last changes: 7/12/2021
CMMC Timeline of Rollout
The DoD has started rolling out the first contracts with CMMC requirements this year. The small number of initial contracts that are part of this pilot project phase are expected to impact 1500 companies in the Defense Industrial Base (DIB) Supply Chain that are currently going through the CMMC certification process. The number of contracts with CMMC requirements will continuously increase each year until all contract will require CMMC by the end of 2025. The graph bellow shows the forecast for the projected CMMC timeline we compiled from different DoD sources:
The CMMC Certification Process – Who Is Involved?
The CMMC eco-system is always evolving and has a lot of moving parts. If your company is required to become CMMC certified there are only a few organizations that are relevant. The main parties involved and their focus are summarized in the diagram bellow. The CMMC Accreditation Body (CMMC-AB) is authorized by the US Department of Defense to be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community. This is the organization that will award you the certification.
On the way to certification there are two main type of organizations that you will encounter. Both are trained and registered/certified by the CMMC-AB:
- CMMC Registered Provider Organizations™ (CMMC-RPO) like Ecuron are focused on consulting and help with all the steps until the certification assessment. This includes an initial CMMC gap analysis, followed by remediation and implementation of missing controls, developing documentation etc. Prior to the certification audit by a C3PAO it is recommended to perform a CMMC Pre-Assessment.
- CMMC Third Party Assessor Organizations™ (C3PAO) are focused on the CMMC Assessment (aka Certification Audit). They will report their findings to the CMMC-AB which will award you the certification if applicable. While C3PAOs are able to provide all services that CMMC-RPOs provide, they cannot provide those services to a company they will assess. This would be a clear conflict of interest.
The CMMC Certification Process – The Different Phases
The journey of achieving CMMC compliance for your organization can be broken down into four phases:
CMMC Certification Timeline – An Example
Each organization, scope, implementation, and certification is different as it depends on a variety of parameters that determine timeline and cost. Among the main factors are:
- CMMC Level required.
- Existing infrastructure and cybersecurity posture of the DoD contractor
- Number of locations in scope
- Availability of the C3PAO to perform the Certification Assessment.
While timing is influenced by these factors, the following general example of the CMMC certification process will give you a good overall idea about the steps involved and some time estimates.
HOW WE CAN HELP
Due to our status as a CMMC Registered Provider Organization™ (CMMC-RPO), Ecuron can perform pre-assessment services which include CMMC gap analysis, implementation help, CMMC pre-assessments. We do not conduct the final Certification Assessments.
Depending on your current cybersecurity status as well as the CMMC Level you are required to achieve, implementation of the new standard will take several months. Starting now by implementing the likely requirements and cyber security best practices will save you valuable time and will get you ahead of the curve and competition.
We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:
- CMMC Gap Analysis / CMMC Gap Assessment
See where your organization stands and what it takes to achieve compliance
- CMMC Implementation Help
Based on the results of the first phase we will help you to close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required.
- CMMC Pre-Assessment
Think of it as a mock audit. We will verify that everything is in place, mature, and can be proven to an auditor. If we find issues we will help you fix them. Once we are confident that you are ready for the CMMC Assessment we will recommend to schedule the actual audit.
- CMMC Assessment Support
We help you prepare for the certification audit, gather & organize evidence for a smooth assessment by the C3PAO. We will be at your side throughout the process.