A CMMC assessment is the process in which a company’s IT network is assessed against the cybersecurity controls required for each specific level of CMMC compliance. The control frameworks for each level are as follows:
- Level 1 Foundational: FAR 52.204.21
- Level 2 Advanced: NIST SP 800-171
- Level 3 Expert: NIST SP 800-172
When it comes to the subject of CMMC, the word “assessment” gets thrown around a lot. There are a few different versions of the CMMC assessment and it’s important to understand what each one is and the purpose it serves:
- Self-Assessment: These are assessments that are performed in-house by employees within the organization. The National Institute of Standards and Technology (NIST) has provided a self-assessment handbook for NIST 800-171 for companies that want to self-assess. That can be downloaded here. There is no self-assessment handbook for FAR 52.204.21 or NIST 800-172.
- Assessment by a Registered Provider Organization (RPO): These RPOs are third-party consultants that conduct their own assessments of a company’s network so that they can help prepare the organization for an official assessment by a C3PAO. Technically, any Managed Service Provider (MSP) can perform CMMC assessments; however, we recommend that you choose an RPO, since they have been audited by the CMMC-AB and are qualified to perform the task.
- Assessment by a Certified Third-Party Assessor Organization (C3PAO): These are the official assessments that are conducted during the certification process.
If you have additional questions about CMMC, check out our CMMC Compliance Guide, or contact us for a free consultation to learn how SysArc can help your company navigate the complexities of complying with DFARS, NIST 800-171 and CMMC.