CMMC: The Journey So Far

Let the Games Begin

Since the CMMC standard was announced in January 2020, we have been anxiously awaiting more information on its implementation. Summit Business Technology has been on top of every announcement and has been preparing for the application process to become a C3PAO certified auditor. On June 20th, the CMMC board began accepting applications.

Since we are coming to the final steps of this journey, we thought it would be a great time to cover where we are now, reiterate the implications of this certification requirement, cover the next stages of its implementation, and explain what steps you can take to prepare for your audit.

Where We Are Now

Summit has submitted our application to become a C3PAO, and we are preparing to undergo the associated training. Pending our application’s approval, we expect to be able to begin audits in late 2020. As you can see in the timeline graphic provided by, we are still waiting on licensed instructors and training partners, the hiring of the CMMC-AB staff, and the adoption of the standard by government agencies.

What You Should Be Doing

Achieving the CMMC standard will not be as simple as implementing the necessary infrastructure and policies. CMMC will be looking for a proven history of compliance with its standards. When it comes time for audits to begin, you will want to give your auditor historical records showing a history of compliance, such as multiple iterations of mandatory password changes and proven policy adaptation.

At Summit, we are at the forefront of assisting companies in preparing for the CMMC audit by completing NIST 800-171/DFARS gap analysis. As a pending C3PAO, we can review your cybersecurity framework against the current NIST 800-171 standard and the anticipated additional controls required to achieve a level 3 CMMC accreditation. Should we find any potential gaps, we can work with your company to complete a necessary SSP and POAM remediation plan and assist in remediating your cybersecurity framework to better align you with the CMMC standard.

Contact our Cyber Security Division to discuss the process and any questions you might have.

