I don’t know. You don’t know. Nobody knows.
The scoping and final methodology guides have yet to hit the press as we await Department of Defense Approval.
Until then we guess, but with observable evidence.
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) part of the Defense Contract Management Agency verified the self-assessment of a few organization that self-attested to NIST-SP-800-171 compliance. To date they have conducted around 200 assessments. Yet when we break down this 200 number the actual full assessments DIBCAC has completed shrink.
Under the new interim rules of the Defense Federal Acquisition Regulation Supplemental assessments come in four flavors. The home made variety of self assessments called the 7018. The medium assessments, done by DIBCAC not onsite that falls under 7019, the high flavor of 7020 which requires an onsite visit from DIBCAC. Then finally the banana split of them all, the 171 which comes with CMMC sprinkles. Don’t worry only the undersecretary of A&S has hands on this jummy jar.
So currently you get a call and DIBCAC asks for documents or they may roll in to kick the tires on the System Security Plan (SSP) and the Plan of Action and Milestone
For the C3PAO things a bit different. They need 100% compliance on all 705 assessment objectives. Get a 704 out of 705 you fail. Under the interim rule you can still have a POA&M and they usethe 171a methodology. On a CMMC assessment performed by DIBCAC for a C3PAO you can have no open assessment objectives.
Six Week Assessment Cycle
Overall the assessments take around six week. Most of these assessments occurred during the COVID lockdown and that may have extended (doubtful) the timeline.
Four weeks before the assessment begin DIBCAC meets with the Organization Seeking Certification (OSC) in this case the Certified Third Party Assessment Organization (C3PAO) candidate. You then get systems set up to exchange documents (will your company use email or a third party file sharing service?).
Two weeks before the assessment DIBCAC reviews the documents and decides if the prerequisites fall in place. They then meet with the C3PAO to discuss the go or no go decision
A week before the assessment DIBCAC finalizes the assessment plan with the OSC.
Then the assessment week hits. DIBCAC built a team and grouped domains into four lose categories. Thes give you clues to the types of people a C3PAO may include on an assessment team. We loosely categorize these into:
- Group One- Identity and Access Management
- Group Two- People and Procedures
- Group Three-Technical Systems
- Group Four-Governance
Then for week or two and two days (in case the assessment goes long) after the assessment of the final report gets written.
As we have no official assessment process to share we can only guess at what the Department of Defense will do by looking at what the Department of Defense does.
Just remember CMMC a bit off. 2026 does not even show up on desk calendars.
Until then grow the SSP and shrink the POA&M.
source: DIBCAC CMMC Assessment Team. (April 2021). Candidate C3PAO Brown Bag. Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)