We get many questions about how CMMC assessments work. People want to know more than the policies or checklists: what actually happens when a Certified Third-Party Assessor Organization (C3PAO) shows up and starts asking questions.
So we sat down with Matt Bruggeman from A-LIGN, one of Summit 7’s trusted C3PAO partners, to unpack what’s happening behind the scenes. A-LIGN has been in the FedRAMP space for years and is now a top CMMC player. This conversation is a goldmine for anyone preparing for certification.
“Just because you’re compliant doesn’t mean you can prove it,” Matt said.
Here are some of the most important takeaways:
What are “relevant controls” for Security Protection Assets (SPAs), and is there a cheat sheet?
According to Matt, the key is not to overcomplicate it. “Just go back to the basics,” he said. “Understand what information the asset produces, whether CUI or otherwise, and protect it like you would any other sensitive information.”
In other words, treat your SPAs like any other information system component—apply access control, incident response, and training as applicable.
He also noted that assessors will treat it differently if an SPA stores or processes CUI (like a spam filter might). It’s not officially a separate category, but assessors will naturally apply a different lens.
Another question we get often:
Is FedRAMP equivalency harder than actual FedRAMP authorization?
According to Matt, in many ways, yes.
With FedRAMP authorization, POAMs are allowed. However, no POAMs are allowed with equivalency, often resulting in a more challenging path.
“You have to be clean,” he said. “Many people think equivalency is easier because you don’t need a sponsor. But the reality is, you can’t have a single open item.”
And you can technically lose your equivalency status if you undergo a significant infrastructure change and don’t revalidate it. So, having a plan in place for maintaining compliance is critical.
With FIPS 140-2 on the way out and 140-3 coming in, many folks wonder: Will using 140-3-certified tools be problematic?
Matt was clear: “That would not be a POAM. No points off. 140-3 supersedes 140-2, and we understand the transition.”
If you’re an HR director, finance manager, or other non-technical team member, what should you expect during a CMMC assessment?
Matt explained that assessors won’t ask you technical questions, but they will expect you to be familiar with security policies, procedures, and training.
For example:
He emphasized that compliance isn’t just about having policies; it’s about demonstrating awareness and action across the organization.
Short answer: Not really.
Organizations can help identify key contacts during the planning phase, but assessors reserve the right to interview anyone responsible for CMMC practices.
Matt recommends knowing who owns what. If you don’t have a RACI matrix or similar responsibility chart, now’s the time.
There are multiple checkpoints during the assessment process:
Contrary to popular belief, CMMC does apply to international companies if they process CUI. While no international certifications have been finalized yet (as of March 2025), Matt confirmed that A-LIGN is actively working with global organizations preparing for certification.
With recent rulemaking clarifying that properly configured VDI endpoints are out of scope, many are asking:
Can personal devices be used to access VDI?
Matt’s take: It depends on the configuration.
However, most organizations still restrict access to corporate-managed devices for additional assurance.
Right now, Matt sees a roughly 50/50 split between organizations going “all-in” and those using an enclave model (like VDI).
While it’s still early in the certification cycle, many favor an enclave because of cost and complexity.
But as always, “It depends.”
You must map your data flows and determine what makes sense based on how your organization handles CUI.
Once your environment is fully implemented and technically compliant, add 2-4 months for organizational prep before starting your CMMC assessment.
That includes:
“Just because you’re compliant doesn’t mean you can prove it,” Matt said. “A mock audit can help close that gap.”
At the time of recording (March 2025), A-LIGN’s backlog was just 10-12 weeks to start a formal assessment. That is significantly shorter than many competitors, who are often booked out for months.
To learn more about C3PAOs and A-LIGN, visit their website.