The diagram above is the high-level process an Organization Seeking Compliance (OSC) will generally go thought in order to become CMMC Certified.
The Diagram is broken down into two major Phases:
- Consulting: All of the actions taken by the OSC and their team to get ready for a Conformity Assessment by a C3PAO
- Assessment: The steps taken during the actual Conformity Assessment
We recommend all OSC’s follow these steps.
During this step, the OSC compares themselves against the CMMC or NIST SP 800-171 Security Requirements. Per NIST SP 800-171A, this is a Basic level assessment. It is generally good enough to determine gaps and deficiencies for companies just starting their CMMC efforts. Advanced firms will need to evaluate themselves at the Assessment Objective level.
Coming out of the Self-Assessment step should be a list of all remediations that need to be done in order for an OSC to pass the Conformity Assessment. This typically involves changes technical architectures, deploying new software, and changing how business processes flow. This all needs to be accounted for in this phase before moving onto Planning.
Simply put, the goal of the Plan step is to generate the Plan Of Action & Milestones needed to come into compliance.
Remediate is where the POA&M is executed and efforts are taken to resolve the gaps and deficiencies identified in the Self-Assessment step.
It is critical to note here, this work is done at the Assessment Objective level for organizational-centric requirements and at the Assessment Objective to Each System in Scope level for system-centric controls.
Pre-Assessment Readiness Review
Pre-Assessment Readiness Review is the verification where each Assessment Objective is tested, documented, and approved before conformity is considered to be “met.”
Please note, the diagram jumps over the C3PAO selection process.
Assessment Readiness Review
Once an OSC has selected their C3PAO, the C3PAO designated Lead Assessor (LA) will conduct an Assessment Readiness review. The point of this review is to:
- Verify the OSC Certification and Assessment Boundary Scopes are consistent with what was accepted during the C3PAO Selection process
- Verify via a small Assessment Objective sampling that the OSC is ready for Focused Conformity Assessment at the Assessment Objective level for organizational-centric requirements and at the Assessment Objective to Each System in Scope level for system-centric controls.
The next step is to conduct the Conformity Assessment. Per NARA Information Security Oversight Office guidance, CMMC and NIST SP 800-171 formal assessments will be conducted at the Focused level. For more information on this, please see NIST SP 800-171A, Appendix D
Assessments where an OSC does not Conform
If an OSC is found to be non-conformant to one or more requirements, at the Lead Assessor’s discretion, the OSC can be approved to remediate the deficiency. The Lead Assessor can either allow the OSC to remediate during the Conformity Assessment or within 90 days of the conclusion of the Conformity Assessment.
Prior to the 90-day window the Lead Assessor will review the non-conformant requirements to determine if the OSC has resolved the issues. If the OSC has not resolved the issues for the Certification level, the Lead Assessor will submit the OSC to the CMMC-AB for Certification at the next lower level they are eligible for.
The C3PAO and Lead Assessor will submit their Conformity Assessment report to the CMMC-AB for quality assurance reviews. If the CMMC-AB concurs and does not find any discrepancies, the CMMC-AB will certify the OSC at the appropriate level.
Conformity Assessment Support
During the Conformity Assessment, the OSC may want to have their CMMC certified professionals involved during the Conformity Assessment. This is allowed as long as the consultants do not answer on behalf of the OSC, except where they fulfill a role specified in in the CMMC Assessment Guide interviewee lists.