Breaking Down the CMMC Assessment Process

by: A-LIGN 16 Jan,2025 3 mins

The CMMC Assessment Process (CAP) is the official guide used by C3PAOs (CMMC Third-Party Assessment Organizations) to conduct a CMMC Level 2 certification assessment. C3PAOs use the CAP to make sure the assessment maintains consistency and integrity when an Organization Seeking Certification (OSC) goes through the process of getting certified.  

The Cyber AB recently released the official CAP guide for CMMC Level 2 assessments, so we’re here to break down what you need to know.  

What is the purpose of the CAP? 

The CAP is the procedural guide for C3PAOs conducting a CMMC Level 2 certification assessment. It’s used to ensure the consistency and integrity of CMMC assessments, ensuring C3PAOs and their CMMC Certified Assessors (CCAs) meet Cyber AB requirements.  

While the CAP outlines the process to try to standardize all CMMC assessments, not all C3PAOs are created equal. Check out the CMMC Buyer’s Guide to learn more about choosing a C3PAO and get a list of questions to ask as you’re making your selection.  

The four phases of the CAP 

The CMMC assessment process consists of four phases that cover the steps before, during, and after the actual assessment: 

  • Phase 1: Conduct the pre-assessment 
  • Phase 2: Assess conformity to security requirements 
  • Phase 3: Complete and report assessment results 
  • Phase 4: Issue certificate and close out POA&M 

Phase 1: Conduct the pre-assessment 

The pre-assessment phase validates that organizations are prepared for the CMMC Level 2 assessment. This phase ensures that all the required documents, evidence, and resources are in place before starting the formal assessment. The C3PAO will review the System Security Plan (SSP), confirm the scope of the assessment, and assemble the assessment team. The C3PAO will then complete the Pre-Assessment Form, documenting key information such as the organization’s CAGE code, SSP title, contact details, and readiness determination. The goal is to make sure that the organization is fully ready for the assessment.

Phase 2: Assess conformity to security requirements 

In this phase, the CMMC Level 2 assessment takes place, and the implementation of security requirements is evaluated. At the beginning of this phase, the lead CCA will facilitate an “in-brief” meeting, which is a kick-off meeting to align on assessment scope, procedures, and schedule. Then, the real work begins. The C3PAO assessment team will review implementation of security requirements and conduct assessment scoring. Throughout this process, the assessment team will meet every day with the organization to monitor progress, address challenges, and maintain quality and consistency. The goal of this phase is to verify that the organization meets the assessment objectives. 

Phase 3: Complete and report assessment results 

This phase focuses on finalizing and documenting the assessment results. A formal quality assurance review takes place by a CCA outside of the assessment team to check the accuracy and completeness of the results, which are then presented to the organization before being submitted into the CMMC system. This is also when the “out-brief” meeting occurs, where the lead CCA and assessment team present the assessment results briefing. 

Phase 4: Issue certificate and close out POA&M

The fourth phase involves the final steps of the certification process. This is when the organization receives the official CMMC Level 2 certificate. In the case that the organization received a conditional certificate, they will need to address and close out any remaining Plan of Action and Milestones (POA&M) items. Once these items are closed out, the organization will be reassessed by a C3PAO to receive full CMMC Level 2 certification. 

Getting certified in 2025 

Understanding the four phases of the CAP will help ensure a smooth path to certification. At A-LIGN, we specialize in guiding organizations through this process. As an accredited C3PAO with over 1000 federal assessments completed, we are dedicated to being your partner in achieving and maintaining compliance. 

Contact us today to secure your spot in our CMMC certification queue and learn how we can support all your compliance needs.  

As new guidance is released and more organizations begin their journey to become CMMC certified, it’s important to understand the certification process and how it will impact your company. Read on to learn what the guidance means for you, what to look for in a C3PAO, and prepare for your assessment. Follow along and download the guide here.

What is CMMC? 

CMMC stands for Cybersecurity Maturity Model Certification. The program requires all DoD defense contractors to meet cybersecurity controls and be certified by a C3PAO assessment.  

CMMC 2.0 is now mandatory for all entities doing business with the DoD at any level who store, transmit, or process information that meets the standards for FCI or CUI. Prime contractors and their subcontractors are required to meet one of the three CMMC trust levels and demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities. The initial award or continuance of a DoD contract will be dependent upon CMMC compliance.    

Contractors will only be permitted to receive or share DoD information related to programs and projects if they have completed the CMMC process. At the time that a contractor’s contract is up for renewal, they must be CMMC compliant.

Defining the CMMC journey 

To simplify the CMMC process, we’ve developed a five-step journey that will take your organization from understanding through certification and beyond. 

blog cmmc buyers guide compliance journey 1 0

Understand 

Read the CMMC final rule, understand program requirements, review DoD’s resources, and familiarize yourself with the practices outlined in the model for each of the CMMC levels. 

Identify 

First, you’ll need to identify your CMMC level. Later in this guide, we provide an overview of the levels so you can determine which is most applicable to your organization. 

Based on your level, you must identify the assets in scope for your CMMC assessment. Refer to the Scoping Guidance from DoD for levels 1-3. 

As a part of this step, you should also complete a gap assessment to identify any areas where there are gaps in your compliance. 

Prepare 

To prepare for the assessment, we recommend developing an implementation plan addressing any vulnerabilities found in the gap assessment to ensure compliance to the CMMC standard. 

