CMMC is Continuing to Grow
As we moved into 2021, the DoD and CMMC-AB moved into their “pilot” program for CMMC. In 2021 that will mean 15 solicitations or RFI/RFPs will have CMMC requirements included in them. This will affect approximately 1500 contracting companies. The CMMC-AB is planning to have fewer than 100 provisional assessors to handle these assessments. They know that is not enough, so, for now, they are allowing Registered Practitioners (RPs) to work on the provisional assessments with the assessors.
So, how does this apply to you? Well, despite some people’s belief that CMMC was going to die on the vine, that’s not going to happen. Yes, the dates have slipped. A lot of that had to do with COVID-19. However, not only is it not going to go away, some other Federal agencies are starting to ask their suppliers if they are CMMC certified. It’s starting to look like this concept is going to spread to other Federal agencies and possibly to some State agencies. There is too much money at stake here to risk not being able to win an award because you didn’t get certified.
If you are one of the 1500 companies that will be required to reach a CMMC certification this year and you are not already well on your way, you might be too late. You can’t put policies, processes, and practices in place the day before the assessment team shows up at your door. You need time to establish a pattern (and evidence) of adherence to them. If you’re not one of those 1500, go ahead and get started now.
Think about the numbers here. Approximately 1500 companies this year. Approximately 7500 companies next year and the number goes up every year until 2026. How many Certified Third Party Assessor Organizations (C3PAOs) will there be? How many Certified Assessors will they have available? How long will you have to wait to have your assessment? Are you sure that you’ll be ready?
I spent several years as a Chief Information Security Officer at a government agency. Each year we had at least one and as many as three outside assessments and audits. I had a great team working for me, but each year each audit found something that we missed. You need a fresh set of eyes. You need an outside company to help you with a CMMC pre-assessment. I believe that the C3PAOs will be too busy doing the official assessments to be very active in the pre-assessment world.
Fortunately, Needling Worldwide can help you. We have a great team that can work with you on your schedule to help you prepare for the official CMMC assessment. Needling Worldwide is a Registered Provider Organization, and our assessors have years of experience with CMMC, NIST, ISO, HIPAA, SOC2, and other assessments. We have RPs, CISAs, C|CISOs, ISO Lead Auditors, and other certifications to assist you. Our team can conduct a gap analysis for you and help you close any gaps. We can provide any policies that are missing and provide guidance on any other issues that are discovered.
Contact us for pricing and schedule availability.
Director, Business Development - Government Sector