CMMC Compliance Process

Achieving CMMC Certification: A Step-by-Step Guide

Successfully navigating the CMMC certification process requires a clear understanding of each step. This guide provides a step-by-step walkthrough, including assessment methods, remediation processes, and the phased implementation timeline to help you achieve CMMC compliance.

Phased Implementation of CMMC Requirements

Phase 1 – Initial Implementation

  • Begins at 48 CFR Rule Effective Date
  • Where applicable, solicitations will require Level 1 or 2 Self-Assessment

Phase 2

  • Begins 12 months after Phase 1 start
  • Where applicable, solicitations will require Level 2 Certification

Phase 3

  • Begins 24 months after Phase 1 start
  • Where applicable, solicitations will require Level 3 Certification

Phase 4 – Full Implementation

  • Begins 36 months after Phase 1 start
  • All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award

CMMC Process - OSA Perspective

CMMC Status visible to DoD in SPRS.

  • Government determines CMMC Status Requirements
  • Contractor/Sub perform Self-Assessment, OR Contractor/Sub undergo C3PAO or DIBCAC Assessment
  • Assessment results entered into SPRS or eMASS, depending upon assessment type
  • Contractor/Sub completes Annual Affirmation

Conditional and Final Status

  • An OSA may achieve a Conditional CMMC Status if the initial assessment (with passing score) resulted in allowable POA&M items
  • An OSC achieves a Final CMMC Status when the assessment results in a passing score with no POA&M, or when the POA&M has been closed out within 180 days of achieving a Conditional CMMC Status.

CMMC Post-Assessment Remediation

  • CMMC Program will allow limited use of POA&Ms
  • Closeout Assessment
  • Failure to close POA&M within 180 days will result in an expired CMMC Status

CMMC Scoring Methodology (§ 170.24)

Level 1:

  • Score not required; either MET or NOT MET

Level 2:

  • Security requirements are valued 1, 3, or 5 points, with a range of -203 to 110 and a minimum passing score of 88. Partial credit is allowed for 2 requirements:

    • MFA: 5 points deducted from the overall score of 110 if MFA is not implemented, or is implemented only for general users and not for remote and privileged users
    • MFA: 3 points deducted if MFA is implemented for remote and privileged users but not for general users
    • FIPS: 5 points deducted from the overall score of 110 if no cryptography is employed
    • FIPS: 3 points deducted if cryptography is employed but is not FIPS validated

Level 3:

  • All Level 3 security requirements are valued 1 point with a maximum score of 24. Requires a prerequisite Level 2 score of 110.

Results for all Levels are posted in SPRS and reviewed by contracting officers and requiring activities.
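The scoring arithmetic above, together with the Conditional/Final/Expired status rules from the Conditional and Final Status and Post-Assessment Remediation sections, is easy to get wrong when done by hand (in particular, double-deducting the MFA and FIPS requirements that carry partial credit). The following is an added worked example, not DoD or CMMC program code. The requirement identifiers (REQ-01 and so on) and point values in the sample data are constructed; the rules it encodes (1/3/5-point requirements, 110 maximum, 88 minimum passing, the MFA and FIPS deductions, the 180-day POA&M closeout, and the Level 2 score of 110 as the Level 3 prerequisite) are the ones stated on this page. Which POA&M items are "allowable" is not covered here, so the status function assumes the open items it is given are allowable.

```python
"""CMMC Level 2 scoring arithmetic and resulting status (worked example).

Added illustration, not DoD or CMMC program code. Requirement identifiers
and point values in SAMPLE_RESULTS are constructed; the scoring rules are
the ones described in the Scoring Methodology section.
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110          # every Level 2 requirement MET
MIN_PASSING = 88         # minimum passing score
POAM_CLOSEOUT_DAYS = 180  # Conditional status expires if POA&M not closed
VALID_POINTS = (1, 3, 5)


class MfaCoverage(Enum):
    """How far MFA has been rolled out; drives the partial-credit deduction."""
    ALL_USERS = "all users"                                    # no deduction
    REMOTE_AND_PRIVILEGED_ONLY = "remote and privileged only"  # 3 points
    GENERAL_ONLY = "general users only"                        # 5 points
    NONE = "not implemented"                                   # 5 points


class CryptoState(Enum):
    """State of the FIPS cryptography requirement."""
    FIPS_VALIDATED = "FIPS validated"      # no deduction
    NOT_VALIDATED = "not FIPS validated"   # 3 points
    NONE = "no cryptography"               # 5 points


MFA_DEDUCTION = {
    MfaCoverage.ALL_USERS: 0,
    MfaCoverage.REMOTE_AND_PRIVILEGED_ONLY: 3,
    MfaCoverage.GENERAL_ONLY: 5,
    MfaCoverage.NONE: 5,
}
CRYPTO_DEDUCTION = {
    CryptoState.FIPS_VALIDATED: 0,
    CryptoState.NOT_VALIDATED: 3,
    CryptoState.NONE: 5,
}


@dataclass(frozen=True)
class Requirement:
    """One ordinary (non-partial-credit) Level 2 requirement and its result."""
    req_id: str   # constructed identifier, e.g. "REQ-01"
    points: int   # 1, 3 or 5
    met: bool


def level2_score(requirements, mfa, crypto):
    """Start at 110 and deduct the full value of every NOT MET requirement.

    MFA and FIPS are scored only through the partial-credit tables, so they
    must not also appear in `requirements`; otherwise they are deducted twice.
    """
    score = MAX_SCORE
    for req in requirements:
        if req.points not in VALID_POINTS:
            raise ValueError(f"{req.req_id}: value must be 1, 3 or 5, not {req.points}")
        if not req.met:
            score -= req.points
    score -= MFA_DEDUCTION[mfa]
    score -= CRYPTO_DEDUCTION[crypto]
    return score


def level2_status(score, open_poam_items, days_since_conditional=0):
    """Map a score and POA&M state onto the statuses described on the page.

    Assumes the open POA&M items passed in are allowable ones.
    """
    if score < MIN_PASSING:
        return "Not passing"
    if open_poam_items == 0:
        return "Final"            # passing score with no POA&M
    if days_since_conditional > POAM_CLOSEOUT_DAYS:
        return "Expired"          # POA&M not closed within 180 days
    return "Conditional"


def level3_prerequisite_met(level2_result):
    """A Level 3 assessment requires a Level 2 score of 110."""
    return level2_result == MAX_SCORE


# Constructed sample: a small subset of requirements with assessed outcomes.
SAMPLE_RESULTS = [
    Requirement("REQ-01", 5, met=True),
    Requirement("REQ-02", 3, met=False),   # -3
    Requirement("REQ-03", 1, met=False),   # -1
    Requirement("REQ-04", 5, met=False),   # -5
    Requirement("REQ-05", 1, met=True),
]


def sample_assessment():
    """Score the sample: 110 - 9 (NOT MET) - 3 (MFA) - 3 (FIPS) = 95."""
    score = level2_score(SAMPLE_RESULTS,
                         MfaCoverage.REMOTE_AND_PRIVILEGED_ONLY,
                         CryptoState.NOT_VALIDATED)
    return score, level2_status(score, open_poam_items=3)


if __name__ == "__main__":
    score, status = sample_assessment()
    print(f"Level 2 score {score}/{MAX_SCORE}: {status}")
    print("Level 3 prerequisite met:", level3_prerequisite_met(score))
```

Running the sample yields a score of 95 with three open POA&M items, so the status is Conditional; the same organization would hold Final status only after a closeout within 180 days, and could not proceed to a Level 3 assessment until every Level 2 requirement scores MET (110).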

Standards Acceptance

Contractors and subcontractors that completed a DCMA DIBCAC High Assessment aligned with CMMC Level 2 Scoping are eligible for CMMC Level 2 Final Certification Assessment under the following conditions:

  • Achieved a perfect score with no open POA&M from a DCMA DIBCAC High Assessment conducted prior to the effective date of the CMMC rule
  • Scope of the CMMC Level 2 Final Certification Assessment is identical to the scope of the High Assessment