Organizations seeking CMMC certification should not be hiring a consulting firm for a mock assessment (right now, that is).
Yep, you heard us right.
That may sound a little out-of-place coming from a consulting firm, but it’s the truth.
With the CMMC Certification Model (including sampling methodology, period of assessment, and remediation opportunities) and Scoping Guide (particularly the scope of the CUI) still unclear until after June 2021, it would be ineffective (and an unnecessary expense) to conduct a Mock Assessment at this time without fully knowing what to assess.
Even though Mock Assessments aren’t recommended at this time, Organizations Seeking Certification (OSCs) should still begin planning their certification 6-12 months prior to their desired CMMC certification date.
OSCs should take the following sequential steps when planning their certification:
1. Understand the CMMC requirements.
Do this by obtaining the current Model and Assessment guide here.
2. Identify your desired Maturity Level.
3. Identify your scope, enterprise, organization unit, and program enclave with a Scoping Project:
- Understand sources, content and quantity of FCI and CUI data held by your organization.
- Understand CUI flow from DoD, from your organization and down to any subcontractors.
- Understand the extent of information systems and their boundaries.
- Identify third parties with access to FCI and CUI.
- Review SSP and POA&Ms.
- Review network architecture and engineering principles.
- Review your list of business units and supporting departments that fall into the CMMC scope.
- Review the defined scope and assessment boundaries.
- Develop an Enclave Strategy to restrict CUI/FCI flow/storage within your organization’s (the OSC) environment.
4. Perform a Current State Assessment and find your gaps—with more efficiency/lower cost than a full Mock Assessment.
5. Lay out a remediation roadmap for your project plan(s) to execute the Plan Of Action & Milestones.
6. (Optional) Conduct a Pre-assessment/Mock Assessment with an RPO or C3PAO after the necessary information is available (anticipated June 2021).
Begin assessment work at the earliest date possible, contingent on the upcoming release of the CMMC guidance release regarding the updated CMMC Model and Scoping Guide.
7. Find a C3PAO on the CMMC-AB Marketplace.
8. Conduct the Certification Assessment with a C3PAO.
It’s incredibly important to still proactively prepare for your organization’s CMMC certification. However, at this time our recommendation is that, until the guidelines and scope are more clearly defined, your organization should invest its time and money on steps 1-5 rather than conducting a Mock Assessment.