The Latest on CMMC Audits and Certification

ROCKVILLE, Maryland — July 2nd, 2020 — The CMMC Accreditation Board (AB) released new requirements for Organizations Seeking Certifications.  General information on the certification process has been released via Webinars and talks over the past several months, but this latest update lays out detailed roadmaps for those seeking to be a CMMC Certified Supplier and Third-Party Assessor Organization (C3PAO).

In addition to providing CMMC Program details, the AB is now accepting applications for assessors and organizations alike, pushing a timeline of scheduling a CMMC audit via the AB Marketplace to late 2020/early 2021.  At this time, no organization can perform a CMMC audit or achieve CMMC certification.

How Your Organization Should Prepare

Although CMMC audits may not be available to most DoD vendors in 2020, the CMMC Accreditation Board highly recommends the following for organizations requiring certification:

  • Focus on Readiness – Prepare now to be CMMC ready; identify and address compliance gaps.
  • Focus on DFARS requirements – DFARS is still the current requirement as 90-95% of DFARS requirements apply to CMMC.
  • Focus on POAMs – CMMC will not accept POAMs for certification, meaning open findings associated to CMMC controls will be accepted to satisfy the requirement.
  • Focus on Level 3– Organizations that handle any Controlled Unclassified Information (CUI) must comply to CMMC maturity level 3 as a baseline.
  • Focus on where your CUI is – Identify where your organization stores CUI. A key distinction is whether your CUI is stored on-premises or in a cloud service solution.

How Aerstone Can Help

As experienced DFARS assessors, Aerstone helps clients transition to the new standard and prepares them for future audits by conducting CMMC Readiness Assessments.  Aerstone has taken initial exploratory steps towards becoming an AB certified C3PAO assessor, while we await full requirements from the AB.

To schedule an alignment call to discuss CMMC readiness, contact .

For more information about the CMMC program, please visit and


About Aerstone
Quest Consultants LLC DBA Aerstone is an NSA-Certified Vulnerability Assessor (NSA VAS) and Service-Disabled Veteran-Owned Small Business (SDVOSB) that provides subject matter expertise in the field of advanced cybersecurity. Our products and services touch all aspects of cybersecurity, including standards-based assessment, penetration testing, engineering and mitigation, executive level advisory, architecture, systems design, software development, and security training.