How to Get Ready for a CMMC Certification Assessment
Updated: Oct 20
Preparing for a CMMC Assessment is a new and enormous challenge for organizations seeking certification. Though CMMC is based on the NIST framework, it introduces several new concepts and tightens the security requirements to a heightened level of cybersecurity hygiene. By introducing new CMMC Processes, requiring per-subsystem evaluation of Assessment Objectives, and mandating that all POA&Ms be fully remediated and closed, CMMC Assessments demand a new breed of cybersecurity professionals in the commercial space. As organizations work to digest and understand this new Standard, Archer CMMC is here to support them and ease the challenges of managing and carrying out the preparatory pre-assessment work.
The CMMC Challenge #1
Keeping track of the CMMC Practices and Processes
The first step in a CMMC self-assessment is to determine which certification level (e.g., Level 1, Level 2, Level 3) you want to achieve. Based on that level, you will need to understand which Practices and Processes are required for certification. CMMC has a total of 171 Practices and 5 Processes that are associated with different domains. Each CMMC level of certification contains a different subset of these Practices and Processes, so you want to be certain you are selecting the correct Practices and Processes for your self-assessment.
The Archer Solution
Archer has created a catalog of security requirements that directly aligns to the appropriate Maturity Levels, saving you hours of time when setting up your self-assessment while also ensuring you are assessing the correct CMMC Practices and Processes.
Archer CMMC maintains a catalog with the latest version of all Practices and Processes from the CMMC framework.
Archer CMMC automatically maps the correct Practices and Processes to your self-assessment based on the CMMC certification level you choose.
Archer CMMC provides reports and a snapshot view of the current assessment status of all Practices and Processes across each CMMC Domain during your self-assessment.
The CMMC Challenge #2
Ensuring all assessment objectives have been properly completed
Let’s use a CMMC Maturity Level 3 certification as an example. There are 130 Practices and 51 Processes that need to be met to achieve a Maturity Level 3 certification. There are also hundreds of Assessment Objectives that roll up to the Practices and Processes. Every system-specific Assessment Objective must be individually mapped and assessed for each subsystem in your boundary scope. That means if you have five subsystems, you must map and certify against the allocated list of Assessment Objectives five times.
As you can tell, it's very possible to have thousands of Assessment Objectives that have to be allocated and evaluated depending on how many subsystems need to be assessed. Maintaining clarity and visibility into each subsystem and all of its related Assessment Objectives, as well as the Practices and Processes, can quickly become a logistical nightmare.
The Archer Solution
Archer CMMC provides a number of capabilities to help you manage this enormous task of tracking and completing thousands of Assessment Objectives across all your subsystems.
Archer CMMC automatically maps every relevant Assessment Objective to each of your subsystems, ensuring you have proper alignment for assessment across all the subsystems within your boundary scope.
Archer allows bulk status updates and manual override options for each Assessment Objective to ensure flexibility and efficiency in your assessment workflow.
Archer CMMC enables evidence documentation (e.g., artifacts, comments, screenshots) at both the top level of Practices and Processes and the individual Assessment Objective level across each subsystem, for assessment defensibility.
The CMMC Challenge #3
Managing deficiencies and remediation activities
Open POA&Ms are not permitted if you are to pass a CMMC certification assessment by a C3PAO. This means you need to resolve all of your security requirement deficiencies during your self-assessment and maintain proof of their remediation.
The Archer Solution
Archer facilitates end-to-end lifecycle management of any gap or deficiency identified within your CMMC program. Since open POA&Ms will result in a failed CMMC assessment, Archer CMMC is designed to help you identify, manage and track deficiencies through to their closure with thorough remediation plans, workflow, and task management support.
Archer CMMC facilitates the identification of deficiencies at every level of CMMC preparation, from defining system components, through allocated Practices and Processes, down to the individual Assessment Objective level, to give full visibility into any potential issues, large or small.
Archer CMMC saves time and reduces errors by allowing you to create a library of deficiencies, as well as a library of remediation action plans, that can be used repeatedly.
Using native reporting capabilities, Archer CMMC gives you real-time visibility into the status and prioritization of any deficiency and its remediation progress. Once resolved, this information natively integrates into your System Security Plan to be shared with your C3PAO.