That is the question that everyone is placing a major bet on. Unfortunately, the CMMC has not offered much information on when they will be releasing the CMMC Certified Professionals training classes required to become CMMC Certified Professionals and Certified Assessors. According to the CMMC frequently asked questions classes were supposed to be authorized mid-to-late summer 2021. To date, only four authorized C3PAO are currently announced on Marketplace, and we still are yet to see what a successful CMMC audit entails. The good news is that since no audits have been completed, no company is yet to fail the DIBCAC ML3 assessment.
Nonetheless, progress is still being made (at minuscule levels). Currently, there are 67 C3PAO Candidates pending CMMC ML3 Assessment. Background checks are in process and there are 45 approved Licensed Training Providers. Meanwhile, the list of Registered Practitioners (RP) and respective Registered Provider Organization (RPO) continues to grow. All signs are showing commitment to the CMMC and we are advising our clients to continue to prepare for some level of certification come 2022.
Whether you are currently in the assessment process or you are considering becoming certified next year, we advise you to be familiar and compliant with the established CMMC Ethics. Based on the September CMMC Town Hall over 9 discrete allegations of improper conduct / conflict-of-interest and ethics violations by CMMC-AB Board members were addressed. As you can imagine, the CMMC is taking this very seriously and will no doubt emphasize compliance with the Code of Ethics for all board members as well as applicants going forward.
At the base of the spirit of the CMMC are baseline principles that establish the high standards of honesty and integrity required to operate within the CMMC Ecosystem. The CMMC has taken great care to construct its Code of Ethics, which is intended to provide a guideline of acceptable business practices. This is applicable and expected for all entities that facilitate cyber security services both domestic and internationally and includes all major regulatory agencies and all entities wishing to successfully bid on any DoD contract requiring CMMC. The CMMC Code of Ethics is amplified and supported by the CMMC Code of Conduct, which outlines specific requirements in the following areas:
• Promotion of Good Practices
• Professional Representation
• CMMC-COE Assignments
• Client Interests
• Responsible Reporting
Additionally, it’s important to remember that at this time, the CMMC does not allow for self-attestation of compliance. As more and more C3PAOs join the marketplace, a larger number of companies will be working towards becoming certified in order to remain viable contractors and continue to participate in bidding all government contracts. Ensure yours is one of the initial organizations to achieve the status of being CMMC certified, assuring less competition when bidding DoD contracts that require CMMC.
Keep in mind that preparation for this assessment can be intricate and time-consuming. In order to take the first step towards assessment, it is prudent to candidly evaluate your organization’s current level of cybersecurity by conducting a Gap Assessment.
Elevate can make the process of becoming compliant much less painful by preparing your firm for your formal assessment by a certified C3PAO with a thorough CMMC Gap Assessment with remediation advice. Contact us today and let Elevate take the heavy lifting out of CMMC!