Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: What to Expect From Your First CMMC Assessment


Quick Take

On this episode of Compliance Unfiltered, Adam and Todd have a spirited discussion about what to expect from your first CMMC Assessment. As this topic seems to be on everyone in the DoD Contractor space’s mind, Adam covers it on this episode from stem to stern.

  • What is CMMC at a high level?
  • How does one go about finding a C3PAO?
  • Curious about the different phases and what to expect in each one?
  • Want to know some good practices on how to stay up to date on your SPRS Score?

Don’t worry, all those topics, and more, are on the agenda for this episode of Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!

Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Slash to your compliance Guns N’ Roses, Mr. Adam Goslin. How the heck are you, sir? I’m feeling fairly like a rock star today. I’ll tell you what, man, and that is not surprising, in fact, that you’re you, and we’re talking about this topic, and that is what to expect from your first CMMC assessment.

For those of you who don’t know, we are currently hanging out at CMMC Day, and we’re excited to have Adam set the stage for us. Give us a high-level overview of the landscape of CMMC compliance. All right. Well, before we even get into that, I just want to note for the record, this is officially the first time that we’ve done a podcast recording and actually been side by side. Just a live Compliance Unfiltered. For those of you listening at home, you’re welcome. It is good to be here for CMMC Day, so this topic is kind of appropriate. With all that said and done, there’s one thing about the DOD: they take compliance really seriously. They expect that their contractors are taking it seriously as well. That’s why a lot of the DOD contractors are anxious about the new CMMC efforts they’re going to have to go through, and the reality is that not a lot of them have been through this process before. Some may have gone through some other compliance standards, whatever they went up against, some framework type thing, but this is really going to be their first foray into the world of compliance, if you will. So it’s understandable there’s going to be some nerves around going ahead and getting through your first CMMC engagement with a third party, what all’s coming, all that fun stuff. So hopefully today’s topic will help. I mean, there’s some organizations that will be able to do their own self-assessment, which I think we’ve talked about in a relatively recent article as well, but there’s others that are going to have to go the assessment process. So this is kind of to set the stage for the folks that are needing to head down that path.

Absolutely. Now, how does one go about getting a C3PAO, not R2-D2’s buddy, but a CMMC assessor, a C3PAO? How do you find the one?
Well, at the beginning, that’s one of the first things that the organization is going to need to do, is go down that path. If you go out and you take a look at some of the materials we’ve got on the TCT website, for either the blog or the podcast, we’ve got some detailed articles about hiring an assessor. But it’s worth emphasizing again: the assessor works for you. It’s not the other way around. A lot of organizations kind of take this position of acquiescing to the assessor, etc. They’re a vendor. They’re no different from somebody that’s providing your email, somebody that’s providing your hosting, etc. They’re a vendor. And so you’re not obligated to stick with them if they’re not the right fit for the organization. So just like any other service provider, their job is to help you accomplish your goals. They’re not the CMMC police, but a partner in your success. Right. And so I’d say it’s worth repeating that you want to find an assessor that is going to take kind of a middle-of-the-road approach. And we’ve talked about this before, where some assessors are just absolutely black and white, and some assessors are very loosey-goosey. You want somebody that’s going to make sure that they’re hitting the mark for the essence of the requirements, and yet being able to take that organization’s circumstances into account. Are they fulfilling the nature of the requirement they’re assessing? Because that capability to provide interpretation of the objective of the requirement, to be able to use their toolbox to assist going through it and actually getting to the point where you’re ready to go down the path, that matters.

No, and that makes a ton of sense. Now, when you start your engagement, there are typically general phases, so tell us about phase one. Well, once you’ve got your C3PAO, one of the first things they’ll want to do is some form of a kickoff meeting, where they’re looking to sit down and kind of go over high-level information about the organization. You’d call it a discovery call, if you will. It’s a combination of things. It’s a discovery call so they can figure out and reacquaint themselves with your organization, set expectations for what’s going to happen, and make sure all the basic information that they’ve collected up is accurate before they’re running off down the path. They’ll want to do things like go over, at a high level, who you are as a business, what types of business lines you are into, and what it is that they accomplish for you as an organization going through compliance. So all of those are going to be elements of that initial meeting. But that initial meeting is really going to include, in all likelihood, your upper-level management, executives, and the initial stakeholders in the compliance engagement, all kinds of participation in that first initial meeting. For most organizations, that initial meeting is going to be something along the lines of 60 to 90 minutes, something along those lines.

