So many CMMC numbers thrown around. You hear 110, 131, Delta 20s, 99s, 97s, 98s.
None of this matters as much as the assessment objectives. In the Cybersecurity Maturity Model Certification program you must comply with all assessment objectives for all practices and processes at the maturity level you seek. Furthermore, an assessor will hold you responsible for all the objectives at lower levels. The model builds maturity through the accumulation of compliance with assessment objectives.
If one assessment objective falls out of compliance, you fail your CMMC assessment (well, you get a 90 adjudication period, but more on that later, when we know more on that).
CMMC By The Numbers
- 130 Practices in CMMC Level 3.
- 51 Processes in CMMC Level 3. (99, 98, 97)
- 382 Assessment Objectives for Practices at Level 3
- 323 Assessment Objectives for Processes at Level 3 (Easter egg: the objective3 g has vanished from 97)
- 705 Assessment Objectives total at Level 3
What does it Mean for me?
Do not talk to any vendor who tries to sell you compliance on Practices and Processes without mentioning assessment objectives. They do not know anything.
While the numbers sound daunting, many of the Assessment Objectives, especially the 98 and 97 process assessment objectives, will overlap with observable evidence you collect as part of your System Security Plan.
You can find good templates out there that will measure the CMMC assessment objectives and also include the DoD Assessment Methodology (DAM) for a 171a self assessment against NIST SP 800-171.
You may have the wrong numbers because your documents fell out of date. If your CMMC model documents come from version 1.02, you have outdated information. Go find the CMMC Assessment Guides (v1.10) on the A&S website. The Appendices no longer matter. Do not use them.
One tip we often give people to improve the assessment guide is to cut the page in half so you only have the Assessment Objectives left.
Thank you to Amira Armond and Jacob Horne for verifying and accounting for the assessment objectives for everyone. If you need any CMMC compliance help, the CT CMMC Coalition highly recommends both Kieri Solutions and DefCert.