Complete the necessary documentation to outline your organization’s compliance with the CMMC standard including policies and procedures, and your System Security Plan. 

Prepare for the C3PAO assessment by gathering all evidence needed and preparing for the interview questions that will be a part of your assessment. 

A helpful way to ensure you’re prepared is to have a C3PAO perform a mock audit against applicable CMMC practices. 

Assess 

Now, for level 2 and 3 organizations, your C3PAO will complete the CMMC assessment for certification. 

Following the CyberAB’s CMMC Assessment Process, the C3PAO will review your documentation and complete interviews with your team before putting together the final report. 

If you’ve done the appropriate pre-work, gap assessments, and mock assessments, your team should be well prepared for this step in the process. 

Improve 

After receiving your certification, the work continues. Plan for continuous improvement and ensure you understand the next steps for future assessments. 

Perform annual self-assessments attesting to meeting the CMMC practices for your categorization level.

Assessing your needs 

Now that you understand the steps of the CMMC journey, it’s crucial to evaluate your organization’s readiness and preparation to set a clear roadmap. 

Start by familiarizing yourself with the different CMMC levels and identifying where your organization stands. This is part of the “Identify” step. 

If necessary, consider a partner to help you prepare for the assessment. Later in this guide, we outline the types of CMMC partners available so you can make the best decision for your organization’s needs. Download our CMMC Buyer’s Guide to follow along.

Explaining the CMMC levels 

blog cmmc buyers guide cmmc model 1 0

CMMC 2.0 Level 1 (“Foundational”) requirements  

Level 1 contractors handle Federal Contract Information (FCI) but not CUI. One of the more significant changes from CMMC 1.0 to 2.0 is that Level 1 is now a self-assessment only, placing this responsibility on the organization itself. Level 1 includes the same 15 controls outlined in Federal Acquisition Regulation (FAR) 52.204-21.  

CMMC 2.0 Level 2 (“Advanced”) requirements  

Level 2 contractors are those that handle CUI. Processes at this level are maintained and followed, and there is a comprehensive knowledge of cyber assets. The DoD has pared down the 130 practices in the original CMMC Level 3 baseline to the 110 practices outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171. “Critical” handlers of CUI will need a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) for CMMC certification every three years. Level 2 processes must be documented and managed to protect CUI.   

CMMC 2.0 Level 3 (“Expert”) requirements  

Level 3 is for organizations with the highest-priority programs with CUI. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level will replace what was formally known as CMMC Level 5. Level 3 will add additional requirements pulled from NIST 800-172 in addition to the Level 2 requirements. It is expected that organizations will be required to be assessed by the DoD directly every three years for Level 3 requirements. 

Preparation and readiness 

Once you understand your CMMC level, preparation for the assessment can begin. Many organizations seek assistance with preparation and readiness before taking the final step of the assessment for certification with a C3PAO. 

There are different types of partner organizations that can help you prepare for CMMC. 

MSSPs and consulting firms  

Managed Security Services Providers (MSSPs) and consulting firms can assist with program development, policy and procedure development, implementation, and ongoing CMMC management.  

RPs & RPOs 

Registered Practitioner Organizations (RPOs) provide CMMC guidance and support to Organizations Seeking Certification in the DIB. Registered Practitioner (RP) is a certification for an individual who can provide CMMC guidance, advice, and support. Many MSPs/MSSPs are also RPOs. 

GRC partners 

Governance, Risk & Compliance (GRC) partners help organizations conduct risk assessments, develop and enforce cybersecurity policies, and provide continuous monitoring. GRC platforms can streamline and automate the preparation process and ensure ongoing compliance. 

Selecting a C3PAO 

What is a C3PAO? 

The Cyber AB authorizes a CMMC Third Party Assessment Organization (C3PAO) to contract and manage CMMC assessments. Only authorized C3PAOs can conduct CMMC assessments. 

Currently, fewer than 85 C3PAOs can assess CMMC and more than 80,000 organizations need assessments. That means early adopters will have their pick of C3PAOs and will be first in line to receive certification. 

A C3PAO will be an essential partner in your CMMC journey, so you must choose an organization that meets your needs. Although the Cyber AB authorizes all C3PAOs, each organization has different strengths and weaknesses. 

Factors to consider when choosing a C3PAO 

Expertise 

Above all, you want to choose a C3PAO experienced in federal compliance, such as FedRAMP, NIST, and StateRAMP. Their deep understanding of the CMMC and NIST 800-171 frameworks ensures they can guide you through the necessary controls and requirements, helping you avoid common pitfalls and ensuring a smoother path to certification. You should consider how long the C3PAO has been in business, the experience of its employees, and its overall knowledge of cybersecurity compliance. 

Quality 

Not all assessment teams and final audit reports are created equal. While some organizations check the box, others go above and beyond to ensure quality at every step. High-quality C3PAOs bring extensive experience and a deep understanding of CMMC requirements, which helps identify and address potential compliance issues effectively. This reduces the risk of failing the assessment and ensures that your organization meets all necessary standards. Additionally, a quality C3PAO provides detailed feedback, helping you improve your cybersecurity posture and maintain compliance over time. 

