As a defense contractor pursuing cybersecurity compliance, there’s no better place to start than with an assessment. It’s important to know your real posture against CMMC 2.0 requirements as it provides a clear list of actionable items that will structure your path to compliance. But what is an assessment, why is it necessary, and how do you get started? We’ll answer those questions and more in this blog.
Why Defense Contractors Need to Assess Their Cybersecurity Environment
First of all, DFARS 252.204-7012 requires implementation of NIST SP 800-171, and the CMMC Final Rule establishes third-party validation requirements for applicable future contracts. Assessing is your starting point for understanding the gap between what’s required and what you’re actually doing. NIST 800-171 requirement 3.12.1 states that you need to assess your controls, and DFARS 252.204-7019 requires contractors to generate a NIST SP 800-171 DOD Assessment Methodology score and submit it to the Supplier Performance Risk System (SPRS).
Beyond what is required, assessments make sense. If you don’t assess, you’re flying blind. Skipping an initial assessment often leads organizations to invest in major cybersecurity components that don’t fully align with the framework — resulting in overspending and under-compliance.
Understanding CMMC’s Focus on Controlled Unclassified Information (CUI)
CMMC is data-centric, focusing on protecting sensitive unclassified DOD data rather than just networks. NIST 800-171 can be organizationally-focused, systems-focused, or enclave-focused, but the requirements all revolve around the controlled unclassified information (CUI) dataset.
CUI, which in DOD contracts is designated as Covered Defense Information (CDI), is information the government designates as sensitive but not classified. You need to understand where this data exists; the platforms, systems, and components that it touches; and the components that are protecting it. This can be a challenge, however, as CUI is often unmarked or inconsistently marked, is not always obvious to the contractor, and might be CUI in the hands of the DOD but not in yours (for example, your own proprietary information).
Be sure to understand where you align against the NIST 800-171 framework and where CUI is located so that you know where to apply the controls. The people who touch the data are critically important to scoping and informing the entire assessment, even though about 60% of the controls are IT in nature.
Aligning Your Organization with NIST SP 800-171
You need a starting point grounded in a standard. As a member of the defense industrial base (DIB), there is a mandated framework and it’s for protection of a particular dataset, CUI. NIST 800-171 is a set of practices, and you have the regulatory obligation to protect CUI in accordance with these requirements.
In an assessment, we evaluate everything from IT-related controls and security information to physical security, personnel-related controls, and more. Understanding the big picture allows you to define your path forward based on deficiencies, identify corrective actions to resolve those deficiencies, and end up in an operationally compliant state.
Assessing first identifies those technical, procedural, and operational gaps in accordance with an entire structure. That structure gives an understanding of your compliance risk against that framework, and this helps avoid building controls that don’t match real world operations and the state of compliance that you desire.
Effective Assessments aren’t Checklists
Doing a diligent, high-quality assessment leads to better results, better preparation for compliance, and ultimately certification. Real assessments are structured investigations, not just policy reviews or implementation checks. Each requirement should be governed by policy and implemented defensively. Poor assessment methodology results in false confidence and failed audits.
You are not just looking for checkboxes; you are following the data, understanding operational realities, and verifying implementation. This necessitates that you understand what the people who touch CUI do with it, including the platforms they interface with, because that ties to where you’re going to be applying these controls from a corrective action standpoint.
Assess Using the NIST 800-171A Guide—it’s what Auditors Use
NIST 800-171A is the assessment guide associated with NIST 800-171. This guide lists the questions that the auditors or C3PAO certifying assessors will ask when they perform their assessment of your organization. Each requirement has multiple Assessment Objectives (AOs). You need to narrate around the assessment objectives and understand how you’re meeting them to plan for a successful audit.
Assessment scoring is strict and unforgiving. The assessment methodology assigns weighted scores of 1, 3, or 5 points with no partial credit—meaning one failed AO results in a full deduction. For example, if password complexity is enforced technically but not defined in documented policy or procedures, the practice can be scored as not met. Only two practices are partially scorable: 3.5.3 (MFA) and 3.13.11 (FIPS).
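To make the scoring rule above concrete, here is a small score calculator added for this post (it is not CyberSheath’s or the DOD’s code). It assumes a score that starts at 110 and subtracts each failed practice’s weight; the weight table and the 3-point partial-credit deductions for 3.5.3 and 3.13.11 are constructed sample values, so take the authoritative numbers from the DOD Assessment Methodology itself.

```python
# Added example: a minimal SPRS-style score calculator applying the rules
# described in the post. WEIGHTS and PARTIAL_CREDIT are constructed sample
# values, not the authoritative DoD Assessment Methodology table.
from dataclasses import dataclass, field

MAX_SCORE = 110  # assumed starting score before deductions

# Constructed weight table for a handful of requirements (1, 3 or 5 points).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.5.3": 5,    # multifactor authentication
    "3.5.7": 1,    # password complexity
    "3.12.1": 3,   # periodically assess controls
    "3.13.11": 5,  # FIPS-validated cryptography
}

# The only two practices the post says are partially scorable. The 3-point
# partial deduction is an assumption for this example.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Finding:
    req: str
    ao_results: list = field(default_factory=list)  # True = AO met
    partial: bool = False  # only honoured for PARTIAL_CREDIT requirements


def practice_status(f: Finding) -> str:
    """A single failed assessment objective fails the whole practice."""
    if f.ao_results and all(f.ao_results):
        return "met"
    if f.req in PARTIAL_CREDIT and f.partial:
        return "partial"
    return "not met"


def deduction(f: Finding) -> int:
    """Points removed for one practice: 0, the partial value, or full weight."""
    status = practice_status(f)
    if status == "met":
        return 0
    if status == "partial":
        return PARTIAL_CREDIT[f.req]
    return WEIGHTS[f.req]


def sprs_score(findings: list) -> int:
    """Start at MAX_SCORE and subtract the deduction for every practice."""
    return MAX_SCORE - sum(deduction(f) for f in findings)
```

The password-complexity case from the text (enforced technically, missing from policy) is a practice with one failed AO, so it loses its full weight even though the technical AO passed.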
Plans of Action and Milestones (POAMs) don’t rescue failing controls — they only buy limited time under CMMC — so know the rules before you start building. Align with the framework, understand your environment from a scoping standpoint, including CUI flow and in-scope platforms, then build controls around what actually matters to the CUI data set.
Bottom line: if CUI is in your environment, or if you plan to pursue DOD opportunities where it may appear, start with an assessment. CMMC is the price of admission to the DOD supply chain, and assessing first gives you certainty about scope, requirements, and what it will take to qualify.
In our next blog in this series as well as in an upcoming webinar, we will discuss how to scope your environment, including your assets, as a part of the process of charting your path to CMMC compliance. In the meantime, if you have any questions about how to get started on your assessment, contact the experts at CyberSheath. We’re here to help.
