Your Guide to Engaging with a C3PAO

Category: CMMC, Guides

CMMC is here and C3PAO assessments began on January 2, 2025. So what should you expect from an assessment, and how can you set your company up for success?

You’re a defense contractor who has been working on your CMMC Level 2 compliance and the time has finally arrived: you need to get a certification assessment with a CMMC Third Party Assessment Organization (C3PAO).

“How do I get started with a C3PAO?”

Only an authorized C3PAO can perform a CMMC Level 2 certification assessment. All authorized C3PAOs can be found on the Cyber AB marketplace (Hive Systems is expecting to be authorized as a C3PAO by Spring 2025!). When you reach out to a C3PAO, they will need to request information from you to get an idea of the assessment scale before entering into a contract. Some of this information will include:

  • The CAGE codes for the actual entity being assessed;

  • Whether any External Service Providers (ESPs) or Cloud Service Providers (CSPs) are in scope;

  • The size of the organization and system being assessed;

  • The prospective CMMC scope, including number of physical locations, if applicable; and,

  • The desired schedule, personnel involvement, and general logistics for execution of the assessment.

Your C3PAO may ask for additional information to help determine the level of effort required for your assessment, as well as the need for any travel. While the C3PAO will be asking you questions about your environment, this is also your opportunity to interview and get to know your potential C3PAO. It’s important to choose a C3PAO you like, because ideally you will build a relationship and return to that C3PAO for any POA&M closeout assessments and future re-assessments. However, if at any point you find that you and your C3PAO are not a good fit, you may be stuck with them through the end of your assessment. The good news is you are under no obligation to keep using their services once the original contract terms are fulfilled.

In this initial discussion, you will also identify any potential conflicts of interest between yourself and the C3PAO or prospective Lead Assessor. If the C3PAO has previously performed advisory or implementation services for your company, they cannot be your assessor. If there are no conflicts with the C3PAO but the Lead Assessor has a conflict of interest, it must be disclosed, but the assessment can still move forward as long as both parties agree.

After all of this initial dialogue and information gathering, you can finally move forward with a formal contract, including a mutual non-disclosure agreement and a planned date for the assessment.

“What should I have ready before the assessment starts?”

Before the assessment even starts, the C3PAO will conduct a Planning phase to ensure that you are actually ready for the certification assessment. Things you need to have prior to the Planning phase include:

  • Complete documentation: All of your policies, procedures, standards, etc. cannot be in draft format and must be final and approved.

  • Complete System Security Plan, including boundary diagrams: Lack of an SSP is a show stopper - an assessment will not proceed without it. If you don’t know where to start with an SSP, check out our free CMMC SSP templates.

  • CMMC Scoped Asset Inventory: For this, I don’t mean the system component inventory. This is more of an itemized list of the different types of assets in scope, including the CMMC asset category they fall into. For example, if you have 50 engineers who work with CUI, list “Engineers - 50 - CUI Assets” and if you have 3 System Administrators supporting the CMMC environment, list “System Administrators - 3 - Security Protection Asset.” This will be extremely helpful to the assessment team when validating your assessment scope.

  • Evidence Repository: You should clearly identify what evidence maps to the different assessment criteria, and have it organized in a folder structure that your assessors will have access to. Ideally, the assessors will receive access to a Shared Drive or SharePoint in your environment to perform the assessment, but if you absolutely cannot allow the assessors into your environment you can also send it to the assessment team when requested.

  • ESP and CSP details: For any ESPs you have, make sure you have their Customer Responsibility Matrix (CRM) or proof of CMMC Level 2 certification (if they voluntarily obtained one). For any CSPs you have, confirm they are FedRAMP Moderate or ensure you have a body of evidence proving FedRAMP Moderate equivalency. Note that you are responsible for ensuring they are FedRAMP Moderate equivalent before using them in your CMMC environment. If your CSP is not FedRAMP Moderate or equivalent, you will not pass the assessment.

Having all of these items ready prior to the Planning phase will allow for a smooth assessment and also give you the chance to confirm nothing is missing before getting started.

“How does the assessment work?”

There are multiple phases to any C3PAO assessment: Planning (or Pre-Assessment), Assessment, Reporting, and Close Out.

Planning/Pre-Assessment

The Planning/Pre-Assessment phase will be the first step you take after the contract is signed with your C3PAO. During this phase, your C3PAO will need to review certain artifacts and details to ensure that you are ready for your Certification assessment. This includes a high-level review of the System Security Plan (SSP) and any network or data flow diagrams, as well as your evidence repository. It is important to note that the C3PAO is looking for completeness here, making sure you have evidence for each of the assessment criteria but not diving into whether the evidence is adequate or sufficient to confirm the assessment criteria have been met. One of the best things you can do ahead of this phase is to clearly fill out a template that identifies what evidence and personnel support what assessment criteria, and have it pre-organized into a SharePoint or Shared Drive folder structure. This will expedite the assessment process and will also give you the chance to confirm you have everything buttoned up before you even sit down with the assessment team.

The C3PAO will also be reviewing documentation to validate the assessment scope. They will look for any ESPs and CSPs in use, your data flow and network diagrams to confirm they match the agreed upon scope, and that there are no glaring or obvious issues (for example, if the corporate environment was determined to be Out of Scope but the network diagram clearly indicates the corporate environment is not segregated from the CMMC environment).

When this review is complete, the C3PAO will make a determination on whether you are ready for the assessment to proceed. Assuming your documentation is finalized, you have an SSP, you have evidence for all your assessment criteria, and your CMMC assessment scope doesn’t have any red flags, the C3PAO will move forward with the assessment.

If the C3PAO does not think you are ready for the assessment and there is a high likelihood of not receiving a Certificate of CMMC Status, they will notify you at this point. You will be able to determine whether you want to reschedule or completely cancel your assessment, and any proprietary information you sent to the C3PAO will be returned or removed from the C3PAO’s environment.

Assessment

The Assessment phase will generally be the longest, and will require personnel to be available for meetings. The C3PAO will start with a kickoff meeting between the assessment team, your primary point of contact, and your affirming official, at a minimum. Anyone else you would like to have in attendance can join this kickoff. Then, using the evidence initially provided in the Planning phase, the C3PAO will begin to review documentation, screenshots, network diagrams, your System Security Plan, and anything else identified to support the assessment criteria.

The assessment team will also conduct interviews with personnel to understand how processes are implemented and to observe certain artifacts that may be required in addition to what was provided during Planning. It is critical to ensure you have identified the right personnel for the interviews, and that they are available to meet with the assessors. In the event you use an ESP, such as a Managed Services Provider (MSP) in your CMMC environment, they must be available to answer questions about the controls they are responsible for as well (unless the MSP voluntarily achieved CMMC L2 Certification, in which case their certificate can be provided instead).

If your environment uses a CSP, the assessor will check the FedRAMP Marketplace to confirm they are at least FedRAMP Moderate. If not, the assessor will need to review the Body of Evidence from the CSP to validate it is FedRAMP Moderate equivalent. If you know your CSP is not FedRAMP Moderate, but is FedRAMP Moderate equivalent, you should obtain a Body of Evidence from the CSP to provide along with other evidence in the Planning phase.

At the end of every day will be a checkpoint meeting to summarize progress, identify challenges, and provide an opportunity for the assessment team to request additional evidence if needed. This is also the time when your assessors may let you know if certain controls are “trending toward” MET or NOT MET, and you can determine if you need to find additional evidence for “trending toward NOT MET” controls.

Reporting

Now that all of the controls and evidence have been assessed, the final results will be documented and shared with you. Your C3PAO will schedule an out brief meeting where they will go through the MET, NOT MET, or NOT APPLICABLE determination for each one of the security requirements assessed. During this meeting, the C3PAO will also share the results and what type of certificate you will receive, if you passed.

You are expected to retain the assessment artifacts in your environment for six (6) years. The C3PAO is not allowed to retain any evidence. Guidance will be provided on how to hash the assessment artifacts you are retaining, and the list of hashes will be provided to the C3PAO.
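The post does not spell out the hashing procedure, so the following is an added example (not Hive Systems' guidance, not the C3PAO's, and not code from the original post) that builds a hash manifest of a retained evidence repository and later verifies the artifacts against it. SHA-256, the `sha256sum`-style manifest format, and the sample evidence files are all assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of one file, read in chunks so large evidence files fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(repo: Path, algorithm: str = "sha256") -> dict[str, str]:
    """Map each file's repo-relative path to its digest; sorted so the manifest is reproducible."""
    return {p.relative_to(repo).as_posix(): hash_file(p, algorithm)
            for p in sorted(repo.rglob("*")) if p.is_file()}


def write_manifest(manifest: dict[str, str], out_path: Path) -> None:
    # One "digest  path" line per artifact: the format `sha256sum -c` accepts (assumed format).
    out_path.write_text("".join(f"{digest}  {rel}\n" for rel, digest in manifest.items()))


def verify_manifest(repo: Path, manifest: dict[str, str], algorithm: str = "sha256") -> list[str]:
    """Return the artifacts that changed or went missing since the manifest was produced."""
    problems = []
    for rel, expected in manifest.items():
        target = repo / rel
        if not target.is_file() or hash_file(target, algorithm) != expected:
            problems.append(rel)
    return problems


def demo() -> tuple[int, list[str]]:
    """Constructed evidence folder: two artifacts, one of which is altered after the manifest is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "access-control").mkdir()
        (repo / "access-control" / "policy.txt").write_text("constructed sample policy\n")
        (repo / "SSP.txt").write_text("constructed sample SSP\n")
        manifest = build_manifest(repo)                 # the list you hand to the C3PAO
        write_manifest(manifest, repo / "manifest.sha256")
        with (repo / "access-control" / "policy.txt").open("a") as f:
            f.write("edited after the assessment\n")   # simulated post-assessment change
        return len(manifest), verify_manifest(repo, manifest)


if __name__ == "__main__":
    print(demo())
```

Re-running the verification against the manifest you shared with the C3PAO is how you show, years later, that the retained artifacts are the ones that were assessed.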

At this point, if you disagree with the assessment results, you have the opportunity to appeal. The appeal must be filed first with the C3PAO. A CMMC Certified Assessor (CCA) who was not part of the initial assessment team will review the appeal and make a final determination. If you still do not agree with the results, you have fifteen (15) days to submit an appeal to the Cyber AB for review.

Close Out

This final phase of the Certification Assessment could be as simple as receiving your CMMC certificate, or it could also involve a POA&M closeout assessment. If you have controls that are NOT MET and are not permitted to be placed on the POA&M list, you will not receive a certificate and will need to schedule and conduct a new assessment at a later date.

There are two types of certificate you can receive: Final and Conditional. If you receive a Final Certificate of CMMC Status, you’re done until you’re due for re-assessment in three (3) years. If you received a Conditional Certificate of CMMC Status, this means you had some controls that were assessed as NOT MET that qualified for the POA&M list. You will have 180 days to remediate these POA&Ms, at which point your POA&M items will need to be re-assessed by an authorized C3PAO.

You can choose to conduct your POA&M assessment with a different C3PAO than the one that performed your initial assessment; however, it is important to note that a new C3PAO would likely need to gather the Planning Phase information again to ensure they can understand and assess your environment. There are two possible results for the POA&M Closeout assessment:

  1. All POA&Ms have been remediated, and you receive a Final Certificate of CMMC Status.

  2. Not all POA&Ms have been remediated. Your Conditional Certificate of CMMC Status is no longer valid, and you will need to re-do your assessment when you are certain all POA&Ms have been remediated and you are able to pass a CMMC assessment.

This is why it is absolutely critical to conduct a self-assessment prior to commencing your C3PAO assessment to ensure you have addressed all assessment criteria, have evidence to back it up, and will not be in a position where you have POA&Ms you cannot remediate within 180 days.

“Can anyone help me with this?”

If you’re prepared for an assessment and are worried about the rapidly growing line to get on a C3PAO’s schedule, Hive Systems is in the process of getting authorized and is already scheduling assessments to begin in Spring 2025! Reach out to us today to meet our assessors, learn more about our methodology, and discover how we can collaborate with you for a better assessment experience.