Efficiency 

Efficiency directly impacts the time and resources required to achieve certification. The CMMC process can be cumbersome to navigate, but some C3PAOs offer technology to help streamline the process. This accelerates the certification process and minimizes disruptions to your operations. Additionally, efficient assessors help ensure that your organization remains aligned with CMMC requirements without incurring unnecessary costs. To further increase efficiency, consider a firm who can tackle additional frameworks such as SOC 2, ISO 27001, and more.   

Timing 

We expect to see CMMC as a requirement in DoD contracts in early 2026, meaning organizations must give themselves ample time to prepare for and complete the assessment. Because CMMC is a new rule, most organizations will need months to prepare the necessary compliance and documentation. Organizations will need 6-12 months of preparation before beginning the assessment. When choosing a C3PAO, timing should be a key consideration, so be sure to ask how soon you can get started and find out your place in the assessment queue. 

Budget 

While some affected organizations are used to budgeting for compliance, CMMC also covers businesses that may not have a compliance program or budget. Budget is an important consideration, but as with most things, you get what you pay for. Beware of budget C3PAOs that are offering assessments for under-market value. When looking at the budget, you should balance it with other factors that are important to you. Are you willing to pay more to expedite your timeline? Is the C3PAO you choose known for quality? Is it worth it to spend more to work with a trusted auditor instead of a brand-new firm? 

Case Study: Network Coverage 

Network Coverage is a managed service provider (MSP) that integrates technology and cloud solutions within business operations to improve productivity and security with as few issues and disruptions as possible. Network Coverage has been proactive in addressing the compliance needs of DoD subcontractors. Anticipating the impact of CMMC and the need for an assessor with federal compliance expertise, Network Coverage adapted from NIST 800-171 to CMMC 2.0 and engaged a reputable C3PAO for their federal compliance expertise. 

A-LIGN’s skilled auditors and responsive team have been instrumental in preparing for CMMC compliance, validating Network Coverage’s control set formally, and enhancing its marketability as a reputable MSP. Network Coverage found A-LIGN’s visibility into control crossover among multiple frameworks, such as SOC 2 and ISO 27001, to be a significant time saver. Network Coverage emphasizes planning, budgeting, and continuous monitoring for CMMC readiness, advising subcontractors to review contracts, conduct needs assessments, and prepare for third-party certification, leveraging A-LIGN’s expertise to streamline the process. 

“We’re seeing urgency around CMMC that we’ve never seen before. Contractors taking the wait-and-see approach need to have these conversations now. If they’re not having the conversations, now is the time to start.” 

-Bridget Wilson, SVP Governance Risk & Compliance 

Checklist: Questions to ask a C3PAO 

Selecting a C3PAO is a vital step of the CMMC assessment process. It will significantly impact the assessment experience and your final report. This checklist outlines key questions to ask a C3PAO to ensure you’re choosing the best fit for your needs. 

  • What is your experience with CMMC/NIS 800-171 assessments? 
    • How many CMMC Certified Assessors (CCAs) and (CMMC Certified Professionals) CCPs do you have? 
    • Are your CCAs and CCPs full-time employees or contractors? 
  • Does your team have experience with other federal assessments? 
    • How many federal clients do you have? 
    • How many federal audits and assessments have you completed? 
  • Does your organization conduct assessments beyond CMMC? 
    • What other federal or non-federal assessments/attestations/certifications does your organization provide? 
    • What efficiencies can we gain by consolidating our audits with a single provider? 
  • What can I expect in the assessment process? 
    • What is your team’s standard response time? 
    • Do you utilize technology that drives efficiency and streamlines the audit process? 
  • How much will my CMMC assessment cost? 
    • What are your rates, and what do they include? 
  • What is the timeline for assessment? 
    • What is the lead time to begin the assessment? 
    • How long do you anticipate the assessment process will take? 
  • Do you have references and case studies from satisfied customers? 

Ready to take the next step? Download the guide or contact us to learn more.

The responsibility of implementing and tracking the use of artificial intelligence at any company is growing more important every day as AI usage increases. In fact, in a survey from McKinsey, 65% of respondents say their organizations are regularly using generative AI in at least one business function, nearly doubling the survey’s last results.  

Interested in developing an AI policy for your company? Read on to learn why it’s important and how to get started. Download the template to follow along. 

Why is an AI policy important? 

Beyond serving as a marker to progress with the trends—like 44% of companies who already have an AI policy in place, according to Litter—AI policies also protect your company from potential lawsuits and liabilities. Using AI-based technologies can put sensitive data at risk or inadvertently cause copyright infringement if not used properly. Plus, these policies are a crucial element for AI frameworks and regulations like ISO 42001 and the EU AI Act. 

Who needs an AI policy? 

Deciding whether your company needs an AI policy doesn’t have to be complicated. Consider whether your company fits into one of these groups: 

  • Your company or employees are using AI to some degree in their day-to-day 
  • Your company is developing technologies that use AI 
  • Your company needs to adhere to frameworks and regulations like ISO 42001 and the EU AI Act 

What should an AI policy include? 

Cover your bases. If you’ve developed company-wide policies before, you might have a framework in mind. Regardless, keep these key elements top of mind: 

  • The purpose and scope of the policy 
  • Alignment with company goals 
  • Process for deviations 
  • Risk management 
  • Monitoring and reporting 
  • External communication and transparency 

Your company’s AI policy should be personalized to your company’s current and future usage of AI. Not every policy will look the same. Plus, this isn’t an exhaustive list. You might want to include monitoring and reporting information or required trainings for your company. 

