5 Tips to Prepare for CMMC Assessments
By Heather Bennett
February 7, 2023
Many OSCs (Organizations Seeking Certification) and C3PAOs eagerly await the final ruling on CMMC. In their CMMC Certification Overview, the CyberAB has stated that “organizations can and should be implementing the CMMC standard.” (https://cyberab.org/CMMC-Ecosystem/Ecosystem-roles/DIB-Companies-OSCs) Many OSCs are signing or have already signed agreements with C3PAOS for their assessment in anticipation of the final ruling. As a certified C3PAO, we want to share some insight and advice on getting ready for your CMMC Assessment while there is still time to prepare.
Here are five tips to prepare for a CMMC assessment. Considering these tips will help make the assessment process smoother and more likely to succeed.
TIP #1. Documentation Review
Outdated or misaligned documents can lead to confusion and even failure. Your processes and procedures should be living documents that show ongoing development and change. This is especially true for your SSP (System Security Plan). Your SSP should be solidly built upon your supporting documents. All wording in your SSP should match your process and procedure documents. This shows continuity and maturity in your environment, which is paramount to CMMC.
The CAP (CMMC Assessment Process) Version 1.0, section 1.5.6 supplies a list of items that the C3PAO will require:
- Results of most recent OSC self-Assessment or any pre-Assessment conducted by an RP or Registered Practitioner Organization (RPO)
- A preliminary list of the anticipated evidence
- The System Security Plan and other relevant documentation; and
- A list of all OSC personnel who play a role in the procedures in scope.
The Assessment Team then collaborates and coordinates with the OSC to correlate all of the above information to each CMMC practice. The purpose of this procedure is to do a preliminary “triage” of all of the available evidentiary materials and “map” or “cross-walk” each item to their respective CMMC practices to establish the mutual understanding that the OSC has, at a minimum, addressed each of the CMMC practices with some evidentiary basis. This inventory does not establish that any or all CMMC practices have been implemented adequately or sufficiently in accordance with the CMMC standard, but rather that no “gaps” exist with regard to a particular CMMC practice. This ensures that the practice was neither neglected, ignored, or dismissed.
Having these key documents polished and ready is vital to obtaining a CMMC certification.
TIP #2. Prepare Evidence and Logs
As you begin the CMMC assessment process, you will be required to provide evidence that you meet the requirements for each control. This means all supporting artifacts must be ready. You will need to have all evidence items in versions that can be shared safely and securely. As mentioned above, these documents and logs should show a history and level of maturity that is expected for their corresponding control.
Section 1.5.7 of the CAP version 1.0 clearly defines the evidence requirements. “Adequate and sufficient Evidence will be required to determine if the OSC is ready for the assessment.”
Adequate Evidence is the correct artifact, response, demonstration, or test that proves that the organization is implementing the CMMC practice. You should ask the question: Is this the appropriate evidence for this practice?
Sufficient evidence is the correct amount of evidence to verify that the CMMC practice is implemented correctly. This prompts the question: Are we providing enough proper evidence?
Applying these two questions to each piece of evidence will reduce the time wasted providing additional or correct evidence after the assessment has begun.
TIP #3. Resolve Existing POAMs
Currently, CMMC 2.0 rules do not allow pre-existing POAMs (which is different from NIST 800-171 High conducted as part of the DIBCAC Joint Surveillance Assessments). If pre-existing POAMS are discovered, it will result in an automatic failure. Any pre-existing POAMs must be resolved before your CMMC assessment begins. For more detailed information on POAMs and CMMC, check out our blog at https://provincia.io/poams-and-their-significance-in-cmmc/
The CAP version 1.0 section 22.214.171.124 lists criteria for items that are ineligible for a POAM:
- Practices that could lead to significant exploitation of the network or exfiltration of CUI, aslisted in Appendix K, paragraphs (e) and (f);
- Any practice(s) listed on the OSC’s Self-Assessment Practice Deficiency Tracker (validatedin paragraph 1.4.2);
- Practices that were not implemented by the OSC prior to the current CMMC Assessment;
- Any practice that changes and/or limits the effectiveness of another practice that has beenscored as “MET”
If any of these scenarios is found, it will render any applicable CMMC practice ineligible. The OSC will not qualify for the “Limited Practice Deficiency Correction Program”.
TIP #4. Prepare for Interviews
Preparing for interviews may seem daunting, especially for personnel who have never been through an assessment. Prepare in advance so that your assessment is kept on schedule.
To help you do this, here are four things you can practice before your formal interviews.
With a bit of planning, communication and practice, preparing for interviews can significantly influence the outcome of the CMMC Assessment.
TIP #5. Pre-Assessment by Certified C3PAO
It is highly recommended that all OSCs undergo a preassessment before their CMMC assessment. This process can identify and remediate areas of potential failure while you have time to make corrections. A preassessment can also save time, money, and frustration. During the preassessment, your assessor should focus on critical areas that will prepare you for a successful CMMC certification assessment.
Some of these areas include:
- Document Review
- POAM Resolution
- Evidence verification
- Evidence preparation
- Environment Analysis
Preparing for a CMMC assessment can feel like a monumental task. With the help of the right professionals, navigating your assessment can be smooth sailing. Contact us today to discuss how Provincia Government Solutions can help you successfully achieve CMMC Certification.
Here at Provincia Government Solutions, we believe knowledge is power. We make sure to stay informed regarding all things CMMC and pass this expertise on to you. We are here to help you earn your CMMC 2.0 certification. Your success is our success.
We will continue our CMMC theme with “Am I ready for CMMC”. We will discuss the most important things to consider before diving in to a CMMC assessment.
Be sure to subscribe to our blog and check out our podcast for more in depth discussion of all things cybersecurity.
Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you are on the path to success!
Until then, be safe and stay secure!
Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at email@example.com to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!
Subscribe to our Blog!
Be The First
When New Blog Content is Published
Provincia Government Solutions is a Nashville TN based Authorized CMMC Third-Party Assessor Organization (C3PAO) and SBA Certified small business specializing in Cybersecurity Assurance Services for government agencies, contractors, and commercial organizations affiliated with government entities.