
Why Does My Company Need to Get Recertified? Understanding "Significant Change" on the Path to CMMC Certification

CMMC certifications are valid for three years, after which a company must be reassessed to keep its status. In some circumstances, however, a company may need to be reassessed before the three-year term expires.

Title 32 of the Code of Federal Regulations (32 CFR Part 170, the CMMC Program rule) states that a "significant change" to the assessed environment triggers a new CMMC assessment.

But what constitutes a significant change? And how can you anticipate it and maintain continuity of compliance?

Ultimately, it is up to the organization to recognize when a change is significant, remediate any gaps, and get reassessed. If you do not, the DoD will almost certainly catch it when it is time to renew your contract, and its threshold for what counts as significant is far less forgiving than your own.

Let's break it down. 

Defining "Significant Change" Under CMMC

Under 32 CFR, the DoD defines a "significant change" as any substantial change to the assessed IT environment, but the term also covers changes in governance, such as a merger or acquisition.

It does not mean that every change, such as adding or removing resources, requires a new assessment. Under the rule, CMMC-certified organizations can make operational changes without triggering a reassessment as long as those changes stay within the scope and boundary of the original assessment.

  • Mergers and acquisitions: if the transaction changes the scope of the previous assessment, the contractor should be reassessed to confirm it still meets the CUI security requirements. Mergers typically involve integrating new systems or changing infrastructure, so the need is understandable.
  • Moving to new facilities, adding new business functions, or modifying the company's core mission.
  • Changing your cloud provider, adding a new data center, or implementing new software or hardware that stores or processes CUI.
  • Changes in how you handle CUI. For example, a new DoD contract that introduces a different type of CUI may require the scope boundary of your assessment to expand, new security controls to be implemented, and policies to be revised. A reassessment confirms that the new systems and architecture are compliant.

Do I Need a Reassessment?

The bottom line is that, while operational changes won't likely trigger reassessment, any significant changes to the scope or type of CUI or changes to IT systems architecture that handle it will. 

But how do you know for sure? 

Level 1 is a self-assessment, but Level 2 certification assessments are conducted by an accredited third party (a C3PAO) and Level 3 assessments by the DoD's DIBCAC, so there is little room for error. The process is costly, complex, and time-consuming, so it is always advisable to work with an expert. A CMMC-certified service provider like Essendis can help you determine whether the changes you have made require a reassessment and make sure you are ready for the audit.

Speak With a CMMC Expert Today

Whether you are preparing for your first CMMC audit or trying to understand how upcoming changes will affect your certification, the experts at Essendis can guide you through the readiness journey. Our team provides DoD contractors with the essential support they need to stay compliant and ensure CUI is protected. 

When in doubt, consult your documentation, and don't hesitate to reach out for support.