How can I get started? 

For more, download this AI policy template developed by A-LIGN’s expert auditors to help you get started.

Competing priorities, everchanging standards, and a nonstop audit cycle can make tracking and executing audit plans a challenge. Enterprises are now turning to their audit partners to streamline the process and provide strategic plans through a process called audit consolidation. Read on to learn more from A-LIGN’s 2025 Compliance Benchmark Report

According to A-LIGN’s survey, 92% of organizations conduct at least two audits or assessments each year, with 58% conducting four or more audits. So, it should come as no surprise that nearly two-thirds of organizations are spending at least three months per year preparing for audits. This reactive, one-off approach likely has some impact on the available resources dedicated to compliance.   

In this blog, we will share some of the benefits of consolidating audits and auditors and some of the best practices to do so.  

What are the benefits of consolidating audits? 

Audit harmonization can reduce complexity and streamline compliance efforts by creating a close partnership between companies and their auditors. Auditors work with clients to create a compliance strategy that not only meets regulatory standards but also enhances customer trust, reduces risk, improves efficiency, and drives additional revenue. 

Additional benefits of consolidating audits include:  

  • Consistency across assessments: By consolidating audits, organizations can ensure a consistent approach to completing multiple assessments. This can help to standardize the audit process, reduce the risk of errors or inconsistencies, and provide a more comprehensive view of the organization’s compliance posture.  
  • Conducting multiple assessments with one vendor: Consolidating audits enables organizations to conduct multiple assessments with one vendor. This can help streamline the audit process, reduce costs, and improve communication and collaboration between the organization and the vendor.  
  • Reduction in duplicate evidence collection: Consolidating audits can also save time in evidence collecting. By consolidating multiple audits into a single event, organizations can more efficiently collect and organize the evidence required for each assessment, all at one time. This reduces the need to collect the same or similar evidence for different assessments throughout the year, reducing the amount of time and resources required to achieve compliance.  
  • Time savings: Consolidating audits can also save time for the auditor reviewing the evidence. By consolidating audits, auditors can more easily identify and review evidence that is relevant to multiple assessments, reducing the amount of time required to complete each audit (and the cost associated with their work).  

In addition to consolidating audits, organizations can also streamline compliance by consolidating their audits with a single provider. 

What are the benefits of consolidating auditors? 

Consolidating auditors involves working with a single provider to manage all of audits, instead of hiring multiple auditors across different areas of focus.  

A-LIGN’s research shows that half of organizations might switch audit service providers for more efficient, less time-consuming processes and 45% would do so for cost savings. Consolidating audit service providers could help realize these benefits.   

By consolidating auditors, organizations can realize several advantages, including:  

More efficient and effective audits: Consolidating auditors can reduce the time and resources required to manage multiple vendors. By working with a single provider, organizations can streamline the audit process and reduce the administrative burden of managing multiple auditors.   

Cost savings: Another significant benefit of consolidating auditors is cost savings. By working with a single provider, you can negotiate better rates and reduce the overall cost of your compliance program. Furthermore, consolidated audits reduce the time spent managing the audit process, which can help reduce costs and increase efficiency.  

Improved communication: Consolidating auditors can help improve communication and collaboration between different areas of your organization. By working with a single provider, you can ensure that everyone is on the same page and that all compliance activities are aligned with your organization’s goals.  

Organizations should carefully consider their options when selecting an auditor and ensure that they are working with a provider that can meet their unique needs. It’s important to choose an auditor that has experience in your industry and understands the specific regulations and standards that you must comply with. Additionally, organizations should carefully review the audit methodology and approach used by the provider to ensure that it aligns with their overall compliance goals.  

Want to learn more? Contact us today to learn how A-LIGN can save you time and streamline your audit process.

As artificial intelligence (AI) continues to position itself as an integral part of business operations in 2025, safeguarding AI systems against security threats is essential. Recognizing this need, HITRUST has launched its own AI Security Assessment, offering organizations a robust framework to address the unique challenges of deployed AI technologies.

What is the HITRUST AI Security Assessment?

HITRUST’s AI Cybersecurity Assessment provides a structured approach to evaluate and manage AI-related risks, ensuring secure, transparent, and ethical AI practices for not only healthcare organizations, but for businesses operating across all sectors.

Based on ISO/IEC 23894:2023 and the NIST AI Risk Management Framework, this assessment includes 51 controls for AI governance to ensure comprehensive risk management without disrupting current and ongoing compliance efforts.

Key features of the HITRUST AI Security Assessment include:

  1. Curated security controls: Focused on the distinct challenges posed by AI technologies, these controls are specifically designed to address AI-related vulnerabilities.
  2. AI-specific threat requirements: The assessment leverages insights from authoritative sources to establish security requirements that counter emerging AI threats.
  3. Control inheritance: Organizations can inherit controls from their AI solution providers, streamlining the assessment process and reducing administrative burdens.

The assessment provides a report with strengths and improvement areas, adaptable for various AI stages, supporting self-assessment or HITRUST validation. Certified entities will receive HITRUST e1, i1, or r2 Certification reports and letters, as well as AI Security Certification reports and letters.

Who can get a HITRUST AI Security Assessment?

Although organizations in any industry can conduct a HITRUST AI Security Assessment, there are certain guidelines that must be met to be assessed.

