
So You Think You Are Ready for Your CMMC Assessment

At some point in the “relatively near future”, if you are a DoD contractor, subcontractor, vendor, managed service provider or one of a host of other folks, you will be staring a CMMC certification in the face. Here are some thoughts from a provisional assessor on what it will take to get the job done.

  • Not applicable – some things are going to be legitimately not applicable but who approved those as NA? Maybe it is the DoD’s Office of the CIO (worst case), your contracting officer or maybe an executive in the company. In any case, you need to make sure that you have all of your evidence lined up to make your case.
  • Is your System Security Plan comprehensive? You can’t just say “we have turned on password-protected screen savers”. You should say how, maybe what GPO you used and, for sure, include a screenshot. All well organized.
  • Speaking of well organized, you need to be able to quickly lay your hands on whatever evidence you have. You don’t want to be searching for it when the assessor is billing you $500 an hour.
  • Data flow – how does CUI get into your system and how does it get out? By the way, the fewer of each of those, the easier your life will be, since everything has to be documented and each of those in and out paths represents one or more vulnerabilities.
  • Asset inventory – no, this is not like the classified world; you do not need to serial number every copy of every document, but you better know exactly where each category of CUI is stored and what categories you have and who is authorized to access it and, and, and.
  • Do you have a Plan of Action and Milestones? Maybe not, because everything is perfect. Not likely in the real world, but possible. Assuming you do have one, is it current, with dates and people assigned, and sufficiently detailed?
  • Don’t try to stump the professor. This is not an ego trip between you and the assessor. If it turns into that, you will lose. Don’t get too creative with the rules and no matter what, document everything.
  • Make sure your administrative stuff is in order. Which contracts have CUI? How many CAGE codes do you have? What systems are in and out of scope? If you allow work from home, each house is likely an alternate work location.
  • There are a number of “sort of out of scope” categories of assets, like risk managed assets. That doesn’t mean you can ignore them. It means you have to manage the risk.
  • Make sure the advice you get is good. While everyone is working on understanding the rules, don’t ask your Uncle Mike. Also don’t trust everything you read. Ask lots and lots of questions and keep asking until the answers converge. Sort of like weather models. Sometimes they give wildly different answers, but eventually, hopefully, they converge.
  • There are a number of categories of assets that may be out of scope like some development systems and test systems. Read the documentation and if you can exclude them, it will make your life easier. Just don’t bend the rules too much.

Hopefully this is helpful. If it gives you more questions, that is good. Contact us. We can help you get answers to those questions.

Also, go back to the top of the post. If you think these rules don’t apply to you, maybe you are right. But if you are wrong, it won’t be pretty when you discover that. For most companies it will take a year of concerted effort to get ready to be assessed. Maybe more.

We are here to help, so reach out to us.


One Reply to “So You Think You Are Ready for Your CMMC Assessment”

  1. Ray Hutchins says:

    Excellent post. Hope some peeps read it.
