How Does an Organization Achieve a CMMC Certification?

Many organizations want to understand how they can pursue a CMMC certification. They're either really interested in the standard, or they know it's very important to their line of business. Today we're going to talk about the ways that CMMC certification can happen right now, and what we expect in the future.

Hi, I'm Marci Womack. I'm the federal services practice leader here at Schellman. We've been performing federal assessment services for about 10 years, and we do over a hundred of these annually.

So as most of you know, because you're watching this video, CMMC has been a roller coaster over the last couple of years. Many of the questions that we get are:

  • How can an organization be assessed right now?
  • How can they be certified?
  • What's the current state?

So right now CMMC is not a certifiable or assessable standard, because it's going through that rulemaking process. What that means for you, and for us as a CMMC C3PAO and as an assessment organization, is that we are assessing organizations under the joint surveillance program. This program was announced by the Department of Defense and the Cyber AB to allow organizations an opportunity to go through the assessment process while rulemaking is ongoing, prior to the finalization of the standard and its integration into DFARS. Within that joint surveillance program, it is a joint surveillance assessment between the C3PAO, Schellman in this case, and the Department of Defense. So it's going to be the DCMA DIBCAC team.

Lots of acronyms, I know.

Schellman (or the C3PAO) is going to be doing the NIST 800-171 part of the assessment (you'll see I didn't say CMMC), and the DoD is going to be looking at the remainder of those DFARS 7012 clauses. That's because this is essentially a DIBCAC High assessment. Historically, the DIBCAC team has gone out and performed these assessments for organizations, and now we're doing that in a joint manner.

The idea is that when CMMC rulemaking is complete, the successful joint surveillance assessments can then essentially be converted to a CMMC Level 2 certification. Of course, this is dependent on rulemaking, but that is the intent, and that's also kind of the justification for organizations going through assessment now.

So I've talked a lot about the joint surveillance assessments and what's happening right now. In the future, once rulemaking is complete, joint surveillance assessments will stop occurring, and we will start performing the actual CMMC certification assessments. There are many things organizations can be doing now to get ready.

If you have any questions about what you can be doing now or how you can prepare for assessment, go to our website, complete the contact us form, and a member of our team will reach out to you.

About the Author

Marci Womack

Marci Womack is a Director in Schellman’s FedRAMP practice and CMMC technical lead, and is based in Denver, CO. Marci has nine years of information security experience across various industries – cloud services, government, and financial services. In addition to performing numerous FedRAMP assessments, Marci has experience assessing organizations for compliance with other federal frameworks, including NIST SP 800-53, DoD CC SRG, NIST SP 800-171, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).
