The diagram above is the high-level process an Organization Seeking Compliance (OSC) will generally go through in order to become CMMC Certified.
The diagram is broken down into two major phases:
We recommend that all OSCs follow these steps.
During this step, the OSC compares itself against the CMMC or NIST SP 800-171 security requirements. Per NIST SP 800-171A, this is a Basic-level assessment. It is generally sufficient to identify gaps and deficiencies for companies just starting their CMMC efforts; more advanced firms will need to evaluate themselves at the Assessment Objective level.
Coming out of the Self-Assessment step, there should be a list of all remediations that must be completed for the OSC to pass the Conformity Assessment. This typically involves changes to technical architectures, deployment of new software, and changes to how business processes flow. All of this needs to be accounted for in this phase before moving on to Planning.
Simply put, the goal of the Plan step is to generate the Plan of Action & Milestones (POA&M) needed to come into compliance.
Remediate is the step in which the POA&M is executed and efforts are made to resolve the gaps and deficiencies identified in the Self-Assessment step.
It is critical to note here that this work is done at the Assessment Objective level for organization-centric requirements and, for system-centric controls, at the level of each Assessment Objective applied to each system in scope.
The Pre-Assessment Readiness Review is the verification step in which each Assessment Objective is tested, documented, and approved before conformity is considered to be “met.”
Please note that from this point on, the diagram describes components of the C3PAO selection and execution process.
Once an OSC has selected its C3PAO, the C3PAO’s designated Lead Assessor (LA) will conduct an Assessment Readiness Review. The purpose of this review is to:
The next step is to conduct the Conformity Assessment. Per NARA Information Security Oversight Office guidance, CMMC and NIST SP 800-171 formal assessments will be conducted at the Focused level. For more information on this, see NIST SP 800-171A, Appendix D.
If an OSC is found to be non-conformant with one or more requirements, the OSC may, at the Lead Assessor’s discretion, be allowed to remediate the deficiency. The Lead Assessor can permit the OSC to remediate either during the Conformity Assessment or within 90 days of its conclusion.
Before the 90-day window closes, the Lead Assessor will review the non-conformant requirements to determine whether the OSC has resolved the issues. If the OSC has not resolved the issues for the certification level sought, the Lead Assessor will submit the OSC to the CMMC-AB for certification at the next lower level for which it is eligible.
The C3PAO and Lead Assessor will submit their Conformity Assessment report to the CMMC-AB for quality assurance review. If the CMMC-AB concurs and finds no discrepancies, it will certify the OSC at the appropriate level.
The OSC may want to have its CMMC certified professionals involved during the Conformity Assessment. This is allowed as long as the consultants do not answer on behalf of the OSC, except where they fulfill a role specified in the CMMC Assessment Guide interviewee lists.