To achieve certification, organizations must meet the following guidelines:

  • Be an AI platform and product provider – this excludes AI developers, users and partners
  • Achieve HITRUST e1, i1, or r2 certification prior to the AI Security Assessment
  • Achieve the following minimum score on applicable assessments:
    • e1 and i1 assessments: 83
    • r2 assessments: 62

Why should organizations pursue a HITRUST AI Security Assessment?

Businesses across all industries are heavily investing in AI as its use expands rapidly. However, AI systems process sensitive data, making them prime targets for cyberattacks.

With new regulations like the EU AI Act, organizations must proactively manage AI risks to ensure compliance and gain a competitive edge as reliance on AI grows.

Ensuring robust security measures is crucial for protecting data integrity, preventing breaches, and maintaining compliance. The HITRUST AI Security Assessment provides a structured framework to address these challenges, fostering trust and resilience in your AI initiatives.

Additionally, organizations using CSF v11.4.0 or newer can now add the “Cybersecurity for AI Systems” compliance factor through the MyCSF platform. This integration, which requires additional report credits and adheres to standard QA reservation protocols for validated reports, seamlessly integrates with existing HITRUST e1, i1, and r2 assessments.

Partnering with A-LIGN for your HITRUST AI cybersecurity needs

A-LIGN provides comprehensive services to guide your organization through the HITRUST AI Security Assessment process, no matter where you are at on your journey.

  1. Advisory services: Our readiness assessments identify gaps and prepare your organization to meet HITRUST requirements efficiently.
  2. Comprehensive assessments: We conduct HITRUST AI Security Assessments, as well as HITRUST AI Risk Management Assessments, and handle submission to HITRUST for certification, streamlining your compliance journey.
  3. End-to-end support: From preparation to certification, we ensure a smooth process, allowing your team to focus on core business activities.

The HITRUST AI Security Assessment helps to safeguard AI technologies against evolving threats. With A-LIGN’s high-quality audit services and unparalleled expertise, you can confidently navigate this process, enhancing your AI security posture and maintaining compliance with global standards.

Contact A-LIGN and one of our compliance experts will be in touch to start your HITRUST AI security journey.

Achieving Cybersecurity Maturity Model Certification (CMMC) is essential for organizations in the Defense Industrial Base (DIB), yet diving into certification without adequate preparation can lead to costly setbacks. Many organizations rush to hire a CMMC Third-Party Assessor Organization (C3PAO) prematurely, often bypassing essential preparatory steps. This post highlights how leveraging a qualified Managed Service Provider (MSP) with Registered Practitioner (RP) status, like CyberSheath, can help organizations prepare for certification with compliance-driven IT and security services. 

CMMC roles and responsibilities: Qualified MSP/RPs and C3PAOs 

To understand the CMMC compliance process, it’s essential to recognize the distinct roles of MSPs, RPs, and C3PAOs: 

  • Qualified MSPs with Registered Practitioner (RP) status: Not every RP is equipped to support CMMC compliance with an operational approach, but those that are also MSPs bring a unique advantage. MSPs like CyberSheath, with strong CMMC experience and RP credentials, offer not only advisory support but also the practical, day-to-day compliance services that meet CMMC standards. Unlike RPs who may only advise, an MSP that also functions as a Registered Practitioner operates in alignment with CMMC requirements through compliance-driven IT and security services—supporting clients’ CMMC compliance goals by maintaining continuous operational alignment. 
  • C3PAOs: CMMC Third-Party Assessor Organizations (C3PAOs) are authorized by the Cyber Accreditation Body (Cyber-AB) to conduct official CMMC certification audits. C3PAOs must maintain strict separation of duties to ensure an objective audit—they cannot provide advisory or compliance services as this would compromise the independence required for certification. C3PAOs are limited to performing formal CMMC assessments and mock assessments, helping organizations understand what a real audit entails without impacting the certified environment. 

Common pitfalls in CMMC compliance preparation 

Rushing into the certification process without sufficient preparation can lead to costly missteps. Here are some common mistakes to avoid: 

1. Engaging a C3PAO without adequate preparation 

While it’s important to connect with a C3PAO early to secure a spot on their schedule, rushing into the certification process without adequate preparation can lead to failed assessments and unnecessary expenses. Organizations sometimes assume they’re ready simply because they’ve implemented certain cybersecurity controls. However, without thorough preparation and understanding of CMMC requirements, critical compliance gaps are often overlooked. Partnering with a qualified MSP/RP like CyberSheath ensures your organization is fully prepared. MSPs with RP status provide the operational IT and security services needed to address compliance gaps, so you’re ready for a successful C3PAO assessment.

2. Skipping the gap assessment 

A gap assessment is a foundational step for effective CMMC preparation. While it’s possible to conduct a self-assessment, qualified MSPs with RP status, such as CyberSheath, provide gap assessments that evaluate an organization’s practices against CMMC requirements, identifying critical areas for improvement. MSPs that serve as RPs not only perform assessments but support day-to-day compliance operations, distinguishing themselves from RPs who only advise. This operational involvement enables MSPs to support clients in maintaining the specific security standards necessary for certification. 

