Smithers CMMC and Cybersecurity Resource Library
Have questions? Look for answers in our CMMC and Cybersecurity Resource Librayr!
.jpg?ext=.jpg)
Since November 2021, the Cybersecurity Maturity Model Certification (CMMC) has been a hot topic among contactors, suppliers, and cybersecurity experts. Finally, after seven years of rulemaking, CMMC went into effect on December 16, 2024. As an authorized C3PAO, Smithers has begun conducting assessments for companies voluntarily seeking certification now. Once 48 CFR is published, contracts will begin to mandate CMMC compliance and all C3PAO companies will be inundated with assessment requests.
How are DFARS, NIST, and CMMC Related?
In 2016, the Defense Federal Acquisition Regulation Supplement (DFARS) was updated, which is really where the history of CMMC begins. The update required all DoD contractors and their sub-contractors to self-assess against meeting the cybersecurity requirements of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In 2019, DFARS was updated again. This update included the requirement for the Cybersecurity Maturity Model Certification supported by a tri-annual independent assessment. Department of Defense (DoD) contractors and their sub-contractors handling controlled unclassified information (CUI) were given five years to implement these changes
Also in 2019, the CMMC-Accreditation Body (CyberAB) was established as a joint venture between Carnegie Mellon University, The Johns Hopkins University Applied, Physics Laboratory LLC, and Futures, Inc. The Cybersecurity Maturity Model Certification Accreditation Body oversees the program under a no cost contract. The program is currently overseen by the DOD CIO office. CMMC-AB released the first draft of CMMC 1.0 in that same year on the credentials required for independent assessors and how to conduct the assessments for DoD contractors.
In November 2021, the DoD paused CMMC 1.0 based on public comments. It began the process of evaluating and and updating the DFARS rules for the independent assessments with the release of CMMC 2.0. CMMC 2.0 covered several critical changes, including the removal of the CMMC maturity processes, alignment to the NIST SP 800-171 security controls for the body of the assessment, and the reduction of CMMC levels from five to three. Lastly, the governing body was renamed Cyber-AB to reduce confusion between the CMMC requirements of the DoD and the Cyber-AB’s role as certifying organizations and auditors to conduct CMMC assessments.
Keep in mind that none of these events impact the existing requirement under DFARS 252.204-7012, requiring contractors and their sub-contractors handling CUI to ensure they are compliant with the 110 controls and 320 objective statements of the NIST SP 800-171.
Do I Need CMMC?
If you are not sure you needed to read this far, check out our post on who needs CMMC. It offers a guide so you can tell if you need to comply or not. If you have any questions let us know!
- ISO 27001
- Certified Companies Information
- What is CMMC
- What is NIST SP 800-171
- Integrated Management System Audit and Certification Services
- Smithers Quality Assessments Client Portal: Beyond Audit Management Software
- Tailored Account Services
- AS9100 Audit and Certification Services
- AS9110 Certification and Auditing Services
- AS9120 Certification and Auditing Services
- IATF 16949 Audit and Certification Services
- ISO 9001 Audit and Certification Services
- ISO 13485 Audit and Certification Services
- ISO 14001 Audit and Certification Services
- ISO 45001 Audit and Certification Services
- SN 9001 Audit and Certification Services
- Internal Auditing Services
- Supplier Solutions
- Certified Companies Information
- File a Complaint or Appeal
How Do I Get CMMC Certified?
- Make sure you are compliant withall NIST SP 800-171r2 controls. There are 110 total.
- Once you feel you are assessment-ready, it is time to select a C3PAO. Smithers can provide experience that is the result of more than thirty years of auditing against standards like ISO 9001 and AS9100, which can be beneficial for several reasons.
- Begin your relationship with your C3PAO approximately 12 months before your assessment. Not only will this help you reserve a time slot on the C3PAO's calendar, but it will also give the C3PAO time to learn about your organization and cybersecurity infrastructure, understand your scoping, and more.
- Consider a pre-assessment or an internal assessment to gauge how ready you are for your final CMMC assessment
- Once you pass your CMMC assessment, your certification becomes official.
CMMC FAQs
What does CMMC Stand for?
CMMC stands for Cybersecurity Maturity Model Certification.
What is 32CFR and 48CFR?
32CFR and 48CFR are the two parts of the CMMC rule. Learn more about 32CFR.
What is SPRS? What is a SPRS score?
SPRS stands for Supplier Performance Risk System. It is where contractors have been entering their self-assessment scores against NIST SP 800-171 since 2018. Learn more about SPRS.