Panicked About CMMC? Don't be!

April 22, 2020 Schellman Compliance


The information presented here has been superseded by CMMC 2.0, which you can read about here.


The Cybersecurity Maturity Model Certification (CMMC) has been a hot topic in the federal and defense contracting sector leading up to and since its formal release with v1.0 on January 31, 2020. The details around the implementation of CMMC are rapidly evolving – from the formalization of the CMMC Accreditation Body (CMMC-AB), to guidance on maintaining compliance with the current DFARS 252.204-7012 and NIST SP 800-171 mandates while also ramping up to CMMC Levels 1-5, to understanding when contractors must have CMMC fully implemented, to timelines for when certified third-party assessment organizations (C3PAOs) will be credentialed to perform assessments.

Organizations undoubtedly want to be proactive in their preparation for CMMC and certification for any contract requirements. Because of the evolving landscape and the many unknowns of CMMC, the industry has expressed increased anxiety about achieving CMMC certification right now.

Here at Schellman, we have closely followed CMMC through its draft iterations and formally published versions, attended in-person and web-based symposiums, and have spoken with many clients about their plans and concerns with CMMC. Our biggest takeaway for organizations? Don’t panic! The timeline is not as near as it may seem (think 2021 and beyond) and organizations may be closer to compliant than they realize.

Whitepaper: Panicked about CMMC? Don't be!

We published a whitepaper titled "Panicked about CMMC? Here’s why you shouldn’t be.", which details the phased roll-out of CMMC, timelines in play, comparisons to DFARS 252.204-7012 and NIST SP 800-171, and responses to common questions.

Note: CMMC v1.02 was released on March 18, 2020. This version update included minor changes to formatting, spelling, control references, and references to FIPS 140-3. No material changes to the CMMC were made. The changes are detailed in the CMMC Errata.

About the Author

Schellman Compliance

Schellman is a leading global provider of attestation, compliance, and certification services. Operating as an alternative practice structure as Schellman & Company, LLC, a top 100 CPA firm, and Schellman Compliance, LLC, a globally accredited compliance assessment firm, we are able to offer clients services as a CPA firm, an ISO Certification Body, a PCI Qualified Security Assessor Company, a HITRUST assessor, a FedRAMP 3PAO, and as one of the first CMMC Authorized C3PAOs. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Schellman's approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives using a single third-party assessor. For more information, please visit schellman.com.
