Doing CMMC right the first time will be an expensive process, but not as expensive as doing it a second or third time - especially with the DoD maintaining its position of not allowing aerospace and defense contractors to recover those costs. Having a proper CMMC assessment completed is the final, and obviously most critical, step in a company's journey to CMMC certification.
In this blog, we're going to cover what items need to be on your "CMMC readiness" checklist in order to successfully complete a CMMC assessment.
This should be the final stop on your 7 Steps to CMMC journey. As with many things in CMMC, the formal assessment process has yet to be fully baked, and with good reason – many stakeholders have provided detailed feedback and suggestions for improvement on the draft (Version 1.0) of the CMMC Assessment Process (CAP) document that was publicly introduced in July of 2022. Until the final ruling of 32 CFR comes out (expected between March 2023 and March 2024), the details of the final CMMC Assessment Process are under wraps, thus leading to a bit of educated guesswork from the C3PAO community.
In this final blog of our 7 Steps to CMMC series, we’ll do our best to outline what we expect CMMC readiness looks like for a Cyber AB-authorized C3PAO assessment. This is not meant to exactly mirror the public draft of the CAP; it is structured around what makes the most sense in practice.
7 Steps to a CMMC Assessment
In the previous blogs, we captured the roadmap of the following activities. The results of each step will be captured in preparation for engaging with a C3PAO:
The C3PAO will likely provide a readiness checklist of items that will be reviewed to ascertain whether your team is truly prepared for a formal assessment.
The CMMC C3PAO readiness checklist will ask for items such as:
Pre-assessment or formal CMMC Level 2 assessment
A quality C3PAO will ask for the right information upfront to best understand your assessment needs and to work efficiently, so it can decide whether to move forward if any of the answers to the above indicate a gap in availability, coverage, or readiness. Once a preliminary go-forward is established, the C3PAO will initiate basic contracts like NDAs and MSAs to prepare for the review of more sensitive documentation:
In this initial phase, the C3PAO may also request a workbook or chart showing the types of evidence artifacts you are prepared to present, organized by Practice and Assessment Objective for each of the CMMC Level 2 domains. This will verify the availability of evidence and maturity of your program, which in turn helps the C3PAO determine costs, timelines, and resources needed to navigate the full assessment.
Here are some additional questions you will want to have thoroughly thought out and prepared for review in advance. Some of these were reviewed in previous articles, but they bear repeating:
The voluntary CMMC Level 2 “Joint Surveillance” assessment will be conducted differently than the formal CMMC Level 2 assessment. If your goal is to participate in the voluntary assessment program prior to 32 CFR ruling, be sure to get the details on how this affects your deliverables and readiness from the C3PAO you are hiring.
Once the formal CMMC Level 2 assessment is initiated by a C3PAO, the validation of evidence for each control will hopefully be a smooth process from one category of domains to another. Expect a daily meeting to review what progress has been made as well as the initial results for each practice that has been validated. There should be no surprises by the end of the assessment engagement; if your organization has failed a 5-point or 3-point control according to the NIST SP 800-171 assessment scoring methodology (or the CMMC Assessment Process document in its final form), you will not be granted the six-month POA&M period to remediate that control.
The video above is a CMMC 2.0 update from Stacy Bostjanick, Director of CMMC, OSD DoD CIO, from a recent Cloud Security and Compliance event. It walks through where the DoD currently sits with the CMMC program, and how it impacts contractors in the Defense Industrial Base today.
If you’re unsure where you are in the journey or how well you’ve prepared, we cannot stress enough the value of seeking professional assistance. You can contact the Summit 7 team to start the conversation, no matter where you are on your Steps to CMMC compliance.