3. Underestimating the importance of compliance-focused operational services 

Organizations sometimes overlook the value of compliance-focused operational services in preparing for CMMC certification. A qualified MSP/RP like CyberSheath offers more than advisory support—it provides ongoing compliance IT and security services that are fundamental to daily operations and directly aligned with CMMC requirements. This goes beyond checklist guidance, as MSP/RPs are responsible for helping DIB clients maintain a compliant environment in their routine operations, embedding compliance into every aspect of IT and security. 

4. Blurring the boundaries between compliance services and certification 

Ensuring separation between compliance services and certification is crucial for an unbiased audit. Leveraging a qualified MSP/RP for compliance support ensures readiness without compromising the objectivity of the C3PAO certification process. Once prepared, engaging an independent C3PAO for the official audit not only meets Cyber-AB’s requirements but also ensures a fair, unbiased certification process. 

Preparing for a successful CMMC audit 

To prepare effectively for CMMC certification, follow these steps: 

  1. Start with a gap assessment by a qualified MSP/RP: Begin with a comprehensive gap assessment to identify areas of noncompliance. Working with an MSP/RP provides additional insight into how operational compliance can be embedded into daily activities, minimizing the risk of unexpected issues during the formal audit. 
  1. Implement compliance-focused operational services: Compliance services offered by an MSP/RP go beyond basic advisory—they encompass IT and security operations that meet CMMC standards day-to-day. This ensures the organization’s environment is consistently aligned with CMMC requirements, making them better prepared for certification. 
  1. Begin C3PAO assessment: Due to timing and a backlog of available assessors, it is recommended to contract with a C3PAO early in the audit process. Then, once implementation and remediation are complete, organizations will be ready to begin the certification audit. Remember, CMMC certification is a three-year cycle, and you’ll need to reassess if any significant changes impact your certified environment. 

Rushing into CMMC certification without sufficient preparation can lead to costly delays. By leveraging the operational compliance services of a qualified MSP/RP like CyberSheath, organizations can ensure their environment meets CMMC requirements before engaging a C3PAO for the formal audit. This strategic approach optimizes resources and maximizes the chances of a successful CMMC certification, establishing a compliant foundation for the three-year certification cycle ahead. 

In business, like in sports, achieving greatness isn’t just about recruiting star players – it’s about building a championship team. Bill Belichick didn’t just assemble a roster of talented athletes, he built champions through rigorous training, discipline, and leadership. At A-LIGN, we follow the same principles. We recruit strong professionals and then coach them to become industry leaders that other teams want in their starting lineup. 

Let’s break down our strategy of building a championship team of audit professionals. 

A-LIGN’s talent philosophy 

Championships aren’t won on raw talent alone. A successful team is made up of individuals with different strengths – from grit and intelligence to a team-first attitude – all guided by effective leadership. These qualities don’t come easy, as some are intrinsically present, while others must be cultivated over time. 

A strong talent development program is the foundation for high-caliber teams. There’s a direct correlation between a team’s effectiveness and its win-loss record, or in our case, the growth of our clients and A-LIGN. With company performance expectations trending higher than ever, it’s no longer enough to simply offer training and development programs. An organization’s game plan must include a talent development strategy that makes its way into every facet of its culture. 

Developing championship talent 

How do organizations stay competitive and maintain a deep bench of talent? By treating talent development like a long-term contract and investing in their future. Just like a winning team trains every player to not only perform at their peak but to lead, innovate, and deliver results, businesses must do the same. 

Technical training programs 

A-LIGN’s technical training programs are designed to develop well-rounded professionals by combining technical expertise with strong leadership skills. Our technical programs are essential for providing a comprehensive overview of the audit lifecycle, enhancing auditors’ technical expertise in regulatory and third-party standards, and integrating real project-related examples into the curriculum. 

These programs allow employees to practice applying technical concepts in meaningful ways, fostering a deeper understanding of their work. By making these learning experiences a core part of our culture, we encourage continuous growth and collaboration, ensuring that our team stays at the forefront of industry standards and innovations.  

Leadership and development curriculum 

Our leadership and development programs teach everything from leader identity, effective communication, emotional intelligence, and successful feedback, to developing strategy and vision.  As with all successful teams, there are coaches who support the players in real time whether in practice or on the field.  At A-LIGN, we have a full-time internal leadership coach who focuses on providing feedback and skill development for employees at every level.  

With the help of our leadership, manager, and player coaches, our professionals are in a continuous growth model. Being technically strong is essential, but the true MVPs are those with the skills to lead their team, adapt on the fly, and make tough decisions when the game is on the line.  

Investing in our industry’s future 

This level of investment in our people comes at a price. When you develop top talent, others take notice and want to recruit your players to join their team. We believe this is a sign of strength – we’ve recruited, grown, and developed the best in the industry. 

Our auditors, trained and tested through A-LIGN’s programs, often get recruited for key leadership roles at other organizations. When they move on, they carry our standards, our values, and our commitment to quality into the broader field. It’s at times like these, that A-LIGN’s coaching tree ensures that generations of auditors, managers, and directors are developed, and maintaining a deep bench for seamless, high-quality service delivery.  

We’re not just building great security and compliance professionals; we are actively investing in the advancement of the industry. Every professional who has been through our system continues to raise the bar wherever they go.   

We welcome this challenge because we’re not just in it to win for ourselves. We’re here to elevate the game for the entire cybersecurity compliance industry. As we continue to recruit, train, and develop top talent we know that our legacy extends far beyond our locker room. 

