Getting CMMC Certified in Baltimore, Maryland (MD)
The Cybersecurity Maturity Model Certification (CMMC), developed by the Defense Department (DoD), is a modern standard that leverages the National Institute of Standards and Technology’s (NIST SP 800-171) Special Publication 800-171 – Securing Confidential Unclassified Information (CUI) in Nonfederal Networks and Organizations. CMMC is an instrument based on NIST SP 800-171, focused on five specific standards of integrity requirements, to introduce a tiered method to verify conformity for DoD contracts.
A CMMC evaluation is a compulsory component to conduct business with the Defense Department that requires RFPs and RFIs for companies vying for a contract or contractor status. DoD departments are set to comply with NIST 800-171 as of January 2018. Past versions of the DoD regulations recognized as the Defense Federal Procurement Regulation Supplement (DFARS) were put in place to assist DoD companies in performing self-assessments to apply for government contracts, but have been considered challenging to implement.
Federal agencies may partner with accredited third-party organizations (3PAOs) to obtain a CMMC assessment and receive a competency level, based on the opportunity to show the necessary capability. There are five rates of performance for CMMC that evaluators may use. Five processes are also used and essential for calculating device problems through the 5 maturity levels.
How much does the certificate cost?
The cost of a CMMC assessment would depend on several factors including the CMMC’s level you are applying for, the scale of the organization’s DIB network, and other business influences. That said, the certification cost would be considered to be an acceptable, reimbursable investment and not a prohibitive one. Keep in mind though that if the company is not approved you would be excluded from CMMC contracts. Consult with your tax advisor to cover expenditures.
Can I still self-assess?
Unfortunately not – that ‘s what the current process is doing away with. Defense contractors used to claim that their security measures would have been effective – but they were generally not. In the future, only auditors who have been qualified and been certified by CMMC AB can provide CMMC Certification. CMMC assessments will be conducted by both third party evaluation organizations (C3PAOs) and independent evaluators certified by CMMC AB. However, contractors have been strongly advised to conduct a self-assessment before preparing their CMMC review – this is the audit readiness phase with which we can also support here at ISO Pros.
Who has access to the results and how often do we need to reassess?
The findings of a CMMC audit are not considered public. The only information available to the public is that the organization has CMMC certification. The maturity level of certification is also never going to become available. However, the DoD will be able to access the levels of all DIB companies. There is a 3-year validation period of the CMMC certification.
When does it take effect?
On January 31, 2020, the DoD launched version 1.0 of the CMMC Prototype to the public and has already submitted an extension to fix the technical problems in the initial update. The CMMC System v1.02 update contains a number of resolved errata as well as a more open edition of the software (i.e. Excel tabular format).