Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Myth busting the cybersecurity maturity model certification

Debunking the myths around CMMC guidelines

By John Roman
data security freepik
July 16, 2021

The role of cybersecurity has never been more prevalent than it is today. Safeguarding controlled government and military data from unauthorized disclosure is not only critical to our national security but also to economic freedom. Up until now, companies that process sensitive government data, whether directly or as a sub-contractor, have only been required to self-attest as to their knowledge of relevant regulatory requirements. In many aspects, self-attestation has proven unsuccessful as evidenced by notable breaches of critical government information in both the public and private sector. Over the past few years, data breaches, ransomware attacks and other cybercrimes have only continued to climb.

Due to this increase in cyberattacks on United States federal, state, local governments as well as private and public companies, the U.S. Department of Defense (DoD) has mandated a higher level of assessment by a third party – the Cybersecurity Maturity Model Certification (CMMC). CMMC is a unified standard for implementing cybersecurity controls based on the National Institute of Standards and Technology NIST 800-171. The mandate is for the protection of controlled unclassified information (CUI) as well as Federal Contract Information (FCI) at maturity levels 1 and 2 across the defense industrial base (DIB). The DIB supply chain includes over 300,000 companies.

While this is a step in the right direction, there are some confusion, speculation and rumors related to CMMC accreditation. The following are three common misconceptions around CMMC certification, with clarification to help organizations requiring CMMC certification to stay well-informed on the necessary guidelines and procedures.

 

Myth #1: DoD Contractors can get ahead of the curve and be deemed in compliance with CMMC

There has been much confusion about CMMC Service Providers and Assessors, and misinformation about companies offering CMMC services. The truth is there are no “official” CCP, CCA-1 or CCA-3 certified assessors or assessor instructors at this time. However to ensure the program is moving forward in preparation for upcoming company assessments, the CMMC-AB established a Provisional Assessor and Provisional Instructor Program. There are DoD-selected individuals who have been identified, trained and tested to validate that they meet the skills and requirements to deem them as “provisional.” Once the official exams are released, these individuals will be required to take and pass the actual exams to earn their assessor level certifications. It’s important to note that being deemed a “certified assessor” with the DoD for CMMC Level 1 and Level 3 assessments also requires passing a suitability check and the appropriate level in which they will be handling data.

From the beginning, the DoD had planned on running several pilots this year, then increasing the number of contracts with the CMMC clause in it year over year until it is in all contracts by 2025. With that being said, the effort involved in reaching any level of CMMC certification must begin now.

 

Myth #2: A Company that Provides You CMMC Gap Assessment and Readiness Services Can Assess You for Potential CMMC Certification

Again, this is false. It would be a conflict of interest for an RPO to consult on the readiness of organizations seeking certification (OSCs) and then also perform the assessment. The CMMC-AB rules prohibit this.

 

Myth #3: A CMMC Registered Provider Organization (RPO) is a certified CMMC Third Party Assessor Organization (C3PAO)

While there has been some speculation and confusion around this statement, this is also false. A CMMC RPO cannot provide CMMC assessor services to the same OSC. However, as a CMMC RPO, the provider is authorized to represent the organization as familiar with the basic constructs of the CMMC Standard by using a CMMC Accreditation Body (CMMC-AB)-provided logo. CMMC RPOs can currently only offer advice, not official assessment. Training for official certified assessors has yet to be conducted.  

Assessors will play a critical part of the procurement ecosystem, and for implementing sweeping new cyber standards for all of DoD’s 300,000 contractors. While CMMC RPOs cannot provide assessor services, they are listed on the CMMC-AB’s Marketplace and have all agreed to the strict CMMC-AB Code of Professional Conduct.

RPOs can, however, pursue becoming a C3PAO by going through the entire authorization process for that class of provider. Regardless, if they provide RPO services to a company, they would be prohibited from also performing a C3PAO assessment for that same company.

 

Stay Agile and Up to Date on CMMC Guidelines  

How can government agencies and other contractors stay agile and not fall victim to these CMMC myths? Keeping up to date with the latest news from the DoD will allow organizations to be aware of any new movements and updates in CMMC accreditation. The CMMC-AB website is an excellent source for current information. The AB also holds monthly Town Hall webinar meetings which are open to the public. Recordings of the meetings are later posted to the website. Additionally, there is information available on the website of the Office of the Undersecretary of Defense for Acquisition & Sustainment. The OUSD(A&S) and the CMMC-AB are the only organizations officially sanctioned by the DoD to speak and act on the Program’s behalf. While the CMMC rule has been delayed by COVID-19, it is still anticipated that CMMC will be in all DoD contracts by late 2025. Due to this inevitability, DoD contractors and sub-contractors must start preparing now.

CMMC compliance is required if your organization continues doing business for the DoD. CMMC requires each organization to undergo a third-party assessment to determine the maturity of their information security controls, which is assessed at five different levels. The levels are used to determine eligibility to respond to specific RFPs. Additionally, each one of these levels has its own set of specific practices and processes. Vendors must meet the practices and processes of each of these levels, which ends up creating an "all or nothing" approach.

CMMC is complex, which is why many organizations continue to experience confusion and more rumors circulate. However, achieving this level of compliance with this cybersecurity framework will strengthen and improve organizations to be resilient, prevent data breaches, and stop unauthorized access into their networks.

KEYWORDS: cyber security data breach information security ransomware risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

John Roman is the CIO of The Bonadio Group and the President and COO of Bonadio’s Information Risk Management and Cybersecurity Division, FoxPointe Solutions.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Enterprise Services
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

Events

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Capitol Technology University partners with CMMC cybersecurity and supply chain security

    Cybersecurity Maturity Model Certification Center of Excellence partners with Capitol Technology University

    See More
  • Emergency Room Myth Busting – Most Patients Have Insurance, Still Violent Healthcare Area

    See More
  • energy-security-freepik

    Department of Energy releases updated Cybersecurity Capability Maturity Model

    See More

Related Products

See More Products
  • CASP.jpg.jpg

    CASP+ CompTIA Advanced Security Practitioner Certification All-In-One Exam Guide...

  • GSEC.jpg

    GSEC GIAC Security Essentials Certification All-In-One Exam Guide, 2E

  • databasehacker

    The Database Hacker's Handboo

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing