Is a CMMC Assessment Like an ISO Audit?

Is a CMMC Assessment Like an ISO Audit?

If your company is on a CMMC compliance journey, you might be wondering what the actual assessment is going to be like. Eventually, CMMC Third Party Assessor Organizations (C3PAOs) will be bound by accreditation standards just like accredited management systems certifying bodies are now. That being said, different businesses will have different styles and approaches. If you opt to work with Smithers once CMMC 2.0 goes into effect, here is what you can expect. 

Scope

If you have achieved ISO 9001 or AS9100 compliance, you know they cover a broad segment of the business operations. The AS9100 audit, for example, focuses on everything from manufacturing processes to personnel training.

The focus for a CMMC assessment is narrower, but perhaps deeper in some ways. The sole purpose of a CMMC assessment is to verify that the organization is properly protecting Controlled Unclassified Information (CUI) per the NIST SP 800-171 standard. Product quality, preventing counterfeit parts, and other facets you may have had assessed as part of an AS9100 audit do not show up on the CMMC radar. That being said, a CMMC assessment will address everything pertaining to the storage, transmission, and processing of CUI, from access control to encryption and much more. 

The ISO Auditing/CMMC Assessment Process

When working with Smithers, you will experience several similarities in how an ISO audit and a CMMC assessment are approached. In both cases, the number of contacts you will need to coordinate with is minimized so that communication can be effective and streamlined. In both cases, Smithers experts walk your key personnel through expectations for the process, including timeline, who will need to be involved, how long the audit or assessment should take, and more. 

One unique facet of working with Smithers is that our approach to CMMC assessments (and NIST assessments currently) mirrors our ISO audit process. The general ISO certification life cycle is three years, with a certification, two surveillance audits, and a recertification in the third year. Companies who will be seeking compliance with CMMC will experience the same kind of cycle with Smithers. Even though CMMC 2.0 only requires self-assessments in the middle two years between certification and recertification, Smithers offers “surveillance” assessments in order to build confidence in SPRS score reporting and to ease the recertification process in year three. If a company works with Smithers simultaneously on an ISO or AS9100 certification plus CMMC, Smithers auditors will be able to conduct surveillance audits for both standards in tandem.

Pricing

Working with Smithers ensures a predictable, level-set annual spend during your certification/recertification cycle. On the CMMC side, the continuous assessment process helps prevent any significant price increases during the three-year cycle.  

While Smithers does not offer flat pricing for ISO audits or CMMC assessments, the process by which your pricing is reached is transparent and is based on accreditation guidelines for quoting audits. 

Trust the Experts

Smithers has been an accredited management systems certification body since 1993. Although NIST 800-171 and CMMC are distinct from ISO standards, the approach and the processes that have been honed for the last three decades are the same. 

What questions can we answer for you and your team?

Cancel
Show Policy

Download our CMMC for Manufacturers FAQs Today

Latest Resources

See all resources