Feb 18, 2021

3 Myths About CMMC

Myth #1: You can prepare for a CMMC audit by comparing your cybersecurity posture to the NIST SP 800-171 controls.

Facts: Beware of ads and case studies that cite "CMMC experience" based on NIST SP 800-171 readiness assessments. A NIST SP 800-171 assessment is not the same as a CMMC readiness assessment: CMMC levels above the basic tier add practices and process-maturity requirements beyond the 110 NIST SP 800-171 controls, so a clean 800-171 gap analysis does not by itself show readiness for a given CMMC level.

The CMMC Accreditation Body (CMMC-AB) has announced that assessors should use the most current version of the CMMC model in their readiness assessments. Authorized assessors are identified by the Certified Third-Party Assessor Organization (C3PAO) badge.

Myth #2: DoD contractors must be certified by an accredited assessor before they can bid on an RFP.

Facts: Maturity Level certification is not required at bid time; it is required at award. At that point, the awardee must present the CMMC Maturity Level certification specified in the solicitation.

Myth #3: An organization that displays the CMMC logo on its website is aligned with the CMMC Accreditation Body (CMMC-AB) and qualified to perform pre-assessment work.

Facts: CMMC-AB does encourage readiness assessments, but the best practice for contractors is to have that work done by a Registered Practitioner Organization (RPO) staffed with Registered Practitioners (RPs). Before becoming registered, practitioners must complete training that validates their understanding of CMMC practices and sign the CMMC-AB Code of Professional Conduct. Registered organizations are listed in the CMMC-AB Marketplace and use the official RPO badge, much as C3PAOs use theirs, in their marketing material and communications. A logo on a website is not a substitute for a Marketplace listing; check the listing before engaging a firm for pre-assessment work.
