How Does an Organization Achieve a CMMC Certification?
Many organizations want to understand how they can pursue a CMMC certification. They're really interested in the standard or they know it's very important to their line of business. And today we're going to talk about the ways that CMMC certification can happen right now. And what we expect in the future.
Hi, I'm Marci Womack, I'm the federal services practice leader here at Schellman. We've been performing federal assessment services for about 10 years, and we do over a hundred of these annually.
So as most of you know, because you're watching this video, CMMC has been a roller coaster over the last couple of years. Many questions that we get is:
- How can an organization be assessed right now?
- How can they be certified?
- What's the current state?
So right now CMMC is not a certifiable or assessable standard because it's going through that rulemaking process. And so what that means for you and for us as a CMMC C3PAO and as an assessment organization is we are assessing organizations under the joint surveillance program. And this program was announced by the Department of Defense and the Cyber AB to allow organizations an opportunity to go through the assessment process while rulemaking is ongoing. And prior to this, the finalization of the standard and integration into that, into DFARS. And so within that joint surveillance program, it is a joint surveillance assessment between the C3PAO, so Schellman in this case, as well as the Department of Defense. So it's going to be the DCMA DIBCAC team.
Lots of acronyms, I know.
Schellman (or the C3PAO) is going to be doing the NIST 800-171 part of the assessment (you'll see I didn't say CMMC) and the DoD is going to be looking at the remainder of those DFARS 7012 clauses. That's because this is essentially a DIBCAC high assessment. So historically, the DIBCAC team has gone out and they have performed these assessments for organizations, and now we're doing that in a joint manner.
The idea is that when CMMC rulemaking is complete, these joint surveillance assessments, the successful ones, can then be essentially converted to a CMMC level 2 certification. Of course, this is dependent on rulemaking, but that is the intent and that's also kind of the justification for organizations going through assessment now.
So I've talked a lot about the joint surveillance assessments and what's happening right now. In the future, once rulemaking is complete, joint surveillance assessments will stop occurring and we will start performing the actual CMMC certification assessments. There are many things organizations can be doing now to get ready.
If you have any questions about what you can be doing now or how you can prepare for assessment, go to our website, complete the contact us form, and a member of our team will be reaching out to you.
About Marci Womack
Marci Womack is a Director in Schellman’s Federal Practice overseeing both the emerging CMMC assessment program and the established FedRAMP assessment program. Marci also serves as the 3PAO (third party assessment organization) representative on the Federal Secure Cloud Advisory Committee (FSCAC). Prior to joining Schellman in 2016 as a senior associate, Marci worked as a federal contractor implementing and assessing federal cybersecurity programs, as well as an FFIEC/GLBA security controls assessor and consultant. Marci has over 10 years of information security experience across various industries and holds many key certifications, including CISSP, CISA, and CEH. Marci is also experienced in other frameworks, including StateRAMP, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).