How Long Does a CMMC Assessment Take?
I don’t know. You don’t know. Nobody knows.
The scoping and final methodology guides have yet to hit the press as we await approval from the Department of Defense.
Until then we guess, but with observable evidence in mind.
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), part of the Defense Contract Management Agency, has verified the self-assessments of a handful of organizations that attested to NIST SP 800-171 compliance. To date it has conducted around 200 assessments of various kinds. Only a small portion of those are CMMC Level 3 Assessments, which consist of a DIBCAC High Assessment plus the additional CMMC practices.
Under the new DFARS interim rule, supplemental assessments come in four flavors. First, there is the homemade variety: the Basic self-assessment, which the contractor scores itself and reports under DFARS 252.204-7019. Next come Medium Assessments, which DIBCAC conducts off-site under 252.204-7020; the majority of the 200 assessments conducted to date have been at this level. The High Assessment flavor, also under 252.204-7020, requires an on-site, in-depth DIBCAC review of how NIST SP 800-171 is actually implemented. Finally, the banana split of them all, CMMC under 252.204-7021, comes with CMMC sprinkles on top of 800-171. Don't worry; only the Under Secretary of Defense for Acquisition and Sustainment (A&S) has hands in that yummy jar.
So, currently you get a call and DIBCAC asks for documents, or they may roll in to kick the tires on the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M).
For a C3PAO candidate, things are different. They need 100% compliance on all 705 assessment objectives: on a Level 3 CMMC Assessment, scoring 704 out of 705 is a failure. Under the interim rule you can still carry a POA&M; Basic, Medium, and High Assessments are scored on a scale of -203 to 110, and there is no penalty for a low score. However, you will need to pass those assessments with flying colors before you can expect to pass a Level 3 CMMC Assessment. On a CMMC Assessment performed by DIBCAC on a C3PAO candidate, you can have no open assessment objectives.
Six-Week Assessment Cycle
Overall, the assessments take around six weeks. Most of them occurred during the COVID-19 lockdown, and it has been speculated that pandemic conditions stretched the timeline, although this is doubtful.
Four weeks before an assessment begins, DIBCAC meets with the Organization Seeking Certification (OSC), in this case the Certified Third Party Assessment Organization (C3PAO) candidate. You are then set up with a system for exchanging documents. Consider in advance whether your company will use email or a third-party file-sharing service.
Two weeks before an assessment, DIBCAC reviews the documents and decides whether the prerequisites are in place. It then meets with the C3PAO candidate to discuss its go or no-go decision.
One week before an assessment, DIBCAC finalizes the assessment plan with the OSC.
Then the assessment week hits. DIBCAC has built a team and grouped the domains into four loose categories, which give you clues to the types of people a C3PAO may include on its own assessment team. We loosely categorize them as:
- Group One: Identity and Access Management
- Group Two: People and Procedures
- Group Three: Technical Systems
- Group Four: Governance
The assessment itself then takes one week (two, in some cases, if it runs long), after which the DIBCAC team writes the final report.
As we have no official assessment process to share, we can only guess at what the Department of Defense will do by watching what the Department of Defense does in the coming months.
Just remember, CMMC is still a way off. 2026 does not even show up on desk calendars.
Until then, grow the SSP and shrink the POA&M.
featured image:
Time flickr photo by Dominic Hargreaves shared under a Creative Commons (BY-SA) license
source: DIBCAC CMMC Assessment Team (April 2021). Candidate C3PAO Brown Bag. Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)