Cybersecurity Maturity Model Certification

On March 18, 2020, the Department of Defense (DoD) released Version 1.02 of the Cybersecurity Maturity Model Certification (CMMC) document, as a replacement for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.Since that time federal contracting companies have been inquiring about CMMC, and asking questions about this topic. To help contractors, clients, and potential prospects, Edwards Performance Solutions has provided a list of the most frequently asked questions (FAQ) and DoD related questions below.

CMMC 101

The CMMC-AB website and newsletter provide the latest information. Edwards website also adds regular updates to our dedicated CMMC webpage explaining how updates can potentially affect your organization, and how we can help.

There are three components to undertstanding the CMMC Model - the CMMC Model itself, the CMMC Assessment Guide, and the NIST 800-171r2 Framework. Visit the Office of the Under Secretary of Defense for Aquisition & Sustainment.

CMMC-AB does not have any detailed insight into the DoD’s specific plan. However, the DoD stated it plans to introduce CMMC requirements into the first 15 solicitations starting in March 2021 and will build more CMMC requirements into solicitations over the next four years. CMMC requirements are already present in some pre-RFP documentation.

A Licensed Partner Publisher provide the materials for Licensed Training Partners (LTPs), used by their Certified Instructors for training Certified CMMC Professionals, Certified CMMC Assessor Level 1, and Certified CMMC Assessor Level 3 candidates.

Licensed Training Providers (LTPs) are private companies who specialize in cybersecurity assessments and professional instruction (like Edwards), as well as the universities, community colleges, and other learning institutions that train Certified Professionals and Certified Assessors.

Certified Third-Party Assessment Organizations (C3PAOs) are organizations employing Certified CMMC Assessors (CCAs) and Certified CMMC Professionals (CCPs), ensuring they adhere to the CMMC-AB Code of Professional Conduct. C3PAOs provide quality assurance of the assessment process and results, and presents them for final certification to the CMMC-AB. C3PAO's themselves must meet stringent standards, internal CMMC certification, and can be verified on the CMMC marketplace if they are currently an approved CMMC provider.

In September 2020, the CMMC-AB approved the first LPPs to deliver certification curriculum and published a list on their website. Edwards is proud to have been selected as an LPP and we expect our first CMMC-AB approved publication, the CMMC-AB Certified Professional Exam Prep Guide, to be ready for shipment in early May 2021. Visit our Edwards training platform for upcoming courses.

Many OSCs need a trusted consultant to support their CMMC journey from preparation through certification. RPOs employ credentialed Registered Practitioners, who are qualified to provide CMMC consulting and support to OSCs in the Defense Industrial Base (DIB). The CMMC-AB created the RPO certification to provide approved organizations known for their quality and dedication to CMMC standards. Edwards is a RPO, certified through the CMMC-AB, and each member of our Cybersecurity Team are RPs.

Edwards is currently a "Candidate" C3PAO. A comprehensive list is available on the CMMC-AB Marketplace. The C3PAO accreditation status process ranges from "Applicant" to "Candidate" to "Certified."

Yes, Edwards is a CMMC-AB approved Licensed Partner Publisher (LPP). We currently offer CMMC informational courses such as CMMC Executive Overview and CMMC Fundamentals, as well as certification training based on the CMMC-AB curriculum (pending CMMC-AB approval). Contact us at Training@EdwPS.com or visit our training platform for more information.

Controlled Unclassified Information. Organizations proccessing CUI must achieve Maturity Level 3.

Federal Contract Information. Organizations handling FCI must achieve a minimum Maturity Level 1.

The Maturity Levels (Level 1 - Level 3) are dependent upon what type of data you and your subcontractors hold, process, or create in support of DoD contracts. All DoD contractors and subcontractors are required to attain at least Maturity Level 1 compliance if they handle Federal Contract Information (FCI). Those processing Controlled Unclassified Information (CUI) must achieve Maturity Level 3. More information about the levels and corresponding requirements, as well as impact to your business, is one of the focuses of our informational courses: CMMC Executive Overview and CMMC Fundamentals, available for groups of 10 or more upon request. Contact us at training@edwps.com for more information.

The CMMC-AB suggests that you plan for the certification process to take 6+ months. Currently, no LTP's (Licensed Training Providers) can offer the CMMC-AB approved courses that are required to sit for the certification exams: CCP, CCA-1 and CCA-3. The LTPs expect for the DoD final documentation and learning objectives to be issued in time to deliver courses starting in Q3/Q4 of 2021.

To become CMMC certified, an organization must schedule an assessment with a C3PAO. The certification is valid for 3 years. More information can be found on the CMMC-AB website.

Many OSCs need a trusted consultant to support their CMMC journey from preparation through certification. RPOs employ credentialed Registered Practitioners, who are qualified to provide CMMC consulting and support to OSCs in the Defense Industrial Base (DIB). The CMMC-AB created the RPO certification to provide approved organizations known for their quality and dedication to CMMC standards. Edwards is a Registered Provider Organization, certified through the CMMC-AB, and every member of our Cybersecurity Team are Registered Practitioners.

