
Understanding When and Why You Need a New CMMC Assessment

Learn when to schedule a new CMMC assessment, what triggers reassessments, and how changes in scope, contracts, or compliance impact your certification process.

9 min read
Published on Jan 6, 2025

Cybersecurity is a top priority for the Department of Defense (DoD) as they continually work to protect national security from increasingly sophisticated cyber threats. As part of their efforts to continually boost the nation’s security posture and better secure DoD information, the DoD recently released the Cybersecurity Maturity Model Certification (CMMC) Final Rule in October 2024. This document outlines the security measures DoD contractors and subcontractors must take to secure government data in order to achieve compliance and maintain their government contracts.

Achieving and maintaining CMMC certification is essential for organizations that want access to DoD contracts, as well as for those that already work with the DoD and must meet contractual security requirements. A big part of the CMMC certification process is undergoing regular CMMC assessments to confirm that your organization complies with the security standards outlined for your designated CMMC Level. This assessment process varies depending on which level of certification an organization requires, which can leave DoD contractors unsure what level of assessment they need, how often they need to undergo CMMC assessment, and whether anything could trigger an early reassessment.

To help you navigate the complicated CMMC assessment process, keep reading as we take a look at what DoD contractors and subcontractors need to know about when and why you would need a CMMC reassessment.

What is a CMMC Assessment?

The CMMC program is designed to ensure the protection of sensitive unclassified information (including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)) shared by the DoD with its contractors and subcontractors by providing cybersecurity guidelines for the handling of sensitive government data that is processed on nonfederal systems. In order to ensure that their contractors are CMMC compliant, the DoD requires that their contractors undergo a formal CMMC evaluation of their cybersecurity practices to determine whether they meet the requirements for their designated CMMC Level. These assessments are a critical part of the CMMC certification process, as they help assure the United States Government that sensitive data is being properly protected to ensure national security.

Who Does CMMC Apply To?

You may find yourself wondering how you will know if CMMC applies to your organization and whether you need to undergo a CMMC assessment. The CMMC program applies to all Department of Defense contractors and subcontractors who, in the performance of their contract, will be processing, storing, or transmitting FCI and/or CUI on nonfederal systems. If you have a government contract and you handle sensitive unclassified information, you will likely need to become CMMC compliant in order to maintain your government contract. If you’re unsure whether CMMC applies to you, or which level of CMMC compliance you need to achieve, check your existing contract requirements for more detailed information.

How Often Are CMMC Assessments Required?

How often you will need to undergo CMMC assessment, and the type of assessment that will be required of you, will depend on your assigned CMMC Level (more on this below) as outlined in the CMMC Final Rule. Self-assessments will be required on an annual basis for those who must adhere to CMMC Level 1, while organizations subject to CMMC Levels 2 and 3 will require CMMC assessment every three years. Organizations at all CMMC levels must also submit an affirmation of continued compliance on an annual basis. The affirmation typically involves completing a self-assessment or attestation process, confirming that the organization is still compliant with the security controls and practices defined for their assigned CMMC level.

What Type of CMMC Assessment Do I Need?

Upon learning more about CMMC assessments, you may now find yourself wondering how you will know which type of assessment your organization needs. The type of assessment you will need depends on the required CMMC Level assigned to you in your government contract. CMMC Levels are assigned at progressively advanced levels based on the type and sensitivity of the information a contract will require an organization to handle.

Based on the type of government information you will be handling, you will be assigned one of three CMMC assessment levels. Below is a brief overview of what is required of DoD contractors at each assessment level.

CMMC Level 1: Basic Safeguarding of FCI

CMMC Level 1 is for organizations that handle Federal Contract Information (FCI), which is the least sensitive class of information subject to CMMC. Organizations assigned to CMMC Level 1 must perform an annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21, the baseline for cybersecurity standards that all federal contractors must meet, ensuring the sensitive information is adequately protected.

