CMMC Level 2 Self-Assessment or Assessment by a CMMC Third Party Assessment Organization?


Given the choice, most companies would choose a self-assessment over a third party assessment. Isn’t that what CMMC was trying to get away from?

The decision of whether a company can self-assess for a Level 2 assessment or if a contract requires a third-party C3PAO assessment is determined by the specific requirements stated in the DoD contract solicitation.

The CMMC rule states that it is the government’s duty (the DoD Program Manager’s responsibility) to determine the CMMC level and assessment type in the request for proposals based on the risks linked to the contract and the sensitivity of the CUI at stake.

It’s extremely important for businesses to carefully review the contract solicitation to identify the assessment type. If the solicitation specifies “CMMC Level 2 (Self),” the company can conduct a self-assessment. If it states “CMMC Level 2 (C3PAO),” a third-party assessment is mandatory.


Factors Influencing the Government’s Decision on Level 2 Assessment Types

While the rule doesn’t detail the specific criteria used to determine the assessment type required, it does mention some factors that influence this decision:

  • Nature of the effort to be performed: The type of work, the technologies involved, and the potential impact of a cybersecurity breach.
  • Sensitivity of the CUI to be shared: The level of confidentiality, integrity, and availability required for the CUI will play a role.
  • Cybersecurity threat: The perceived likelihood and severity of potential cyberattacks targeting the CUI.

Company size is not a factor in determining the assessment type. This means that even small companies will be required to undergo a C3PAO assessment if the government deems it necessary for the contract.


Whether a contract requires a Level 2 Self-assessment or a C3PAO assessment has significant implications for a company. Some are:

  • Cost: Self-assessments are generally less expensive, as they don’t involve the fees associated with hiring a C3PAO.
  • Time: C3PAO assessments might involve longer lead times due to the limited availability of qualified assessors.
  • Rigor and Objectivity: Third-party assessments provide a higher level of assurance and reduce the potential for bias compared to self-assessments.
  • Liability: While both assessment types require affirmations from company officials, relying on a C3PAO might offer some legal protection in case of a breach. (I don’t know this, I’m not a lawyer. Please ask one!)

Given these factors, companies bidding on DoD contracts should:

  • Thoroughly review the solicitation: Pay close attention to the specified CMMC level and assessment type.
  • Proactively assess their cybersecurity posture: Determine if they currently meet the 110 NIST SP 800-171 R2 requirements.
  • Engage with C3PAOs early: If a third-party assessment is anticipated, start the process of identifying and selecting a C3PAO as early as possible to avoid delays.
  • Factor assessment costs into their bids: Account for the potential expenses associated with either a self-assessment or a C3PAO assessment.

By understanding the requirements in the contract solicitation and proactively preparing for the appropriate assessment, companies can increase their chances of success in competing for DoD contracts.

If you have questions, or you need C3PAO recommendations, contact us! We are happy to help.