DoD estimates CMMC paperwork burden

DoD CMMC rule paperwork analysis

OSCs must retain artifacts used as evidence for the assessment for the duration of the validity period of the certificate of assessment, and at minimum, for six years from the date of certification assessment as addressed in 32 CFR 170.17(c)(4).

The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available during the assessment. The organizational artifacts are proprietary to the OSC and will not be retained by the assessment team unless expressly permitted by the OSC.

To preserve the integrity of the artifacts reviewed, the OSC creates a hash of assessment evidence (to include a list of the artifact names, the return values of the hashing algorithm, and the hashing algorithm used) and retains the artifact information for six years.

The information obtained from the artifacts is an information collection and is provided to the C3PAO for uploading into the CMMC instantiation of eMASS.

The above text is from the DoD’s June 21, 2024 submission to the Federal Register. It describes the expected information collection level-of-effort for a CMMC Level 2 assessment. This analysis is a requirement for any regulation that requires paperwork by the public.
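The hashing step in the quoted rule text (a list of artifact names, the hash values, and the algorithm used, retained for six years) is straightforward to implement, and the same record lets the OSC later prove that archived evidence is unchanged. The following is an added example, not code from the DoD rule, the article, or Kieri Solutions: it builds a manifest from a set of artifacts and checks a set of artifacts against a stored manifest. The artifact contents are constructed samples, and the choice of SHA-256 and the JSON manifest layout are assumptions; the rule text names no particular algorithm or format.

```python
import hashlib
import json
from typing import Dict, List

# Assumed algorithm choice; the CMMC rule text does not specify one.
ALGORITHM = "sha256"

# Constructed sample artifacts (name -> content). A real OSC would read
# these from the evidence folder on disk.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "ssp.pdf": b"System Security Plan v3 (constructed sample)",
    "ac-2-account-list.csv": b"user,role\nalice,admin\nbob,user\n",
    "ir-8-incident-plan.docx": b"Incident response plan (constructed sample)",
}


def hash_bytes(data: bytes, algorithm: str = ALGORITHM) -> str:
    """Return the hex digest of data under the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def _canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so the manifest digest is reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: Dict[str, bytes], algorithm: str = ALGORITHM) -> dict:
    """Produce the evidence record: artifact names, digests, algorithm, and a
    digest over the record itself so the list cannot be edited unnoticed."""
    entries = [
        {"name": name, "digest": hash_bytes(data, algorithm)}
        for name, data in sorted(artifacts.items())
    ]
    manifest = {"algorithm": algorithm, "artifacts": entries}
    manifest["manifest_digest"] = hash_bytes(_canonical(manifest), algorithm)
    return manifest


def verify_manifest(manifest: dict, artifacts: Dict[str, bytes]) -> List[str]:
    """Compare archived artifacts against a stored manifest.

    Returns a list of problems; an empty list means every listed artifact is
    present and unchanged and nothing unlisted has been added.
    """
    problems: List[str] = []
    algorithm = manifest["algorithm"]

    # Check the manifest's own digest first: a tampered list is worthless.
    body = {k: v for k, v in manifest.items() if k != "manifest_digest"}
    if hash_bytes(_canonical(body), algorithm) != manifest["manifest_digest"]:
        problems.append("manifest digest mismatch")

    listed = {e["name"]: e["digest"] for e in manifest["artifacts"]}
    for name, digest in listed.items():
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
        elif hash_bytes(artifacts[name], algorithm) != digest:
            problems.append(f"modified artifact: {name}")
    for name in artifacts:
        if name not in listed:
            problems.append(f"unlisted artifact: {name}")
    return problems


if __name__ == "__main__":
    record = build_manifest(SAMPLE_ARTIFACTS)
    print(json.dumps(record, indent=2))
    print("verification problems:", verify_manifest(record, SAMPLE_ARTIFACTS))
```

The manifest is what gets retained for the six-year period; the artifacts themselves stay with the OSC. Including the algorithm name in the record matters because the retention window is long enough that the organization's default hash may change, and a verifier in year five needs to know which function produced the stored digests.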

DoD estimates paperwork burden at 525 hours

From the analysis: The DoD expects evidence collection and archival, assessment planning and results, C3PAO records about their assessment staff, and submission of data into CMMC eMASS to take 525 hours on average, per assessed company.

This is just the effort related to paperwork. It doesn’t cover the time spent interviewing or demonstrating the system. It doesn’t cover the time preparing.

This is about 2x more effort than a typical CMMC Level 2 assessment takes. This is probably because the calculation includes the time spent by the defense contractor to gather evidence internally, before the assessment.

Only 10,000 CMMC Level 2 events???

A non sequitur in this analysis is that the DoD estimated only 10,000 paperwork events for CMMC Level 2, with no timeframe defined. This doesn’t calculate, no matter how I do the math. The DoD has been estimating that up to 80,000 companies would need CMMC Level 2. On the low end, maybe 30,000 companies? If we divide this by three years (the time between assessments), we get 20,000 events per year, or 10,000 events at the low end. But CMMC will last longer than one year. If anything, this evaluation should calculate out 10+ years, which would be closer to 100,000 – 200,000 events.

Not sure what to think about this part of the analysis.

Read it yourself here: https://www.regulations.gov/document/DOD-2023-OS-0063-0374

What is the takeaway?

Bottom line? The DoD seems determined to get their defense contractors cyber-secure, no matter the cost. They are treating this as seriously as the defenses for our key military and government installations, and looking at a timeline of just a few years to get our manufacturing and military support base resilient to cyber-attack.

Between this analysis, and the movement of the CMMC Final Rule (32 CFR) to OIRA review, the DoD is putting in all the work to get CMMC done in a timely manner.

Time for assessment, or CMMC prep?

If you’re ready to start working seriously on NIST SP 800-171 and CMMC compliance, or want to get scheduled for your certification assessment, give our sponsors, Kieri Solutions, a call. Kieri Solutions specializes in helping IT teams be responsible for their own compliance.


Amira Armond is the chief editor of CMMCAudit.org, the vice chair of the C3PAO Stakeholder Forum, and the President of Kieri Solutions, an authorized C3PAO. Connect with Amira on LinkedIn for more frequent CMMC news and information. Kieri Solutions provides CMMC assessments and solutions for CMMC compliance.
