By Sese Bennett
October 31, 2022
As you read and prepare for the DoD’s CMMC 2.0 assessment, you have more than likely observed that both assessment and consulting organizations are offering pre-assessments for those interested in attaining CMMC 2.0 certification. Did you ever think that spending money might actually save money? While some requirements and restrictions are still unclear, this article will help you determine if paying for a CMMC Pre-Assessment saves money. Likewise, we will discuss what type of pre-assessment is most likely to best prepare your company for the CMMC 2.0 certification assessment.
To begin with, let’s define what a pre-assessment is and what it is not. In the context of CMMC, pre-assessments are a service that can be provided by anyone with knowledge of the CMMC 2.0 requirements prior to the formal certification assessment. Pre-assessments can be done in several different ways, but we will discuss the three most common options when considering this path for your organization. The value you gain from a pre-assessment greatly depends on the way it is performed and the deliverables you receive. Just remember that a pre-assessment is not the same as the formal certification assessment, and therefore is not a required step for certification. However, it is preferred. Read on to see why.
Shown below is the PGS Cheat Sheet for CMMC Pre-Assessment Guide. We will discuss each option in more detail in the sections that follow.
The first approach to CMMC pre-assessments requires a knowledgeable CMMC resource to assess your CMMC environment for compliance. After assessing your environment, the assessor provides a report specifying the status of each practice reviewed for compliance. This report will specify a status of Met or Not Met (failed) but will not contain remediation advice, details, or steps to correct any issues identified. Although this information can be useful, it can leave companies with more questions than answers.
This option is typically the less expensive but also the less valuable option when it comes to pre-assessments. This type of pre-assessment can be conducted by a Certified Third-Party Assessment Organization (C3PAO), whether or not it is the one conducting your certification assessment, a Registered Practitioner Organization (RPO), an external non-CMMC certified individual knowledgeable about CMMC, or even an existing non-CMMC internal resource with CMMC knowledge. Non-certified CMMC resources can present unique challenges for an organization. These can include lack of knowledge of revised CMMC requirements, over-familiarity with the environment, and lack of management impact due to already being part of the organization (familiarity breeds contempt; no one can be a prophet in their own land, etc.) – well, you get the point.
The second approach to CMMC pre-assessments also requires a knowledgeable CMMC resource to assess your CMMC environment for compliance. For this approach, it is recommended that OSCs (Organizations Seeking Certification) work with a C3PAO to conduct a detailed assessment of the CMMC environment. Output from this assessment should include a detailed report that includes the status of each practice (Met or Not Met) along with remediation recommendations for correcting any deficiencies identified during the pre-assessment. This in-depth report and associated advice are far more useful than just a Met/Not Met report as discussed previously. The detailed CMMC pre-assessment with recommendations may be the more expensive option, but the return on investment is invaluable.
With this approach, there are a few additional things to consider. The rules surrounding the CMMC 2.0 assessment process address issues that could arise and be viewed as a “Conflict of Interest”. An example of this would be when a C3PAO performs a pre-assessment for an OSC that includes recommendations or remediation advice or assistance. In this example, that C3PAO cannot perform the certification assessment since they have provided consulting assistance to the OSC. If this is the case, the C3PAO would work with the OSC to identify a different and independent C3PAO to perform the actual certification assessment. C3PAOs in this scenario do not collaborate or share any information regarding the pre-assessment or certification assessment.
The rule to keep in mind is that if your favorite C3PAO assists you with recommendations, remediation steps or advice, or issue resolution in any way, this is considered consulting and that C3PAO cannot perform your CMMC 2.0 certification assessment.
Of course, there is an option 3. That is to forgo the pre-assessment altogether. From a “likelihood of CMMC success” perspective, this seems to be the riskiest choice. The chance of failing the assessment altogether is greatest with this option. Yes, with this option you will save money up front, but the cost of failing, remediation, and a second assessment is far more expensive and time-consuming in the end.
The CMMC pre-assessment is a critical part of your preparation process for successfully achieving your goal of CMMC certification. While achieving certification is possible without a pre-assessment, why risk it? Paying for a CMMC Pre-Assessment saves money and time.
Bypassing the opportunity for a pre-assessment significantly reduces your chances of certification on your first try and increases the likelihood that you will spend more on re-assessment activities in the future. Overall, a net loss for your organization.
Here at Provincia Government Solutions, we partner with a network of experienced and knowledgeable C3PAOs. Whether we are performing the pre-assessment or the formal certification assessment, we can recommend multiple C3PAO partners for your consideration. We are here to help you earn your CMMC 2.0 certification. Your success is our success.
We will discuss the top 5 questions you should ask any prospective C3PAO in the next article. This article will help you hire the best C3PAO to do the CMMC Assessment for your company.
Be sure to subscribe to our blog and check out our podcast for more in-depth discussion of all things cybersecurity.
Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you on the path to success!
Until then, be safe and stay secure!
Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at firstname.lastname@example.org to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!
Provincia Government Solutions is a Nashville TN based Authorized CMMC Third-Party Assessor Organization (C3PAO) and SBA Certified HUBZone small business specializing in Cybersecurity Assurance Services for government agencies, contractors, and commercial organizations affiliated with government entities.