CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
Why Feeling “CMMC Ready” Isn’t the Same as Passing a Level 2 Assessment
Many DoW contractors feel confident they’re ready for a CMMC Level 2 assessment until assessors get involved. That’s when gaps in documentation, scope, and operational maturity start to surface.
In this episode of the CMMC Compliance Guide Podcast, Brooke breaks down why implementation alone does not equal readiness. We walk through what assessors look for before technical testing even begins, why documentation is often the real reason companies fail, and how poor scoping or misaligned staff interviews can derail an assessment.
You’ll learn:
- Why “feeling ready” is not the same as being assessment-ready
- What assessors review first during the readiness and pre-assessment phase
- How SSP quality can make or break your assessment
- Why screenshots alone are not sufficient evidence
- How POAMs are viewed during Level 2 assessments
- The role of operational maturity and ongoing proof
- How scope and employee interviews expose readiness gaps
- How to realistically self-check readiness before scheduling an assessment
If you’re preparing for a CMMC Level 2 assessment, or think you’re close, this episode will help you identify blind spots before they cost you time, money, or certification.
Stacy: Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacy from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're talking about something that trips up a lot of DoW contractors. Many companies feel confident they're ready for a CMMC Level 2 assessment, but when assessors get involved, that confidence doesn't always hold up. All right, Brooke, let's dive right into it. Why is there such a big gap between feeling ready and actually being ready with CMMC?
Brooke: Sorry, what's tripping me up is I'm thinking about how you said DoW, and it still just doesn't sound right. But we're getting there; we're starting to get used to it, I think. Most organizations, well, maybe not necessarily most organizations, have IT people leading this. They may not necessarily be IT people leading it, but they're a big part of it, which makes sense because it's cybersecurity. But as an IT person, you have a tendency, and other people do as well, to mistake implementation for actual readiness. Implementation is great, but somebody's got to be able to see and understand and believe that you have all those controls in place and that they're working. And you can't really do that without a lot of documentation. And when I say a lot, I mean a lot. So, as we always say: documentation, documentation, documentation. There's a lot of documentation that goes along with it. You've got your SSP, your system security plan; you have all your policies; you're going to have some plans in there and some procedures along with them. You're going to have lists of authorized users, devices, and processes, and all your artifacts, proof that you're doing what you're doing. It is a ton of documentation. It just seems like most of the time when we talk to people who've been trying to implement this and ask for our help, we come in and they say, well, we already have that done, we're doing this. And we're like, well, where have you documented it? How do you tell, and how does somebody else come in and verify that? We can show them a screenshot. Yeah, but showing them a screenshot doesn't tell them that much.
So you've got to tell them what you're doing, and you've got to show them that you're doing what you say you're doing. And it's ongoing management, of course. But that documentation is really the biggest part of this. If it was just controls, just technical controls you could implement and be done with, that would be great. But it's not. It's that documentation.
Stacy: So before all of the technical testing even begins, there seems to be a readiness review. How important is that step with CMMC?
Brooke: Oh, it's very important. It's very important for you as an OSC, an organization seeking certification, and it's also important for the C3PAO who is assessing you. They want to get off on the right foot. They don't want to waste a lot of time, and they don't want to make you really mad by getting through a whole $50,000 certification and going, sorry, you didn't even have the basic stuff ready. That wouldn't be good. So there's a pre-assessment portion of this. Generally, it comes after a down payment. A lot of them these days are taking a down payment, and then you come up to the certification, or mock, whatever it may be, and you either pay the rest of it or however that works with them. And the first thing they ask for is your SSP, and they want to see a list of other documentation and all this kind of fun stuff to show them that you actually know what you're doing and have stuff ready. And what I can tell you from all the assessors I've talked to, they say if it takes more than a day to get all this information back to us, we're pretty sure they're not ready. Because if you're ready, you have that simple documentation ready to go, and you can just go, here you go, here it is. Maybe a little more complicated than that, but it's ready to go, and you're not going to take two or three days to figure out how to get them the basic, simple documentation. So at that point, if you don't have all the documentation ready, they tap the brakes. C3PAOs will do a range of things. One of the things that I've seen them do quite a bit is they'll just pause and say, look, you're not ready. You don't have the documentation ready, so let us know when you are, and they'll put you back in line.
