Oversight
Assessments
Key Roles
Certification Journey
Supporting Ecosystem
100

U.S Government department is responsible for developing and mandating the CMMC Framework. 

DoD; Department of Defense

100

These organizations are authorized by the CMMC-AB to conduct official CMMC assessments.

C3PAOs; Certified Third-Party Assessment Organizations

100

These individuals provide guidance on the regulatory context and CMMC levels

CMMC Advisors

100

Before undergoing a formal CMMC assessment, organizations often conduct this internal evaluation to ensure they meet cybersecurity requirements.

Self-assessment

100

These organizations offer specialized courses and training programs to help individuals and companies meet CMMC requirements

Licensed Training Providers (LTPs)

200

The CMMC Framework is designed to protect what type of sensitive information, often related to defense projects. 

CUI; Controlled Unclassified Information

200

Individual or organization qualified to conduct assessments to determine if a company meets the required cybersecurity standards under CMMC.

CMMC Certified Assessors are individuals deployed by the Certified Third-Party Assessment Organizations (C3PAO) to conduct assessments

200

These individuals help organizations meet CMMC compliance requirements

CMMC Practitioners, (PR). Can work as an independent contractor or a part of a Register Practitioner Organization (RPO)

200

Organizations must undergo a formal assessment how often to maintain their CMMC certification and demonstrate compliance

Annually for level 1, tri-annually for 2 & 3

200

After a CMMC assessment, these professionals help organizations address any deficiencies by creating a Plan of Action and Milestones (POA&M) for remediation and helping with annual self-assessments

CMMC Advisor 

300

This group requires CMMC certification, includes business that supply goods or services to the DoD. 

Defense Contractors, Subcontractors, and Suppliers. (DIB) 

300

CMMC assessment results are documented to determine if organizations meet the required level. These results are submitted to the DoD for records and to help develop the POA&M

Assessment Report

300

These individuals are responsible for level 1 & 2 CMMC assessments

These individuals are responsible for level 3 CMMC assessments

C3PAOs conduct level 1 & 2 testing while DIBCAC runs level 3 tests 

300

This happens if an assessment isn't taken or not passed

Loss of DoD contracts, possible penalties. 

300

These cybersecurity experts implement technical controls and provide hands-on support to organizations following a CMMC assessment, ensuring compliance measures are effectively integrated

RP/RPOs

400
Non-profit organization authorized by the DoD to manage and oversee accreditation of CMMC assessors and certification process.

CMMC-AB; Cybersecurity Maturity Model Certification Accreditation Body 

400

Once assessment is passed, this organization grants CMMC certification

Certified Third-Party Assessment Organizations (C3PAOs)

400

These individuals are specifically responsible for the overall accreditation and oversight of the entire CMMC ecosystem, including managing the C3PAOs

Cybersecurity Maturity Model Certification Accreditation Body, Cyber AB

400

Organizations seeking CMMC certification must demonstrate compliance this many cybersecurity practices. Levels 1, 2, and 3

Level 1 - 17 

Level 2 - 110

Level 3 - 320

400

These individuals help remediate gaps in CMMC compliance by performing security assessments, implementing security controls, and providing continuous monitoring

Managed Service Providers, MSP

500

In addition to creating the CMMC framework, the DoD is also responsible for enforcing this aspect of CMMC compliance. 

Regulations 

500

After assessment care

Review Assessment Report
Address Identified Gaps (POA&M)

Regular Audits and updates on practices

Keep record of practices, policies, or remediations efforts

Ongoing training + Awareness Programs

Work with practitioners to stay up to date and get advice

500

These individuals focus specifically on training and certifying CMMC professionals, like assessors and instructors

Cybersecurity Assessor and Instructor Certification Organization, CAICO

500

This is the estimated time frame achieving CMMC compliance typically takes for most organizations

6 to 18 months

500

After receiving CMMC certification, these roles within the company ensure that organizations are continuously monitoring their compliance and adapting their cybersecurity practices to align with changing regulations.

Compliance Officers or Internal Compliance Teams

M
e
n
u