On October 15, 2024, the Department of Defense (DoD) published the final 32 CFR rule for CMMC 2.0 in the federal register. The long-awaited rule outlines the requirements for defense contractors and subcontractors, defines the levels and assessment types, outlines responsibilities for CMMC third-party assessment organizations (C3PAOs), and sets the implementation timeline. 

Now that the CMMC program rule is finalized, here are the key takeaways you need to know. 

Notable updates on CMMC final rule 

Draft versions of the CMMC rule have circulated for months, providing strong indicators of the direction of the program. But, as expected, there are a few notable changes and updates in the final rule. 

Program timeline 

CMMC began operating on December 16, 2024. In September 2025, 48 CFR was published in the Federal Register with an effective date of November 10, 2025. This marks the official start of Phase 1 of the CMMC roll out, meaning readiness is no longer optional and all new DoD solicitations and contracts include some level of CMMC requirement. 

Organizations that get certified ahead of upcoming contractual requirements will be set to meet those requirements without delay. This is one of the many reasons we encourage organizations to get in the queue for certification as soon as possible. 

External service provider applicability 

The biggest difference between the proposed and final rule has to do with external service provider (ESP) certification. In earlier versions of the proposed rule, ESPs, such as managed service providers (MSPs) were required to obtain CMMC certification. Under the final rule, it is not required for ESPs to obtain their own certification. 

However, it is still highly encouraged that ESPs should pursue CMMC certification. If ESPs decide to not pursue CMMC certification, then their assets will be in scope of their client’s assessments by a C3PAO. This means that ESPs could negatively impact their clients’ timelines by adding additional hurdles to review assets. Therefore, it is highly encouraged that ESPs get CMMC certified in order to streamline the process – which many of them were planning to do before the final rule was published. 

Assessment staffing 

The final rule includes an important update on staffing. The CyberAB, the accreditation body behind CMMC certification, has a program for training and certifying the individuals conducting CMMC assessments. There are two levels, certified CMMC professional (CCP) and certified CMMC assessor (CCA). 

The CMMC final rule outlines that three CCAs must be involved in each assessment. Two CCAs will be required on the assessment team and one CCA will be a part of QA review. 

This mandate for trained and certified professionals to conduct CMMC assessments will help to set a standard for excellence. However, it may create challenges for smaller C3PAOs with limited staff resources, resulting in longer wait times for assessments. 

Requirements for CMMC level 2 compliance 

The majority of organizations affected by CMMC will fall into level 2. The final rule defines the requirements for level 2: 

  • If you store, transmit, or process Controlled Unclassified Information (CUI), then you will need to obtain Level 2 Certification via assessment from a C3PAO 
  • Organizations Seeking Certification (OSCs) will need to implement the 110 practices outlined in NIST 800-171 and meet all 320 practice objectives 
  • While the DoD contract requirement rollout will begin likely in 2026, it is possible for primes to begin placing CMMC requirements to their subs before then 

Get started with CMMC now 

The window to prepare for CMMC compliance is closing, and organizations that proactively align with these standards now will have a competitive advantage.  

Don’t wait until it’s too late. Start preparing for CMMC today. Strengthen your cybersecurity posture, secure future business opportunities, and ensure your place in a resilient supply chain that safeguards America’s security. 

A-LIGN is a globally recognized cybersecurity and privacy compliance provider that offers a single-provider approach for organizations. With more than 1,000 federal assessments completed, A-LIGN is an accredited C3PAO and FedRAMP 3PAO with extensive experience across NIST frameworks.   

Contact us today to secure your spot in line. 

NIS2 Directive: What You Need to Know

by: A-LIGN 01 Oct,2024 5 mins

The European Union has introduced the NIS2 Directive—an evolution of its cybersecurity strategy to safeguard essential services and networks. Once the directive is transposed into law by the EU member states, the penalties for non-compliance will follow soon after. For businesses operating within the EU, understanding this directive is crucial for compliance and enhancing their cybersecurity posture. 

This blog post will guide you through the intricacies of the NIS2 Directive, discussing who needs to comply, its purpose, coverage, requirements, and timeline. By the end, you’ll know how to prepare your organization for this pivotal shift in cybersecurity governance. 

What is the NIS2 Directive? 

The NIS2 Directive, a successor to the original NIS (Network and Information Systems) Directive, marks a significant step forward in the EU’s approach to cybersecurity. It aims to address the growing complexities and sophistication of cyber threats that can disrupt essential services. While the original NIS Directive laid the groundwork for cybersecurity measures across member states, NIS2 expands on these foundations, introducing more stringent requirements and a broader scope. 

The directive establishes a harmonized framework for cybersecurity across the EU, covering 18 critical sectors. It aims to bolster the EU’s resilience against cyber threats. By enforcing higher cybersecurity standards, NIS2 seeks to protect critical infrastructures and sectors vital to modern society’s functioning. From energy and healthcare to transport and finance, the directive ensures that all essential services maintain robust cybersecurity practices to safeguard against potential disruptions. 

NIS2 is not just about setting rules but about fostering a cybersecurity awareness and action culture. The directive encourages organizations to take proactive measures in identifying and mitigating cyber risks, ultimately leading to a more secure and resilient European digital landscape. 

When and how will NIS2 be enforced? 

