What To Expect During a CMMC Assessment
So you're looking to achieve a CMMC certification. In this video, we will cover the
- What you can expect from your assessor, and
- What the outcome of the assessment is
So CMMC assessments are governed by the CMMC assessment process, of course, this is all dependent on the finalization of that document (as it's in draft). Which is also dependent on the rule-making process. So we're gonna talk about what we're seeing currently within that joint surveillance assessments and what that process looks like, and then what we can expect moving from joint surveillance to formal CMMC certification assessments.
One of the most important things as an organization when you come to Shellman or any C3PAO for assessment is to ensure you've identified your CUI, your controlled and classified information because that's really the important component in terms of the scope of the assessment, and that you understand the data flow and the other systems that are being impacted as you're handling that CUI within your organization.
From there, once you've identified your CUI, you want to understand how the information security can that you have implemented with respect to the standard (one hundred and ten controls or requirements in level two), and that translates to three hundred and twenty assessment that we as assessors are going to look at, you want to understand how you can address each one of those relative to the CUI and relative to your security protection assets, as well as other components in your system. Those are all very key inputs to how we go about scoping assessment timeline, cost, and how we really plan to execute that within your organization.
When we think about the timeline, that's really broken out into a multi-phase assessment:
- Phase One: The Planning and preparation phase
- Phase Two: The assessment execution phase
- Phase Three: Primarily reporting-focused.
- Phase Four: A phantom phase, this would be contracted separately. This is on an as-needed basis if you do need to have retesting performed or POA&Ms close-out performed. That's really done under phase So we're gonna focus on the first three phases: plan/prepare, execute, and then report.
Phase One: Planning
In the planning phase, the primary outcome of that there are a number of CMMC deliverables that will be in play currently right now in joint surveillance. The primary output of phase one is the security assessment plan, as well as that really green light to say, yes, we're good to move forward with the assessment into phase two. So we perform a readiness review, which is to determine if the organization is ready to move forward. So we'll look at documentation, we'll look at whether the control sign is appropriate.
If no matter how well that control is implemented, it still will not meet the intent of the control or the requirement: that's a red flag. We want to make sure organizations have appropriate controls designed before moving forward to test implementation effectiveness during phase two.
During phase one, we will issue an information request list, which is really focused on your policies, your procedures, your system security plan, and then provide you an opportunity to collect that information and provide it to us, and then we perform a deep dive of that. We look to make sure we understand the architecture, the service that you may be providing to your customers, and how you're handling and processing CUI within your environment.
And then from there, we will execute the security assessment plan and determine the appropriate timeline for moving forward to phase two of the assessment.
Phase Two: Execution
Alright, So now we've talked about planning and preparation. Let's move into phase two the execution.
This is like the bulk of our assessment in fieldwork. So we will have an interview week depending on the scope of the assessment and other factors that may be:
- On-site, or
We will perform roughly a week of interviews to understand control implementation, make observations, we'll ask your subject matter experts to demonstrate control implementation (dig into a console and pull up a configuration and show us how that's operating). We want to make sure that SMEs have the right institutional knowledge and that it's following the policies and procedures that you've defined for them.
And then it also aligns with the evidence that we receive during that process as well. And then once we complete those interviews, there is a week or two (all scope dependent) on how we put pen to paper, essentially, with our test procedures. We'll review the additional evidence that you provided. If there are any follow-ups, it gives us an opportunity to resolve those and ensure that we have the outcomes (the met / not met status) for each of the assessment objectives.
Phase Three: Reporting
Once we've completed the testing and we have the met / not met status for each objective, we're going to move forward to the reporting period. At that point, in joint surveillance, it's putting together a security assessment report (SAR) with those results. We will have had a closing meeting with your organization to deliver those results and if there were any deficiencies that we identified during testing, we tell you that in the process. We don't want any surprises, so we won't drop a finding in the reporting phase. We want you to know about that ahead of time. That way, if there are any discrepancies, we can resolve that.
With the reporting, we issue a draft so you have the opportunity to provide feedback or comments and make any updates, and then we finalize.
From there, that report goes to your organization, and then you have the opportunity within joint surveillance to submit that to the DoD, specifically the DCMA DIBCAC team that is also performing the assessment jointly. In the larger CMMC certification assessment, these phases and steps are further defined with some CMMC-specific deliverables. That's all defined in the CAP. Again, is subject to finalization with the rulemaking process.
While CMMC assessments are occurring right now in that joint surveillance process, and will probably change a little as it moves into the formal CMMC certification, the phases of assessments should not change.
You're going to have phase one: plan and prepare, phase two: execute, and phase three: report. And so now you have an idea of what to expect from the assessment, things that will look for the different milestones that occur, and then ultimately how you get your results within the security assessment report.
If you have additional questions or wanna understand how to engage Shelman to complete your assessment or begin that process, Go to our website, complete our contact us form, and a member of our team will reach out to you.
About Marci Womack
Marci Womack is a Director in Schellman’s FedRAMP practice and CMMC technical lead, and is based in Denver, CO. Marci has nine years of information security experience across various industries – cloud services, government, and financial services. In addition to performing numerous FedRAMP assessments, Marci has experience assessing organizations for compliance with other federal frameworks, including NIST SP 800-53, DoD CC SRG, NIST SP 800-171, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).