The Cybersecurity Maturity Model Certification (CMMC) has made life a lot more interesting for government suppliers and contractors who are trying to get their arms around the new security standard. In many ways, it isn’t like other certifications. There’s a weird scoring system, three levels of maturity, and either a self-assessment or a third-party assessment requirement.

So what kind of assessment do you need — self-assessment or third party? It depends. You might need one or the other, and you likely need to do both to prepare for your assessment. On top of that, the DoD itself might do their own validation of your organization.

It might sound confusing at first, but the question of self-assessment vs. third-party assessment is actually well defined once you get into the specifics of the job you’re bidding on. This article will give you all the details you need.

What Is a C3PAO?

Your third-party assessor must be a CMMC Third-Party Assessment Organization (C3PAO). To qualify as a third-party assessor, an organization must be authorized by the CMMC Accreditation Body (AB).

Most organizations seeking compliance also benefit from a consultant, known as a Registered Provider Organization (RPO). The RPO helps you prepare for the third-party assessment, and the C3PAO conducts the assessment. A C3PAO can also be an RPO, but it can’t act as both the C3PAO and the RPO for the same client, due to the obvious conflict of interest.

You can find a directory of authorized C3PAOs on the Cyber AB Marketplace.

Do You Need a C3PAO for Your CMMC Audit?

The question of self-assessing or using a third-party assessor is settled by the requirements defined in the contracting process with the Department of Defense. It all depends on the sensitivity of the data that your organization has access to. The more sensitive the data, the greater the chance that you’ll need to go through a third-party assessment with a CMMC Third-Party Assessment Organization (C3PAO).

If you aren’t touching sensitive data, then the chances are greater that you’ll be able to do a self-assessment for CMMC.

Either way, it’s driven by the contracting requirements as set by the DoD. They’ll spell it out in the contract whether or not you’ll need to go down the C3PAO route.

In addition, you could be bidding on multiple contracts at the same time — one contract allows you to self-assess and the other requires a third-party assessment by a C3PAO. In that case, your third-party audit will cover both types of contracts.

It’s All the Same Stringent Requirements

One thing to keep in mind is that even if you go through a self-assessment, your CMMC requirements aren’t any different from an engagement with a C3PAO. Either way, you need to fulfill the same set of requirements, based on the level your organization will need to meet. Every organization is held to the same standard, no matter what the contract may be. The only difference is who must assess your organization’s cybersecurity stance.

Think of it like a test you take in school: it’s the same test with the same grading scale, but a different person grading it.

Furthermore, it’s possible that as part of the contracting process, the DoD will choose to do its own validation of your organization — particularly if you don’t meet certain elements. So you very much need to have everything buttoned up as you head down the path.

How Long Does an Assessment Take?

If the DoD gets involved in the assessment process, you can expect your assessment to take longer than usual. Every assessment is different, but I tell clients that they should expect preparations for the audit to take six to nine months on average — and in some cases, it could take longer. The CMMC audit itself is typically four to 12 weeks, depending on how well prepared you are.

Better Be Prepared for Your CMMC Assessment

No matter what, whether you’re self-assessing or going through a third-party assessment, one of the early steps is to get your arms around your situation. The difference between being fully prepared and unprepared is a smooth assessment or a living hell.

Get to know the requirements and get a sense of the work that will be needed by everyone within your organization. Do your due diligence and know what will be required of your personnel. Plan for the marathon ahead and make sure you have everything in place for a successful CMMC audit.

I recommend to any organization going up against any compliance standard that they own their own data. What I mean by that is having a system of your own for managing your compliance information. It’s not about trying to get compliant once, but achieving compliance and then maintaining it from year 2 and beyond. A system that you own will enable you to easily manage and maintain your data and to have easy access to it, regardless of changes in your RPO or C3PAO.

Understanding the assessment process is only one small piece of successfully navigating the Cybersecurity Maturity Model Certification. Get fully equipped with our online guide to CMMC.
