CMMC Assessment Guidelines: What to Expect When It’s Time for Your Audit
The first thing a CMMC Assessor will need to know is the scope of the assessment. If part of your Remediation Plan was to limit where Controlled Unclassified Information (CUI) is stored, how it is transmitted, and who handles it, then your Assessor will have less territory to cover, and you will save on assessment costs.
As they work through your assessment, the Assessor will look at specific Assessment Objectives, each of which has a set of determination statements. Determination statements are the parameters that describe the expected performance or function of the objective. In other words, they tell the Assessor what to look for in order to judge how effective the control is.
Each Assessment Objective has assessment objects. These are the pieces of evidence you prepared beforehand. They can include documentation, mechanisms implemented in hardware and software, activities, and behaviors.
The methods the Assessor uses to verify each assessment object will require access to your systems, people, documentation, and facility. The methods will be a combination of:
- Examining – Looking to see whether an assessment object is in place.
- Interviewing – Talking to people about the behaviors they follow when handling CUI.
- Testing – Triggering or demonstrating a control to see how it responds.