CMMC 2.0 Compliance Assessment with a C3PAO: What to Expect

Posted by: Mariya Bouraima October 31, 2023 CMMC, Compliance

Background on CMMC 2.0 Compliance Assessment

In our recent webinar, we shared insights together with guest speakers from KLC Consulting, a certified CMMC 3rd Party Assessment Organization (C3PAO), about what to expect when going through a CMMC/NIST 800-171 compliance assessment and how to prepare for and pass it. 

With cyber threats and data breaches growing in volume, sophistication, and impact, ensuring cybersecurity within the Defense Industrial Base (DIB) has become paramount. The Department of Defense (DoD) has worked diligently to upgrade cybersecurity protocols by introducing the Cybersecurity Maturity Model Certification (CMMC).  

CMMC serves as a standardized set of security practices designed to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Initially introduced as CMMC 1.0, it was revised to CMMC 2.0, streamlining the standard by focusing on the effective implementation of the 110 security controls defined in National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171).

Latest CMMC 2.0 Timeline

The Department of Defense published the CMMC final rule (32 CFR) on October 15, 2024. It became effective on December 16, 2024. The DoD expects to publish the final DFARS rule (48 CFR), which will formally incorporate CMMC requirements into DoD contracts, in early 2025.

The DoD is rolling out CMMC 2.0 in phases. The first phase of the CMMC 2.0 timeline starts in early 2025, with CMMC requirements appearing in some contract solicitations. Contractors must demonstrate CMMC 2.0 compliance at the required CMMC level to qualify for these contract awards. The second phase begins a year later, expanding the scope of contracts requiring certification, particularly those involving CUI, which will need Level 2 certification. The third phase, commencing a year after Phase 2, introduces additional contracts, including those requiring Level 3 certification. The final phase, targeted for completion by 2028, will see full implementation across all applicable DoD contracts.

In the meantime, it’s important to check your contracts for the following Defense Federal Acquisition Regulation Supplement (DFARS) clauses:

  • 252.204-7012
  • 252.204-7019
  • 252.204-7020

DFARS 7019 requires the completion of a self-assessment and accurate reporting of your score on the DoD’s Supplier Performance Risk System (SPRS). If you’re not abiding by the regulation and/or reporting inaccurate scores, you subject yourself to adverse consequences, including being found in violation of the False Claims Act. You can read more about the False Claims Act and other implications of non-compliance with DFARS clauses here.  

What Is a C3PAO?

A C3PAO (Certified Third-Party Assessment Organization) is an independent organization authorized by the CMMC Accreditation Body (The Cyber AB) to conduct CMMC assessments of defense contractors and subcontractors. These organizations employ certified CMMC assessors who can evaluate whether companies meet the cybersecurity requirements specified in CMMC 2.0 across its various levels.

How a C3PAO CMMC 2.0 Mock Assessment Can Help

A mock assessment is an informal engagement to evaluate all of your NIST 800-171 practices as if it were a real CMMC third-party audit. The mock assessment includes detailed findings that describe weaknesses of your organization’s processes relative to the corresponding NIST 800-171 requirements, indicating whether practices would be rated as ‘met’ in a formal CMMC assessment. It also includes looking at the evidence of compliance that an organization provides, as well as testing team members to assess whether they understand the practices and procedures. A mock assessment is not an advisory service; it’s an unofficial, comprehensive exercise that mirrors the formal CMMC Assessment to help you determine your company’s readiness. 

What is the Joint Surveillance Voluntary Assessment Program (JSVA)? 

The Joint Surveillance Voluntary Assessment Program (JSVA) is a program offered by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in association with C3PAO companies. As part of this program, a CMMC C3PAO compliance assessment team is paired with a DIBCAC team to conduct a compliance assessment. The DoD expects a successful JSVA review will translate into a CMMC Maturity Level 2 (ML 2) certification issued by the participating C3PAO when the CMMC rulemaking takes effect.  

A mock C3PAO CMMC assessment is recommended before pursuing a certification or participating in the DoD’s Joint Surveillance Voluntary Assessment Program (JSVA) in order to give your company time to remediate gaps. Once the gaps identified in the mock assessment have been remediated, your company can work with a C3PAO company to schedule the JSVA. The same C3PAO can perform the mock assessment and the JSVA; there is no conflict of interest, provided the C3PAO is not involved in remediating any Plans of Action and Milestones (POA&Ms) identified in the compliance assessment.

What Does the JSVA Preparation Process Involve? 

To qualify for the JSVA, your company must be in an active DoD contract, whether as a prime or a subcontractor. First, you will select an authorized C3PAO company to perform your JSVA; this C3PAO will submit your JSVA request to The Cyber AB. The Cyber AB is the official accreditation body of the CMMC ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing CMMC conformance. Upon acceptance, the DIBCAC will contact you and add your company to the JSVA queue.

Your C3PAO assessment team will be paired with the DIBCAC to conduct a CMMC assessment. The C3PAO will meet with you to verify the scope of the audit (based in part on where CUI lives in your enterprise) and create a plan. DIBCAC and the C3PAO will ask for supporting evidence or artifacts as part of the process.   

Evidential artifacts may include the following:

  • System Security Plan (SSP)
  • Data Flow Diagram (DFD) that depicts the CUI boundary
  • Asset categorization diagram
  • Policies and plans for each of the 14 security domains in NIST 800-171
  • Applicable documented procedures and processes referenced in the SSP
  • Configuration items and organizational defined parameters
  • Customer responsibility matrix for inherited/assigned practices from cloud or managed service providers
  • Service Level Agreements (SLAs) for vendors providing services that involve CUI 

The JSVA typically takes five business days to cover everything from reviewing your company’s SSP to inspections and tests, examination of required documentation, and an out-brief. There will also be interviews and tests for all applicable practices and compliance assessment objectives for CMMC ML 2.

We hope this post has helped you understand the essential aspects of going through a CMMC/NIST 800-171 compliance assessment with a certified CMMC 3rd party assessment organization (C3PAO). We invite you to watch the recording and review the slide deck for more details about the JSVA and mock assessments.