The recent announcement of the proposed 48 CFR rule, which integrates CMMC 2.0 requirements into defense contracts, has rippled through the defense industrial base (DIB). As the deadline for compliance approaches, it’s imperative that businesses understand the CMMC Level 2 certification process and take proactive steps to prepare.
In this informative video, Kyle Lai, President and CISO of KLC Consulting, breaks down the CMMC Level 2 assessment process, providing valuable insights into the requirements and what to expect during an audit.
Key takeaways from the video include:
- The timing of CMMC phase-in: Understand the timeline for CMMC 2.0 implementation and how it affects your business.
- The implications of the shortage of C3PAOs and Certified Assessors: Learn about the challenges of finding qualified assessors and how to secure your spot for a timely assessment.
- A template to help you scope CUI: Get a head start on your CMMC journey with a helpful template to identify your in-scope systems and data.
- KLC Consulting’s FREE Assessor’s Playbook: Access a valuable resource to guide you through the assessment process and ensure your success.
- How to reserve your spot NOW for your 2025 CMMC Level 2 Certification Assessment: Don’t delay, as availability of C3PAOs and Certified Assessors may be limited.
With the CMMC 2.0 rollout accelerating, it’s more important than ever to start preparing for certification. Don’t wait to schedule your 2025 CMMC Level 2 Assessment. Watch the video now to learn how KLC Consulting can help you achieve CMMC compliance and secure your future in the defense industry.
In this video, we break down the #CMMC Level 2 assessment process, walking you through the requirements and what to expect during an audit. We provide #C3PAO insider tips to help your company prepare and succeed in achieving #CMMCAccreditation.. CMMC Level 2 Certification Assessments - What You Should Know from a C3PAO
Introduction to KLC Consulting
Kelly McDermott: Hello! My name is Kelly McDermot, and I work with KLC Consulting. We were founded in 2002, and we bring over two decades of experience and the expertise of a C3PAO (CMMC Third-Party Assessment Organization) to help organizations navigate the CMMC (Cybersecurity Maturity Model Certification) landscape. Our mission is to demystify CMMC, assist you in understanding its requirements, and work collaboratively to achieve certification quickly and efficiently.
Today, I’m thrilled to introduce Kyle Lai, our president and chief security officer. With over 25 years in cybersecurity, Kyle is a leading expert in CMMC compliance. He’s a certified CMMC assessor and a key player in the C3PAO community. Kyle is uniquely qualified to guide you through the CMMC certification process.
The CMMC 2.0 Final Rule Timeline
Kelly: Hi, Kyle. Thanks for joining us today. When can we expect the final CMMC rule to drop, and what does that mean for DoD (Department of Defense) contractors?
Kyle: The DoD has submitted the CMMC 2.0 final rule to the Office of Information and Regulatory Affairs (OIRA) for review. We expect the CMMC rule to be finalized around Q4 2024 or Q1 2025.
Once the rule is finalized, DoD contractors should expect to see CMMC requirements in DoD contracts. Both prime and subcontractors are responsible for meeting the CMMC assessment and certification criteria by the contract award date.
DoD’s Four-Phase Rollout Plan for CMMC
Kyle: The DoD has a four-phase rollout plan:
- Phase 1 (Months 1-6): Level 1 and 2 self-assessment requirements in new contracts.
- Phase 2 (Months 7-18): Level 2 certification requirements for new contracts.
- Phase 3 (Months 19-30): Level 2 certification requirements for existing contracts and some Level 3 certifications.
- Phase 4 (After Month 30): No exceptions; all DoD contracts will have CMMC requirements.
The Shortage of CMMC Assessors
Kelly: Everyone knows CMMC compliance is coming, but is there a shortage of assessors? How will that impact the timeline for getting certified?
Kyle: There is currently a shortage of CMMC-certified assessors and C3PAOs. With only 54 authorized C3PAOs and approximately 77,000 DIB (Defense Industrial Base) companies requiring CMMC Level 2 certification, there will be a huge demand. It’s crucial to act now and get in line for a CMMC Level 2 certification assessment.
Why Start the CMMC Certification Process Now?
Kelly: Why should companies start the process now? What do they need to know?
Kyle: If you’re a prime contractor, you’ll want to look for subcontractors that are certified or are in line to be certified when the CMMC rule is finalized. It’s mandatory for subcontractors to have CMMC Level 2 certification by the contract award date. If you’re a subcontractor handling CUI (Controlled Unclassified Information), you need to find an authorized C3PAO and sign up for a CMMC Level 2 certification.
KLC’s “Reserve Your Spot” Offer
Kelly: KLC offers a “Reserve Your Spot” program. Can you explain what that entails?
Kyle: We guarantee two things:
- We’ll reserve a spot for your CMMC Level 2 certification assessment.
