According to the CMMC rule published on October 15, 2024 and finalized on December 16, 2024, a Level 1 CMMC status requires that the organization seeking assessment (OSA) comply with all 15 security requirements from FAR clause 52.204-21, that the organization conduct a self-assessment, and that the company enter the assessment score into SPRS. This self-assessment needs to occur on an annual basis. No plans of action & milestones (POA&Ms) are acceptable for Level 1 CMMC companies.
If a self-assessment is acceptable according to the final rule, why are some organizations exploring third-party assessments for their Level 1 compliance?
The False Claims Act, or 31 U.S. Code § 3729, dates back to 1863 and the presidency of Abraham Lincoln. In today's world, the False Claims Act intersects with the world of cybersecurity and SPRS. If a defense contractor enters an incorrect and/or false entry into the SPRS database, the executive who signed off on the score will be held accountable. That person, not the company, could face substantial financial penalties in the aftermath.
Presumably, but not necessarily, an executive will be aware of and integrated into the compliance journey, ensuring that no corners are cut, all controls are met, and continuous compliance occurs. Without a third-party assessment, however, a company executive has to rely on his or her team and his or her own knowledge of what is required.
Smithers is one of the C3PAO companies that offer assessments for CMMC Level 1 OSAs. Consider the C3PAO in this case as an editor who reviews a written work you have been composing for a long time. A company working to comply with any level of CMMC is neck-deep in the process and has touched every minute detail. In that kind of scenario, regardless of the context, it can be easy to miss or overlook important steps. A third party comes to the company with a fresh perspective.
A Level 1 Assessment will help ensure that the executive signing off on the SPRS score can do so with confidence. With no egos or politics involved, a C3PAO can offer a measured and honest evaluation of where a company is in its compliance journey.
What questions do you have about CMMC Level 1 assessments? Do you have other questions about CMMC? Contact us today to learn more.