The CMMC assessment process varies depending on which level of certification is required. CMMC Level 1 and non-critical Level 2 assessments are less rigorous compared to critical Level 2 assessments. Level 3 assessments are the most rigorous and led by government officials.
Here’s an overview of the assessment process for each CMMC level.
CMMC Assessments
When it comes to achieving CMMC 2.0 certification, understanding the different types of assessments is key to navigating the process successfully. Each assessment type corresponds to the level of certification your organization is seeking, with varying degrees of rigor and oversight.
Whether you're preparing for a self-assessment, a third-party assessment, or a government-led evaluation, knowing what to expect can help you better prepare and ensure your cybersecurity practices meet the required standards.
In this section, we'll explore the different types of CMMC assessments, what they entail, and how they fit into your overall compliance strategy.
Self-assessment
Frequency: Every year
Applicable to: Level 1 and some Level 2 contractors that manage CUI that is not critical to national security
What It Involves: Organizations pursuing Level 1 certification or non-critical Level 2 certifications can perform self-assessments. This process requires an internal review of your cybersecurity practices, ensuring they align with the necessary controls and processes outlined in the CMMC framework.
A self-assessment team must have the required knowledge and expertise about CMMC Level 1 requirements and your organization’s security posture to conduct this assessment. They can use self-assessment tools provided by the DoD Chief Information Officer, including scoping and self-assessment guidance, to inform their evaluation. During their assessment, the team will review the System Security Plan (SSP), which outlines the specific security controls and practices the organization has implemented, and document whether each Level 1 requirement is fully, partially, or not implemented. Critical requirements will need to be remediated immediately before continuing. Any other requirements that are not fully implemented must be documented in a Plan of Action and Milestones (POA&M). This document will outline the specific steps, owners, and deadlines for completing remediation actions.
Once the self-assessment is complete, a senior official must provide a letter of attestation certifying that the self-assessment was thorough and that the organization satisfies the CMMC Level 1 requirements.
The organization must then submit the self-assessment and affirmation in the Supplier Performance Risk System (SPRS). This generates a score ranging from -203 to 110 based on the assessment results, which helps the DoD gauge risk and award contracts.
How to Prepare: Self-assessments require rigor and transparency. You'll need to document your practices, conduct internal audits, and have a senior company official affirm compliance annually and submit your SPRS score to the DoD.
Third-party assessments
Frequency: Every three years
Applicable to: Level 2 contractors that manage CUI that is critical to national security
What It Involves: For critical Level 2 certifications, organizations must undergo an assessment conducted by a certified Third-Party Assessment Organization (C3PAO) triennially. Organizations must choose a C3PAO from the list of authorized assessment organizations provided by the Cyber-AB.
These assessments are more comprehensive than self-assessments and involve a detailed review of your cybersecurity practices and documentation, including an SSP and POA&M as well as other key documents like a risk mitigation plan, incident response and reporting plan, continuous monitoring plan, access control policy, configuration management plan, separation of duties matrix, and more.
After this review, the C3PAO may provide a report with preliminary feedback highlighting any issues or areas of concern uncovered by the assessment. If any Level 2 requirements were partially implemented or not implemented, this report will include recommended corrective actions. The C3PAO enters the assessment information electronically into the CMMC Enterprise Mission Assurance Support Service (eMASS), which then transmits the assessment results into SPRS. The C3PAO then submits the final report, along with the SPRS score, to the Cyber-AB for review and the final certification decision.
If deemed compliant, the organization receives the CMMC certification for the assessed level, which is valid for three years. During those three years, organizations must continue to monitor and improve their cybersecurity practices by maintaining their POA&M.
Additionally, a senior official from the organization must affirm continuing compliance with the specified security requirements after every third-party assessment and annually thereafter. Affirmations are entered electronically in SPRS.
How to Prepare: Preparing for a third-party assessment involves conducting thorough internal audits, gathering necessary evidence, and ensuring that your cybersecurity practices are fully documented and compliant with the CMMC 2.0 Level 2 requirements.
Government-led assessment
Frequency: Every three years
Applicable to: Level 3 contractors
Note: The DoD is still developing the requirements for government-led assessments, and these are expected to be released with the final rule. The information below is from the proposed rule the DoD submitted for comment in December 2023.
What It Involves: Organizations seeking Level 3 certification, which involves handling the most sensitive DoD information, will be subject to assessments led by government officials. These assessments are the most rigorous and require extensive documentation and implementation of advanced cybersecurity measures.
Organizations seeking this certification level must coordinate with the Department of Defense’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for a government-led assessment. This process typically begins with a pre-assessment meeting to discuss scope, timing, and process.
Like C3PAOs, government assessors will review key documentation, such as the SSP and POA&M. They will also conduct on-site evaluations including interviews and technical testing, and examine evidence like logs and configurations to verify control effectiveness.
Also like a C3PAO, government assessors may provide a preliminary report so that deficiencies can be addressed before the final report is submitted to the Cyber-AB for the certification decision; the resulting certification is valid for three years. To maintain compliance, organizations must continuously monitor their systems, update their POA&M, and keep their policies current.
The DoD assessor enters the assessment information electronically into eMASS, which then transmits the assessment results into SPRS. A senior official from the organization must affirm continuing compliance with the specified security requirements after every DoD assessment and annually thereafter. Affirmations are entered electronically in SPRS.
How to Prepare: Preparation for a government-led assessment is intensive. Your organization must demonstrate a robust cybersecurity posture, supported by comprehensive documentation, advanced threat detection and response capabilities, and a track record of compliance with stringent security standards.
FAQs
What is a CMMC assessment?
A CMMC assessment is a formal evaluation of an organization's cybersecurity practices to determine whether they meet the requirements for their designated CMMC level.
What type of CMMC assessment do I need?
The type of CMMC assessment you need depends on the level of certification required:
- CMMC Level 1: Requires an annual self-assessment by the organization. This is for companies that handle Federal Contract Information (FCI).
- CMMC Level 2: For organizations dealing with Controlled Unclassified Information (CUI), a third-party assessment by a C3PAO is required unless the contract allows for self-assessment under certain conditions.
- CMMC Level 3 (being finalized): Will require government-led assessments for high-stakes contracts with more stringent security needs.
You should verify the assessment type by reviewing your DoD contract or consulting with a contracting officer.
Can CMMC Level 2 contractors self-assess?
CMMC Level 2 contractors can self-assess in some cases. Under CMMC 2.0, the self-assessment option is available for non-prioritized acquisitions, meaning that organizations working with CUI on lower-risk contracts can conduct annual self-assessments. However, for prioritized acquisitions or contracts deemed high risk by the DoD, a third-party assessment conducted by a C3PAO is required. The contract or DoD agency will specify if a self-assessment or third-party assessment is applicable.