
C3PAO Wait Times: How to Get Scheduled in Time


The culmination of all of your efforts to implement CMMC rules as per your DoD contracts is the audit. Hiring a C3PAO and having your systems and security reviewed, so you can earn your certification and start working in the defense ecosystem, is the capstone to the long and arduous process.

Unfortunately, many companies encounter a serious problem when it comes time to hire their C3PAO: the timeline.

When you’re researching how long it can take to achieve CMMC compliance, you’re going to see a lot of answers, and they’re going to vary based on several factors, including:

  • The size, scope, and complexity of your business.
  • How much experience you have with other frameworks like FedRAMP or ISO 27001.
  • How much reliance you have on external and third-party providers and services.

Many estimates say you should plan for 6-12 months from your initial gap assessments to the final C3PAO audit, remediation, and certification.

So, what’s the problem?

You don’t need a C3PAO until most of the way through your process. So, you’ve started work, you’ve spent months on improving your systems, and you’re finally ready to schedule your audit. You send out messages, contacting C3PAOs, and the answer keeps coming back:

“We’d love to work with you. Our earliest available date is six months from now.”

Instantly, you may have doubled the timeline for achieving certification, solely because you waited too long to schedule your assessment.

BLUF - Bottom Line Up Front

The C3PAO audit is the final step in earning CMMC certification for DoD work. Many firms wait to book their audit and then face months of C3PAO delay, which can double the total timeline. Expect 6–12 months from gap assessment to certification; assessors require 1–3 weeks onsite and 2–4 weeks to deliver a report. Start early, contact many C3PAOs, and have your credential management, cryptography, risk reports, logs, test results, and documentation in order.

Why Waiting to Schedule is a Problem

It’s reasonable to wait to schedule your assessment when you don’t have all the facts. Scheduling your assessment puts a firm deadline on when your implementation needs to be finished, or at least in a state where remediation can resolve any remaining issues.

Having to work under that tight deadline puts pressure on your security teams, and it can lead to higher costs and more mistakes. So, it’s natural to want to take things a little more slowly.

There are a few problems with this approach, however.

The first is the pressure to start your contracts. DoD contracts don’t wait forever. If you’re aiming for specific contracts, you already have a timeline to meet, and if you wait to hire your C3PAO, you’re adding even more delays.

The second is the dearth of C3PAOs available. There are, as of this writing, only 104 accredited C3PAOs on the CyberAB CMMC Marketplace. Some of those aren’t capable of providing auditing services, and others won’t do business in your region. Your actual pool is even smaller.

Third, we have CMMC 2.0’s rollout bearing down on us. Phase 1 of CMMC 2.0 is coming to a close in November, at which point Phase 2 will begin. Phase 2 adds many more Level 2 CMMC certification requirements to existing contracts, which means there will be an even greater burden to earn your certification.


In fact, some estimates place the number of businesses needing Level 2 certification during Phase 2 to be somewhere between 77,000 and 110,000. This includes businesses that need a new L2 assessment, as well as businesses that need a reassessment or a step up from their previous Level 1 assessment.

If there isn’t a significant increase in accredited C3PAOs in the coming months, this is going to be a substantial bottleneck.

How Far Out are C3PAOs Booked?

There’s no single answer to this question. With 100+ C3PAOs, there are 100+ answers.

Some C3PAOs are booking for within the next couple of weeks at any given time. Those are the minority.

Many others are looking at an average wait of 3-6 months.

Some of the best, the ones who specialize in complex cases or who are able to handle markets that many others won’t, can be booked out even longer.


All of that is as things stand now. With the coming deadline and the likely rapid increase in the number of businesses needing their assessments, those wait times are going to skyrocket.

Some experts are crunching the numbers and expecting wait times to balloon to as much as 24 to 30 months, just to get that assessment scheduled. C3PAOs can only handle so many assessments in any given month, after all. The numbers aren’t favorable.

All of this is predicted. So far, there haven’t actually been any C3PAOs reporting that they’re booked out over a year. It’s possible that the staggered dates of contract renewals, proactive work by CMMC seekers, and other efforts can reduce that burden. The future remains to be seen.

What Happens if You Have to Wait?

So, what happens if you reach the point of booking a C3PAO, only to find a long delay before they can get to you?

Nothing… and that’s the problem. One of the big changes in the coming Phase 2 is the firm requirement of a valid Level 2 certification to operate within the DoD ecosystem. If you don’t have that certification, no matter how far along in the process you are, you won’t be able to work on DoD contracts.

For some businesses, that means dropping operations. For others, it means losing contracts.


There’s also the possibility of legal liability. In some cases, failing to achieve your certification in time means existing contracts, which now require it, find you in violation. This can even escalate to an FCA violation, though it’s not terribly likely that the DoD will be unnecessarily punitive here.

If you need a long timeline, schedule a long timeline. Don’t wait out most of the timeline and hope to schedule a short-delay audit.

How to Get the Ball Rolling

If you’re currently a business handling FCI but not CUI, and you’re sitting at Level 1 with self-attestation requirements, you’re probably fine.

If you’re on the edge, where you were previously handling CUI under a self-attestation, you will need to get a fully audited Level 2 report after November.

If you’re currently an assessed Level 2, you’re good to continue what you’ve been doing.

Level 3, of course, is its own world.

The companies most at risk right now are those that need a new Level 2 assessment or that need to shift from self-assessment to C3PAO assessment. Since the bulk of CMMC certifications (as much as 93% of CMMC businesses) are at Level 2, and since as much as 35% of the DIB will need a new Level 2 assessment when November’s changes roll around, that is a significant number of businesses.

What should you be doing?

First, examine any current deadlines and firm limits you may have. November is when the shift to Phase 2 starts, but it’s not necessarily when it will affect you. If you’re aiming for a later certification, and you don’t have any contracts that are poised to make life difficult without it, you’re good to continue on a longer timeline.

After that, especially for businesses that are earning Level 2 for speculative reasons rather than existing contracts, knowing when contracts come up for bid is important. The DoD Award Cycle is a firm process for soliciting information and tends to be fairly slow.

Third, understand how long a C3PAO assessment takes. When the date of your assessment rolls around, you’re still looking at 1-3 weeks of actual work by the assessors. Once that work is done, you will have an additional 2-4 weeks to wait while the C3PAO prepares their report and gives it to you.

Then you have your remediation timelines. You have around 10 days to provide evidence to refute a C3PAO finding, and you have 180 days for POA&Ms if any are necessary for fixing issues the C3PAO found.


All of this tells you when you need to have your C3PAO assessment scheduled. That then defines the rest of your timelines. Treat the assessment as an anchor point in your scheduling, unless you truly have flexibility around it.

You’re already too late to be an early adopter, but the sooner you get the ball rolling, the better off you’ll be.

Finding a C3PAO to Work With

Choosing the right C3PAO is sometimes a matter of picking the right company, but we’re rapidly approaching the point where it’s more a matter of availability.

The simplest way to find a C3PAO is to develop your pitch: who you are, your assessment level, and your timeline. Then go through the CMMC Marketplace, reach out to each C3PAO, and gather quotes. It’s fewer than 100 phone calls, after all!


If you want to take a more deliberate tack, you can evaluate possible C3PAOs beforehand.

  • Look into their expertise. Check how long they’ve been in business, how many customers they have helped achieve CMMC compliance, and how many assessments they perform each month.
  • Check the quality of their work. All C3PAOs have to be accredited and will be able to provide the minimum necessary assessments and information, but some go the extra mile. Some C3PAOs will provide additional information and even guidance for remediation, to help encourage success.
  • Ask about timelines. Not in the general sense, but specifically for the assessment itself. A C3PAO that takes longer to perform an assessment might be less efficient and more expensive in the end.

Standard considerations like costs are also relevant, of course. It doesn’t do you much good to find a C3PAO that works on your timeline if you can’t afford to hire them.

Helping the Process Go Smoothly

Second chances will be scarce. If you fail your assessment and can’t handle remediation along the timeline, you’re effectively pushed to the back of the line. Slots with C3PAOs will be increasingly scarce while you try to sort out your implementation, and that means even longer timelines.

Obviously, the way to avoid this issue is to do it right the first time, but “do it right” isn’t exactly useful guidance.


Areas to focus on include:

  • Credential management. Managing user accounts and credentials the right way is a tall order, and it’s also one area where personnel training is hugely important. This is one of the biggest reasons companies fail their assessments.
  • Cryptography. Bad use of cryptography in systems that handle CUI is a major flaw, and it’s also a big part of why properly scoping and segmenting your systems is critical. Even if a particular system doesn’t touch CUI, if it isn’t segmented from the ones that do, it needs to be secured to the same standard.
  • Risk assessments. A big part of CMMC is handling risk assessments to evaluate threats, their impact, and their likelihood. Getting this wrong can be a serious problem, and it’s a big part of what C3PAOs look at.
  • Logging. Everything relevant to your secured systems needs logs, and those logs need to be properly maintained and secure against tampering. You may even have these logs generated automatically, which means you need to know where to find and store them.
  • Validation. It’s one thing to implement security, but it’s another thing entirely to validate that it works. Testing, including pen testing, can be a key piece in the puzzle, and the results of those tests also need to be stored appropriately.

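The logging bullet above says logs must be kept secure against tampering. The following is an added example, not code from the original article or from Ignyte, showing one common way to make an audit log tamper-evident: each record commits to the SHA-256 hash of the record before it, so editing or deleting an earlier entry breaks every hash that follows. All record fields, the sample events, and the file path in them are constructed for illustration.

```python
"""Tamper-evident hash-chained audit log (added example, not from the article).

Each record stores the hash of the previous record, so any edit or deletion of
an earlier entry is detectable when the chain is verified. Sample events below
are constructed; the field names (seq, ts, actor, action, prev, hash) are an
assumption for this example, not a CMMC-mandated schema.
"""
import hashlib
import json
from typing import Dict, List, Optional

# Constructed sentinel used as the "previous hash" of the very first record.
GENESIS = "0" * 64


def _digest(body: Dict) -> str:
    """SHA-256 over canonical JSON so identical records always hash identically."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(chain: List[Dict], timestamp: str, actor: str, action: str) -> Dict:
    """Append a record whose hash covers its fields and the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "ts": timestamp,
        "actor": actor,
        "action": action,
        "prev": prev_hash,
    }
    record = dict(body, hash=_digest(body))
    chain.append(record)
    return record


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return the sequence number of the first broken record, or None if intact.

    A record is broken if its seq is out of order (an entry was removed or
    inserted), its prev field does not match the previous hash, or its stored
    hash no longer matches its contents (an entry was edited in place).
    """
    prev_hash = GENESIS
    for expected_seq, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if (
            record.get("seq") != expected_seq
            or body.get("prev") != prev_hash
            or _digest(body) != record.get("hash")
        ):
            return expected_seq
        prev_hash = record["hash"]
    return None


def build_sample_chain() -> List[Dict]:
    """Three constructed audit events, chained in order."""
    chain: List[Dict] = []
    append_entry(chain, "2024-05-01T08:00:00Z", "jdoe", "login success")
    append_entry(chain, "2024-05-01T08:05:12Z", "jdoe", "read CUI file contracts/Q2.pdf")
    append_entry(chain, "2024-05-01T08:07:40Z", "admin", "added tsmith to cui-readers")
    return chain


def edited_entry_demo() -> Optional[int]:
    """Rewrite the second record's action; verification flags record 1."""
    chain = build_sample_chain()
    chain[1]["action"] = "read public file README.txt"
    return verify_chain(chain)


def deleted_entry_demo() -> Optional[int]:
    """Delete the second record; the seq gap and prev mismatch flag position 1."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))   # None
    print("edited entry flagged at:", edited_entry_demo())       # 1
    print("deleted entry flagged at:", deleted_entry_demo())     # 1
```

One caveat worth noting for assessors' questions: a hash chain on its own cannot detect truncation of the newest records, since removing the tail leaves a valid shorter chain. In practice the latest hash is periodically written somewhere the log writer cannot alter (a separate system, a signed checkpoint, or write-once storage) so that verification can also confirm the chain has not been cut short.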
You can read more about all of these, as well as other requirements, in our guide to the main reasons why companies fail CMMC audits.

Finally, make sure to keep all of your documentation in order. When you’re trying to compile thousands of logs, config files, data files, reports, and other artifacts, it’s exceedingly easy for something to slip through the cracks.

This is a big part of why we made the Ignyte Assurance Platform. Our platform is designed to handle all of your documentation in a centralized location, where different teams can access and maintain it, all while tracking progress along your security controls and related tasks.

To see how the platform can work for you and your CMMC implementation, just book a demo and talk to us about it. Alternatively, we at Ignyte are an accredited C3PAO and can provide personalized consulting and auditing services. We’d love to talk, so reach out today!
