If there’s one thing that’s true about the Department of Defense, it’s that they take cybersecurity extremely seriously — and they expect their contractors to take it seriously, too. That’s why a lot of DoD contractors are anxious about the new Cybersecurity Maturity Model Certification (CMMC). Not only are the stakes high, but most have not been through it before.

It’s understandable if you have some nerves about your first CMMC third-party assessment, especially if your organization depends on large government contracts to stay afloat. Let’s take a look at what you can expect from your first CMMC assessment with a CMMC Third Party Assessment Organization (C3PAO), so there are no surprises along the way.

For the purposes of this article, I’m assuming you need a third-party assessment.


Hire a CMMC Assessor

The first thing you’ll need to do is hire a C3PAO. I’ve written about hiring an Assessor before, but it’s worth emphasizing again that your Assessor works for you, not the other way around. If your C3PAO isn’t the right fit for your organization, you aren’t obligated to stay with that firm. Just like any other service provider, their job is to help you accomplish your goals while carrying out their own. They aren’t the CMMC police; they are a partner in your success who also has a job to do.

Also worth repeating is to find an Assessor who is able to take a middle of the road approach — one who adheres firmly to the purpose of each requirement, without unjustifiably adhering to the letter of the law. Each organization is different, and you may be structured in a way that justifies a degree of flexibility here and there.

Hiring the right C3PAO is only one small piece of successfully navigating the Cybersecurity Maturity Model Certification. Get fully equipped with TCT’s online guide to CMMC.

Start Your CMMC Engagement

Once you’ve hired your C3PAO, the Assessment firm will likely take a three-phase approach to your engagement. The timing varies from firm to firm, and the details of the approach may differ, but the basic structure will usually look something like the following three phases.

Phase 1: Kickoff Meeting

Chances are, you already had some kind of kickoff or discovery meeting with the Assessment firm when you hired them. This meeting covers similar ground, but its purpose is to set expectations, confirm that the basic information the firm collected earlier is still accurate, and bring the assigned Assessor up to speed on your engagement.

The C3PAO will want to know who you are as a business, what you’re doing, and what you need to accomplish as an applicant organization. This meeting will primarily include your upper level executives and the internal stakeholders in charge of operationally overseeing the CMMC engagement. The kickoff meeting will likely be fairly short — 60 to 90 minutes or so.

Phase 2: Review of Your Environment

Shortly after the kickoff meeting, the C3PAO will begin a review of your cybersecurity environment. If the first meeting was a 10,000-foot view of your organization, this is the 5,000-foot view.

During this phase, the Assessor will start getting their arms around some of the high level details to get a sense of what your overall cybersecurity stance looks like. They’ll want to know information such as:

  • Where is your environment hosted?
  • What is the inventory?
  • What does the network diagram look like?
  • Who are the connected vendors?

They’ll also ask about your personnel and your departments, data flow diagram, and your physical locations. This phase gives the C3PAO the context for the detailed evidence that they’ll be receiving from you next.

Phase 3: Evidence Collection and QA

Now that your CMMC Assessor has some notion of where everything fits in the puzzle, they’re ready to dive into the nitty-gritty details near ground level. This is where the most grueling work happens.

It’s also the phase when you suddenly feel like you’ve been released into a chaotic scavenger hunt filled with roadblocks and landmines — all while up against a countdown timer.

During this phase of your CMMC engagement, your C3PAO will ask you to supply evidence proving that you fulfill every CMMC requirement. On your side of the fence, you’ll need to rely on a team of personnel from numerous departments across your organization to help with the effort.

You’ll gather every piece of evidence and send it to the C3PAO for review. The Assessor will either accept it or reject it. If they reject it, they’ll explain, based on their review of the submitted evidence, what you need to supply in order to comply, and you can then resubmit the evidence accordingly or confirm the GAP.

If the evidence looks good to the Assessor, they’ll pass it on to their QA person for a final review.

Multitudes of items flow up and down the workflow at the same time. For each one, the objective is either a confirmed GAP or the Assessor’s blessing to move into their QA process and, ultimately, into a completed state.

Monitoring Your SPRS Score

As items are finalized, your SPRS score will fluctuate up and down, depending on whether your evidence fulfills the requirements or is a confirmed GAP.

For example, at first an item looks fulfilled, so five points are added to your score. Then the Assessor reviews it and decides you need to supply additional information. Minus five points. Once you provide the information, the Assessor checks it and approves it. Plus five points. And so on, for all 110 requirements — and it’s all moving north and south through the workflow simultaneously.

At first, your SPRS score could fluctuate wildly, but over time, you’ll see it start to gain stability and you’ll have a sense of where you stand.
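As an added illustration (not code from this article or from TCT Portal), here is a small Python model of the Phase 3 evidence workflow with a live SPRS-style score. It assumes the DoD Assessment Methodology’s scoring, where the score starts at 110 and every requirement not shown as met subtracts its weight of 1, 3 or 5; the requirement IDs and weights used, and the assumption that the other 107 requirements are already finalized, are constructed sample data for the example.

```python
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110  # NIST SP 800-171 has 110 requirements; the score starts here

class State(Enum):
    PENDING = "pending"      # nothing submitted yet
    SUBMITTED = "submitted"  # evidence sent, awaiting Assessor review
    REJECTED = "rejected"    # Assessor wants more: resubmit or confirm the GAP
    ACCEPTED = "accepted"    # Assessor accepted, forwarded to QA
    FINAL = "final"          # QA signed off
    GAP = "gap"              # confirmed GAP, requirement counted as not met

# event -> (states the event is allowed from, resulting state)
TRANSITIONS = {
    "submit":      ({State.PENDING, State.REJECTED}, State.SUBMITTED),
    "reject":      ({State.SUBMITTED}, State.REJECTED),
    "accept":      ({State.SUBMITTED}, State.ACCEPTED),
    "confirm_gap": ({State.REJECTED}, State.GAP),
    "qa_pass":     ({State.ACCEPTED}, State.FINAL),
    "qa_fail":     ({State.ACCEPTED}, State.REJECTED),
}
MET = {State.SUBMITTED, State.ACCEPTED, State.FINAL}  # states that earn points

@dataclass
class Requirement:
    rid: str      # NIST SP 800-171 identifier
    weight: int   # 1, 3 or 5 under the DoD Assessment Methodology (sample values here)
    state: State = State.PENDING

def apply(req: Requirement, event: str) -> None:
    """Move one requirement through the review workflow, refusing illegal jumps."""
    allowed, target = TRANSITIONS[event]
    if req.state not in allowed:
        raise ValueError(f"{req.rid}: cannot {event} from {req.state.value}")
    req.state = target

def sprs_score(reqs) -> int:
    """Live score: 110 minus the weight of every requirement not currently shown as met."""
    return MAX_SCORE - sum(r.weight for r in reqs if r.state not in MET)

def walkthrough():
    """Replay the article's plus-five / minus-five scenario on constructed data."""
    scope = [Requirement("3.1.1", 5), Requirement("3.1.2", 5), Requirement("3.1.22", 1)]
    # Constructed assumption: the other 107 requirements are already finalized at weight 1.
    scope += [Requirement(f"other-{i}", 1, State.FINAL) for i in range(107)]
    by_id = {r.rid: r for r in scope}
    history = [("start", "-", sprs_score(scope))]
    for event, rid in [("submit", "3.1.1"), ("reject", "3.1.1"), ("submit", "3.1.1"),
                       ("accept", "3.1.1"), ("qa_pass", "3.1.1"), ("submit", "3.1.22"),
                       ("reject", "3.1.22"), ("confirm_gap", "3.1.22")]:
        apply(by_id[rid], event)
        history.append((event, rid, sprs_score(scope)))
    return history  # scores: 99, 104, 99, 104, 104, 104, 105, 104, 104
```

Note that a confirmed GAP stays deducted while a rejected item can still recover its points by resubmission, which is exactly what makes the score swing early in the engagement and settle later.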

If your Assessor is using spreadsheets or some manual method of entering SPRS information, chances are that they’ll do it occasionally, when it’s convenient to update a bunch of line item scores at once. To go in every time there’s a change is impractical, and a gigantic pain in the ass.

But the beauty of TCT Portal is that your SPRS score is automatically calculated and updated live. Your Assessor doesn’t have to do any manual data entry or calculations, and you can all track your progress in real time — no waiting until the Assessor finds time to make a major SPRS update. Which means you won’t have major surprises along the way, either.

Don’t Piss Off Your C3PAO

It is critical to have a central repository that gives you immediate access to all of your evidence, files, and supporting documents. You should know precisely where every piece of information is, what you have, who is responsible for it, and whether it’s current or not.

You don’t want to start off your engagement hunting down every document the C3PAO asks for, while they’re sitting there twiddling their thumbs waiting on you to find information you should already have at your fingertips.

If you don’t have an automated compliance management system, now is the time to get one, before you start engaging with an Assessor. Own your data, maintain your own repository, and make it available to your Assessor. The same system can then support your organization’s ongoing operational compliance management as you prepare for your next Assessment, and it ensures that even if you change Assessors (it happens), you won’t lose your data repository or the internal processes you’ve perfected, because you’re managing compliance with your OWN tool.

CMMC Reporting

At this point in the game, your CMMC Assessor starts working on generating the CMMC report. Your mad rush is over and you can start breathing again.

Expect the report generation to take some period of time. The Assessor will need to create the report and send it through their QA department. Once the I’s are dotted and T’s are crossed, you’ll receive a draft report for your own review.

Take some time to go through the draft report, because there’s always a chance that the Assessor may have misunderstood something or captured some detail incorrectly. This is your opportunity to make sure the report accurately captures your cybersecurity maturity. If necessary, you can talk through any adjustments that may need to be made.

Assuming the report is accurate, the document is signed off, finalized, and provided to your organization for use in your interactions with the DoD. Congratulations, you’ve successfully completed your first CMMC assessment!

Manage CMMC Assessments with Confidence

Going through a CMMC assessment is no cakewalk, and it’s a big effing deal. It takes hard work and a good deal of effort, over a period of months. But if you know what to expect and have the tools you need, you can minimize the anxiety and surprises of your first CMMC assessment.

