This U.S. Government department is responsible for developing and mandating the CMMC Framework.
DoD; Department of Defense
These organizations are authorized by the CMMC-AB to conduct official CMMC assessments.
C3PAOs; Certified Third-Party Assessment Organizations
These individuals provide guidance on the regulatory context and CMMC levels.
CMMC Advisors
Before undergoing a formal CMMC assessment, organizations often conduct this internal evaluation to ensure they meet cybersecurity requirements.
Self-assessment
These organizations offer specialized courses and training programs to help individuals and companies meet CMMC requirements.
Licensed Training Providers (LTPs)
The CMMC Framework is designed to protect what type of sensitive information, often related to defense projects.
CUI; Controlled Unclassified Information
Individual or organization qualified to conduct assessments to determine if a company meets the required cybersecurity standards under CMMC.
CMMC Certified Assessors are individuals deployed by Certified Third-Party Assessment Organizations (C3PAOs) to conduct assessments.
These individuals help organizations meet CMMC compliance requirements.
CMMC Practitioners (RP). Can work as an independent contractor or as part of a Registered Practitioner Organization (RPO).
How often must organizations undergo a formal assessment to maintain their CMMC certification and demonstrate compliance?
Annually for level 1, tri-annually for 2 & 3
After a CMMC assessment, these professionals help organizations address any deficiencies by creating a Plan of Action and Milestones (POA&M) for remediation and by helping with annual self-assessments.
CMMC Advisor
This group, which includes businesses that supply goods or services to the DoD, requires CMMC certification.
Defense Contractors, Subcontractors, and Suppliers. (DIB)
CMMC assessment results are documented to determine whether organizations meet the required level. These results are submitted to the DoD for records and to help develop the POA&M.
Assessment Report
These individuals are responsible for level 1 & 2 CMMC assessments
These individuals are responsible for level 3 CMMC assessments
C3PAOs conduct level 1 & 2 testing while DIBCAC runs level 3 tests
This happens if an assessment isn't taken or isn't passed.
Loss of DoD contracts, possible penalties.
These cybersecurity experts implement technical controls and provide hands-on support to organizations following a CMMC assessment, ensuring that compliance measures are effectively integrated.
RP/RPOs
CMMC-AB; Cybersecurity Maturity Model Certification Accreditation Body
Once an assessment is passed, this organization grants CMMC certification.
Certified Third-Party Assessment Organizations (C3PAOs)
This body is specifically responsible for the overall accreditation and oversight of the entire CMMC ecosystem, including managing the C3PAOs.
Cybersecurity Maturity Model Certification Accreditation Body, Cyber AB
Organizations seeking CMMC certification must demonstrate compliance with this many cybersecurity practices at Levels 1, 2, and 3.
Level 1 - 17
Level 2 - 110
Level 3 - 320
These organizations help remediate gaps in CMMC compliance by performing security assessments, implementing security controls, and providing continuous monitoring.
Managed Service Providers, MSP
In addition to creating the CMMC framework, the DoD is also responsible for enforcing this aspect of CMMC compliance.
Regulations
Post-assessment care
Review Assessment Report
Address Identified Gaps (POA&M)
Regular Audits and updates on practices
Keep records of practices, policies, and remediation efforts
Ongoing training + Awareness Programs
Work with practitioners to stay up to date and get advice
This organization focuses specifically on training and certifying CMMC professionals, such as assessors and instructors.
Cybersecurity Assessor and Instructor Certification Organization, CAICO
This is the estimated time frame that achieving CMMC compliance typically takes for most organizations.
6 to 18 months
After receiving CMMC certification, these roles within the company ensure that organizations are continuously monitoring their compliance and adapting their cybersecurity practices to align with changing regulations.
Compliance Officers or Internal Compliance Teams