Debunking CMMC Myths

Cybersecurity is becoming more critical every year, especially when it comes to protecting government and military data. Establishing safeguards to protect this information is crucial to national security and economic freedom. Unfortunately, having companies self-attest to their knowledge of security requirements has been unsuccessful. As a result, the CMMC has been put in place to ensure that companies in the supply chain meet security requirements. With the CMMC still in its infancy, there are several misunderstandings and myths related to the CMMC and companies' requirements in the supply chain. Here are a few myths that have confused companies trying to achieve CMMC compliance.

DoD Contractors Can Get Ahead of the Curve and be Deemed in Compliance with the CMMC

There has been a lot of confusion around the role of assessors in the CMMC. In truth, there were no official CCP, CCA-1, or CCA-3 certified assessors until recently; there were only provisional assessors and a Provisional Instructor Program.

Redspin, Kratos Technology, and Cask Government Services recently became CMMC-AB certified C3PAOs. They are authorized to perform assessments on defense contractors seeking compliance with the first three CMMC levels.

More assessors will be approved in the coming months, but for the moment DoD contractors will have trouble obtaining official compliance approval.

A Company That Provides CMMC Gap Assessment and Readiness Services Can Assess Other Companies for Their CMMC Certification

While many people believe this, it is false. It would be a conflict of interest for an RPO to consult on CMMC readiness while also performing the assessment. As a result, it is prohibited by the CMMC-AB rules.

A CMMC Registered Provider Organization is a Certified CMMC Third-Party Assessor Organization

A CMMC RPO is not able to provide CMMC assessor services to the same OSC. However, RPOs are authorized to represent the organization as familiar with the basic constructs of the CMMC, and when they do so they are required to use the CMMC Accreditation Body logo. In this capacity they can provide advice, but not an official assessment.

All DoD Contractors Will Need Level 5 Certification

There are five levels of certification in the CMMC, with the fifth indicating the highest level of security. Many DoD contractors might assume they will be required to obtain level five certification, but that is unlikely to be the case.

The DoD is not expected to make level five certification required for most contractors. That will be reserved for a select few. The majority of contractors will only need to meet level three certification.

Stay Informed on CMMC Guidelines and Updates

With over 300,000 contractors needing CMMC assessment, some misinformation is bound to spread. The CMMC is still relatively new, and it will continue to change over the next few years. As a result, DoD contractors need to stay current with the CMMC and its changes, and keep an eye out for press releases and news with updates on CMMC certification policies.

By: Alex O’Reilly