There is a clear and ever-present danger in the DoD CMMC landscape: bad actors claiming to provide CMMC Certifications. They may be contacting you directly or, at a minimum, representing themselves online as having the credentials to offer this service. With over 300,000 Defense Industrial Base companies being forced to navigate CMMC by the DoD and the Primes, these bad actors are preying on unsuspecting honest businesses. Don’t let yourself be the next victim – do your research.
According to Stacy Bostjanick, Director of the CMMC Policy Office in the Office of the Under Secretary of Defense for Acquisition and Sustainment, “If anyone tells you they can get you certified, they are lying. The test isn’t done yet.”
What has been made available are CMMC training and assessment guides that tell DoD contractors what it takes to be certified at levels 1, 2 and 3. Find answers to your CMMC level-specific questions, including the guides, on the following Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification website.
As of this writing, the Department of Defense is still in the process of finalizing the CMMC Accreditation Body (CMMC-AB). It is expected that this Accreditation Body will begin training the registered CMMC auditors, known as third-party assessment organizations (C3PAOs), by this summer. Those C3PAOs that successfully complete the training will be positioned to begin auditing and certifying defense contractors.
However, DoD contractors need to be preparing for CMMC compliance right now: identifying the CMMC compliance level (1-5) they need to reach, performing a Controls Gap Assessment and creating their Plan of Action and Milestones (POA&M). All DoD supply chain members should be actively remediating the identified gaps.
BostonCOMPLY has been creating custom compliance programs and delivering them in our Practical Compliance Automation™ SaaS platform since 2015. We have successfully completed engagements with DIB companies over the past year, specifically addressing the Controls Gap Assessments, building POA&Ms, performing NIST 800-171 self-assessments, addressing all their IT compliance issues, while positioning them for their march toward CMMC Certification.