It won't be that you lose everything; they very well may be booked up for the next month or two or three or four, but you won't just completely lose your money, most of the time that I've seen. So if it's just a matter of getting that ready or whatever it is, then they'll let you get it ready and get it to them. But there's a chance right then, for that initial assessment, that pre-assessment, that they say, you know what, you're not quite ready, so let's hold off. So that's what it's for. It's to tap the brakes, to make sure that you have every chance of passing it, to make sure that you have every chance of not wasting money, and that they have every chance of making a happy client, right?
Stacy: So, Brooke, when assessors are trying to validate readiness early on, what are they paying attention to first?
Brooke: Your SSP, your system security plan. They'll want to see that. Your system security plan, we've said this before, needs to tell a good story. It needs to explain to them how you're putting things in place. You can't just regurgitate what the control says in a very broad, indirect manner. You have to say how you're fulfilling, you know, 3.1.1. How are you fulfilling that? It's even better if you can go by each of the assessment objectives and have an assessment objective statement and go through and say how you're meeting all those. Some of them may be the same, because it's identify authorized users, identify authorized processes, identify authorized devices. I guess you can change your statement up, but if you have a statement that basically gets it all covered, then that's a copy and paste on all three of those. But the point is, if you have an assessment-objective-level statement for these things that tells how you're addressing that objective, that's really good. That'll help clarify things. And again, you can't just regurgitate basically what the assessment objective or the control says. If it says identify authorized users, you can't just say we identify authorized users. Great. How do you do that? So again, they want it to tell a story. Each control or assessment objective does not need to be a little novella, but it does need to have some good detail in there that says this is how we do it. And then you can lay the rest of it out in policy and plan and procedure.
Stacy: So heading into our favorite topic, documentation. A lot of companies collect piles of screenshots and documents. Why does that still fall short?
Brooke: Well, a couple of reasons. Really, you need to be very intentional about your documentation, about all your artifacts. It needs to be tied to the controls and the assessment objectives, if that's the level you tie it to. But it needs to be tied directly to those. There are a number of ways you can do it. If you use a GRC platform, you tag it right there in that GRC platform. If it's a folder structure, which a lot of assessors want you to upload anyway, then in that folder structure you have everything broken down by control, and all your evidence and everything in those controls. But it's got to be well thought out, it's got to be structured, it's got to actually address each of the controls it's supposed to address. You can't just say, here's my pile of evidence, good luck. They're not going to do anything with that. They'll say, thank you, go fix it.
Stacy: So diving into the topic of POAMs. POAMs are allowed in certain cases, but how do assessors view them when determining readiness?
Brooke: Well, POAMs should be the exception and not the rule. When you go talk to an assessor, you should be very confident that you have everything done. If there's something that you disagree about, or something that you thought was covered but isn't quite covered the way they want to see it covered, then that can go on a POAM, with some caveats. And then within 180 days, if you get that cleared, then you're good. But I would never go into an assessment having anything on a POAM, or having anything I think might need to be on a POAM. Be very confident that you've got everything cleared and you're good to go. That said, remember also that there can be no five-pointers or three-pointers on a POAM, and there are some one-pointers that can't be on a POAM. And your score has to be at least an 88, or 80 percent. So if you meet all those, then yes, some of those items can be on a POAM, and you have 180 days to fix it. Somebody, I can't remember who, asked me the other day about passing a Level 2 certification. And I said, well, it's 110 controls, and you have to score 110, and they're like, well, is there a percentage? And I was like, well, no, it's a pass or fail. You get 100% or you fail. Like I said, you could have a POAM possibly, but it's either pass or fail. At the end, especially at the end of that 180 days, it's pass or fail. You don't get an 88% or anything like that. So it's not like some of the other maturity models out there. With this maturity model, you have to have 100% on this moderate level of cybersecurity.
Stacy: So it seems like operational maturity is pretty important with CMMC. It is. What does that look like in practice?
Brooke: Well, CMMC is a cybersecurity maturity model certification, right? So there's a maturity model, but really what this means is that you have a certain level of maturity with your organization, and in this instance that you have ongoing monitoring and management, you have your policies in place that describe how you're doing things, and you can prove that you are doing things how you say you're doing them. CMMC, or 171, is pretty prescriptive, but still, you have to define how you're doing things, and again, being able to do that and prove it is the maturity part of that.
Stacy: As Austin always likes to say, all roads lead back to scope.
Brooke: Right.
