CMMC assessment guide: Getting started and what to expect
Mar 11, 2025 · Authored by Matt Gilbert, Michell Min
If your organization is planning to pursue a Cybersecurity Maturity Model Certification (CMMC), you likely have questions. Start here to get the answers you need with our CMMC assessment guide. Find out how to prepare, what to expect and leading practices for success.
Identify the required CMMC level
What are your goals? At the outset of CMMC, your organization should determine the certification level (i.e., Level 1, Level 2 or Level 3) necessary to achieve your business objectives. At a minimum, CMMC Level 1 certification is required to perform work for the government and handle federal contract information (FCI). Level 2 will be required if your contract involves the handling of controlled unclassified information (CUI). Level 3 will be required if your contract involves the handling of highly sensitive information, such as CUI for Department of Defense (DOD) programs with the highest priority.
Before CMMC: Get a Supplier Performance Risk System (SPRS) score
Used by the DOD as a precursor to CMMC to assess the risk of a contractor’s cybersecurity position, the SPRS score is a numerical value that measures a defense contractor’s compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security controls.
To determine SPRS scores, organizations are rated on their ability to meet multiple practices, with each practice worth one, three or five points. A total of 110 points may be earned for a perfect score. For each practice an organization does not meet, that practice's point value is deducted from 110, so the lowest possible score is -203. Lower scores indicate that the DOD will need to assume greater risk, and defense contractors with low SPRS scores may not be awarded contracts.
A strong system security plan (SSP) is the roadmap for CMMC
An SSP is your organization’s roadmap to NIST SP 800-171 and CMMC compliance. This comprehensive document details the scope of your environment, including all systems and applications that contain CUI data, and outlines the security controls in place to protect your organization’s IT systems and the CUI data contained therein. A robust SSP allows your assessors to evaluate and determine adequate organizational boundaries for processing and storing CUI data.
The SSP should also include an implementation statement or control language for each NIST SP 800-171 practice explaining how your organization meets the requirement. Rather than simply restating NIST language, implementation statements should give the assessor a general understanding of your organization’s specific process. The implementation statements should address each assessment objective associated with the practice. Each practice should be given an implementation status of “implemented,” “not implemented” or “not applicable.” Ideally, all practices should have the status of “implemented” or “not applicable” before the beginning of the assessment; however, assessors may allow plans of action and milestones (POA&Ms) for select practices not fully implemented at the time of the assessment.
Finally, the SSP should indicate the control owner(s) for each practice, thereby ensuring accountability and ownership over the successful execution of each practice. Practice control owners are ultimately responsible for ensuring the practice is performed appropriately and retaining evidence of the control execution. These control owners should also be able to answer assessor questions during the interview phase of the assessment.
Determine readiness by performing a gap analysis
Before the assessment, your organization should internally review control compliance for each NIST SP 800-171 practice. Many factors impact the amount of time needed to perform this gap analysis, including but not limited to:
- Number of systems and applications in scope for the assessment (CUI boundary)
- Degree of decentralization of the organization’s structure and processes
- Size of the organization
Some organizations may have many systems and applications that process and store CUI, thereby expanding the scope of the assessment as these systems and applications will need to meet each practice’s requirement.
The degree of centralization is a considerable factor. If a central IT team manages any of the organization’s systems and links them via Active Directory (AD), the AD processes can simplify the assessment. However, if the organization operates in a decentralized manner, with various teams owning their applications and systems and executing separate control processes, this can increase the complexity of the organization’s CMMC environment. In such cases, separate documentation, such as multiple SSPs, may be required.
In larger organizations, having multiple individuals responsible for executing practices and objectives can also increase the complexity of the organization’s processes. With multiple control owners responsible for the successful execution of a single practice, there is a higher risk of inconsistency leading to processes not being followed or requirements not being met.
Regardless of the factors impacting your organization, gap assessments often provide key personnel with an informational or training exercise on CMMC and compliance requirements. A third-party assessor can also be instrumental in identifying practice gaps and providing guidance toward achieving compliance with the greatest efficiency. Following the gap assessment, your organization should be able to identify which controls are either partially implemented, not implemented or not applicable. Gaps can occur in the following scenarios:
- Control has yet to be designed
- Control is designed but performed inconsistently due to various reasons (e.g., lack of proper oversight, budget or proper resources)
- Control is being performed but the organization lacks proper documentation to prove the control
A third-party assessor with CMMC experience can help facilitate this assessment and provide recommendations for remediation. Ultimately, CMMC is about demonstrating to a third party how you perform the required controls. If you have done this before, you will be more confident and ready for the official assessment.
Remediation and POA&Ms
Once all gaps have been identified, your organization should develop a plan for remediation using a tracker with due dates for completion. A third-party assessor can assist by answering questions, providing guidance regarding gap remediation leading practices and acting as a project manager to oversee remediation progress.
As noted earlier, an organization may pass its CMMC assessment with open POA&Ms only for certain practices that are allowed to be remediated after the assessment. These POA&Ms must be addressed within six months from the end of the assessment, and your assessor will follow up to confirm they have been completed.
Prepare an evidence package
In our experience, a well-organized evidence package with one example for each control has been the most helpful differentiator in ensuring success for a CMMC assessment. By preparing your evidence package in advance, your organization can help the assessment run efficiently by delivering the appropriate evidence at the right time. Depending on the control, evidence can take many forms, including policies and procedures, screenshots of configurations, sample tickets showing actions taken and meeting minutes. You can even redline certain pieces of evidence with short explanations to better showcase your organization’s efforts to meet the practice requirements (e.g., redlining firewall rules in a screenshot with a text box explaining the firewall rule).
External service providers
Organizations may choose to work with external service providers or cloud service providers who may be responsible for the execution of select practices. In these instances, the external service provider should have one of the following to ensure compliance:
- Current CMMC certification
- Federal Risk and Authorization Management Program (FedRAMP) certification
- Participation in the organization’s CMMC assessment
When participating in an organization’s CMMC assessment, external service providers may need to provide documentation (e.g., SSP, CUI flow diagram). These external service providers may also need to participate in answering assessor questions and provide artifacts as evidence of control execution. If the external service provider is a cloud solution, its participation might be limited to providing a shared responsibility matrix showing which controls are handled by the provider and which by the customer. Ultimately, the assessor will want to confirm that the organization and its external service provider have a clear understanding of the division of responsibility and that the required controls are in place regardless of who is responsible for them.
Interview preparation and training
As stated earlier, the organization should ensure all practices are assigned a control owner responsible for understanding the control and explaining to the assessors how the control requirements are met. Control owners should be familiar with the evidence presented for the control and adept at answering questions. Additionally, they should review the SSP for the practices they are assigned and be familiar with the implementation statements and the evidence package. This allows for consistency in responses and helps make a good first impression on the assessors.
It is recommended to offer training to the control owners before the assessment. Preparing for the questions assessors are likely to ask can help control owners answer with the necessary detail and without extraneous information, thereby minimizing follow-up questions.