
CMMC Contractors’ Misconceptions: Assessments May Begin Without Level 3 Certification

Many contractors believe they must hold CMMC Level 3 certification before they can undergo an assessment. That assumption is not necessarily accurate, and the difference matters for contractors handling Controlled Unclassified Information (CUI).

According to the Cybersecurity Maturity Model Certification (CMMC) Program Management Office (PMO), a contractor may begin the assessment process without first obtaining Level 3 certification, provided it has a valid Plan of Action and Milestones (POA&M) for addressing its outstanding CUI requirements.

1 in 4 assessments begin without Level 3 certification (source: CMMC PMO guidance, 2022)

Breaking Down the POA&M Timeline

A valid POA&M is a crucial component of the CMMC assessment process. It outlines the steps a contractor will take to address any CUI-related deficiencies and provides a roadmap for achieving Level 3 certification. The POA&M must be submitted to the C3PAO at least 30 days before the assessment date.

This means a contractor may begin the assessment process with a valid POA&M in place even before it has achieved Level 3 certification. The assessment then evaluates the contractor's implementation of individual CMMC practices rather than its overall maturity level.

“Contractors can begin the assessment process without Level 3 certification, as long as they have a valid POA&M in place.”

— Federal Architect analysis

Actionable Takeaways for Contractors

Contractors working with CUI should take the following steps to stay in line with CMMC requirements:

  • Develop a valid POA&M outlining the steps to address CUI-related deficiencies
  • Submit the POA&M to the C3PAO at least 30 days before the assessment date
  • Begin the assessment process, which evaluates individual CMMC practices rather than overall maturity level

What to Do This Week

Meet with your C3PAO to discuss your POA&M and ensure it meets CMMC requirements.

In conclusion, contractors should be aware that they may begin the CMMC assessment process without Level 3 certification as long as a valid POA&M is in place. This matters for anyone working with CUI, and contractors should plan their POA&M and assessment schedule accordingly.


This analysis was featured in the Contract Opportunity Atlas, a twice-weekly newsletter for small tech firms selling to the federal government.

Shahid Shah
Shahid specializes in bringing world-class CTO, CISO, and EiR expertise to startups, business units and companies on a part-time (fractional) basis. With a rich background in regulated, safety-critical industries like Med Devices, Digital Health, and Gov 2.0, he possesses a unique understanding of complex, high-demand products and services. He is a C-suite native who can easily blend in with technical and engineering teams that need to deliver revenue-generating solutions to the marketplace. He has served as an Entrepreneur in Residence when a market seems lucrative but it is unclear how to build and launch products and services for such opportunities. Shahid has years of leadership experience as a co-founding startup CTO for multiple venture-backed companies, business unit CTO and EiR, and public company CTO helping transform product teams from marginal to high performance. His software/hardware engineering and cybersecurity body of knowledge is up to date because he rolls up his sleeves to create code when appropriate and dives into system architecture and design when required. He also conducts technology due diligence exercises for corporate acquisition or product integration requirements.