Getting CMMC assessed? Some advice..
Listen to your assessor
If we say that your evidence isn’t related to the requirement being inspected, or especially the critical words “I think you have misinterpreted this requirement”, instead of getting mad, take a long pause and go ask a knowledgeable consultant to review your situation. Most interpretation problems can be fixed quickly, but ONLY if you understand what you need to do. Don’t let pride take you down. Assessors will often try to explain their interpretation if you can listen. If it doesn’t make sense, ask your assessor for a list of knowledgeable consultants and get their advice.
Make sure that your CMMC scope is solid
This means that your boundaries perform as you described and that you can explain why each asset is categorized the way it is. Finding out mid-assessment that an entire CUI system was left out of scope (and shouldn’t have been) is a huge disaster which will probably cause your assessment to fail. If you get certified with an un-declared and un-assessed system, this fact will be recorded with DoD and may come back to haunt you later.
Don’t use your calendar as an excuse
Perform every CMMC requirement (with evidence) at least once before assessment, even if you would normally schedule it in the future. Experienced 800-53 practitioners get caught by this one regularly. You will fail your self assessment, risk assessment, and vulnerability scanning checks if you tell us “those are scheduled to be performed the first time in Q4.”
Most assessors aren’t jerks
Realize that most assessors are looking for a way to pass you. Life is way easier for everyone if we can pass you.
Seek out a C3PAO that checks your readiness before they accept you for assessment. Low cost assessments are cheap on the front-end, but if you fail because of an obvious problem, what was the point?
If a company is doing each requirement at the bare minimum level, they are still VERY secure. The 800-171 requirements overlap to create comprehensive protection. Your solutions don’t need to be gold plated, they just need to address the exact language in the requirements.
Caught off-guard during the assessment? Instead of replying, “We don’t do that”, give yourself space by saying “We are trying to find the right person/record for you”.
Our sponsor, Kieri Solutions, Authorized C3PAO, does their best to help defense contractors build compliant systems (if they consult) or reward the DIB for compliance (if they assess). They are a model for good pre-screening and “what to expect” processes to reduce bad outcomes.
I hope these tips help you have a better day if you are scheduled for a #CMMC assessment with Kieri or another C3PAO.