CMMC Level 2 Certification Assessments – What You Should Know from a C3PAO

The recent announcement of the proposed 48 CFR rule, which integrates CMMC 2.0 requirements into defense contracts, has rippled through the defense industrial base (DIB). As the deadline for compliance approaches, it’s imperative that businesses understand the CMMC Level 2 certification process and take proactive steps to prepare.

In this informative video, Kyle Lai, President and CISO of KLC Consulting, breaks down the CMMC Level 2 assessment process, providing valuable insights into the requirements and what to expect during an audit.

Key takeaways from the video include:

  • The timing of CMMC phase-in: Understand the timeline for CMMC 2.0 implementation and how it affects your business.
  • The implications of the shortage of C3PAOs and Certified Assessors: Learn about the challenges of finding qualified assessors and how to secure your spot for a timely assessment.
  • A template to help you scope CUI: Get a head start on your CMMC journey with a helpful template to identify your in-scope systems and data.
  • KLC Consulting’s FREE Assessor’s Playbook: Access a valuable resource to guide you through the assessment process and ensure your success.
  • How to reserve your spot NOW for your 2025 CMMC Level 2 Certification Assessment: Don’t delay, as availability of C3PAOs and Certified Assessors may be limited.

With the CMMC 2.0 rollout accelerating, it’s more important than ever to start preparing for certification. Don’t wait to schedule your 2025 CMMC Level 2 Assessment. Watch the video now to learn how KLC Consulting can help you achieve CMMC compliance and secure your future in the defense industry.

In this video, we break down the #CMMC Level 2 assessment process, walking you through the requirements and what to expect during an audit. We provide #C3PAO insider tips to help your company prepare and succeed in achieving #CMMCAccreditation.

Introduction to KLC Consulting

Kelly McDermott: Hello! My name is Kelly McDermott, and I work with KLC Consulting. We were founded in 2002, and we bring over two decades of experience and the expertise of a C3PAO (CMMC Third-Party Assessment Organization) to help organizations navigate the CMMC (Cybersecurity Maturity Model Certification) landscape. Our mission is to demystify CMMC, assist you in understanding its requirements, and work collaboratively to achieve certification quickly and efficiently.

Today, I’m thrilled to introduce Kyle Lai, our president and chief security officer. With over 25 years in cybersecurity, Kyle is a leading expert in CMMC compliance. He’s a certified CMMC assessor and a key player in the C3PAO community. Kyle is uniquely qualified to guide you through the CMMC certification process.

The CMMC 2.0 Final Rule Timeline

Kelly: Hi, Kyle. Thanks for joining us today. When can we expect the final CMMC rule to drop, and what does that mean for DoD (Department of Defense) contractors?

Kyle: The DoD has submitted the CMMC 2.0 final rule to the Office of Information and Regulatory Affairs (OIRA) for review. We expect the CMMC rule to be finalized around Q4 2024 or Q1 2025.

Once the rule is finalized, DoD contractors should expect to see CMMC requirements in DoD contracts. Both prime and subcontractors are responsible for meeting the CMMC assessment and certification criteria by the contract award date.

DoD’s Four-Phase Rollout Plan for CMMC

Kyle: The DoD has a four-phase rollout plan:

  • Phase 1 (Months 1-6): Level 1 and 2 self-assessment requirements in new contracts.
  • Phase 2 (Months 7-18): Level 2 certification requirements for new contracts.
  • Phase 3 (Months 19-30): Level 2 certification requirements for existing contracts and some Level 3 certifications.
  • Phase 4 (After Month 30): No exceptions; all DoD contracts will have CMMC requirements.

The Shortage of CMMC Assessors

Kelly: Everyone knows CMMC compliance is coming, but is there a shortage of assessors? How will that impact the timeline for getting certified?

Kyle: There is currently a shortage of CMMC-certified assessors and C3PAOs. With only 54 authorized C3PAOs and approximately 77,000 DIB (Defense Industrial Base) companies requiring CMMC Level 2 certification, there will be a huge demand. It’s crucial to act now and get in line for a CMMC Level 2 certification assessment.

Why Start the CMMC Certification Process Now?

Kelly: Why should companies start the process now? What do they need to know?

Kyle: If you’re a prime contractor, you’ll want to look for subcontractors that are certified or are in line to be certified when the CMMC rule is finalized. It’s mandatory for subcontractors to have CMMC Level 2 certification by the contract award date. If you’re a subcontractor handling CUI (Controlled Unclassified Information), you need to find an authorized C3PAO and sign up for a CMMC Level 2 certification.

KLC’s “Reserve Your Spot” Offer

Kelly: KLC offers a “Reserve Your Spot” program. Can you explain what that entails?

Kyle: We guarantee two things:

  1. We’ll reserve a spot for your CMMC Level 2 certification assessment.
  2. We offer the “Best Price Guarantee,” provided we have the same terms and conditions.

You’ll need to make a $5,000 deposit to reserve your spot.