All right, so then once that’s wrapped, what comes next in phase two? So during phase two, that’s where they kind of take the next step. They need to get to a next level of depth in really reviewing information about your environment. So shortly after the kickoff meeting, maybe immediately following, maybe scheduled in a day or two, whatever, they want to go through and review the cyber environment. The first meeting looked at things from a 10,000-foot view; now they want to bring it down a level. So they’re going to go to about 5,000 feet, if you will. And so during this phase, they want to get their arms around some of the high-level details, get a sense of what your overall stance looks like. So they want to be looking at: where’s your environment hosted? What’s the inventory? What does the network diagram look like? Who are the connected vendors in the environment? And really going through things like your personnel, the departments that you’ve got, the data flow diagram, how data is coming in, getting processed, moving, and exporting out of the environment, as well as your physical locations. So physical points of presence, etc. All of those will give them the context and allow them to gain an understanding of the detailed evidence that basically they’re about to go in and see in the next phase.

That tracks. Now, after that, what’s around the corner in phase three? So evidence collection and quality assurance is the main placard for that stage. Sure. So now that they’ve gone through, they’ve got the high-level idea, they’ve gotten the mid-range idea of what all is going on, etc. Now they can go through and get an idea of where everything fits in the puzzle, and they’re ready to get down to the nitty-gritty. This is really the phase where the most grueling work happens during the engagement. It’s also a phase where you feel like you’ve been released into some type of chaotic scavenger hunt with roadblocks and landmines and all sorts of fun stuff. And you’re trying to get through this with a timer going; the assessor doesn’t have until the dawn of time to be able to get through this. They’re expecting that you’re marching through, etc. It’s during this phase that they’ll be asking the organization going through compliance to supply their evidence to prove out that they’re fulfilling the various requirements of CMMC.

On your side of the fence, as the organization going through it, you’re going to need to rely on your team of people that are actively going out garnering and gathering evidence, etc., and keeping the internal personnel organized as they’re provisioning that evidence. You’re going to need to gather up all that evidence and present it to your C3PAO for their review. The assessor is either going to go through and accept the evidence that you’ve given, or reject it. It could be a straight rejection, or it could be a, hey, this is close, but we also need to see some details on fill-in-the-blank, and they’ll give you some instructions on what else it is that they need so that you can go in, resubmit that evidence that got rejected, and then pass it back up the chain. If the evidence looks good to the assessor, then they’ll pass it on to their internal QA department. The QA will go through and do the oversight of the assessor, making sure that everything’s in place, etc. The listener just kind of needs to understand there is a multitude of items that are flowing up and down these various workflows, with items passing up and being good, and items coming back with additional information needed. There’s just a ton that’s flying back and forth during this phase. And like I said at the beginning, it’s really the phase where it feels a lot more chaotic to the organization that’s going through it.

No, absolutely. Now, in terms of the prevailing metric, as we spoke about in the last podcast, it’s the SPRS score for CMMC. So how can organizations keep an eye on their SPRS score? So as they’re going through, and this is the one part that gets a little bit confusing for the folks that are going through it, that SPRS score out of the gate, when they first kind of get their brain around it, is, here’s where I think I stand. Well, next thing you know, you start getting faced with reality, right? The assessor’s gone in, they’ve looked at this and go, yeah, this is close, but no. That negative number will kick you in the throat real quick. Yeah, exactly. So as they’re passing items now, for every item that they say, nah, don’t think so, and pass it back, now your SPRS score is going lower. And every time you’re passing evidence up, it goes up, but it only stays there if the assessor passes it into QA, etc., so the score is kind of bouncing all over the place. It’s going to be a wild ride out of the gate. But certainly for organizations that are using the TCT portal, we covered it in the last run, there are live SPRS scores. So as they’re going in and filling these items out, they’re able to go in and look in the TCT portal and see what that SPRS score looks like, and it will fluctuate, but it’ll start to stabilize as they kind of get to the end of the run. And for those of you hearing this for the first time who are curious about the SPRS score and what that looks like, please feel free to go back to the episode prior to this one, listen to the explanation of the SPRS score, and understand it fully. But for those who are just hopping in on this episode, what’s the easiest way to explain kind of the SPRS score and how it applies here? So at a high level, without going into all the detail we did last go around, there’s a score that you get, it’s called the SPRS score.
It’s one of the elements that goes into the DOD’s system for a vendor, and it’s effectively a measure of their cybersecurity maturity against the CMMC requirements. And that number is somewhere between, I think it’s negative 203 up to 110, and so the closer to 110 you are, the more thumbs up, etc. But it’s one of the measures; there’s a whole bunch of other factors that come into play, things like price and the vendor’s past history with the DOD, etc. There’s a lot of factors that are going to come into it at that point in the game.