CMMC Level 2: Broad Protection of CUI

For organizations handling CUI that are assigned CMMC Level 2, either a self-assessment or a C3PAO assessment will need to be performed every three years. If you must comply with CMMC Level 2, your contract will specify whether self-assessment or third-party assessment is required based on the type of CUI you process, transmit, and store on your information systems. CMMC Level 2 also requires contractors to submit an annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

CMMC Level 3: Higher-Level Protection of CUI

CMMC Level 3 is designated for high-stakes contracts that need more stringent security policies to protect them against advanced persistent threats. These organizations must comply with the 110 NIST SP 800-171 security requirements required of CMMC Level 2 as well as 24 requirements from NIST SP 800-172.

Before they can undergo a CMMC Level 3 assessment, these organizations must first achieve CMMC Status of Final Level 2. Once they do this, they can then initiate a Level 3 assessment, which must be performed every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). To maintain CMMC Level 3 certification, organizations must also provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

Can System Changes Trigger Early Reassessment?

The biggest question you’ve likely found yourself asking at some point is whether any circumstances could trigger mandatory reassessment before your 12- or 36-month assessment period is up after completing a CMMC assessment. Can making too many changes to the CMMC Assessment Scope trigger an early reassessment? The good news is that, in most cases, you can make an unlimited number of operational changes to the previous CMMC Assessment Scope, such as adding or subtracting resources within the existing assessment boundary, without triggering a reassessment.

Until recently, there was much debate about when (if ever) reassessment was necessary beyond the assessments required every 12 to 36 months to maintain CMMC compliance. Fortunately, the Department of Defense (DoD) settled this in the Final CMMC Rule published in October 2024, which clarified that an unlimited number of operational changes within the CMMC Assessment Scope are allowed. The exception is when significant architectural or boundary changes are made to the previous Assessment Scope. Some of the most common situations that may require an organization to undergo reassessment outside of the typical 12- to 36-month timeframe include:

Mergers and Acquisitions

One of the most common situations likely to trigger a mandatory CMMC reassessment is a merger or acquisition. If merger and acquisition activity results in significant architectural or boundary changes to the contractor’s previous Assessment Scope, the contractor may need to undergo a new CMMC assessment to confirm that they’re still in compliance and that the CUI they handle is secure. Company mergers, acquisitions, and consolidations often involve the integration of new systems or changes to the overall IT landscape, which is why reassessment is often necessary.

Another instance where CMMC reassessment may be necessary is if you make substantial changes to your network infrastructure. As outlined in the Final CMMC Rule, big changes such as adding new data centers, switching cloud service providers, or introducing new applications, software, or hardware that handles CUI could require re-evaluation.

Scope Changes

You may also need a new CMMC assessment if the scope boundary of your systems that handle CUI changes. If a new project or contract involves handling new types of CUI, you may need to expand your CMMC assessment scope to include those systems. This could then require new security controls and potential reassessment to ensure that you are still in compliance given the addition of new systems within your assessment scope.

Contract Changes

Changes to your DoD contract could also result in the need for a new CMMC assessment. For instance, if a new contract (or changes to an existing contract) introduces new types of CUI, you may need to change your assessment scope and adjust your security practices accordingly. Such major architectural and scope changes would then necessitate reassessment.

You may also need a new CMMC assessment if a new or adjusted contract requires you to obtain a higher CMMC Level. This would require you to implement additional security controls to meet the higher standard, which would trigger a new assessment.

While most operational changes to your CMMC Assessment Scope likely won’t trigger reassessment, making major changes to the scope and architecture of your systems that handle CUI could result in the need for a new assessment in order to ensure compliance. Yet, how will you know for sure if your situation requires reassessment? Considering the important role compliance plays in ensuring you’re able to maintain your DoD contracts, you should consider consulting a CMMC-certified managed service provider if you’re unsure whether changes you’ve made necessitate reassessment.

Need Help With Your CMMC Assessment? Consult Agile IT Today!

Defense contractors, are you ready for your CMMC assessment? Whether it’s your first time, a renewal, or a scope change, navigating the process can feel overwhelming. Agile IT is here to help.

As a CMMC-certified managed service provider, we guide you every step of the way. Whether you are looking to start your defense journey with GCC High, need managed services to help you continuously secure your data, or are preparing your organization to succeed and thrive with CMMC, Agile IT ensures your valuable data stays protected.

Contact Agile IT today to simplify your CMMC journey with AgileThrive and achieve certification with confidence.
