Assess
Assessment against NIST SP 800-171 requirements is the first step to achieving CMMC and DFARS compliance — a rigorous, highly detailed process that identifies gaps in your systems and outlines specific plans to address them.
Types of assessments
The term “assessment” refers to a number of distinct activities tied to NIST SP 800-171’s 110 security requirements and associated assessment objectives (as defined in NIST SP 800-171A), occurring at different stages of the CMMC compliance process:
Initial Self-Assessment or Gap Assessment
Performed by the organization’s in-house personnel or with support from a registered provider organization (RPO). This is typically the first step in the compliance process, resulting in a detailed System Security Plan (SSP) and Plans of Action and Milestones (POAMs) for each compliance gap.
C3PAO Mock (Readiness) Assessment
Performed by a Certified Third Party Assessment Organization (C3PAO). This assessment simulates an actual certification audit, with controls marked met/not met. When conducted by a C3PAO in an assessment capacity, no remediation guidance is provided; it is used to identify problem areas prior to the official certification assessment.
C3PAO Certification Assessment
Official assessment against NIST 800-171 controls, performed by a C3PAO. All controls must be met in order to be certified CMMC compliant. The C3PAO determines only whether each requirement is met or not met and does not provide consulting or remediation guidance.
Ongoing Self-Assessment
Certification is not an endpoint. CMMC requires reassessment every three years for applicable certifications, and organizations must perform annual self-assessments and affirm compliance in the interim. This requires an ongoing cycle of internal assessment, remediation, and documentation across the organization’s information systems.
Self-assessment basics
NIST 800-171 Rev. 2 mandates that all DOD contractors and their suppliers periodically assess and document the security controls in organizational systems to prove the controls are effective and identify gaps and vulnerabilities. NIST 800-171 comprises 110 security requirements and 320 NIST 800-171 assessment objectives, organized into 14 control domains.
What is a good assessment? A quality self-assessment examines your systems, processes, and procedures against each of NIST’s 110 controls and documents findings, detailing the areas where you believe you’re compliant and those where you are not.
CMMC 2.0 requires self-assessment as the first step in the compliance process without providing guidance as to exactly how to do it. Most organizations lack the NIST-specific knowledge, staff bandwidth, or time to self-assess, and elect instead to enlist outside help.
Self-assessment outcomes
The first mandated outcome of a self-assessment is documentation of results, including Plans of Action and Milestones (POAMs), which identify any deficiencies in meeting NIST SP 800-171 requirements and detail how and when your organization plans to address them. Your assessment should identify all unmet requirements and document a POAM for each, where permitted.
Another required assessment outcome is a System Security Plan (SSP), which describes system boundaries, environments of operation, how security requirements are implemented, and the connections to other systems. The SSP should be based on and supported by evidence such as system configurations, records, and other relevant documentation.
Once the assessment is complete, the results are submitted to the DOD’s Supplier Performance Risk System, an online system for recording assessment scores and supplier compliance data, in accordance with DOD requirements.
Choosing an outside assessment services provider
There is a growing number of providers in the marketplace offering assessment services for CMMC 2.0 compliance. Choosing the right one can be the difference between full compliance and discovering that you have spent a lot of time and money only to fall short of what’s required.
During the selection process, look for a provider that offers not only a gap assessment but also end-to-end managed services capabilities: guidance through implementation and remediation to close all gaps, support during the CMMC-mandated C3PAO audit, and assistance with the security, IT, and regulatory functions necessary to maintain compliance over time.
The assessment validates progress, but real success comes from strong security and sustained NIST 800-171 compliance. Ideally, you’ll want to work with a provider for whom CMMC compliance is its sole focus, not a side business, with a long track record of success helping businesses like yours successfully pass the C3PAO assessment and receive CMMC certification.
Consider CyberSheath
CyberSheath is an established leader in CMMC compliance whose AIM (Assess/Implement/Manage) process focuses solely on getting its clients to the certification finish line — and helping them maintain continuous compliance — efficiently and cost effectively, with a minimum of pain. We are certified experts in all aspects of DOD cybersecurity regulations, with thousands of NIST-based assessments and implementations completed since 2008.
FAQs
What is an initial assessment for CMMC compliance?
The CMMC compliance process begins with a self-assessment or gap assessment to review, evaluate, and document an organization’s policies, processes, and controls against the 110 requirements and 320 assessment objectives outlined in NIST SP 800-171 Rev. 2. A key end product of the initial assessment is a Plan of Action and Milestones, or POAM, which outlines a specific plan and timing for addressing each compliance gap.
Who performs the initial assessment?
The initial assessment can be performed either by an organization using internal resources or by an outside RPO (registered provider organization). Typically, companies lack confidence in their knowledge of NIST standards or the staff bandwidth to complete a CMMC assessment, and decide to seek outside help.
NOTE: Self-assessment and gap assessment services should not be confused with C3PAO assessments, which are conducted by an independent third party to certify CMMC compliance after implementation. In certification assessments, examiners make only met/not met determinations for each requirement and are not allowed to provide mitigation advice.
Every solution begins with a conversation.
Contact our experts today for a no-obligation discussion of CMMC 2.0 compliance, what's required, what you may need, and what we can do to provide it. We've helped hundreds of DOD contractors. We can help you.