Yeah, that makes a ton of sense. Now, what are some of the ways to avoid pissing off your C3PAO? Well, the reality is, as you start this process, the C3PAO is walking in with the understanding or impression that the organization has their act together, that they’re kind of ready to go. Are they really, though? Yeah, yeah, yeah, okay, well, I appreciate their optimism. I guess. Well, because here’s the deal: they’ve been engaged to come in and do this assessment, so okay, they’re expecting you’re ready to do the assessment. Your shit is together. Yeah, exactly. And so as you’re going through the process, if they’re asking, okay, well, show me this, and you’re basically digging through all of the cupboards and trying to find it, and, well, wait, wait, wait, I know I left it somewhere, I just need to put my finger on it, type of thing. That will just kind of grind gears. If you think about it this way, the assessor’s job is one of doing their job efficiently. And so it does really cheese them off when they’ve got to deal with an organization that can’t put their fingers on stuff, can’t find things immediately, etc. So one of the critical things, in order not to piss off your C3PAO, is to have your CMMC compliance shit together, as we like to say, and put all of your evidence into a central repository, so it’s organized and readily accessible. Exactly. Well, not only that, but it’s also searchable, right? Hey, I want to see the information on training. Guess what? If you can go to your central repository and just search “training,” boom, now you’ve got the subset of anything that had to do with training across your CMMC engagement. That’s super, super simple. And especially when you’ve got all of your explanations and your attachments right there.
I can answer questions on the fly, sitting in front of this C3PAO, and boom, I’m on it. They’re loving it at that point in the game. But I tell you what, there’s nothing that’ll piss them off more than when people are going digging through, trying to find stuff, etc. It’s just a gigantic pain in the ass. And it really helps out not only on your side, but on the C3PAO side; they appreciate it. Yeah, no. And most definitely you don’t want to piss those folks off.

Now, as you wrap up, what reporting is headed your way? As you go through CMMC, there’s a couple of different things. So the assessor’s gone through, and they’re busily generating their CMMC report. For the most part, the mad rush of, holy, oh my God, where’s the evidence, etc., is starting to die down, except for exception requests. But the report generation, which the listeners need to be kind of mentally prepared for, takes a minute for them to get through things. Likely for most of the organizations, it’ll take a week or two for them to go ahead and put their reporting together. They’ve got to get through QA. POA&Ms, SSPs, all the things. Yeah, exactly, and so a little bit of time. Typically what will happen is they’ll initially issue a draft report. So they’ll pass a draft report over to the target organization with the intention that the assessor’s done their best job to understand the high-level scope, understand the moderate-level scope, and review all of the detailed evidence, but they may have gotten something wrong. So they’ll typically issue a draft report so that the target organization can go through that, pass back any comments, hey, I don’t think you got this right, whatever it may be, and make any final tweaks and modifications to the final report. But certainly, the outcome will be, here’s where we believe you stand against the CMMC requirements; the system security plan will be a part of it, and the plan of action and milestones, or the POA&M as you referred to it, will be a part of it as well. All of those should be elements that come out from the C3PAO back out to the target organization so that they can say, hey, here’s where we’ve concluded our review or our assessment, here’s what we believe you are.

Outstanding. Outstanding. Parting thoughts and shots for the folks this week, Adam. Well, for the love of all that’s holy and true, do me, do you a favor: use a compliance management system. I mean, it’s almost old hat. Yeah, and people sometimes give me a hard time. But I’m like, yes, TCT has a compliance management system. But you want to know what? I would rather that the listener use a compliance management system than a spreadsheet, period. 100%. If they want to use ours, sweet. If they don’t want to, and they want to use something else, fine. Please, please, please, please don’t be a dumbass and use an Excel sheet, please. Do yourself a favor and automate. And this is especially true for these organizations that have multiple security and compliance requirements that they need to go up against. In many cases, organizations are going to need to be compliant with CMMC for DOD, and they take credit cards, so then you’ve got PCI in the mix. Maybe they’re dealing with medical data in some way, shape, or form, so they’ve got HIPAA. If you’re dealing with multiple compliance requirements, that’s an even bigger case for making sure that you’re using a compliance management system. And trust me, your C3PAO or your CMMC assessor will thank you for having your CMMC shit together. These are facts.

That right there? That’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less. Thanks for watching!
