Author: Tara Lemieux, CMMC Consultant, PA/PI/CCP/CCA/ISO Lead Auditor
The Cybersecurity Maturity Model Certification (CMMC) assessment process can feel overwhelming, particularly for organizations going through it for the first time. Ensuring that…
- your organization’s security controls are implemented correctly and operating as intended
- these security controls and supporting assets are clearly aligned to each of the assessment objectives
- this proficiency is clearly demonstrated at all levels of your organization
…is no small task, especially once human nature makes its presence felt. For some reason, the interview process seems to generate most of this angst. As assessors, we have witnessed the full gamut of this emotional distress, from anger to outrage and including full-on panic attacks.
This guide is intended to help organizations navigate the interview process effectively while, we hope, easing the entirely normal emotions that come with it.
When being interviewed by your CMMC Assessor, remember that it is vital for you to be prepared, knowledgeable, and honest. And above all, remember that we are here to empower your success.
Here are some recommendations for a team member facing a CMMC interview:
1. Be Prepared.
We are not here to test your rote memorization of an external standard. Rather, we are here to understand how your organization operates and whether the currently implemented security controls are effective. To that end, make sure you understand your role, your responsibilities, and the specific requirements that your organization is aiming to meet.
2. Stay Calm.
Yes, it’s okay if you’re nervous, and we understand. Just know that we want you to be as comfortable as possible; if you have any specific needs, let us know before the interview begins. The assessor is there to gather information, not to catch you out. If you don’t know the answer, it’s okay to say so.
3. Honesty is Key.
Always provide truthful information. If there’s an area where the organization falls short, it’s better to acknowledge it than to try and hide it. Remember, our goal is to ensure the protection of sensitive information and data.
4. Avoid Speculation.
If you’re unsure about a specific detail, don’t guess. It’s alright to admit that you’re not sure; just let the assessment team know that you don’t have that information now and that you will be happy to provide it once you have confirmed it.
5. Use Specific Examples.
When describing how your organization meets a particular requirement, give concrete examples of practices, incidents, or procedures. Some interviewees are hesitant to share information about incidents, fearing that it may hurt their certification. Remember that how well your organization responds in these circumstances can provide positive and invaluable insight.
6. Focus on the Question.
Avoid veering into unrelated topics. Stick to your area of expertise and answer the assessor’s questions directly and concisely.
7. Know Your Policies and Procedures.
Make sure you’re familiar with your organization’s policies, practices, and procedures. Knowing where to find information or evidence can be beneficial during the interview.
8. Practice Makes Perfect.
Consider doing a mock interview with a colleague. This will help you anticipate likely questions and rehearse your responses.
9. Clarify Ambiguities.
If you’re unsure about a question or its context, ask the assessor for clarification. It’s better to ask and answer correctly than to make assumptions.
10. Stay Positive.
The assessment is an opportunity to improve the organization’s cybersecurity posture. Emphasize the steps your organization has taken and is planning to take to enhance its cybersecurity.
Remember that the CMMC assessment process is designed to help organizations identify areas for improvement and work towards better security, not to penalize them. We are all in this together: one team, one fight. By being prepared and forthright during the interview, you will be contributing to a more accurate and more useful assessment.
Is your team prepared for an assessment interview?