July 14, 2021

Last Updated on January 19, 2024

Cybersecurity Maturity Model Certification (CMMC) Level 3 assessments are upon us. But when exactly are they starting? And what businesses are queuing up to be among the first to achieve CMMC certification?

To get all the latest insights on what CMMC assessments will look like, including when they will start, Stacy High-Brinkley, VP of Compliance Solutions at Cask, a candidate C3PAO, was our guest on a recent episode of The Virtual CISO Podcast. Hosting the show as always was John Verry, Pivot Point Security CISO and Managing Partner.

What companies are first in line for CMMC assessments?

John asks: “A lot of people are reaching out to [Cask] already. Is that part of the initial 2021 contracts? Are they actually going to be in that first group of [pathfinder] contracts that we’re seeing? Or are most of those organizations trying to get ahead of the curve, and think there will be a strategic or competitive advantage to getting CMMC certified earlier?”

“It’s about 20% to 30% folks that know they’re going to be on contracts that require it,” replies Stacy. “And then the rest are literally just coming out of the woodwork wanting to be ready to bid on any contracts. And some of these folks are hoping to get on some of those [pathfinder] contracts. They have a ton of subs. So there’s hundreds of companies involved in those pilots and pathfinders.”

John agrees that Pivot Point Security is seeing about the same mix of inquiries: “We’ve probably got about a third or a quarter that have been doing high-end, heavy munitions-oriented DoD work for years and know that their contracts are just rolling over. And then we’ve got the ones that are saying, ‘Yeah, we want to get ahead of the curve,’ and that’s probably two-thirds to three-quarters.”

When will CMMC assessments begin?

Along with that, Stacy notes that three C3PAOs have now passed their audits and are able to perform CMMC assessments. Her guess/hope is that C3PAOs will start auditing Organizations Seeking Certification (OSCs) as early as July 2021.

“The C3PAOs can actually go out once they are authorized and they can start assessments,” Stacy asserts. “So, I think there’s some confusion there. I think if you have the bandwidth and the personnel to move forward, you can. To be honest, as a provisional assessor, I’ve been waiting since I was certified in September [2020]… So I’m hoping that that’ll start up soon so we can get going.”

“I would think in January/February [2022] it’ll probably be rolling heavy,” adds Stacy. “You’ve got to get the WD-40 out a little bit and get it rolling, and then I think we’ll see a lot more folks getting certified.”

To ensure your company has the best possible chance for a successful CMMC audit, be sure to listen to this podcast episode with Stacy High-Brinkley.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.