![](/fileuploads/publications/44/issues/10194/articles/images/robert_mcvay_headshot_cmyk_fmt.png)
The Cybersecurity Maturity Model Certification (CMMC) became official in December 2024. Understanding your organization’s responsibilities with the annual requirements for a self-assessment and self-affirmation to the Department of Defense (DOD) for continued compliance is a must for leaders at all levels. The self-assessment/affirmation requirements pose unique risks and potential liabilities not only to the organization, but also to the senior leader who signed off on these documents under the False Claims Act (FCA), 31 U.S.C. §§ 3729 – 3733. The upside is the ISO certification process may help lower these risks and provide organizations with supporting documentation to validate the self-affirmation requirements.
Self-assessment in the CMMC landscape
The self-assessment/affirmation is required for all organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). There are two conditions under which self-assessments are required:
- The organization is designated as CMMC level 1 or level 2 self-assessment only, with an annual requirement to conduct both the self-assessment and the affirmation.
- The organization is designated as CMMC level 2 or level 3 with a third-party assessment requirement, in which case the self-assessment/affirmation must be conducted annually in between the third-party assessments that occur every three years. Ask your contracting officer which applies to your organization.
Self-assessments: Pros and cons
The self-assessment option may appear more cost-effective than a third-party assessment. However, the self-assessment carries the risk of errors or omissions in the assessment, resulting in an incorrect self-affirmation to the DOD in the Supplier Performance Risk System (SPRS). CMMC compliance requires a solid understanding of the controls and assessment objectives to ensure your self-assessment meets the adequacy and sufficiency criteria detailed in NIST SP 800-171A. Mistakes and misinterpretations can and do occur. Regardless of how the reporting error occurred, both the organization and the leader who signed the SPRS self-affirmation can be held personally liable under the FCA.
ISO processes reduce risk
The ISO process is focused on ensuring the organization maintains continuous compliance through a three-year certification cycle, with annual surveillance assessments between certification and recertification. Applying this process to CMMC has the following advantages:
- Reduces the self-assessment risk of errors or omissions by adding a third-party assessment based on a sampling of controls.
- Provides the senior official signing the SPRS self-affirmation with confidence in stating the organization’s compliance.
- Provides stable and consistent pricing and budgeting for CMMC assessments across all three years of the cycle.
- Provides a path for the organization to improve and upgrade its information system(s) without requiring a new third-party assessment, by leveraging the annual surveillance assessments.
Working certifications in parallel
Pursuing an ISO standard in parallel with CMMC not only benefits the organization by yielding two certifications; the surveillance audits for the other standard can also be used for CMMC assessments. There is significant overlap between CMMC and ISO/IEC 27001:2022 in both controls and scope, which may reduce audit duration and cost while obtaining both certificates. ISO/IEC 27001:2022 is the internationally recognized standard for information security management. Note: This dual certification process is only possible if your CMMC Third Party Assessor Organization (C3PAO) is also an accredited certification body (CB) for the other standard (Smithers is one of these organizations).
Contact me with questions
What questions can I answer for you? The FCA as it relates to self-assessments can be confusing, as can mapping other standards such as ISO 27001 or AS9100 to CMMC controls. I’m happy to address your general questions in a no-obligation meeting to help make sure your organization is on the right path. If you’re ready for a CMMC assessment, we can also talk about scheduling, as Smithers is an authorized C3PAO. Use the QR code or link below to pick a convenient day and time.
https://calendly.com/robert-mcvay/defense-munitions-meeting-15-min
Smithers
https://www.smithers.com
Published in Defense and Munitions, January/February 2025 issue.