The Rise of CMMC False Starts

    Learn about the high likelihood of CMMC False Starts over CMMC Failures. Discover what the CMMC Assessment Process will look like for your company.


    Although CMMC assessments are difficult, CMMC certification is achievable, provided that you first make it through the “assessment feasibility determination” that precedes the actual assessment.

    For many companies, failing CMMC assessments won’t be their biggest problem – it will be qualifying for the assessment in the first place.



    This episode is from the Sum IT Up podcast.

    CMMC Failure vs. CMMC False Starts

    Many companies aren’t ready for CMMC assessment. However, the total number of actual assessment failures will be very low, in my opinion, because of the way the CMMC Assessment Process is structured.

    If companies don’t represent “feasible” assessments, then they won’t fail because the assessments simply won’t happen.

    The CMMC Assessment Process Guide “CAP”

    It’s been a while since we talked about the “CMMC Assessment Process Guide” (“CAP”), so here is where it stands:

    • Released July 2022.
    • Still in draft status.
    • The Cyber AB took public comments, but we haven’t seen anything come of them yet.
    • An updated CAP won’t be released until after the rule is final, according to the Cyber AB Town Hall series.


    Nevertheless, we expect the rough structure of the CMMC assessment phases and steps to remain mostly the same:

    • Phase 1: Plan and Prepare the Assessment (7 steps)
    • Phase 2: Conduct the Assessment (3 steps)
    • Phase 3: Report Recommended Assessment Results (2 steps)
    • Phase 4: Close-Out POAMs and Assessment (2 steps)

    CMMC Assessment Step 1.7 – Verify Readiness

    Today we’re going to talk about the last step of Phase 1 and its two sub-steps:

    • Step 1.7 Verify Readiness to Conduct the Assessment
      • Step 1.7.1: Access and Verify Evidence
      • Step 1.7.2: Make an Assessment Feasibility Determination

    As the CMMC Assessment Process Guide explains:

    “The final step of Phase 1 is to confirm that all parties are ready and positioned to conduct the CMMC Assessment. This includes ensuring that the OSC is adequately prepared, the C3PAO Assessment Team is established and ready, that Evidence is available and accessible, and that risks have been identified, all of which contribute to the overall feasibility of conducting the Assessment as planned.”

    “Upon analyzing all of the information collected and discussions conducted during Phase 1, the Lead Assessor shall arrive at one of the following four (4) possible determinations:

    1) Proceed with the Assessment as planned

    2) Replan the Assessment

    3) Reschedule

    4) Cancel the Assessment”


    Step 1.7.1 Access and Verify Evidence

    The actual work of verifying that security controls have been implemented to satisfy the NIST SP 800-171 requirements, in accordance with the CMMC Assessment Guide, doesn’t occur until Phase 2. Step 1.7.1 only confirms that the evidence exists and can be reached.

    Unless it’s clear that a defense contractor is ready to proceed to Phase 2, Phase 2 isn’t guaranteed to happen.

    From the CAP:

    “In this step the Lead Assessor and/or Assessment Team Members are obtaining said Evidence and confirming that it is present, accessible, and available to satisfy the requirement to assess the Evidence for CMMC Certification purposes in Phase 2.

    At no time during this preliminary review of the Evidence shall the Assessment Team provide any advice or recommendation on how the OSC could improve or enhance the sufficiency or adequacy of their presented Evidence.”

    Step 1.7.2 Make an Assessment Feasibility Determination

    The Lead Assessor determines whether or not it’s feasible for an Organization Seeking Certification (OSC) to proceed to Phase 2:

    “Based on the verified existence of Evidence, along with the aforementioned resource estimates, Assessment objectives, plans, and schedule, the Lead Assessor shall determine if conducting the Assessment, as framed, is feasible.

    The Lead Assessor makes his or her Assessment feasibility determination known to the OSC and the C3PAO and documents the recommendation in writing.

    The C3PAO retains the ultimate decision authority on whether or not to proceed with the conduct of the Assessment.

    In the event that the C3PAO elects to either replan or reschedule the Assessment, the C3PAO and the OSC should agree upon the specific way forward and make arrangements accordingly to resume the engagement at a future date.

    Under no circumstances shall the C3PAO offer any advice, implementation assistance, or recommendations as to how the OSC can improve or enhance their preparedness for a replanned or rescheduled CMMC Assessment and doing so is an explicit violation of the CMMC Code of Professional Conduct.

    If the C3PAO or the OSC decides to cancel the Assessment, both parties should settle all affairs—including the return of any OSC proprietary information—and formally close out the engagement.”

    Enter: CMMC “False Starts”

    It seems likely that a significant number of companies will not pass the Phase 1 feasibility determination. When that happens, it won’t count as an assessment failure, because the assessment simply didn’t occur.

    We decided that we should coin a phrase for this phenomenon so that the powers that be can, hopefully, track how many companies make it through the feasibility gate.

    As with any important decision, we turned to the CMMC hivemind on LinkedIn.


    “False Start” is probably the best term for failing to make it through the first phase of a CMMC assessment, because it implies a miscue in preparation rather than simply getting something wrong.

    Summing It Up

    It’s hard to pass a CMMC assessment, but it’s also hard to qualify for one by showing that you are a feasible candidate.

    CMMC assessments won’t simply be a matter of paying money to a C3PAO and hoping for the best.

    Want to know what decent documentation looks like? Check out our recent deep-dive episode into the NIST policy and procedure controls.




    Sum IT Up Podcast

    With Jacob Horne and Jason Sproesser

    We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.



    Jacob Horne

    Jacob has 15 years of interdisciplinary cybersecurity experience. He uses his knowledge of cybersecurity, NIST standards, and federal rulemaking to help people make sense of cybersecurity regulations and requirements.
