The Cybersecurity Maturity Model Certification can be a stressful topic for defense contractors. That’s why many of them wonder whether they can self-certify CMMC. In today’s post, we offer a clear, detailed overview of CMMC and self-certification. Keep reading to learn more.
Certifications Under CMMC
Let’s begin by answering the question raised in the title of this blog: Can you self-certify CMMC? The answer is yes, but only if you aim to achieve CMMC Level 1. In all other cases, self-certification is NOT possible.
CMMC comprises three progressive levels that mandate an increasing number of cybersecurity practices as follows:
- Level 3 (Expert): 110+ practices
- Level 2 (Advanced): 110 practices
- Level 1 (Foundational): 17 practices
The certification process varies depending on the CMMC level a contractor intends to achieve:
- Level 1: annual self-assessments
- Level 2: triennial third-party assessments (for critical national security information) or annual self-assessments (for select programs)
- Level 3: triennial government-led assessments
CMMC and Self-Certification
Simply put, you can self-certify compliance with the Cybersecurity Maturity Model Certification, but only for CMMC Level 1.
If you aim to achieve CMMC Level 2 or CMMC Level 3, then you cannot do so through self-certification.
Remember that CMMC Level 1 is required if you handle Federal Contract Information, also known as FCI. If you handle Controlled Unclassified Information (CUI), or both CUI and FCI, then you need to achieve CMMC Level 2 or 3.
Contractors looking to self-certify compliance with CMMC Level 1 can learn more about the process by reading the official CMMC Level 1 Scoping Guidance and the CMMC Level 1 Self-Assessment Guide.
Achieving CMMC Level 2 Compliance
For defense contractors, aiming for CMMC Level 2 compliance is a smart move for at least two reasons.
First off, CMMC Level 2 compliance would make you eligible for more contracts. The second reason is that CMMC Level 2 is aligned with NIST SP 800-171, which you should already be following, so chances are good that you have some of the major components of CMMC already in place. (To learn more about this topic, check out our previous post, “What CMMC Level Do I Need?”)
CMMC Level 2 compliance is obtained through third-party assessments. These assessments are performed by Third-Party Assessment Organizations (C3PAOs), which are entities certified by the CMMC Accreditation Body.
Preparing for a CMMC assessment can be a daunting task, unless you can count on the right help. Luckily, Registered Provider Organizations (RPOs) were created to perform consulting and implementation services within the CMMC ecosystem.
In other words, an RPO like Brea Networks / CMMC Compliance is the organization to call if you need to implement CMMC and prepare for your CMMC assessment.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063