How does an organisation get certified?

The DoD has committed to working with a volunteer, third-party accreditation body—the CMMC-AB. The CMMC-AB is authorised by the DoD to be the sole authoritative source for the operationalisation of CMMC Assessments and Certifications.

Who will perform the CMMC assessments?

The CMMC-AB will train organisations to become CMMC Third Party Assessor Organisations (C3PAO), which will be delegated to assess DoD suppliers’ cybersecurity programs and certify that they have achieved a designated level of maturity. Additionally, the CMMC-AB has established a “CMMC Marketplace” on its website. Firms can register there to become a CMMC-AB Registered Provider Organisation (RPO) and will be listed in the marketplace. Individuals also can receive training to become CMMC-AB Registered Practitioners (RP).

What happens with my assessment results?

The DoD will have access to all CMMC certificates of DIB companies, which will be posted in both the CMMC Enterprise Mission Assurance Support Services (eMASS) database and the Supplier Performance Risk System (SPRS) database. Specific results of the CMMC assessment and the specific level of certification will not be made public; only the fact that the DIB company has achieved certification will be made public.

Is there a cost to obtain a CMMC?

There are many factors that determine total certification cost. The biggest factor is the current state and maturity level of an organisation’s cybersecurity program, compared to the CMMC level that needs to be achieved. Organisations will fare best if they have mature and robust cybersecurity programs that are well documented and subject to formalised policies and procedures, and have internal processes to validate their control compliance.

Organisations with large gaps between their current maturity levels and those required by the CMMC will need to apply more resources to close those gaps, including controls to maintain compliance as well as regular testing to assess the effectiveness of those controls.

There also is a cost for the CMMC-AB C3PAO services. The cost for these services will be considered allowable and may be included in the contract bid price. In some cases, the costs to implement CMMC requirements also may be included in the contract bid price, an exception that will be determined by the DoD on a contract-by-contract basis.

How will a DIB contractor know what level of CMMC certification is required for a specific contract?

The DoD will specify the required CMMC level certification in Requests for Information (RFIs) and Requests for Proposals (RFPs).

How can HKA help?

HKA is a CMMC-AB Registered Provider Organisation. Our CMMC-AB Registered Practitioners have significant experience assisting DIB contractors and subcontractors with cybersecurity and data privacy regulatory requirements and are well-versed in the CMMC requirements. HKA has helped many firms assess their current cybersecurity programs against CMMC requirements, identify gaps and areas for improvement, and develop and implement proven strategies for compliance. HKA also provides CMMC training for Executive and Senior Leaders; Cybersecurity and IT Professionals; Compliance, Risk, and Internal Audit Teams; and Contract Administration Teams.