
3 Strategies for Successful CMMC Assessments, According to C3PAOs

Written by Summit 7 Leadership | Oct 9, 2024 5:33:31 PM

With the CMMC Final Rule about to be published, and with organizations planning for CMMC requirements to start appearing in their DFARS clauses in 2025, companies are now signing up for and preparing for their CMMC assessments, either as a JSVA (before the final rule is published) or as a scheduled C3PAO assessment (after it is published).


You may have seen companies celebrating perfect 110/110 scores on their Joint Surveillance Voluntary Assessments (JSVAs) on LinkedIn.

The JSVA program gives DIB contractors the opportunity to take part in voluntary assessments, which are carried out jointly by a CMMC Third-Party Assessment Organization (C3PAO) and the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). JSVAs are expected to translate directly into a CMMC Level 2 certification once the rule is finalized.

With your upcoming JSVA or C3PAO assessment, you may be asking yourself: "How can we prepare to face a CMMC assessment with confidence?" Well, who better to ask than the C3PAOs themselves?

At CS2 Denver, a panel of C3PAOs shared insights for the Defense Industrial Base (DIB) companies seeking CMMC compliance. According to their advice, there are three crucial takeaways for a successful CMMC assessment.

Panelists:

  • Carly Logan, CMMC Assessor/Security Analyst, Summit 7
  • Amy Williams, Vice President of CMMC, Coalfire Federal
  • Tony Buenger, Vice President of Cybersecurity Advisory Services, SecureStrux

What do C3PAOs recommend for a successful CMMC assessment?

1. If You Are a Small Business, Hire an MSP 

With the CMMC requirement coming fast down the pipeline, most organizations are turning to MSPs because they lack the resources (time, knowledge, skill set, experience, training, technical expertise) to implement and manage controls that satisfy all 110 requirements and 320 assessment objectives of NIST SP 800-171, which is what CMMC measures them against. As Jacob Horne reminds us, "CMMC isn't making you do the requirements; it's making sure you did the requirements."

We also heard from Jacob Hill at CS2, the one-man show who took on the CMMC requirements in-house and lived to tell the tale, who shared the time and cost involved in such an undertaking for a small business. Jacob says it took at least a year's worth of fully dedicated full-time employee hours (roughly 2,080 hours).

“But we’re just too small to afford an MSP!” 

Amy Williams, one of the panelists and Vice President of CMMC at Coalfire, said small businesses often believe they can't afford a certified MSP, but the reality is that they can't afford a breach. The panel emphasized that small businesses are the weakest link in the supply chain and are increasingly being targeted by bad actors.


 
As Microsoft's Digital Defense Report noted, there has been a significant increase in cyberattacks aimed at critical infrastructure, with the share of nation-state attacks targeting critical infrastructure rising from 20% to 40% between 2020 and 2022.

The Benefits of Working with an MSP 

The good news is that CMMC is not just a way to protect your company from a costly data breach; it is also your entry point into more contracts with the DoD. Working with an MSP, a small business can demonstrate the security posture of a much larger company, which gives it a competitive edge.

As Matt Travis, Cyber AB CEO, stated plainly at CS2 Denver: “You have to have a CMMC certification if you want to win more contracts.” 

2. Choose your MSP Wisely 

If you decide to go with an MSP, Amy Williams recommends weighing at least three providers against key criteria. The panel offered information and questions to help organizations assess the viability of a potential MSP. Here are the top five:

5 Crucial Questions to Ask Your Potential MSP  

1. Are you intimately familiar with NIST 800-171, DFARS 7012, and CMMC? 

  • This may seem obvious, but there are many MSPs out there with many different specialties. You are looking for an MSP that has extensive experience with, or better yet specializes in, working with the Defense Industrial Base.

2. Can you provide a tailored Shared Responsibility Matrix (SRM)?  

  • An SRM lets your IT team see all 110 controls and 320 assessment objectives of NIST SP 800-171 and delineate, objective by objective, who is responsible for what between your team and the MSP. For anything marked "shared," the matrix should state what each party actually does; an objective nobody has clearly signed up for is a gap the assessor will find.
  • A generic SRM is a start, but a great MSP should be able to provide a detailed SRM tailored to your environment that you can use to prepare for a third-party assessment.
  • Showing your SRM during the assessment instills confidence in your C3PAO assessor.

3. Are you able to support us in a Joint Surveillance Voluntary Assessment (JSVA)?

  • The panel noted that many organizations don't realize the difference between a CMMC certification and a DIBCAC High assessment. C3PAOs are not currently authorized to conduct CMMC assessments or issue certifications, but they are authorized to perform joint assessments with DIBCAC, called JSVAs.
  • Before CMMC shows up in contracts, organizations can pay to receive a JSVA. This pre-CMMC assessment is delivered jointly by DIBCAC (the DoD's cybersecurity assessment agency) and a C3PAO. It is not a guarantee, but organizations that pass the joint DIBCAC High/C3PAO Level 2 assessment are expected to be able to convert that assessment into an official CMMC Level 2 certification once rulemaking is finished.
  • JSVAs are a useful way to satisfy the DIBCAC High assessment while gauging your CMMC readiness.

4. Are all your employees U.S. persons? Will all data that you store for us be geolocated in the U.S.? 

  • The focus of CMMC is protecting CUI (Controlled Unclassified Information). Certain categories of CUI (export-controlled technical data, for example) must be handled only by U.S. persons and stored on U.S. soil. Can the MSP, and the tools and technology solutions the MSP uses, meet these requirements? Ask specifically about support staff, subcontractors, and the data residency of every service that will touch your CUI.

5. Are You Compliant?  

Consider the following questions:

  • Would you trust a mechanic to fix your car if he can't fix his own? When choosing an MSP, make sure they are compliant too.
  • Not only is it wise to have someone do for you what they have already proven they can do for themselves; the services and products the MSP delivers inside your assessment boundary are in scope for your assessment and must meet the requirements as well.


3. Tell a Good Story 

Preparing for your assessment is on you, not your MSP. Your MSP should provide a tailored Shared Responsibility Matrix that delineates who is responsible for implementing each control and meeting each NIST SP 800-171 objective. The MSP is there to carry its share of the load and support you, but you aren't handing over the keys for the MSP to drive your organization to CMMC, get it certified, and bring it back ready to go. When it comes to preparing for your DIBCAC or CMMC assessment, your organization is in the driver's seat.

C3PAO panel members provided organizations preparing for a CMMC Certification one major piece of advice: tell a good story.  

NIST SP 800-171 is descriptive, not prescriptive, in presenting the measures CMMC requires. In other words, if NIST SP 800-171 is a cookbook, each of the 320 assessment objectives in its companion NIST SP 800-171A shows you a photo of the finished dish, not the recipe. They tell you WHAT you must do, but not HOW to do it.

This makes preparing for your assessment especially difficult, because what the DIBCAC and C3PAOs are looking for is precisely HOW you did it. Your C3PAO is going to grade you on the recipe, not just the taste-test. 

What does this mean, practically?  

You need to show evidence of how you implemented the controls. A C3PAO will be thrilled if you hand them a thorough package: CUI data flow diagrams, the responsible persons for each control, and a control matrix that doesn't just enumerate the controls you met but records the People, Processes, and Technology (PPT) involved in meeting each one, with a pointer to the evidence for it. Don't just show your policies; show HOW each policy is carried out by a corresponding procedure.

If you err, err in over-communicating your security story.  
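The SRM from question 2 above and the control matrix described here are the same artifact viewed from two sides: one row per assessment objective, naming who owns it, how it is met, and where the evidence is. Before an assessment, the useful check is mechanical: does every objective have exactly one row, a recognized owner, an implementation statement, and an evidence pointer? The script below is an added example, not code from the original post or from Summit 7; the column names, the party labels ("Customer", "MSP", "Shared") and the sample rows are constructed for illustration, and objective IDs follow the NIST SP 800-171A notation (for example `3.1.1[a]`).

```python
"""Coverage check for a Shared Responsibility Matrix / control matrix.

Added example, not code from the original post or from Summit 7. Column names,
party labels and sample rows are constructed; objective IDs use NIST SP 800-171A
notation ("3.1.1[a]").
"""
import re
from collections import Counter

# Who may own an objective. "Shared" means both sides do part of the work,
# so the row must still spell out what the customer does.
VALID_PARTIES = {"Customer", "MSP", "Shared"}

_OBJECTIVE_ID = re.compile(r"^(\d+)\.(\d+)\.(\d+)\[([a-z]+)\]$")


def objective_key(objective_id):
    """Sort key so 3.3.1[a] sorts before 3.13.11[a] (plain string order would not)."""
    m = _OBJECTIVE_ID.match(objective_id)
    if not m:
        raise ValueError(f"not an 800-171A objective id: {objective_id!r}")
    family, control, item, letter = m.groups()
    return (int(family), int(control), int(item), letter)


def check_srm(rows, expected_objectives):
    """Return findings keyed by problem type. An empty dict means every expected
    objective has exactly one row, a recognized owner, a statement of HOW it is
    met, and a pointer to evidence the assessor can be shown."""
    malformed = [r["objective"] for r in rows if not _OBJECTIVE_ID.match(r["objective"])]
    rows = [r for r in rows if r["objective"] not in malformed]

    seen = Counter(r["objective"] for r in rows)
    duplicates = [o for o, n in seen.items() if n > 1]
    missing = set(expected_objectives) - set(seen)
    unowned, invalid_party, no_implementation, no_evidence = [], [], [], []

    for row in rows:
        party = row.get("responsible", "").strip()
        if not party:
            unowned.append(row["objective"])      # nobody has signed up for it
            continue
        if party not in VALID_PARTIES:
            invalid_party.append(row["objective"])
            continue
        if not row.get("implementation", "").strip():
            no_implementation.append(row["objective"])
        if not row.get("evidence", "").strip():
            no_evidence.append(row["objective"])

    findings = {}
    if malformed:
        findings["malformed_id"] = sorted(malformed)
    for name, items in (("duplicate", duplicates), ("missing", missing),
                        ("unowned", unowned), ("invalid_party", invalid_party),
                        ("no_implementation", no_implementation),
                        ("no_evidence", no_evidence)):
        if items:
            findings[name] = sorted(items, key=objective_key)
    return findings


def ownership_summary(rows):
    """How the work splits between the parties (a blank owner is counted as "")."""
    return Counter(r.get("responsible", "").strip() for r in rows)


# Constructed sample: a handful of objectives, not the full 320. In practice
# EXPECTED_OBJECTIVES is the complete 800-171A list and rows come from the SRM export.
EXPECTED_OBJECTIVES = ["3.1.1[a]", "3.1.1[b]", "3.1.2[a]", "3.3.1[a]",
                       "3.3.1[b]", "3.13.11[a]", "3.14.1[a]"]

SAMPLE_SRM = [
    {"objective": "3.1.1[a]", "responsible": "Customer",
     "implementation": "Authorized users are listed in the Access Control Policy, section 2",
     "evidence": "ACP v3; HR roster export"},
    {"objective": "3.1.1[b]", "responsible": "Shared",
     "implementation": "MSP provisions accounts in the identity provider; customer approves each access request",
     "evidence": "Access request tickets; identity provider user export"},
    {"objective": "3.1.2[a]", "responsible": "MSP",
     "implementation": "Role-based access policies in the identity provider",
     "evidence": ""},                                   # MSP-owned, but you still need the proof
    {"objective": "3.3.1[a]", "responsible": "", "implementation": "", "evidence": ""},
    {"objective": "3.3.1[b]", "responsible": "Shared",
     "implementation": "", "evidence": "SIEM audit workbook"},   # "shared" with no customer action stated
    {"objective": "3.13.11[a]", "responsible": "Vendor",         # not a party in this matrix
     "implementation": "FIPS-validated modules", "evidence": "CMVP certificate"},
]

if __name__ == "__main__":
    for problem, objectives in check_srm(SAMPLE_SRM, EXPECTED_OBJECTIVES).items():
        print(f"{problem:18} {', '.join(objectives)}")
    print(ownership_summary(SAMPLE_SRM))
```

Run against the sample, the check reports one objective missing from the matrix entirely, one with no owner, one assigned to a party that is not in the matrix, one "shared" row that never says what the customer does, and one MSP-owned row with no evidence pointer. The last two are the ones that bite in practice: "shared" without a customer action and "the MSP handles it" without a document you can hand the assessor are exactly the gaps between a policy and the procedure that fulfills it.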

While it's great that you get to write the recipe, it's worth a reminder that once it is written, you must follow it.

In other words, say what you are going to do (your organizationally defined parameters, policies, and procedures), and then make sure you DO what you said. You have to cook from your own recipes, because the DoD is coming back, and it will be hungry.

According to the CMMC Proposed Rule, a Level 2 certification requires reassessment by a C3PAO every three years, and every year a senior official at your company must sign a formal affirmation that you are still following the recipes you submitted when you were certified.

If the DoD comes for a taste test and doesn't like what it finds, False Claims Act liability may be coming your way.


Summit 7 is the #1 MSP for the DIB. If you're curious how we would answer the five MSP questions above, reach out to us.