Panicked About CMMC? Don't be!

April 22, 2020 Schellman & Company

The Cybersecurity Maturity Model Certification (CMMC) has been a hot topic in the federal and defense contracting sector leading up to and since its formal release with v1.0 on January 31, 2020. The details around the implementation of CMMC are rapidly evolving – from the formalization of the CMMC Accreditation Body (CMMC-AB), to guidance on maintaining compliance with the current DFARS 252.204-7012 and NIST SP 800-171 mandates while also ramping up to CMMC Levels 1-5, to understanding when contractors must have CMMC fully implemented, to timelines for when certified third-party assessment organizations (C3PAOs) will be credentialed to perform assessments.

Organizations undoubtedly want to be proactive in their preparation for CMMC and certification for any contract requirements. Because of the evolving landscape and the many unknowns of CMMC, the industry has expressed increased anxiety about achieving CMMC certification right now.

Here at Schellman, we have closely followed CMMC through its draft iterations and formally published versions, attended in-person and web-based symposiums, and spoken with many clients about their plans for and concerns about CMMC. Our biggest takeaway for organizations? Don’t panic! The timeline is not as near as it may seem (think 2021 and beyond) and organizations may be closer to compliant than they realize.

Whitepaper: Panicked about CMMC? Don't be!

We published a whitepaper titled "Panicked about CMMC? Here’s why you shouldn’t be." It details the phased roll-out of CMMC, the timelines in play, comparisons to DFARS 252.204-7012 and NIST SP 800-171, and responses to common questions.

Note: CMMC v1.02 was released on March 18, 2020. This version update included minor changes to formatting, spelling, control references, and references to FIPS 140-3. No material changes to the CMMC were made. The changes are detailed in the CMMC Errata.

About the Author

Schellman & Company

Schellman & Company, LLC (Schellman) is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.
