CMMC Assessment Guidelines: What to Expect When It’s Time for Your Audit
Whether you’re self-assessing or preparing for a third-party audit, you’ll need to define the scope of the assessment.
Limiting where Controlled Unclassified Information (CUI) is stored, how it’s transmitted, and who handles it will give you less territory to cover, and if you need a third-party audit, you’ll save on assessment costs.
For a self-assessment, you’ll submit a spreadsheet that documents two security controls that you’re utilizing to meet the requirement. The controls you choose will depend upon your specific IT environment and your business processes.
As CMMC 2.0 is rolled out, contractors may submit a Plan of Action and Milestones (POAM) as a demonstration that the company is moving towards full compliance. What’s important is that the company can show that progress in cybersecurity maturity is being made.
CMMC Third-Party Assessment
During a third-party assessment, the Assessor will be looking at specific Assessment Objectives, each of which has a set of determination statements. Determination statements are the parameters that describe the expected performance or function of the objective. In other words, they tell the Assessor what to look for when judging how effective the control is.
Each Assessment Objective also has assessment objects. These are the evidence you prepared beforehand. They can include documentation, mechanisms deployed through hardware and software, activities, and behaviors.
The methods that the Assessor uses to verify each assessment object will require access to your systems, people, documentation, and facility. Methods will include a combination of:
- Examining – Looking to see if an assessment object is in place.
- Interviewing – Talking to people about the behaviors they use when handling CUI.
- Testing – Triggering or demonstrating a control to see how it responds.