Achieve CMMC Compliance With a Leading C3PAO

Business Transformation Institute (BTI) has been in business since 2005 and is a C3PAO authorized by The Cyber AB. Our experienced Certified CMMC Assessors (CCAs) and Lead CCAs are qualified to conduct Level 2 assessments and bring extensive knowledge and technical skills to the process.

Our team members are authorized to work at the highest levels of government information sensitivity, so you can be sure they understand your customer’s mission and the critical cybersecurity controls at an expert level.

    Our CMMC Certification Process

    During an assessment, our qualified team of assessors will evaluate your organization’s cybersecurity practices against CMMC Level 2 requirements. As a C3PAO, we’re required to follow a phased approach, which may include the following stages depending on your compliance needs:

    We’ll work with you to determine a time frame and location for the assessment. We’ll also verify your scope and readiness for the assessment before moving forward.

    We’ll determine the most cost-effective and beneficial assessment method for your organization. Depending on our chosen methods, our assessment might include examining or testing your organization’s security safeguarding activities. Following the assessment, we’ll determine whether your organization has or hasn’t met Level 2 requirements. 

    After sharing the final assessment results with you, we’ll upload them to the CMMC Enterprise Mission Assurance Support Services (eMASS) database and issue a certificate stating your CMMC status.

    If your organization does not pass the assessment and therefore develops a Plan of Action and Milestones (POA&M), we can conduct a second assessment to close out the POA&M.

    Reasons to Partner With BTI for CMMC Certification

    A CMMC assessment is not a one-size-fits-all experience. Your assessor has the discretion to choose the best assessment methods for your organization, so it’s essential to partner with an experienced C3PAO to ensure the process is efficient and cost-effective.

    The certified experts at BTI will go above and beyond your expectations. Here’s why:

    • We have a long history with CMMC, and one of our team members was one of the first CMMC assessors authorized by The Cyber AB.
    • We’ve written important components of CMMC assessment methods, training materials, and the framework itself.
    • We have real-world experience implementing technical security controls and various process improvement methodologies.
    • We are authorized at the highest levels of program sensitivity and can support members of the Intelligence Community’s contractor base requiring the highest level of security.
    • We conduct Level 2 assessments for organizations of all sizes, from 10 to 80,000 people.

    CMMC Solutions for Every Step of the Process

    Whether you’re preparing for a CMMC assessment, are ready for an assessment now, or want to get trained in CMMC, we’ll meet you where you are.

    We offer CMMC services for every stage of the journey:

    • CMMC consulting services and gap assessments
    • CMMC training courses
    • CMMC assessments up to Level 2

    FAQs About CMMC Assessment and Certification

    The CMMC level you need to achieve depends on the type of information you handle, how sensitive it is, and your contractual clauses. CMMC 2.0 has three levels:

    Level 1: Foundational

    If you handle FCI and not CUI, you will require a CMMC Level 1 self-assessment. Remember that FCI is any Federal Contract Information, so if you have a contract with DoD or are a subcontractor to a DoD prime contractor, you are in-scope for CMMC and will need to self-attest that you meet the 15 NIST SP 800-171 practices for CMMC Level 1 certification.

    Companies that have a low risk of ever encountering CUI, like those doing landscaping or serving food at a DoD facility, will likely never have to leave CMMC Level 1.

    Level 2: Advanced

    CMMC Level 2 certification is for any DoD contractor or subcontractor that handles CUI. Level 2 brings all 110 NIST SP 800-171 practices and DFARS 252.204-7012 security requirements into scope. It requires a CMMC Level 2 C3PAO Assessment, which means an accredited outside organization must assess your CMMC Level 2 implementation.

    Level 3: Expert

    Level 2 is a prerequisite for CMMC Level 3 certification. Contractors needing to achieve CMMC Level 3 must meet all of Level 2’s requirements, plus 24 enhanced security requirements from NIST SP 800-172. The DoD has said that only a small subset of DIB companies will require it, but those that do will need a CMMC Level 2 third-party assessment for the NIST SP 800-171 practices and a direct federal government assessment for the NIST SP 800-172 practices.

    Phase 1 of CMMC Program implementation begins when the 32 CFR Part 170 rule becomes effective on December 16, 2024. It will end one calendar year later, at which point Phase 2 will begin.

    During Phase 1, the DoD can add CMMC requirements to requests for proposals or contracts for any work that will be awarded or begin at the start of Phase 2. In other words, a requirement to have CMMC Level 2 can be added starting December 16, 2024, as long as the requirement isn’t enforced until December 15, 2025.

    The DFARS 48 CFR rule, which requires the use of a third-party assessment organization, is anticipated to be published in March 2025. The date on which the requirement to use a third-party assessor takes effect isn’t yet known, but it will be either six months or one year after the final 48 CFR rule is published.

    The term “C3PAO” is a key phrase for defense industrial base (DIB) contractors and subcontractors preparing to comply with the finalized Cybersecurity Maturity Model Certification (CMMC) Program.

    Under the Department of Defense’s (DoD) final ruling, most DIB organizations that handle Controlled Unclassified Information (CUI) must obtain a CMMC Level 2 certification assessment.

    The meaning of C3PAO is CMMC Third Party Assessment Organization. C3PAOs are authorized by The Cyber AB — the official CMMC accreditation body — to perform CMMC assessments on behalf of the DoD. 

    Depending on the organization’s size (small, medium, or large) and the required certification level (1 to 3), Defense Industrial Base (DIB) companies should anticipate allocating between $25,000 and $250,000 annually to achieve and maintain the right CMMC level of compliance. Many factors impact the cost of CMMC certification and can lead to significantly higher or lower CMMC-related expenses, including the complexity of IT infrastructure, the need for third-party assessments, and the degree of cybersecurity maturity already in place.

    Choose BTI for CMMC Certification Services

    CMMC is more than a buzzword — it’s a requirement if your organization wants to grow in contracting with the US DoD. Let us help you on that journey!

    Choosing an experienced, reputable, and highly skilled C3PAO will ensure you receive a CMMC Level 2 assessment that’s official — and streamlined. Have greater peace of mind partnering with a C3PAO that has a history with CMMC, like BTI. Contact us today.