Gigit’s CMMC Readiness Services provide federal DoD prime and sub-prime contractors with detailed consulting and advice to help your company prepare for the CMMC Conformity Assessment process.
Through its acquisition of Peak InfoSec, Gigit can deliver CMMC 3rd Party Assessing Organization (C3PAO) services. Once the Defense Contract Management Agency (DCMA) completes our CMMC Level 3 Certification, we will be authorized to conduct CMMC Conformity Assessments up to Level 3.
Choosing your C3PAO
The diagram above is the high-level process an Organization Seeking Compliance (OSC) will generally go through in order to become CMMC Certified.
The diagram is broken down into two major phases:
Consulting: All of the actions taken by the OSC and their team to get ready for a Conformity Assessment by a C3PAO
Assessment: The steps taken during the actual Conformity Assessment
Please note, at this point the diagram describes components within the C3PAO selection and execution process.
Assessment Readiness Review
Once an OSC has selected its C3PAO, the C3PAO’s designated Lead Assessor (LA) will conduct an Assessment Readiness Review. The purpose of this review is to:
Verify that the OSC’s Certification and Assessment Boundary scopes are consistent with what was accepted during the C3PAO selection process
Verify, through a small sampling of Assessment Objectives, that the OSC is ready for a Focused Conformity Assessment at the Assessment Objective level for organizational-centric requirements and at the Assessment Objective to Each System in Scope level for system-centric controls.
Assessment
The next step is to conduct the Conformity Assessment. Per NARA Information Security Oversight Office guidance, CMMC and NIST SP 800-171 formal assessments will be conducted at the Focused level. For more information on this, see NIST SP 800-171A, Appendix D.
Assessments where an OSC does not Conform
If an OSC is found to be non-conformant with one or more requirements, the OSC may, at the Lead Assessor’s discretion, be approved to remediate the deficiency. The Lead Assessor can allow the OSC to remediate either during the Conformity Assessment or within 90 days of its conclusion.
Before the 90-day window closes, the Lead Assessor will review the non-conformant requirements to determine whether the OSC has resolved the issues. If the OSC has not resolved the issues for the Certification level sought, the Lead Assessor will submit the OSC to the CMMC-AB for Certification at the next lower level for which it is eligible.
Certification
The C3PAO and Lead Assessor will submit their Conformity Assessment report to the CMMC-AB for quality assurance review. If the CMMC-AB concurs and finds no discrepancies, the CMMC-AB will certify the OSC at the appropriate level.
Conformity Assessment Support
The OSC may want its CMMC certified professionals involved during the Conformity Assessment. This is allowed as long as the consultants do not answer on behalf of the OSC, except where they fulfill a role specified in the CMMC Assessment Guide interviewee lists.
Self-Assessment
During the Self-Assessment step, the OSC compares itself against the CMMC or NIST SP 800-171 Security Requirements. Per NIST SP 800-171A, this is a Basic level assessment. It is generally sufficient to determine gaps and deficiencies for companies just starting their CMMC efforts. Advanced firms will need to evaluate themselves at the Assessment Objective level.
Design
Coming out of the Self-Assessment step there should be a list of all remediations needed for the OSC to pass the Conformity Assessment. These typically involve changes to technical architecture, deployment of new software, and changes to how business processes flow. All of this must be accounted for in this phase before moving on to Planning.
Plan
Simply put, the Plan step’s goal is to generate the Plan of Action & Milestones (POA&M) needed to come into compliance.
Remediate
Remediate is where the POA&M is executed and the gaps and deficiencies identified in the Self-Assessment step are resolved.
It is critical to note that this work is done at the Assessment Objective level for organizational-centric requirements and at the Assessment Objective to Each System in Scope level for system-centric controls.
Pre-Assessment Readiness Review
The Pre-Assessment Readiness Review is the verification in which each Assessment Objective is tested, documented, and approved before conformity is considered “met.”