Key Takeaways
1. Know Your Level: Understanding the requirements for CMMC Levels 1, 2, and 3 is critical to preparing the right controls and documentation.
2. Preparation Is Everything: A detailed gap analysis and readiness plan can make or break your success during the official assessment.
3. Documentation and Evidence Matter: It’s not enough to say you’re secure—you need to show it through policies, logs, and proof of implementation.
If you’re a defense contractor or subcontractor working with the Department of Defense (DoD), achieving and maintaining CMMC compliance is essential. But reaching that point takes more than just good intentions—it requires preparation, documentation, and a clear understanding of what’s expected during a CMMC assessment.
Whether you’re aiming for Level 1, Level 2, or Level 3, here’s what you need to know to boost your CMMC readiness and prepare for a successful assessment.
What Is a CMMC Assessment?
A CMMC assessment is a formal evaluation that verifies whether your organization has implemented the cybersecurity practices and processes required by the Cybersecurity Maturity Model Certification (CMMC) framework.
Assessment requirements vary depending on the level of CMMC compliance:
- Level 1 (Foundational): CMMC Level 1 focuses on safeguarding Federal Contract Information (FCI) and allows for self-assessment annually.
- Level 2 (Advanced): CMMC Level 2 focuses on protecting Controlled Unclassified Information (CUI). If companies do not process, store, or transmit CUI that’s critical to national security, they can self-assess annually. However, this only applies to a small subset of entities. If your organization handles CUI that’s critical to national security, which is the majority of companies, you’re required to complete an assessment with an Authorized CMMC Third-Party Assessor Organization (C3PAO) every three years.
- Level 3 (Expert): CMMC Level 3 focuses on reducing the risk from advanced persistent threats (APTs). It requires companies to work with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct government-led assessments every three years.
What Steps Should I Take Before Starting a CMMC Assessment?
- Understand Your Required CMMC Level: The first step in your CMMC readiness journey is knowing what level of certification you need. Review your contracts to determine whether you’re required to protect FCI, CUI, or both. Specifically, look for FAR or DFARS clauses, as they will help you identify which CMMC Level applies to you.
- Conduct a Gap Analysis: Perform a CMMC readiness assessment (also called a gap assessment) to identify which controls and processes are currently in place and which are missing. This helps you determine how far you are from meeting your desired CMMC level.
For example:
- At Level 1, you need to implement the 15 basic safeguarding requirements in FAR 52.204-21.
- At Level 2, you must meet 110 security requirements from NIST SP 800-171. If your contract includes a DFARS 252.204-7012 clause, you likely need to pursue CMMC Level 2 certification.
- At Level 3, you’ll need to implement advanced practices aligned with a subset of NIST SP 800-172 (final requirements are still pending DoD clarification).
- Document Policies and Procedures: A successful CMMC assessment relies heavily on documentation. Make sure your cybersecurity policies, procedures, and system security plans (SSPs) are clear, complete, and up to date. You’ll need to provide assessors with evidence of implementation, not just intent.
- Implement Missing Controls: Use the results of your gap analysis to remediate any missing or insufficient controls. This may involve:
- Enhancing access controls
- Encrypting data at rest and in transit
- Logging and monitoring system activity
- Establishing incident response procedures
For Level 2 and 3, most organizations will also need a Plan of Action and Milestones (POA&M) to track progress toward full compliance.
- Conduct a Mock Assessment: Before scheduling your official CMMC assessment, consider conducting an internal or third-party mock audit. This will help you:
- Identify weak areas before a C3PAO finds them
- Practice responding to assessor questions
- Gain confidence in your documentation and evidence collection processes
What to Expect During a CMMC Assessment

Once you’re ready, here’s what the actual CMMC assessment process typically looks like:
- Level 1
- Self-assessment required annually
- Must be submitted through the Supplier Performance Risk System (SPRS)
- Based on 15 basic cybersecurity practices
- Level 2
- A small subset of companies can self-assess at CMMC Level 2, but most will need to work with an Authorized C3PAO to complete a Level 2 certification assessment. Self-assessments must be completed annually, with results submitted through SPRS, while third-party assessments must be renewed every three years. Even if an Authorized C3PAO performs your CMMC Level 2 assessment, you must still complete an annual self-assessment during years two and three of the three-year certification cycle.
- Involves review of 110 NIST 800-171 controls
- Assessor will evaluate documentation, interview staff, and examine systems
- C3PAO certification is valid for 3 years; self-assessments must be renewed annually and submitted through SPRS
- Level 3
- Requires a government-led assessment through DIBCAC every three years
- Focuses on protection against APTs
- Includes enhanced practices beyond Level 2
- More details are expected once the DoD finalizes CMMC Level 3, which is expected to happen later this year
Preparing for a CMMC assessment takes time, resources, and commitment from leadership. By proactively assessing your gaps, documenting your controls, and building a strong cybersecurity culture, you’ll be in a better position to pass your assessment and protect sensitive federal data.
At IS Partners, we’ve been helping our clients successfully navigate cross-industry compliance for more than 20 years. We are an Authorized C3PAO that prides itself on providing a tailored approach to audit preparation and certification. Ready to learn how we can help you prep for your upcoming CMMC assessment or become CMMC Level 2 certified? Explore our full suite of CMMC compliance services.
What Should You Do Next?
Schedule a CMMC Readiness Assessment: Depending on the terms of your contract and which level of CMMC compliance you’re pursuing, work with a trusted consultant or internal team to schedule your CMMC assessment.
Create and Maintain a POA&M: A Plan of Action and Milestones (POA&M) can help track remediation efforts throughout the year, making for a more seamless CMMC assessment process.
Engage With a C3PAO: Particularly if you’re pursuing CMMC Level 2, time is of the essence. Partner with an Authorized C3PAO like IS Partners early on to understand timelines and expectations for your formal audit.