Stacy: So this road is leading back to scope. Scoping issues come up pretty constantly. How do they factor into readiness when it comes to scope?
Brooke: Well, a poorly scoped system can either cost you a lot more and be a lot more labor-intensive getting through the assessment process, or a system that is too narrowly scoped can leave some things out that you should have put in. However, a properly scoped system will be one where you've only scoped the correct things into that CUI environment and left out things that don't apply and don't connect to that CUI, right? So when you do that, you limit your exposure, limit your risk, limit your scope of everything that needs to be protected, under CMMC at least. So that can lead to a lot better process whenever you go to get an assessment. It could also lead to a lot better process while you're trying to get ready and implement everything as well.
Stacy: All right, Brooke. What role do staff interviews play in determining readiness?
Brooke: Well, we'll pick on our favorite user, Sally Joe. People are either CUI assets or not, right? I mean, they're an asset just like a computer system is, maybe not just like, but I don't know that computer systems necessarily get angry or emotional or anything. But they're CUI assets, so they have to be tested as well. And part of the test is interviews. So if a particular control says that they're taking insider threat training, and they say, okay, well, let me see. Log, okay, great. Let me talk to Sally Joe. Sally Joe, tell me about the insider threat training you've taken. And she says, what is that? There might be an issue there. If Sally Joe has no clue and it says that she's taken that insider threat training, then that might be an issue. Now, I don't necessarily know if they're going to interview people on the training, but as an example, if they ask somebody about something and they can't answer it properly in the way that you've said you're doing things, then there's going to be an issue there. So you need to define things like they're actually happening, which means bringing in stakeholders, making sure that you define it properly, and then making sure that everybody understands what they're supposed to be doing.
Stacy: What are some things companies think mean they're ready for a CMMC assessment, but really don't?
Brooke: Well, having a really good, high assessment score, like say 110, or the fact that, hey, I've got all my policies here and we've got everything implemented, so we're good. Having two or three people be very knowledgeable and say, yes, we got everything implemented. Having a consultant come in and implement everything for you. That's all great, but that doesn't get to the heart of the matter, and the heart of the matter is that you've implemented all the controls, you've defined and documented all the controls, and you have that ongoing management and proof that you're doing all these, which is going to require you to have some responsibility and some part in that, to make sure that you understand what's going on, that you've got everything documented, that you've got not just your policies done, but everything that we talked about earlier. You've got your SSP, your policies, you've got plans that need to be made, you've got your procedures, you've got all your lists of authorized users and devices and remote users and all that kind of fun stuff. Then you've got all your documentation, of course, of all your proof. So it's a lot that goes in there, and a lot of work goes into it. That said, just because you've been working on CMMC for four years and you think, by golly, I've been working on it so long, I'm ready, well, again, you need to go back and make sure that you really are ready and you really do have all that documentation, all that proof on all those artifacts, ready to go.
Stacy: So before scheduling an assessment, how can companies realistically self-check their readiness?
Brooke: Go back through your SSP, make sure that it is fully fleshed out, make sure it does tell that story to that assessor of exactly how you're doing things. Reread your policies, make sure your policies aren't just a bunch of bloatware, make sure that they actually apply. Here's a template; I put a template in place, that's great. No, it's got to define what you do, right? Download NIST 800-171A, the assessment guide, and go through that, read through that as if you're an assessor, and test yourself. Make sure that you have everything ready to go. You've got to put yourself in the shoes of somebody from the outside that has no clue about your system. They don't know how to spell, you know, Windows or MFA, whatever it might be. Make sure that they can completely understand it, being an outsider, right? Not being an insider. So if you do those things, that'll go a long way towards making sure that you're ready.
Stacy: So if there's one thing our listeners at home should remember from this episode, what would that be, Brooke?
Brooke: There's a lot of documentation. With CMMC, you'll probably never feel 100% like you're ready. But it's not a feeling necessarily that you're ready or that you're not. It's that you've put all the controls in place and that you've compiled all of the documentation that we've already talked about, ad nauseam. You've got all that documentation in place, it's all organized. So you ought to be able to hire somebody to come in off the street and at least understand the format, where everything's at. They might not be able to understand CMMC, but if they can look at the format and make sense of where things are at, then that's good. It has to be laid out very well. So it's a lot of that documentation again. And if you use a GRC platform, the GRC platform will go a long way to help you make sure that's structured properly.
Stacy: If you have questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.