Introduction

With CMMC fully enacted and Phase 1 enforceable, there is a flood of organizations seeking certification (OSCs) that delayed pursuing Level 2 certification, or are even still in the implementation process, and are now looking to schedule assessments. At Redspin, we are seeing many companies feeling a sense of urgency and coming to the assessment table unprepared for what the process actually requires and validates.

In our experience, a large portion of Defense Industrial Base (DIB) companies are in the dark about what is actually involved in the CMMC assessment process. Many have not engaged a CMMC Registered Practitioner (RP), CMMC Third-Party Assessor Organization (C3PAO), or another CMMC-specialized consulting firm to help them understand the details.

While some OSCs believe they understand the NIST Cybersecurity Framework 2.0, that alone is not enough to pass CMMC. Level 2 assessments are conducted against NIST SP 800-171 Rev. 2 requirements (or possibly Rev. 3 in the near future) using the CMMC Level 2 Assessment Guide and the procedures outlined in the CMMC Assessment Process (CAP).


So, what do OSCs need to do to navigate the journey?


Time It Right

At the start of an assessment cycle, Redspin is required to advise an OSC if, upon reviewing the information provided in Phase 1, we do not believe they are ready for their assessment. This is the Readiness phase of the assessment under the official CAP.

Specifically, Step 1.10 in the current CAP, “Determine Readiness for Assessment”, requires the Lead Assessor (Lead CCA) to determine whether the engagement is feasible before proceeding to Phase 2. From that point, it is the OSC’s choice whether to proceed or reschedule.

Under the CAP, the outcome of this feasibility determination may be to proceed as planned, replan the assessment, reschedule the assessment, or cancel the engagement. Unfortunately, given the high demand for CMMC assessments, rescheduling can push a company many months back in the assessment queue.

To avoid that delay, some OSCs plow ahead. However, this often results in the OSC either false-starting (stopping the process midstream) or failing their assessment. This is costly and frustrating for everyone involved.

Importantly, if an assessment does not move forward past the feasibility determination, it is not recorded as an assessment failure, and the formal assessment does not proceed to Phase 2.

Personnel turnover, mergers, or operational delays can also impact assessment readiness. Proper planning and proactive measures can help organizations feel prepared and in control, reducing the risk of costly false starts or failures.

At Redspin, we strictly follow the CAP and are committed to providing OSCs with clear communication and as much lead time as possible within that framework. Our goal is to help organizations move through the required process efficiently and avoid unnecessary rework.

Consistent with the CAP and the CMMC Code of Professional Conduct (CoPC), a C3PAO cannot provide implementation advice or remediation guidance during the readiness or assessment process. The responsibility for preparedness rests with the OSC.

Tackle the Groundwork

So, how can an OSC be confident they are actually ready?

Many false starts happen in Phase 1 when OSCs must demonstrate they have the required documentation and prerequisites in place. This includes having no open Plan of Action and Milestones (POA&M) items, a finalized System Security Plan (SSP), and an uploaded self-assessment score in the Supplier Performance Risk System (SPRS).

At this stage, some organizations discover they are missing foundational elements. For example, OSCs may not realize they need:

  • A formal SSP, often signed by a senior decision maker
  • Documented policies and procedures for each of CMMC’s 14 domains
  • Objective evidence of meeting all 320 CMMC objectives

Ensuring these elements are complete and accessible helps organizations to confidently demonstrate compliance during Phase 2.

OSCs may also underestimate the role of a Managed Service Provider (MSP) in preparing for the process and fail to involve them in scoping discussions for the Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) environment that will be assessed. (Reference the CMMC Level 2 Assessment Guide, along with NIST SP 800-171A and Appendix E of NIST SP 800-171 Rev. 2, to fully understand the depth of documentation, testing, and objective evidence required.)

This is often an oversight; organizations frequently rely on external support providers, like Registered Provider Organizations (RPOs), MSPs, or External Service Providers (ESPs) to assist with implementation and ongoing operations.

If such providers are supporting systems within the assessment scope, they must be properly involved in scoping discussions and assessment preparation activities.

Any external provider supporting CMMC requirements must understand the level of rigor expected under the CMMC Level 2 Assessment Guide and related NIST guidance. Providers with experience supporting organizations through DIBCAC High assessments, for example, may already be familiar with the depth of evidence and documentation required.

Make It Real

Perhaps the most valuable step an OSC can take in preparing for certification is to conduct a mock assessment.

This process involves a C3PAO testing security controls in the same way it would during a real assessment, and informing the OSC whether they would pass or fail based on the evidence provided.

As a C3PAO, we cannot advise on how to resolve any failures during a mock assessment (if we are also your C3PAO for the formal assessment). However, completing a mock assessment helps you know exactly where to focus improvement efforts.

Mock assessments are very helpful for companies worried about their certification runway and potential impacts on the government contracts they currently hold or plan to pursue.

This underscores the value of scheduling an assessment nine to twelve months after an OSC believes they are ready. That leaves enough time to conduct the mock assessment, get the results, and still have 180 days to correct any issues before the contract award. In addition, a mock assessment typically requires less time and investment than a formal assessment and can help organizations identify gaps before entering the official process.

Prepare, Prepare, Prepare!

We understand that many DIB companies that delayed certification are now confronting the reality of CMMC, which can cause confusion and sometimes even fear.

The good news is that help is available.

Since the 2017 effective date of DFARS 252.204-7012 requiring DIB members to comply with NIST SP 800-171, a growing ecosystem of resources and service providers has emerged to support organizations through the process.

With careful planning, preparation, the right timing, and qualified partners to guide them, OSCs will achieve their certification, and our military will be more secure as a result.

CMMC certification is not a scheduling exercise; it is a structured, evidence-driven process governed by the CAP.

Preparation determines whether the assessment can even begin. When organizations understand the feasibility gate, the documentation expectations, and the independence requirements placed on C3PAOs, they significantly reduce the risk of a costly false start.


Book a meeting to tackle CMMC with Redspin: