CMMC 2.0 Preparation: Top Four Strategic Actions to Take Now
Randy Griffith, Senior Security Consultant

Key Takeaways
- Get it right before assessment. You must have all critical controls in place before your CMMC 2.0 audit.
- Proof matters more than intent. Auditors expect complete, organized documentation and evidence across all 110 NIST 800-171 controls.
- Preparation reduces risk. Readiness work, mock audits, and gap assessments help avoid costly delays and failed assessments.
- Compliance is ongoing. Passing the audit is just the start. Continuous monitoring is required to maintain compliance over time.
There’s a famous saying: you only get one chance to make a good first impression.
Though not quite that stringent, Defense Industrial Base (DIB) organizations going through their CMMC 2.0 audit have to have everything they need already in place before they are assessed. Assessment results are scored as Met, Not Met, or Not Applicable, and assessors are not allowed to provide remediation guidance, risk scoring, or improvement recommendations.
This means that DIB organizations must be prepared to demonstrate full compliance with all 110 NIST 800-171 requirements, supported by current documentation including policies and procedures, the System Security Plan (SSP), and the Plan of Action and Milestones (POA&Ms). They also need to show that their boundary scoping is accurate and validated with diagrams, and provide evidence that they meet all applicable controls. Otherwise, they may fail.
As a certified third-party assessment organization (C3PAO), our wholly-owned subsidiary TalaTek sees first-hand the challenges DIB organizations face in presenting their package for assessment. We know the resources required to reach this stage and the financial costs organizations can incur if they don’t pass.
This leads to a second famous saying: by failing to prepare, you are preparing to fail.
We offer a range of services to help your DIB organization prepare for your assessment based on your specific maturity level, whether you are just getting started and want to see what you need or are almost ready to schedule your CMMC 2.0 assessment. Below are four strategic actions to take now to get you ready.
1. Compare Basic Readiness and Full Advisory Services
Both Readiness and Full Advisory Services are designed to help DIB organizations that are basically starting from scratch to develop their required documentation and identify and then organize their evidence. Compare the two and decide which option works best for your needs.
Basic Readiness Services Include:
- Documentation development and gap analysis to determine your baseline compliance readiness.
- Gap analysis: We will review your current security posture against CMMC Level 2 or NIST 800-171 requirements.
- Documentation development: We will help create or refine key documents, such as your SSP and POA&M.
- Policies and procedures: We will deliver baseline templates for these key documents that are tailored to your environment.
- Initial evidence collection guidance: We will help identify your existing evidence and organize objective evidence for future audits.
- Readiness briefing: We will create a summary of our findings and next steps to help you prepare for full advisory or audit phases.
Full Advisory Services Include:
- Everything included in Basic Readiness services, described above.
- 12 weeks of advisory support to guide remediation, implementation, and documentation alignment, based on the Readiness briefing we prepared in the Basic Readiness phase.
- Control implementation guidance tailored to your Azure and enclave environment.
- Evidence preparation support to help you collect, organize, and validate objective evidence for each control.
- Weekly or biweekly check-ins to track your progress, resolve blockers, and adjust your compliance roadmap.
2. Complete a Mock Audit and Consider Audit Support During a C3PAO Assessment
A Mock Audit is a dry run to help you test your documentation and evidence against SP 800-171 requirements, as well as your team’s knowledge and stamina during the auditor’s interview, test, and examine sessions.
Mock Audit Services Include the Following:
- Conducting a simulated C3PAO assessment as if it were an actual audit to identify final gaps and test your readiness under realistic conditions.
- Objective evidence review: We will evaluate your final documentation and artifacts to identify any gaps or weaknesses.
- Practice scoring and feedback: We will provide a preliminary score for your practices and highlight any deficiencies.
- Interview simulation: We will hold practice sessions with your key personnel to prepare them for actual auditor interviews.
- Gap report and recommendations: After we conduct the mock audit, we will create a detailed findings report and prioritize our remediation guidance.
In our Audit Support During a C3PAO assessment services, we help you prepare for your C3PAO audit and are then available with on-call assistance to clarify questions or auditor requests while you undergo the audit.
Audit Support During a C3PAO services include the following:
- Pre-audit readiness review: We will provide a final look at your documentation, do an objective evidence review, and check each control implementation to ensure they all meet SP 800-171 requirements.
- Evidence mapping assistance: We will help you align your collected evidence to CMMC Level 2/NIST SP 800-171 controls for the auditor’s review.
- Interview preparation: We will coach your key personnel on what they can expect when participating in the C3PAO audit.
- Real-time audit support: We will provide on-call availability during your audit to clarify documentation requests, provide additional evidence, or help you respond to your auditor’s questions.
- Post-audit debrief: We will review any preliminary findings and offer guidance on how you can address any residual gaps or conduct follow-up actions.
3. Schedule a Gap Assessment
Gap assessments are one-time assessments where we identify any compliance gaps. They are key if you are confident you are ready for the CMMC assessment but want to make sure.
Gap assessment services include the following:
- Initial discovery session: We will do this to understand your organization’s environment, scope, and compliance goals.
- Control-by-control review: We will conduct a close review of each applicable control to evaluate your current practices against CMMC Level 2 or NIST 800-171 requirements.
- Evidence check: We will identify any missing or insufficient documentation and technical controls.
- Findings report: We will deliver a detailed gap analysis that highlights any areas of non-compliance so you can address these before your assessment.
- Remediation roadmap (optional): We will provide high-level recommendations for how you can close identified gaps.
4. Don’t Forget About Continuous Monitoring with our FedRAMP-accredited GRC Tool
You passed your CMMC 2.0 audit! Congratulations! But CMMC 2.0 compliance is not a one-and-done thing. You are now required to continuously monitor your environment for three years to make sure you stay compliant and your environment remains secure according to the stringent CMMC 2.0 requirements. We will help you manage the continuous monitoring process by leveraging TiGRIS, our FedRAMP-authorized GRC tool. It automates the continuous monitoring process and helps ensure you are monitoring the controls included in each year of the three-year cycle.
TiGRIS Services Include the Following:
- Streamlines evidence collection, control tracking, and reporting
- Supports CMMC Level 2 compliance lifecycle with automated workflows
- Provides continuous monitoring and compliance health checks
- Maintains documentation and evidence for the three-year audit cycle
DIB organizations achieving CMMC 2.0 Level 2 compliance stand to gain significant DoD business opportunities. Contact us today to see which of our preparation services will best help you make a good first impression on your CMMC auditors.