Common CMMC Assessment Questions: A Conversation with Matt Bruggeman from A-LIGN

    Insights from a CMMC assessment expert on compliance, assessment readiness, and common challenges faced by organizations aiming for certification.



    We get many questions about how CMMC assessments work. People want to know more than the policies and checklists: what actually happens when a Certified Third-Party Assessor Organization (C3PAO) shows up and starts asking questions.

    So we sat down with Matt Bruggeman from A-LIGN, one of Summit 7’s trusted C3PAO partners, to unpack what’s happening behind the scenes. A-LIGN has been in the FedRAMP space for years and is now a top CMMC player. This conversation is a goldmine for anyone preparing for certification.  

     “Just because you’re compliant doesn’t mean you can prove it,” Matt said. 

    Here are some of the most important takeaways:  


    What Do Assessors Consider a “Relevant Control”?  

    What are “relevant controls” for Security Protection Assets (SPAs), and is there a cheat sheet?  

    According to Matt, the key is not to overcomplicate it. “Just go back to the basics,” he said. “Understand what information the asset produces, whether CUI or otherwise, and protect it like you would any other sensitive information.”  

    In other words, treat your SPAs like any other information system component—apply access control, incident response, and training as applicable.  

    He also noted that assessors will treat it differently if an SPA stores or processes CUI (like a spam filter might). It’s not officially a separate category, but assessors will naturally apply a different lens.  

    Is FedRAMP Equivalency Harder Than Authorization?  

    Another question we get often:

    Is FedRAMP equivalency harder than actual FedRAMP authorization?  

    According to Matt, in many ways, yes.  

    With FedRAMP authorization, POAMs are allowed. However, no POAMs are allowed with equivalency, often resulting in a more challenging path.  

    “You have to be clean,” he said. “Many people think equivalency is easier because you don’t need a sponsor. But the reality is, you can’t have a single open item.”  

    And you can technically lose your equivalency status if you undergo a significant infrastructure change and don’t revalidate it. So, having a plan in place for maintaining compliance is critical.  

    FIPS 140-2 vs. 140-3: What If I Can’t Buy the Old Stuff?  

    With FIPS 140-2 on the way out and 140-3 coming in, many folks wonder: Will using 140-3-certified tools be problematic?  

    Matt was clear: “That would not be a POAM. No points off. 140-3 supersedes 140-2, and we understand the transition.”   

    What Kind of Questions Will Assessors Ask Non-Technical Staff?  

    If you’re an HR director, finance manager, or other non-technical team member, what should you expect during a CMMC assessment?  

    Matt explained that assessors won’t ask you technical questions, but they will expect you to be familiar with security policies, procedures, and training.   

    For example:  

    • “Can you describe your organization's security policies?”  
    • “Have you received cybersecurity training?”  
    • “What would you do if you received a phishing email?”  

    He emphasized that compliance isn’t just about having policies; it’s about demonstrating awareness and action across the organization.  

    Can you choose who will be interviewed for a CMMC assessment?  

    Short answer: Not really.  

    Organizations can help identify key contacts during the planning phase, but assessors reserve the right to interview anyone responsible for CMMC practices.   

    Matt recommends knowing who owns what. If you don’t have a RACI matrix or similar responsibility chart, now’s the time.  

    What happens if you’re not ready for your CMMC assessment?  

    There are multiple checkpoints during the assessment process:  

    1. Phase 1 (Plan & Prepare): Assessor determines if you’re ready based on your documentation.  
    2. Phase 2 (Assessment): You’re assessed and given a 10-day window to remediate any 3- or 5-point findings.  
    3. Phase 3 (Reporting): You're certified if all objectives are met.  
    4. Phase 4 (POA&M): If you meet at least 80% of the controls and only have eligible 1-point failures, you can receive a conditional certification and fix the rest within 180 days. 

    What About International Companies?  

    Contrary to popular belief, CMMC does apply to international companies if they process CUI. While no international certifications have been finalized yet (as of March 2025), Matt confirmed that A-LIGN is actively working with global organizations preparing for certification.   

    VDI and Personal Devices: Are They Out of Scope?  

    With recent rulemaking clarifying that properly configured VDI endpoints are out of scope, many are asking:   

    Can personal devices be used to access VDI?  

    Matt’s take: It depends on the configuration.   

    If the endpoint is just a screen (no drag-and-drop, printing, or clipboard access), assessors treat it as out of scope.

    However, most organizations still restrict access to corporate-managed devices for additional assurance.  
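    The "just a screen" condition above is something you can verify on the session host rather than assert. The script below is an added example, not code from the article, Summit 7, or A-LIGN; it assumes a Windows RDP/RDS-based VDI host whose redirection policies are applied through the standard Terminal Services Group Policy registry key. It reports which redirection channels (clipboard, drives, printers, ports, Plug and Play devices) are still open, since any of them is a path for CUI to leave the virtual desktop and land on the personal device.

```powershell
# Added example (not from the Summit 7 / A-LIGN article): audit a Windows
# RDP/RDS session host for the redirection channels that would let CUI reach
# the connecting endpoint. Assumes policies are applied via the documented
# Terminal Services policy key; other VDI stacks use their own controls.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value -> the data path it closes when set to 1 (Group Policy "Do not allow ... redirection")
$RedirectionControls = @{
    fDisableClip     = 'Clipboard redirection'
    fDisableCdm      = 'Drive redirection'
    fDisableCpm      = 'Printer redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisableCcm      = 'COM port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

function Test-VdiRedirectionLockdown {
    param([string]$Key = $PolicyKey)

    foreach ($name in $RedirectionControls.Keys) {
        # -ErrorAction SilentlyContinue: a missing value means "not configured"
        $value = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Channel  = $RedirectionControls[$name]
            # Not configured leaves the channel at its default, which is enabled
            Disabled = ($value -eq 1)
            Value    = if ($null -eq $value) { 'not configured' } else { $value }
        }
    }
}

$audit = Test-VdiRedirectionLockdown
$audit | Sort-Object Setting | Format-Table -AutoSize

$open = @($audit | Where-Object { -not $_.Disabled })
if ($open.Count -gt 0) {
    Write-Warning ("{0} redirection channel(s) still open; this endpoint is not 'screen only'." -f $open.Count)
} else {
    Write-Output 'All redirection channels are disabled by policy.'
}
```

    Run it on each session host and keep the output as assessment evidence alongside the policy that mandates it. If your VDI broker (Citrix, Azure Virtual Desktop, VMware Horizon, and so on) enforces redirection through its own policy layer, check that layer as well, because those settings will not appear under this key.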

    Enclave vs. All-In Approaches  

    Right now, Matt sees a roughly 50/50 split between organizations going “all-in” and those using an enclave model (like VDI).   

    While it’s still early in the certification cycle, many favor an enclave because of cost and complexity.

    But as always, “It depends.”   

    You must map your data flows and determine what makes sense based on how your organization handles CUI.

    How Long to Prep for an Assessment After Implementation  

    Once your environment is fully implemented and technically compliant, add 2-4 months for organizational prep before starting your CMMC assessment.  

    That includes:  

    • Making sure policies are known and practiced  
    • Performing internal readiness reviews or mock audits  
    • Ensuring staff are trained and interview-ready  

     “Just because you’re compliant doesn’t mean you can prove it,” Matt said. “A mock audit can help close that gap.”  

    What’s A-LIGN’s backlog for a CMMC assessment?  

    At the time of recording (March 2025), A-LIGN’s backlog was just 10-12 weeks to start a formal assessment. That is significantly shorter than many competitors, who are often booked out for months.

    To learn more about C3PAOs and A-LIGN, visit their website.    


    Author: Summit 7 Leadership