Ready or Not: How to Prepare for The CMMC Readiness Assessment

A CMMC Readiness Assessment is a review of objective evidence (OE). It looks for the adoption of practices and processes in relation to the desired Maturity Level. They’re also sometimes referred to as Pre-Assessment Readiness Review.

These reviews help organizations seeking certification (OSCs) prepare for their certification. Specifically, they streamline the entire assessment process.

A readiness assessment is the last step an OSC would take prior to scheduling the real thing.

Thus, it’s the last opportunity to catch documenting or performing issues.

Since it’s such a critical last step, choosing the right consultant prior to an assessment is important. To reemphasize, this is the last real opportunity to make changes to your cybersecurity program. If you don’t find and fix all of your gaps during this stage, it’s going to have a negative impact on the outcome of your certification.

Who can perform a CMMC Readiness Assessment?

Anyone can perform a readiness assessment but the quality will likely vary based on the experience of the assessor.

If I were to rank assessors, starting with the most qualified, it would look something like this…

1. Certified Instructor
2. Certified Assessor
3. Provisional Assessor
4. Certified Professional

This is a good place to mention that you’ll find consultants who offer identical services within the CMMC ecosystem. You’re more than welcome to seek their business.

However, it’s important to note that they haven’t gone through the same training and certification process. Thus, their ability to validate evidence sufficiency won’t be as profound as a certified professional.

Furthermore, Registered Practitioners (RPs) have had some training and passed an exam prior to their listing in the marketplace. But, their training didn’t focus on evidence sufficiency or scoping.

I’m not trying to speak ill toward RPs. There are probably a few out there that have an adequate knowledge bank to provide you with a thorough readiness assessment. But, I’ll caution you to not overvalue a badge issued by the CMMC-AB. It doesn’t carry much weight in terms of demonstrated expertise.

Some OSCs may choose to conduct an internal readiness assessment. I've been through RP training. Based on that experience, I don’t think there’s any value for an OSC to complete this training. Especially if its goal was to better perform an internal readiness review.

There will be training available as soon as October 2021 for OSCs. It's goal is to provide OSCs with the ability to register for Certified Professional training.

This training should be much more valuable as it covers topics such as validating evidence sufficiency and scoping. There are helpful resources available. These may address more granular questions regarding evidence sufficiency and scoping...

• CMMC Model and Assessment Guides
• NIST Special Publication 800-171

CMMC Objective Evidence and Readiness Assessments

There are three potential forms of OE for each practice.

During a readiness review, a best practice is to prepare to show all three types. You won’t have the choice of which of two forms the certified assessor will choose to evaluate.

Those three forms of objective evidence include…

• Examine: documentation supporting practice sufficiency
• Interview: questions asked of relevant stakeholders or practice owners
• Test: how inputs affect outcomes and the procedures that guide them

The exercise preparing for CMMC consists of the following…

1. For a given practice, identify the information systems within scope. And document evidence demonstrating practice sufficiency.
2. At Maturity Level 1, you’ll need to be able to describe the procedures in place but not necessarily have them documented.
3. Beginning at Maturity Level 2, you’ll need to start documenting the practices and policies.
4. At Maturity Level 3, you’ll need to write and resource a business plan to manage the activities of practice implementation.

Examine

As you begin to work through the practices, you’ll either be adding to the Plan of Action & Milestones (POA&M) or the System Security Plan (SSP).

Any practice that’s not sufficiently adopted goes into the POA&M along with details including…

• What needs to occur to bring the practice into compliance
• Who’s responsible for completing these activities
• A target completion date

The SSP contains the implementation details for all adopted practices and the relevant details around…

• Roles
• Responsibilities
• Tools
• Procedures

Luckily, NIST has provided samples of these documents:

• Plan of Action & Milestones Template
• System Security Plan Template

Organizations may try using manual software to store evidence and requirement progress. This approach may prove to be cumbersome. Of course, I’m referring to the relationship between OE and information systems within scope. As the former increases, so does the latter.

Cataloging evidence should include relevant…

• Practice(s)
• Assessment objective(s)
• Information system(s)

Incorporating this evidence into either a POA&M or SSP can also be labor-intensive. It may also require updating multiple documents if no central repository or automation exists.

To remove the clutter of many documents, you should consider centralized project management tools. Specifically, they should seek out ones that have the ability to produce updated SSP and POA&M templates.

Policy writing is another requirement within the CMMC maturity level three. Policies and assessment objectives often state the same requirements and procedures.

A tool that weaves together a policy statement, procedure, and process eliminates redundant work.

Scheduled updates to policies or planned actions can overwhelm a poorly designed project management portal when assigning a large number of action items to multiple stakeholders.

Having a central mechanism to track open items or show a history of completed actions can improve management’s ability to check the status of preparedness.

Auditing the sufficiency of OE is an important part of preparing for an assessment. Some organizations may have a chief information officer (CIO) or information systems security officer (ISSO) that can perform the audit of objective evidence.

Smaller organizations may choose to outsource this final pre-assessment readiness audit. Regardless of who’s conducting the audit, having the ability for a higher authority to easily view and mark evidence as sufficient would expedite the review process.

Interview & Test

As I mentioned earlier there are three potential forms of OE. Now that we've covered much of the documentation form, let's briefly discuss the other two forms.

For a more thorough readiness review, consider holding mock interviews with practice stakeholders.

Owners of these controls should be able to accurately describe the practice procedures and discuss any tools used. Mock tests of inputs may also ensure the procedures for the practice are well documented.

Having a tool that can catalog these three forms of OE helps identify if there are any gaps or shortcomings that require remediation. The readiness review is the last time an organization can make changes to its cybersecurity program.

This holds true whether internal resources or independent consultants completed the readiness review.

There’s a potential scenario in which an OSC contracts a C3PAO to conduct a readiness review prior to their certification assessment.

In this example, it’s important to note that the OSC cannot take any advice or consultation from the C3PAO if they’re choosing to use that assessment organization for their certification.

The CMMC-AB has clearly delineated the responsibilities of consultants so that the assessor organization cannot provide any consulting services to OSCs through them.

Once the internal resource or consultant completes a review of the evidence provided by the OSC, a gap analysis may identify any areas that fell short of meeting requirements.

In that case, it’s important for the OSC to create a POA&M to identify changes to their existing program that will bring them into compliance.

The POA&M in this example shows that the changes aren't new policies. Instead, it amends to existing policies or procedures to future certified assessors. Assessors look at how long these processes have been in place. As such, it’s important to have a history of any changes made to them that would demonstrate the maturity of the practice.

A successful readiness review’s only purpose isn’t to provide peace of mind to the executives of the OSC. It also serves as a way to reduce the cost of the certification assessment.

A report that links OE to requirements streamlines the assessment process for assessors. Thus, directly lowering the total price.

Objective evidence should reside in a secure repository that’s accessible to the certified third-party assessor organization. The OSC should also be able to prove the creation, modification, or deletion dates for any relevant objective evidence.

Conclusion

The K2 Compliance solution is a helpful tool for organizations on a pre-assessment readiness review. K2 meets the following requirements...

• Pairing objective evidence with scoped information systems and assessment objectives.
• Support three forms of evidence for each assessment objective & information system pair.

• Grade a practice or assessment objective as complete in progress or not complete.
• Export all relevant practices, procedures, policies into POA&M & SSP templates.
• Link policy objectives with practice objectives and procedures.
• Schedule documentation updates and assign stakeholder responsibilities.
• Auditing of objective evidence to determine sufficiency.

To learn more about how K2 might benefit your organization as you prepare for CMMC click here.