The Cybersecurity Maturity Model Certification (CMMC) isn’t just a catchy term thrown around by defense contractors anymore—it’s a mandate that will affect which companies can and can’t continue doing business with the Department of Defense (DoD).
If your business handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), the requirement is not optional: FCI maps to CMMC Level 1, and CUI to Level 2 or Level 3, with third-party assessment required at the higher levels.
But what actually occurs in a CMMC audit? What happens when assessors come knocking to evaluate your cybersecurity?
The more you delve into the process, the better you will be able to ensure a smooth and successful audit experience.
Here are a few things you will likely experience during your CMMC certification audit.
1. Pre-Audit Preparation
The better prepared you are before the audit, the less time and stress you’ll deal with once it begins.
Preparation is the most important phase of the entire certification process. Before an official assessment, an organization should run a self-assessment against the requirements of its target level to confirm that every practice is actually in place, not just planned.
For many companies this means engaging consultants or a Registered Provider Organization (RPO) to make sure they understand the NIST SP 800-171 controls that underpin CMMC Level 2 and how assessors will score them.
Businesses typically conduct gap analyses at this time. This means reviewing their current security practices and comparing them to CMMC’s requirements to find any holes.
They also need a System Security Plan (SSP) that describes how each requirement is implemented, and a Plan of Action and Milestones (POA&M) that tracks any deficiencies and when they will be closed. Note that a POA&M does not excuse unmet requirements at assessment time: under the CMMC program only a limited set of lower-weighted requirements may remain open, and they must be closed within 180 days for a conditional certification to become final.
These documents do more than align your team; the SSP is the first artifact an assessor asks for, and the assessment is largely a check of whether reality matches what it says.
2. Audit Kickoff
The audit starts with a kick-off meeting between the CMMC Third-Party Assessment Organization (C3PAO) and the Organization Seeking Certification (OSC).
This first meeting sets the tone of the review and gets both sides onto the same page about the scope and timing of the assessment. Assessors will confirm the CMMC level the company is seeking, review the SSP and supporting documentation, and explain how evidence will be gathered and who needs to be available.
The kickoff is also the time to settle any questions about the assessment scope: the systems, networks, people, and environments that process, store, or transmit CUI, plus the security-protection assets (such as domain controllers, SIEM, or backup systems) that secure them. This boundary is a critical demarcation line and must be clearly documented, diagrammed, and defended consistently throughout the audit.
Ambiguity about scope at this stage causes expensive problems later, such as in-scope assets that were never hardened or evidence that does not cover the whole boundary, so be open and precise from the start.
3. Evidence Collection
Once the audit is under way, the assessors collect evidence to determine whether the organization meets every required practice for the chosen CMMC level. Evidence is not just documents; it includes interviews with staff, screenshots, system and device configurations, and observation of actual operational behavior.
Following the NIST SP 800-171A assessment methods, assessors examine artifacts, interview personnel, and test mechanisms to confirm that what the organization has implemented matches what the level requires. That can mean reviewing audit logs, firewall rule sets, access-control lists, MFA settings, or backup and restore records. They want to see that practices are not merely documented but carried out in everyday operations, and that the evidence covers the full assessment scope rather than a single sample system.
Staff interviews verify that the people who perform a control understand the policy behind it and can show how it is carried out in practice.
4. Assessor Interaction
How you interact with the assessors matters. They are trained to evaluate security, but they depend on you to explain your environment and point them to the right evidence. Be cooperative, honest, and candid.
Organizations should nominate a single point of contact, usually a compliance officer or IT manager, who can guide assessors through systems and records and route questions to the right people. When asked a question, staff must answer truthfully and must not guess.
If a team member does not know an answer, it is far better to say so and bring in the person who does than to offer a plausible-sounding answer that turns out to be wrong; an inaccurate answer can undermine otherwise solid evidence.
5. Findings and Remediation
After reviewing the evidence, the assessors prepare their report, which records each requirement as met or not met. If the company satisfies all of the criteria for the target CMMC level, it is recommended for certification.
If deficiencies are identified, the organization receives a list of findings and, in some circumstances, additional time to correct them.
There is no general "re-do" of the audit, but minor deficiencies identified during the assessment may be corrected within a short, defined window (a limited deficiency correction period) and re-verified by the assessors. Larger gaps, or too many open items, will require a new assessment.
Whatever the report says, it is valuable: it gives you a road map for improving your information security and shows the business exactly where it needs to invest.
6. Final Certification Decision
Once the assessment and any permitted remediation are complete, the C3PAO finalizes its report, submits the results to the DoD, and issues the certification; the Cyber AB (formerly the CMMC Accreditation Body, or CMMC-AB) oversees and accredits the C3PAOs themselves. The final decision can take a few weeks, depending on the complexity of the assessment and the current queue.
If certification is granted, the company receives an official certificate stating its CMMC level and the assessment scope it covers. The certification is valid for three years, but the organization is expected to maintain compliance throughout, and a senior official must affirm continued compliance annually.
Wrapping Up
Getting ready for and completing a CMMC certification audit is a big job, but it will make your company more cybersecure and competitive in the long run.
Understanding what to expect throughout that process, from pre-audit preparation to the final certification decision, makes what can feel like a daunting ordeal far more manageable.
With thoughtful preparation, open communication, and a good understanding of requirements, you’ll be well on your way to being and staying compliant.
Bear in mind that the audit is more than a test; it’s a statement about your organization’s dedication to safeguarding sensitive government data so that you can continue to bid and win work as a defense contractor.