not yet in place. Companies claiming the ability to get other vendors certified can evaluate companies seeking certification against the model, but they are not authorized to issue certifications.
To provide clarity about the certification process and to protect companies seeking CMMC Certification, the CMMC-AB provided a road-map that lists 10 steps to obtain CMMC (Cybersecurity Maturity Model Certification). By following these steps, vendors can proactively prepare for the final implementation of CMMC standards across the DoD.
1. Understand CMMC requirements
2. Identify your scope: Enterprise, Organization Unit or Program Enclave
3. Identify the desired Maturity Level
4. Pre-assess using an RPO (Registered Provider Organization) or C3PAO (CMMC Third-Party Assessor Organization)
5. Close identified gaps
6. Find a C3PAO on the CMMC-AB Marketplace
7. Conduct the assessment with the C3PAO's Certified Assessment Team
8. Resolve any findings within 90 days
9. CMMC-AB reviews the submitted assessment
10. Upon approval, a 3-year certification is issued
The CMMC-AB recommends starting planning at least 6 months ahead of the anticipated certification start date. To get started, first identify the Maturity Level required to bid on the DoD contracts you are pursuing. After determining the desired Maturity Level, consult a CMMC-AB trained professional for guidance and preparation as needed.
An LTP (Licensed Training Provider) uses materials provided by an LPP (Licensed Partner Publisher), following CMMC-AB learning objectives, to deliver extensive training from Certified Instructors. Before receiving assessor certification, all candidates must first be certified as a CMMC Certified Professional. To be credentialed, all professionals must then pass a rigorous CMMC-AB exam and a background check, which may include a NAC clearance or similar for Level 3 and above.
To schedule and complete the assessment, go to the CMMC-AB Marketplace to find an available C3PAO (CMMC Third-Party Assessment Organization). All C3PAOs must adhere to a Code of Professional Conduct and be ISO 17021 certified. The C3PAO will schedule the assessment with a Certified Assessor.
The CMMC-AB reviews the assessment with Quality Auditors, and organizations seeking certification have up to 90 days to resolve any findings with the C3PAO before the assessment is finalized. Following the final successful assessment review by a CMMC-AB Quality Auditor, the CMMC Maturity Level Certificate is issued. The certificate is valid for 3 years, allowing the organization to bid on DoD contracts up to the identified Maturity Level.
As the DoD continues to fully implement the new CMMC requirements, vendors, assessors and trainers still have time to ensure they are ready to do business at the necessary level of certification. No matter the role, make sure your organization stays abreast of and prepared for changes affecting how business is done with the DoD. For the latest updates about CMMC and changes to certification requirements, visit the official CMMC website. For details about the pathway to CMMC accreditation, visit the CMMC Accreditation Body or email Key Cyber Solutions at firstname.lastname@example.org.