My organization passed an internal self-assessment under NIST SP 800-171, so we should be ready for our CMMC Maturity Level 3 assessment, right?
Not necessarily. Maturity Level 3’s requirements include the 110 requirements in NIST SP 800-171, but they also include 20 additional practices and the creation and demonstrable adoption of comprehensive processes that address all 130 total practices. Process maturity, that is, the demonstrable adoption of the processes, takes time. So, if your organization is confident that:
- its practices meet all applicable objectives defined in each CMMC Maturity Level 3 practice in the CMMC Level 3 Assessment Guide;
- all applicable objectives are addressed by one or more processes (i.e., both policies and practices implementing the policies); and,
- it can demonstrate that the processes are being followed
then your organization may be ready for a Maturity Level 3 assessment.