- We offer the “Best Price Guarantee,” provided we have the same terms and conditions.
You’ll need to make a $5,000 deposit to reserve your spot.
Understanding CMMC Level 2
Kelly: Can you break down what CMMC Level 2 means? What does it protect, and why is it so important?
Kyle: CMMC Level 2 is the minimum requirement for companies to handle CUI. CUI is sensitive information that is required to be protected by laws, regulations, and government-wide policies. DoD will not award contracts that handle CUI to companies without CMMC Level 2 certification.
NIST SP 800-171 and CMMC Level 2
Kelly: How does NIST SP 800-171 fit into the framework of CMMC Level 2?
Kyle: CMMC Level 2 certification is based on NIST SP 800-171 revision 2. It has 110 controls, which consist of 320 assessment objectives. The DoD NIST SP 800-171 assessment methodology, also called the SPRS (Supplier Performance Risk System) scoring methodology, is used to generate the summary level score. The perfect score is 110.
Benefits of CMMC Level 2 Certification
Kelly: What are the benefits of getting CMMC Level 2 certified? Is it worth the effort?
Kyle: The benefits include:
- Increased opportunities to work with DoD or prime contractors
- Demonstration of your company’s cybersecurity capabilities and compliance
- Ability to market yourself to handle contracts that involve CUI
- Boosted competitive edge
- Recognized commitment to protecting CUI
Common Misconceptions about CMMC
Kelly: What are the most common misconceptions about CMMC?
Kyle: One common myth is that if you have any gaps, you’ll fail the certification assessment. This is false. If you have a few POA&M (Plan of Action and Milestones) items or gaps that are allowed under CMMC, you can still get a conditional certification, provided you have a score of 88 points or 80% or above. You’ll have 180 days to remediate these gaps.
Four Phases of a CMMC Level 2 Assessment
Kelly: What is the typical journey like for a CMMC Level 2 assessment? How do you ensure it won’t be a painful process?
Kyle: There are typically four phases:
- Pre-assessment: We review your documentation, such as your CUI scope diagram, asset inventory, and System Security Plan (SSP), to ensure you’re ready for the assessment.
- Assessment: We conduct the actual assessment, typically over five days. We provide daily briefings to keep you informed of our progress.
- Results and Reporting: We document the results and any POA&M items. We submit the report to DIBCAC, which updates the SPRS system.
- POA&M Close-Out Assessment (Optional): If you have POA&M items, we can conduct a close-out assessment within 180 days to convert your conditional certification to a final certification.
Assessor’s Playbook
Kyle: Would you like to see the “Assessor’s Playbook” we follow during a CMMC Level 2 certification assessment? It’s #5 on this list of free tools we provide here.
How KLC Consulting Checks for NIST SP 800-171 Compliance
Kelly: How do you go about checking if someone is meeting all those NIST SP 800-171 requirements?
Kyle: Our CMMC-certified assessors conduct the assessment based on the CMMC Assessment Guide against 110 requirements and 320 assessment objectives. We’ll expect to see supporting documents, policies and procedures, screenshots, configuration settings, and more. We’ll interview the people responsible for the controls and requirements, review your processes and technologies, and assess your physical security.
What to Expect During a CMMC Assessment
Kelly: What happens if a company finds security gaps during the assessment? Can you help them fix those issues?
Kyle: As a C3PAO, we maintain independence and cannot provide consulting services. We’ll identify the issues but cannot tell you how to remediate them.
Kelly: I’ve heard horror stories about some audits that have gone wrong. How do you ensure the process is collaborative and not just about finding problems?
Kyle: Our assessors have many years of experience conducting various assessments. We focus on collaboration and understanding the intent of your controls. We provide a playbook for CMMC assessors to help you prepare and understand the expectations. Clear communication is key to a smooth and successful assessment.
A CMMC Success Story
Kelly: Can you share a success story where you helped a company get CMMC certified?
Kyle: We helped a small manufacturing company prepare for and pass their CMMC Level 2 assessment. We worked closely with them and their managed service provider to ensure they were ready. There were a few minor gaps, but they were able to remediate them and achieve a final certification.
Biggest Challenges and Recommendations
Kelly: What are the biggest challenges to overcome in the CMMC certification process? What would you suggest that a contractor look for when seeking help?
Kyle: The biggest challenge is often underestimating the level of effort required. It’s crucial to get senior management buy-in, secure the necessary funding and staffing, and choose a C3PAO with experienced assessors. A mock assessment is also highly recommended to ensure a smooth and successful final assessment.
Conclusion
Kelly: Thank you, Kyle, for sharing your expertise. CMMC Level 2 is coming soon, and securing your assessment spot is crucial. KLC is here to help you navigate the CMMC landscape and achieve certification. Please don’t hesitate to contact us for a free consultation or a quote.Kyle: Thank you, Kelly
click here to close