We offer a weekly facilitated peer group, 17 Domains in 17 Weeks.Edwards' Provisional Assessors, Registered Practitioners, and external SMEs share their expertise while facilitating and moderating a weekly peer discussion for each Practice (through Level 3) in each Domain. We talk through challenges, gotchyas, and caveats of implementation per industry, and focus on IMPLEMENTATION rather than what the assessor is looking for. To register for our 17 Domains in 17 Weeks group, visit our LMS.

Consulting & Audits

CMMC-AB approved CCP, CCA-1 and CCA-3 assessors will be available through the CMMC-AB marketplace, by searching under C3PAO organizations. At this time, very few C3PAOs have formal assessment capabilities, as there is a backlog of C3PAO companies still in "Applicant" or "Candidate" status. Once they are in "Certified" status, the C3PAOs that have available assessors will start scheduling assessments.

Organizations Seeking Certification (OSC) should contract with a RPO or a C3PAO to help prepare for either Level 1 or Level 3 certification from CMMC. Only C3PAOs can conduct the official assessment, and you cannot contract with the same provider for both the pre-assessment consulting services (i.e., RPOs) and the actual CMMC assessment/audit (i.e., C3PAO). You can find verified RPOs and C3PAOs on the CMMC Marketplace.

As of January 2021, the CMMC-AB established a small group of provisional assessors and will be working with a small group of provisional instructors, to start rolling out CMMC-AB accredited training. The final learning objectives for the training are expected in February 2021, with most LPPs and LTPs aiming to deliver the CMMC-AB Certified Professional (CP), Certified Assessor (CA) Level 1 and CA Level 3 classes in May, June, and July 2021 respectively. Prerequisites can be found on the CMMC-AB website.

A Certified CMMC Assessor (Level 1 or Level 3) will be qualified to lead a CMMC Assessment Team under a C3PAO, for an assessment equivalent to their Certified Assessor level. For example, if you require a Level 3 Assessment, you will need to contract with a C3PAO that has a Certified CMMC Assessor Level 3 available to lead the assessment team. Certified CMMC Professionals may participate as part of the C3PAO assessment team at any level, but cannot lead the assessment.

Organizations Seeking Certification (OSC) should contract with a RPO or a C3PAO to help prepare for either Level 1 or Level 3 certification from CMMC. Only C3PAOs can conduct the official assessment, and you cannot contract with the same provider for both the pre-assessment consulting services (i.e., RPOs) and the actual CMMC assessment/audit (i.e., C3PAO). You can find verified RPOs and C3PAOs on the CMMC Marketplace.

As of January 2021, the CMMC-AB organization trained a small group of Provisional Assessors who are qualified to conduct a provisional assessment, only for those organizations that are bidding on contracts the DoD has specified require a Level 1 or Level 3 Certification. This is meant to bridge the gap for the OSCs that are not currently required to show proof of Level 1 or Level 3 certification to bid on DoD contracts until the CMMC-AB is able to complete the Certification Training objectives and approve the LPP training materials.

The CMMC Marketplace lists many C3PAOs with some background information on each organization, including Edwards Performance Solutions. It is important to understand the agreed upon level of assessment your organization needs (Level 1 or Level 3) and the scope of the assessment and pricing prior to entering into a contract with a C3PAO.

Many RPOs and C3PAOs are available to assist your organization in preparing for the assessment. You can select from many already available on the CMMC marketplace or contact us at Info@EdwPS.com to discuss how Edwards Performance Solutions can help you prepare.

Organizations Seeking Certification (OSC's) should consider contracting with a RPO or a C3PAO to help prepare for either Level 1 or Level 3 certification from CMMC. Only C3PAOs can conduct the official assessment, and you cannot contract with the same C3PAO for both the pre-assessment consulting services and the actual CMMC assessment. You can find verified RPOs and C3PAOs on the CMMC Marketplace.

The CMMC is currently planning on listing CMMC preparedness tools on the CMMC marketplace. We expect this will be available in Q4 2021.

Training & Certification

As of January 2021, the CMMC-AB has established a small group of provisional assessors and will be working with a small group of provisional instructors to start rolling out CMMC-AB accredited training. The final learning objectives for the training are expected in February 2021, with most LLPs and LTPs aiming to deliver the CMMC-AB Certified Professional, Certified Assessor Level 1 and Certified Assessor Level 3 classes in May, June and July 2021 respectively.

We offer five-day official CMMC-AB (pending CMMC-AB approval) Certification bootcamp courses as well as a weekly 90-minute facilitated peer discussion groups. Check our online learning platform for the learning solution that is right for you.

Edwards will include many additional resources with the live, instructor-led CMMC courses. Check our training platform for more information on what we include with each course - materials will range from the official exam prep guide, to exam vouchers, to editable digital workbooks, and more.

Yes. Participants in the CMMC-AB Certified Assessor Level 3 5-Day Course will not be permitted to take the associated exam until they have provided proof of CMMC-AB approved Certified CMMC Professional (CCP) 5-Day Course and Exam, as well as the Certified CMMC Assessor Level 1 (CCA-1) 4-Day Course and Exam. In other words, the official CMMC-AB courses will build upon each other. You can find links to these courses along with what is included in the registration, on our online learning platform.

Our online courses are updated continuously to provide the most accurate recent information about CMMC.