Understanding CMMC Level 2

Kelly: Can you break down what CMMC Level 2 means? What does it protect, and why is it so important?

Kyle: CMMC Level 2 is the minimum requirement for companies to handle CUI. CUI is sensitive information that is required to be protected by laws, regulations, and government-wide policies. DoD will not award contracts that handle CUI to companies without CMMC Level 2 certification.

NIST SP 800-171 and CMMC Level 2

Kelly: How does NIST SP 800-171 fit into the framework of CMMC Level 2?

Kyle: CMMC Level 2 certification is based on NIST SP 800-171 revision 2. It has 110 controls, which consist of 320 assessment objectives. The DoD NIST SP 800-171 assessment methodology, also called the SPRS (Supplier Performance Risk System) scoring methodology, is used to generate the summary level score. The perfect score is 110.

Benefits of CMMC Level 2 Certification

Kelly: What are the benefits of getting CMMC Level 2 certified? Is it worth the effort?

Kyle: The benefits include:

  • Increased opportunities to work with DoD or prime contractors
  • Demonstration of your company’s cybersecurity capabilities and compliance
  • Ability to market yourself to handle contracts that involve CUI
  • Boosted competitive edge
  • Recognized commitment to protecting CUI

Common Misconceptions about CMMC

Kelly: What are the most common misconceptions about CMMC?

Kyle: One common myth is that if you have any gaps, you’ll fail the certification assessment. This is false. If you have a few POA&M (Plan of Action and Milestones) items or gaps that are allowed under CMMC, you can still get a conditional certification, provided you have a score of 88 points or 80% or above. You’ll have 180 days to remediate these gaps.

Four Phases of a CMMC Level 2 Assessment

Kelly: What is the typical journey like for a CMMC Level 2 assessment? How do you ensure it won’t be a painful process?

Kyle: There are typically four phases:

  1. Pre-assessment: We review your documentation, such as your CUI scope diagram, asset inventory, and System Security Plan (SSP), to ensure you’re ready for the assessment.
  2. Assessment: We conduct the actual assessment, typically over five days. We provide daily briefings to keep you informed of our progress.
  3. Results and Reporting: We document the results and any POA&M items. We submit the report to DIBCAC, which updates the SPRS system.
  4. POA&M Close-Out Assessment (Optional): If you have POA&M items, we can conduct a close-out assessment within 180 days to convert your conditional certification to a final certification.

Assessor’s Playbook

Kyle: Would you like to see the “Assessor’s Playbook” we follow during a CMMC Level 2 certification assessment? It’s #5 on this list of free tools we provide here.

How KLC Consulting Checks for NIST SP 800-171 Compliance

Kelly: How do you go about checking if someone is meeting all those NIST SP 800-171 requirements?

Kyle: Our CMMC-certified assessors conduct the assessment based on the CMMC Assessment Guide against 110 requirements and 320 assessment objectives. We’ll expect to see supporting documents, policies and procedures, screenshots, configuration settings, and more. We’ll interview the people responsible for the controls and requirements, review your processes and technologies, and assess your physical security.

What to Expect During a CMMC Assessment

Kelly: What happens if a company finds security gaps during the assessment? Can you help them fix those issues?

Kyle: As a C3PAO, we maintain independence and cannot provide consulting services. We’ll identify the issues but cannot tell you how to remediate them.

Kelly: I’ve heard horror stories about some audits that have gone wrong. How do you ensure the process is collaborative and not just about finding problems?

Kyle: Our assessors have many years of experience conducting various assessments. We focus on collaboration and understanding the intent of your controls. We provide a playbook for CMMC assessors to help you prepare and understand the expectations. Clear communication is key to a smooth and successful assessment.

A CMMC Success Story

Kelly: Can you share a success story where you helped a company get CMMC certified?

Kyle: We helped a small manufacturing company prepare for and pass their CMMC Level 2 assessment. We worked closely with them and their managed service provider to ensure they were ready. There were a few minor gaps, but they were able to remediate them and achieve a final certification.

Biggest Challenges and Recommendations

Kelly: What are the biggest challenges to overcome in the CMMC certification process? What would you suggest that a contractor look for when seeking help?

Kyle: The biggest challenge is often underestimating the level of effort required. It’s crucial to get senior management buy-in, secure the necessary funding and staffing, and choose a C3PAO with experienced assessors. A mock assessment is also highly recommended to ensure a smooth and successful final assessment.

Conclusion

Kelly: Thank you, Kyle, for sharing your expertise. CMMC Level 2 is coming soon, and securing your assessment spot is crucial. KLC is here to help you navigate the CMMC landscape and achieve certification. Please don’t hesitate to contact us for a free consultation or a quote.

Kyle: Thank you, Kelly.



Kyle Lai
President and CISO, KLC Consulting, Inc.
CCP (Certified CMMC Professional), PA (Provisional Assessor, pending), PI (Provisional Instructor)
