CMMC Assessments

Frequently Asked Questions

How does my company become a C3PAO?

Interested organizations should reference the CMMC-AB website for additional information on becoming a candidate C3PAO.


How frequently will assessments be required?

Once CMMC 2.0 is implemented, self-assessments, associated with Level 1 and a subset of Level 2 programs, will be required on an annual basis. Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs, will be required on a triennial basis.


Who will perform third-party CMMC assessments?

Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized and accredited C3PAO or certified CMMC Assessor, and C3PAOs shall use only certified CMMC assessors for the conduct of CMMC assessments.


Will my organization need to be certified if it does not handle CUI?

DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.



Will the results of my assessment be public? Will the DoD see my results?

Once CMMC 2.0 is fully implemented, the DoD will have access to information and data relating to a company’s assessment, to include the assessment results and final report. The DoD will store all self-assessment results on SPRS. CMMC certificates and the associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. CMMC eMASS will automatically post a copy of a company’s CMMC certificate to the Supplier Performance Risk System (SPRS). The detailed results of a CMMC assessment will not be made public.

If a company voluntarily chooses to obtain a CMMC assessment and certification from a third-party assessment organization in the absence of a contractual requirement, the company must provide written consent to allow DoD access to or use of those assessment results. If a company consents to DoD access and use of data relating to the assessment, then DoD intends to store that information on eMASS.


How much will CMMC certification cost?

The CMMC assessment costs will depend upon several factors including the CMMC level, complexity of the DIB company’s unclassified network for the certification boundary, and market forces. DoD will develop a new cost estimate associated with CMMC 2.0 to account for the changes made to the program which will be published on the Federal Register as part of the rulemaking process.


What is the difference between a CMMC self-assessment and a basic assessment required as part of the DoD Assessment Methodology?

A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted; and a subset of companies that are required to protect CUI. The CMMC self-assessment should be completed using the CMMC Assessment Guide codified in 32 CFR for the appropriate CMMC level. A CMMC self-attestation is a representation that the offeror meets the requirements of the CMMC level required by the solicitation. The CMMC program will require an annual self-assessment and an annual affirmation by a senior company official.

A “Basic Assessment”, as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that -

  • Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);
  • Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and
  • Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.

Regular cybersecurity assessments of contractors provide the Department increased assurance that sensitive information shared with the defense industrial base (DIB) is adequately protected. CMMC 2.0 simplifies and increases accountability in the cybersecurity assessment process.

Overview of Assessments

CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Upon implementation of CMMC 2.0:

  • Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
  • Contractors managing information critical to national security (a subset of Level 2) will be required to undergo third-party assessments.
  • The highest priority, most critical defense programs (Level 3) will require government-led assessments.

Self-Assessments

The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks.

Likewise, a subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments.

Contractors will be required to conduct self-assessment on an annual basis, accompanied by an annual affirmation from a senior company official that the company is meeting requirements. The Department intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).

Third-Party Assessments

Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security.

The CMMC-AB will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on the CMMC-AB Marketplace. The DIB company will be fully responsible for obtaining the needed assessment and certification, to include coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will provide an assessment report to the DoD.

As part of the CMMC 2.0 implementation, the DoD will approve all CMMC-AB conflict of interest related policies that apply to the CMMC ecosystem. Additionally, the CMMC-AB must achieve compliance with the ISO/IEC 17011 standard prior to accrediting C3PAOs and a CAICO. Separately, C3PAOs will be required to comply with ISO/IEC 17020 and the CAICO will be required to comply with ISO/IEC 17024 requirements.

Government Assessments

The Department intends for Level 3 (“Expert”) cybersecurity requirements to be assessed by government officials. Assessment requirements are currently under development.

Key changes incorporated under the CMMC 2.0 framework


Assessments

CMMC 1.0


  • Required all DoD contractors to undergo third-party assessments for CMMC compliance

CMMC 2.0


  • Allows the majority of contractors, associated with Foundational/ Level 1 and a subset of Advanced/Level 2 programs, to perform annual self-assessments
  • A portion of the Advanced/Level 2 programs will require triennial third-party assessments
  • Expert / Level 3 programs will require triennial assessments conducted by government officials
Oversight of Assessment Ecosystem

CMMC 1.0


  • DoD reviewed CMMC-AB Conflict of Interest policies

CMMC 2.0


  • DoD will approve CMMC-AB’s Conflict of Interest policies