Stop Thinking CMMC Practices and Processes. Start Worrying about Assessment Objectives

So many CMMC numbers thrown around. You hear 110, 131, Delta 20s, 99s, 97s, 98s.

None of this matters as much as the assessment objectives. In the Cybersecurity Maturity Model Certification porgram you must have compliance of all assessment objectives for all practices and process at the maturity level you seek. Furthermore an assessor will hold you responsible for all the objectives at lower levels. The model builds maturity through the accumulation of compliance with assessment objectives.

If one assessment objective falls out of compliance you fail your CMMC assessment (well you get a 90 adjudication period but more on that later….when we know more on that).

CMMC By The Numbers

What does it Mean for me?

Do not talk to any vendor who tries to sell you compliance on Practices and Processes without mentioning assessment objectives. They do not know anything.

While the numbers sound daunting many of the Assessment Objectives, especially the 98 and 97 process assessment objectives will overlap with Oberservable evidence you collect at part of you System Security Plan.

You can find good templates out there that will measure both the CMMC assessment objectives and also include the DoD Assessment Methodology DAM for a 171a self assessment against NIST SP-800-171.

You may have th4e wrong numbers because your documents fell out of date. If the version of the CMMC model documents come from version 1.02, you have outdated information. Go find the CMMC Assessment Guides (v1.10) on A&S website. The Appendices no longer matter. Do not use them.

One tip we often tell people to do to improve the assessment guide is to cut the page in half so you only have the Assessment Objectives left.

 

Thank you to Amira Armond and Jacob Horne for verifying and accounting the assessment objectives for everyone. If you need any CMMC compliance help the CT CMMC Coalition highly recommends both Kieri Solutions and DefCert.

Leave a comment

Your email address will not be published. Required fields are marked *