While we await the release of the CMMC assessment process from the CMMC Accreditation Body (AB), we can look to how the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducted Level Three assessments of Certified Third Party Assessment Organizations (C3PAOs) to understand the methodology.
As we know, Cybersecurity Maturity Model Certification (CMMC) assessments happen in four phases. At each step a decision is made on whether to continue with the assessment. At a brown bag luncheon DIBCAC released its go/no-go decision trees.
This provides a road map for companies that may want to prepare for their CMMC journey now.
If you do not have a documented System Security Plan (SSP) you cannot be scored against the NIST SP 800-171 framework or CMMC.
If you use the NIST templates for 800-171A self-assessments, your SSP will not include all of the domains, practices, and assessment objectives necessary for CMMC.
Policy, Procedures, and Plans
Do you know how much documentation CMMC takes? A lot. A lot a lot, like your hand falls off from writing amounts.
At Level Two you need a policy for every single one of the 17 domains in CMMC (you do not need 17 separate documents, though you can have them). At Level Three you need to document the procedures for implementing these policies AND have a plan to budget and resource those procedures.
If you are missing any of the policies, procedures, or plans you do not proceed. If any of these three exist only in draft form you do not proceed. If you confuse procedures with plans you do not proceed.
You need to certify that you have assessed yourself and have no open action items against the 705 assessment objectives of CMMC.
The information owner of the organization seeking certification must validate the completion of the self-assessment.
No Open Plans of Action
CMMC is a binary assessment. You do or do not. Yoda rules: there is no try. If you score 704/705, meeting 99.85% of assessment objectives, you fail.
Customer Responsibilities Matrix
If you use a Managed Service Provider (MSP) or a Managed Security Service Provider (MSSP), you need to know which assessment objectives they help you meet, which ones they do not, and which ones you share.
You then have to work these matrices into your procedures to make sure you complete your shared obligations.
If either step goes missing you do not proceed.
Procedures are Repeatable
Your procedures must be written so that an assessor can repeat them and get the same result you get, every time.
If you cannot follow your own procedures you do not proceed.