The deadline for the NIS2 Directive to be transposed into national laws by all EU member states was originally established as 17 October 2024. As of May 2025, the European Commission issued formal warnings to 19 member states for failing to notify full transposition, giving them two months to comply or face potential referral to the Court of Justice of the European Union. 

Once transposed, member states are responsible for enforcing the directive through designated national authorities, which must implement supervisory and enforcement measures, including penalties for non-compliance. 

Who must comply with NIS2? 

The NIS2 Directive casts a wide net, encompassing a broader range of sectors and entities than its predecessor. While the original NIS Directive focused primarily on operators of essential services (OES) such as energy, transport, and health, NIS2 extends its reach to include digital infrastructure providers, public administration entities, and other critical sectors. 

Organizations that fall under the directive’s scope must comply with its requirements. This includes private and public entities providing essential services or operating critical infrastructure within the EU. Small and micro enterprises are generally excluded, unless they are deemed critical.

Organizations must assess whether they fall within the directive’s scope and understand their obligations. Compliance with NIS2 is not optional. Failure to adhere to its requirements can result in significant penalties and reputational damage. Therefore, organizations must proactively align cybersecurity practices with the directive’s mandates. 

What is the purpose of NIS2? 

The NIS2 Directive is designed to enhance the EU’s cybersecurity resilience and protect its digital landscape from evolving threats. The directive aims to ensure that essential services and critical infrastructure remain operational and secure, even in the face of cyber threats. 

One of NIS2’s primary objectives is to foster a harmonized approach to cybersecurity across EU member states. The directive seeks to eliminate fragmentation and inconsistencies in cybersecurity measures by establishing common standards and practices, ensuring that all member states work collaboratively to address cyber risks. 

Furthermore, NIS2 aims to enhance information sharing and cooperation between member states. This collaborative approach enables member states to pool their resources, expertise, and knowledge, strengthening the EU’s cybersecurity posture. 

What does NIS2 cover? 

The NIS2 Directive covers a wide range of sectors and entities. Its scope includes traditional critical infrastructure sectors, such as energy, transport, and healthcare, digital service providers, public administration entities, and manufacturing industries. 

Within these sectors, the directive applies to organizations that provide essential services or operate critical infrastructure. This includes entities responsible for maintaining the security and availability of network and information systems that underpin these services.  

The directive also emphasizes the importance of supply chain security. With cyber threats often exploiting vulnerabilities in the supply chain, NIS2 requires organizations to assess and mitigate risks associated with their third-party suppliers and service providers. 

What are the NIS2 requirements? 

The NIS2 Directive establishes requirements for organizations to achieve their objectives. These requirements cover various aspects of cybersecurity, including risk management, incident reporting, and governance. 

Firstly, organizations are required to implement robust risk management practices to identify and mitigate cyber risks. This includes conducting regular risk assessments, implementing appropriate security measures, and continuously monitoring their network and information systems for potential threats. 

Secondly, the directive mandates timely incident reporting. Organizations must issue the initial notification to the relevant national authorities within 24 hours, followed by an intermediate report within 72 hours and final report within one month. Timely incident reporting facilitates information sharing and collaboration between member states, enabling a coordinated response to cyber threats. 

Lastly, NIS2 emphasizes the importance of cybersecurity governance. This includes appointing a designated person or team responsible for overseeing cybersecurity measures and ensuring compliance with the directive’s requirements. 

What are the minimum measures for NIS2? 

Beyond the key requirements, NIS2 mandates the following baseline security measures: 

  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures 
  • Security in system acquisition, development and maintenance, including vulnerability handling and disclosure 
  • Risk analysis & Information system security 
  • Supply chain security 
  • Policies on appropriate use of cryptography and encryption 
  • Incident handling 
  • Basic computer hygiene and trainings 
  • Business Continuity measures (back-ups, DR, crisis management) 
  • HR security, access control policies and asset management 
  • Use of MFA or secured voice/ video/text comm & secured emergency communication 

What are the penalties for non-compliance? 

Failure to comply with NIS2 can result in financial penalties for an organization. The actual amount will be determined by each EU member state once they transpose the NIS2 Directive into local regulations.

However, the directive offers guidance ass to what those penalties should be. The dollar amount of fines will be based on an organization’s classification. Essential entities are large companies (250+ employees or €50M+) that operate in sectors of critical importance. Important entities are large companies operating in the other sectors or medium-size companies (50-249 employees or €10M-50M) operating in any of the sectors in scope. 

For essential entities administrative fines can be up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher. 

For important entities, administrative fines can be up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the critical entity belongs, whichever amount is higher. 

Conclusion 

The NIS2 Directive represents a significant advancement in the EU’s efforts to enhance cybersecurity resilience and protect critical infrastructures. The directive aims to create a safer and more secure digital landscape for all member states by establishing common standards, fostering collaboration, and addressing supply chain security. 

For organizations, compliance with the regulations transposed from NIS2 is not just a legal obligation—it’s an opportunity to strengthen their cybersecurity posture and gain a competitive advantage. By implementing robust risk management practices, timely incident reporting, and effective governance frameworks, organizations can protect their operations, safeguard customer trust, and contribute to the overall cybersecurity resilience of the EU. 

Organizations should consider engaging with cybersecurity experts like A-LIGN to stay ahead of evolving cyber threats and ensure compliance with the transposed regulations that will follow the NIS2 Directive. Reach out to our team today.