.jpg?ext=.jpg)
Since November 2021, the Cybersecurity Maturity Model Certification (CMMC) has been a hot topic among contactors, suppliers, and cybersecurity experts. Finally, after seven years of rulemaking, CMMC went into effect on December 16, 2024. As an authorized C3PAO, Smithers has begun conducting assessments for companies voluntarily seeking certification now. Once 48 CFR is published, contracts will begin to mandate CMMC compliance and all C3PAO companies will be inundated with assessment requests.
The Relationship Between DFARS, NIST, and CMMC
In 2016, the Defense Federal Acquisition Regulation Supplement (DFARS) was updated, which is really where the history of CMMC begins. The update required all DoD contractors and their sub-contractors to self-assess against meeting the cybersecurity requirements of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In 2019, DFARS was updated again. This update included the requirement for the Cybersecurity Maturity Model Certification supported by a tri-annual independent assessment. Department of Defense (DoD) contractors and their sub-contractors handling controlled unclassified information (CUI) were given five years to implement these changes
Also in 2019, the CMMC-Accreditation Body (CyberAB) was established as a joint venture between Carnegie Mellon University, The Johns Hopkins University Applied, Physics Laboratory LLC, and Futures, Inc. The Cybersecurity Maturity Model Certification Accreditation Body oversees the program under a no cost contract. The program is currently overseen by the DOD CIO office. CMMC-AB released the first draft of CMMC 1.0 in that same year on the credentials required for independent assessors and how to conduct the assessments for DoD contractors.
In November 2021, the DoD paused CMMC 1.0 based on public comments. It began the process of evaluating and and updating the DFARS rules for the independent assessments with the release of CMMC 2.0. CMMC 2.0 covered several critical changes, including the removal of the CMMC maturity processes, alignment to the NIST SP 800-171 security controls for the body of the assessment, and the reduction of CMMC levels from five to three. Lastly, the governing body was renamed Cyber-AB to reduce confusion between the CMMC requirements of the DoD and the Cyber-AB’s role as certifying organizations and auditors to conduct CMMC assessments.
Keep in mind that none of these events impact the existing requirement under DFARS 252.204-7012, requiring contractors and their sub-contractors handling CUI to ensure they are compliant with the 110 controls and 320 objective statements of the NIST SP 800-171.
Not Sure if You Need CMMC?
If you are not sure you needed to read this far, check out our post on who needs CMMC. It offers a guide so you can tell if you need to comply or not. If you have any questions let us know!
- ISO 27001
- Certified Companies Information
- CMMC
- What is NIST SP 800-171
- Integrated Management System Audit and Certification Services
- Smithers Quality Assessments Client Portal: Beyond Audit Management Software
- Tailored Account Services
- AS9100 Audit and Certification Services
- AS9110 Certification and Auditing Services
- AS9120 Certification and Auditing Services
- IATF 16949 Audit and Certification Services
- ISO 9001 Audit and Certification Services
- ISO 13485 Audit and Certification Services
- ISO 14001 Audit and Certification Services
- ISO 45001 Audit and Certification Services
- SN 9001:2016 Audit Certification
- Internal Auditing Services
- Supplier Solutions
- Certified Companies Information
- File a Complaint or Appeal
Follow us on LinkedIn
How to Become CMMC Certified
The first step, naturally, is to begin your compliance journey by making sure you are in compliance with all NIST SP 800-171r2 controls. There are 110 total. Remember, looking at 800-171 by itself is not enough. You also need to review NIST SP 800-171a, which contains all of the assessment objectives. If you use a cloud environment or cloud-based services, there are other considerations to add to your process. A key focus for CMMC certification is not just checking off controls you have met, but also having all documentation tied to that control readily available.Once you feel you are assessment-ready, it is time to select a C3PAO. There are under 100 C3PAO companies currently, so there are plenty of choices. Smithers can provide experience that is the result of more than thirty years of auditing against standards like ISO 9001 and AS9100, which can be beneficial for several reasons.
No matter who you select as your authorized C3PAO, Smithers suggests you begin your relationship approximately 12 months before your assessment. Not only will this help you reserve a time slot on the C3PAO's calendar, but it will also give the C3PAO time to learn about your organization and cybersecurity infrastructure, understand your scoping, and more.
At Smithers, we like to begin a relationship with an introductory meeting where we meet your team, answer your questions, and understand what you need and by when. After this relationship and after we receive your official RFQ document, we can proceed with sending you a quote for our services. We always promise that our pricing structure will be transparent. Your quote will be customized per our conversations and will be explained line by line.