Complete a CMMC Assessment
Documentation is what CMMC assessors review to confirm that your organization is actually meeting the requirements it has stated it meets. This blog covers how to prepare for upcoming CMMC assessments.
Doing CMMC right the first time will be an expensive process, but not as expensive as doing it a second or third time, especially with the DoD maintaining its position of not allowing costs for aerospace and defense contractors. Having a proper CMMC assessment completed is the final, and obviously most critical, step in a company's journey to CMMC certification.
In this blog, we're going to cover what items need to be on your "CMMC readiness" checklist in order to successfully complete a CMMC assessment.
This should be the final stop on your 7 Steps to CMMC journey. As with many things in CMMC, the formal assessment process has yet to be fully baked, and with good reason – many stakeholders have provided detailed feedback and suggestions for improvement on the draft (Version 1.0) of the CMMC Assessment Process (CAP) document that was publicly introduced in July of 2022. Until the final ruling of 32 CFR comes out (expected between March 2023 and March 2024), the details of the final CMMC Assessment Process are under wraps, thus leading to a bit of educated guesswork from the C3PAO community.
In this final blog of our 7 Steps to CMMC series, we'll do our best to outline what we expect CMMC readiness looks like for a Cyber AB-authorized C3PAO assessment. This is not meant to exactly mirror the public draft of the CAP; it is structured to include what makes the most sense.
7 Steps to a CMMC Assessment
In the previous blogs, we captured the roadmap of the following activities. The results of each step will be captured in preparation for engaging with a C3PAO:
- Define Your Required CMMC Level
- Identify Assets for CMMC (scoping)
- Choose A Technical Design for CMMC
- Implement Microsoft Government for CMMC
- Find a Managed Service Provider for CMMC
- Prepare and Document for a CMMC Assessment
CMMC C3PAO Readiness Checklist
The C3PAO will likely provide a readiness checklist of items that will be reviewed to ascertain whether your team is genuinely prepared for a formal assessment.
The CMMC C3PAO readiness checklist will ask for items such as:
- Pre-assessment or formal CMMC Level 2 assessment
- The defined scope of assessment
- The chosen assessment initiation date
- The provision of contractual requirements
- Shared contact information and specific roles
A quality C3PAO will ask for the right information upfront to understand your assessment needs and to stay efficient, so that any answer to the above indicating a gap in availability, coverage, or readiness can be addressed before moving forward. Once a preliminary go-forward is established, the C3PAO will initiate basic contracts like NDAs and MSAs to prepare for the review of more sensitive documentation:
- Systems Security Plan (SSP)
- Scope diagrams and explanation of external connections
- Inventory Lists
- Previous assessment results
In this initial phase, the C3PAO may also request a workbook or chart showing the types of evidence artifacts you are prepared to present, organized by Practice and Assessment Objective for each of the CMMC Level 2 domains. This will verify the availability of evidence and maturity of your program, which in turn helps the C3PAO determine costs, timelines, and resources needed to navigate the full assessment.
Questions for Your CMMC Assessment Preparation
Here are some additional questions you will want to have thoroughly thought out and prepared for review in advance. Some of these were reviewed in previous articles, but they bear repeating:
- Can you defend the scope you have presented with proper explanation and documentation of external connections?
- If you use an External Service Provider like an MSP/MSSP, are they ready with their documentation, artifacts, and personnel to participate in the assessment?
- Is their role clearly defined in both an SRM (Shared Responsibility Matrix) and in their MSA (Master Services Agreement) with your organization?
- If they need to undergo their own CMMC Level 2 assessment as a Security Protection Asset (SPA), will they be ready in time? This requirement is still to be determined by the DoD.
- If you use Cloud Service Providers to store, process, or transmit CUI, do you have their FedRAMP Moderate package available for review along with their SRM?
- Have you generated proof of FIPS 140-2 validation for any applicable asset or system?
- Is everyone on the team who has responsibility for any of the 110 practices (NIST 800-171A) ready to either demonstrate their procedures or speak to the same in an interview?
- Have they been appropriately prepped to limit their interview dialogue to the practice at hand, or to demonstrate only what has been asked for?
- If the assessment team sends one or more assessors to your facility, will their physical presence be addressed with care according to the physical security practices outlined in CMMC Level 2?
- Have you made sure the only items remaining on your POA&M are “Enhancements” that will not indicate a failure on any CMMC Level 2 practices?
The voluntary CMMC Level 2 “Joint Surveillance” assessment will be conducted differently than the formal CMMC Level 2 assessment. If your goal is to participate in the voluntary assessment program prior to 32 CFR ruling, be sure to get the details on how this affects your deliverables and readiness from the C3PAO you are hiring.
Once the formal CMMC Level 2 assessment is initiated by a C3PAO, the validation of evidence for each control will hopefully be a smooth process from one category of domains to another. Expect a daily meeting to review what progress has been made as well as the initial results for each practice that has been validated. There should be no surprises by the end of the assessment engagement; if your organization has failed a 5-point or 3-point control according to the NIST 800-171 assessment scoring methodology (or the CMMC Assessment Process document in its final form), you will not be granted the six-month POA&M period to remediate that control.
Final Thoughts
The video above is a CMMC 2.0 update from Stacy Bostjanick, Director of CMMC, OSD DoD CIO, from a recent Cloud Security and Compliance event. It walks through where the DoD currently sits with the CMMC program, and how it impacts contractors in the Defense Industrial Base today.
If you're unsure where you are in the journey or how well you've prepared, we cannot stress enough the value of seeking professional assistance. You can contact the Summit 7 team to start the conversation, no matter where you are on your Steps to CMMC compliance.