The First Step to Avoiding a CMMC Assessment Halt

Take-aways:

  • Passing a CMMC assessment does not happen automatically
  • A C3PAO will first and foremost examine, interview, and test whether the SSP matches reality
  • Avoid a cessation of assessment by implementing a pre-assessment with a consultant before your final assessment

The number of CMMC-certified companies already exceeds what the Department of War predicted for this point in time. Unfortunately, not all companies pass their third-party assessment on their first try. Sometimes the C3PAO halts the process because it is clear the company will not pass.
Halting an assessment can be costly and disruptive, and it can delay contract eligibility. One of the most common reasons we have had to halt assessments is a gap between what a company's documentation says and what the company is actually doing.

The "Say-Do" Gap

A disconnect between written policy and daily operations is one of the most common reasons an assessor must stop the assessment. Organizations often present a comprehensive System Security Plan (SSP) filled with robust security language and all of the right processes. The point some companies miss is that CMMC assessors do not just read policies and give the go-ahead. Assessors also validate that what is documented in the SSP actually occurs in real life. To do this, a C3PAO uses a strict triad of evidence: Examine, Interview, and Test.

Because a gap between the SSP and reality can exist, the SSP must be familiar to people at every level of the company. This is not only so that all employees can follow the plan, but also so that they can recognize and report when something is not being done the way the plan describes.

Why Does the Gap Between Reality and Documentation Exist?

One of the most common causes of these gaps is the legacy of companies treating CMMC as a checkbox exercise instead of a necessary evolution of the company's entire environment. Companies pursuing CMMC must understand what protecting controlled unclassified information (CUI) requires, which usually means updating many of their operational procedures, not just their IT configuration. This is also why CMMC is not just an "IT" issue: the whole company needs to be involved.

How to Avoid a Halted Assessment

Before scheduling your C3PAO assessment, conduct a rigorous internal readiness review. This can be done with a different C3PAO or with a Registered Practitioner Organization (RPO). They will interview your staff, test your systems, and scrutinize your documentation, mirroring the Examine, Interview, and Test approach of the official assessment. Finding and fixing these gaps internally ensures that when your official assessment begins, it moves forward to a successful certification rather than an abrupt stop. The C3PAO that will perform your official assessment cannot also conduct this readiness review, because doing so would create a conflict of interest.

What Questions Do You Have?

Creating an SSP for the entire organization to follow can feel like a daunting task. Smithers can recommend trusted consultants to you who will help you map out what you want your SSP to include and how to enact those policies in the day-to-day operations of your organization. Smithers can also conduct your final CMMC assessment when you are ready.

Contact us today and let’s kick off the conversation.