How to Conduct a CMMC Assessment

By Daniel Morse • June 29, 2021

An important step toward achieving CMMC compliance at any level is to know what your starting point is. By accurately assessing your current state, you can figure out exactly what steps need to be taken to become compliant.


Before getting started, determine which level of CMMC compliance you need to attain.

  • Level 1: Compliance with this level demonstrates the basic cyber hygiene required for contractors receiving federal contract information (FCI). It covers 17 controls across six domains, including:
    • Access Control
    • Identification and Authentication
    • Media Protection
    • Physical Protection
    • System and Communications
    • System and Information Integrity
  • Level 3: This level is required for companies that handle controlled unclassified information (CUI). Compliance requires that an organization establish, maintain, and resource a plan demonstrating how the activities for practice implementation are managed. The plan may include information on missions, goals, project plans, resourcing, and required training. It covers 130 controls across 17 domains, including:
    • Access Control
    • Asset Management
    • Awareness and Training
    • Audit and Accountability
    • Security Assessment
    • Configuration Management
    • Identification and Authentication
    • Incident Response
    • Maintenance
    • Media Protection
    • Physical Protection
    • Personnel Security
    • Recovery
    • Risk Management
    • Situational Awareness
    • System and Communications
    • System and Information Integrity


Assessment Process

In order to be successful, it’s important that everyone involved buys into the need for the assessment and is engaged in the process. We recommend the following approach.

Kickoff

Begin with an assessment kickoff, where you:

  • Provide an overview of the CMMC framework for the team members who may be included in the assessment process.
  • Outline the in-scope environment to guide the assessment team in formulating questions they should be asking about how you are controlling your data.
  • Identify points of contact across departments, including IT, your information security representative, and HR.
  • Discuss the information that will need to be shared as part of the process, including which artifacts are going to be required, and how they are going to be shared with the assessment team.
  • Craft a schedule and start planning your assessment interviews based on availability.

Interviews

The assessment team then interviews key personnel, asking informed questions to confirm whether you have the processes in place to meet the requirements of each control. If your organization's point of contact attests that a specific control has been met, the assessment team should record the attestation and note the relevant artifacts that must be collected to validate it.

Examples of controls and related artifacts include:

  • Control: Complex password enforcement
    • Artifact: Group policy setting screenshot demonstrating that password complexity is configured
  • Control: Training content
    • Artifact: An internally developed presentation, or a screenshot from a training platform such as KnowBe4 or InfoSec

Analysis

After interviews and follow-ups conclude, the assessment team analyzes the notes and compiles the initial scoring. Submitted artifacts are examined to verify implementation. If an artifact was not submitted, or the artifact shows the control is improperly configured, the control is scored as a failure. Keep in mind that to be considered compliant, your company must have each control fully implemented; a partially implemented control does not count.

Report

Once the assessment team has analyzed the data and scored the controls, the report is drafted. The draft report should include the following elements:

  • Executive summary with an overall compliance breakdown for CMMC L1 or CMMC L3
  • DFARS Interim Scoring Rule with the score to be submitted into the Supplier Performance Risk System (SPRS)
  • Key observations and recommendations, including areas discovered where your company has its biggest compliance gaps
  • Detailed analysis of each practice, including observations on how your organization is meeting or not meeting the requirement. If a practice is not being met, a recommended action item is noted in the recommendations section for that practice

Once the draft report is complete, it should be released to your company’s leadership team and any wider audience within your organization with ample time to review and provide feedback before the final report is submitted.

Out-briefing

The assessment team should then schedule one final meeting to present and discuss the assessment results, key compliance findings, and the path forward for how your company can meet these requirements. This is also a good opportunity to field questions individuals may have about the compliance findings and recommendations.

Timeline

CyberSheath finds the following six-week schedule to be most successful when performing a CMMC compliance assessment.


Week 1
  • Hold kickoff meeting
  • Confirm scope and objectives
  • Identify points of contact
  • Start collecting and reviewing artifacts

Weeks 2 and 3
  • Conduct the security framework review
  • Schedule interviews and follow-ups
  • Analyze the data
  • Collect remaining artifacts

Weeks 4 and 5
  • Write and issue draft report
  • Share with leadership and your greater audience to review the findings and provide feedback
  • Start writing your draft system security plan (SSP)

Week 6
  • Issue your final draft report
  • Hold out-briefing to review high-level findings
  • Get sign-off from leadership
  • Start talking about your path forward to remediate compliance gaps
  • Document and finalize your SSP

If you need any assistance with your assessment to determine your CMMC readiness, contact the experts at CyberSheath. We have extensive experience helping organizations identify compliance gaps and craft remediation plans that address them.