Inside the CMMC Assessment: A Mock Audit Experience

by: A-LIGN 45 min

CMMC, Compliance

CMMC Assessment: Key Strategies and Insights for Success

Cybersecurity compliance under the CMMC program can feel like a heavy lift, but you don’t have to navigate it alone. In a recent webinar, A-LIGN’s Matt Bruggeman and Kort Claybaugh broke down the complexities of the assessment process into actionable steps. From understanding the assessment phases to implementing preparation strategies, here’s how to maximize your readiness and ace your CMMC Level 2 assessment. 

Understanding the assessment phases 

The CMMC Level 2 assessment process is designed to verify compliance with 110 controls in NIST 800-171 Rev 2. These controls are evaluated across four distinct phases: 

Phase 1: Pre-assessment 

The pre-assessment phase is all about laying the groundwork. Assessors review your organization’s policies, procedures, and documentation to validate readiness and scope. This includes confirming artifacts like System Security Plans (SSP), shared responsibility matrices, and boundary diagrams. 

While assessors don’t dive into specific controls at this stage, they ensure your documentation is thorough and your scoping is accurate. Think of this phase as the foundation for everything that follows. 

Phase 2: Assessment  

This is where the real evaluation begins. Assessors examine your documentation, interview subject matter experts, and test controls to ensure they are both implemented and effective. Each control must meet all associated assessment objectives to pass. In practice, this means addressing 320 individual objectives, not just 110 controls.  

Phase 3: Review and reporting 

After the assessment, organizations have a 10-day window to submit any additional requested artifacts. Assessors then finalize their report and upload the results to the Enterprise Mission Assurance Support Service (eMASS).

Phase 4: Certification 

Organizations that meet all requirements receive their CMMC certificate and a unique ID. However, if any controls are found to be insufficient, a conditional certificate may be issued, giving the organization 180 days to address outstanding issues. 

Strategies for success 

Prepare comprehensive documentation 

Start by ensuring your documentation is comprehensive and tailored to your environment. While SSP templates can be a helpful starting point, they should be customized to reflect your organization’s specific scoping, diagrams, and compensating controls. Avoid marking controls as “Not Applicable” unless absolutely necessary. Instead, describe how compensating measures address any gaps.  

Understand controls and assessment objectives 

Certification isn’t just about passing overarching controls—it’s about meeting every specific objective. For example, controls related to authorized access require clear evidence, such as Active Directory exports or audit logs, to verify compliance. 

Address physical and digital media protection 

For physical Controlled Unclassified Information (CUI), such as paper documents or USB drives, assessors may require site visits to verify secure storage practices. This could include locked drawers for documents or policies governing the physical control of media during transit. For removable media, using encrypted, password-protected devices is essential. Be sure to validate configurations to ensure compliance with standards like FIPS. 

Technical tips for a smooth assessment 

Nonessential programs: Clearly define what constitutes essential and nonessential programs within your environment and be ready to provide software inventories. 

Physical site visits: Assessments requiring site visits are typically brief, lasting an hour or so. Focus on clear documentation and practices demonstrating physical security controls. 

Removable media: If using encrypted, password-protected media, ensure you have tracking policies in place and validate the device configurations.
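The three tips above each ask for evidence an assessor can inspect: a software inventory, proof that removable media is encrypted, and confirmation that the host is configured for FIPS-approved algorithms. The script below is an added example of how to gather that evidence on a Windows endpoint; it is not code from the A-LIGN webinar or from A-LIGN. It assumes a Windows 8 / Server 2012 or later host with the BitLocker and Storage PowerShell modules available, an elevated session, and that the `FipsAlgorithmPolicy\Enabled` registry value is the FIPS policy flag the assessor expects to see; the output file location is a placeholder.

```powershell
# Added example (not from the webinar): collect evidence for the removable-media,
# FIPS and software-inventory tips on one Windows host.
# Assumes: elevated session, BitLocker + Storage modules present.

$Report = [ordered]@{}

# 1. FIPS policy. Windows records its "use FIPS-compliant algorithms" setting in
#    this registry value; 1 means the policy is enabled.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
$Report.FipsPolicyEnabled = ($null -ne $fips -and $fips.Enabled -eq 1)

# 2. Removable media. Every removable volume currently attached is checked for
#    BitLocker protection; anything unprotected is flagged for follow-up.
$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
$mediaRows = foreach ($vol in $removable) {
    $mount  = "$($vol.DriveLetter):"
    $bl     = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    $method = 'None'
    if ($bl) { $method = [string]$bl.EncryptionMethod }
    [pscustomobject]@{
        MountPoint       = $mount
        FileSystemLabel  = $vol.FileSystemLabel
        Protected        = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
        EncryptionMethod = $method
    }
}
$Report.RemovableMedia = @($mediaRows)

# 3. Software inventory. The Uninstall keys list installed programs for both
#    64-bit and 32-bit installs; the list is what you classify as essential
#    vs. nonessential when the assessor asks.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Report.InstalledSoftware = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName
)

# Surface the gaps immediately, then write the whole report as a JSON artifact
# that can be attached to the evidence package.
if (-not $Report.FipsPolicyEnabled) {
    Write-Warning 'FIPS algorithm policy is not enabled on this host.'
}
foreach ($row in ($Report.RemovableMedia | Where-Object { -not $_.Protected })) {
    Write-Warning "Removable volume $($row.MountPoint) is not BitLocker-protected."
}

$outPath = Join-Path $env:TEMP 'cmmc-endpoint-evidence.json'   # placeholder path
$Report | ConvertTo-Json -Depth 4 | Set-Content -Path $outPath -Encoding UTF8
Write-Output "Evidence written to $outPath"
```

Run it on each in-scope endpoint and keep the JSON alongside the SSP; the warnings are the items to remediate before the assessor arrives, and the inventory section is the starting point for the essential/nonessential program list the first tip asks for.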

Proactive compliance is key 

Compliance doesn’t stop after certification. While CMMC Level 2 certificates are valid for three years, organizations are expected to maintain compliance continuously. Lapses in compliance can lead to legal exposure, particularly under regulations like the False Claims Act. 

The most successful organizations treat the assessment as a partnership with their assessor. By preparing consistently, maintaining organized documentation, and addressing gaps early, you can streamline the process and secure a certification that you — and your customers — can trust. 

A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI.
