What are your thoughts when a vendor or contractor states, "Here is a SOC 2, SOC 3 or SOC for Cyber report we are using instead of a CMMC Level 3 certification"?
It is a new world; we have not had discussions with the 1st party successors. The standards that are in CMMC are things that we have experience with and how things will be incorporated. The uncertainty will be there until we can do a full evaluation.
What we can imply is Level 3 certification is where you need to be to cover yourself across the board.