CMMC Update by Glenda R. Snodgrass for The Net Effect

April 22, 2025

Preparing for your CMMC L2 assessment

I've seen a lot of misunderstandings and false information floating around the past few weeks, so I've decided to tackle a few questions posted on various online forums.

We'll get assessed, fail, fix things and do it again

At least twice in the past week, I've responded to queries online from folks who have this as their game plan. This is risky. The CMMC Assessment Process (CAP) tells us:

1.20 Upon completion of a satisfactory quality assurance review, a quality assurance individual shall upload the pre-assessment form into the CMMC instantiation of eMASS....

1.21. Phase 1 of the CMMC Level 2 certification assessment concludes upon the successful upload of the Pre-Assessment Form into CMMC eMASS.

The CMMC final rule (32 CFR 170) tells us:

The C3PAO must submit the Level 2 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS.

If an official assessment is begun and then abandoned because the OSC (Organization Seeking Assessment -- that's you) wasn't prepared, the failure is recorded in eMASS and automatically transmitted to SPRS. If you begin an official assessment and fail, it could jeopardize future contracts.

Better plan: get a mock assessment from a C3PAO or independent CCA

Generally speaking, a mock assessment will be less expensive than an official assessment, so you will save money and have your mistakes pointed out before they get reported to DoD. You can get a mock assessment from the same C3PAO who will do your official assessment, as long as they don't provide any consulting services (advice or recommendations) during the mock. Chances are, at the end of the mock the C3PAO will either recommend you get a CCA to help you prepare, or they will offer to help you prepare with the understanding that a different C3PAO will do your official assessment. The CMMC final rule strictly prohibits a C3PAO from both consulting with and officially assessing an OSC. (The CMMC Code of Professional Conduct (CoPC) provides additional discussion.)

How to choose your CCA and/or C3PAO

The Cooey Wiki has a great list of questions to ask potential C3PAOs. (FYI, I am one of the contributors to this list.) The National Defense Information Sharing and Analysis Center (ND-ISAC) also published a C3PAO shopping guide last year. Finally, the most valuable resource I can recommend is the Cooey Center of Excellence Discord server (CCOE), where many qualified CMMC professionals answer questions for free every day of the week (including myself).

What about RPOs, RPs and RPAs?

Ah, yes, another topic full of misunderstandings. The Cyber AB touts this class as your preferred consultants and implementers, but the truth is, the training required for RP/RPA is only a few hours of videos and open-book, online quizzes. There are no education, experience or prior certification requirements for RP/RPA. These designations are primarily a marketing tool to be listed in the Cyber AB Marketplace.

On the other hand, CMMC Certified Professionals (CCP) must undertake 40 hours of instructor-led training (curriculum approved by DoD) and pass a high-stakes exam. CMMC Certified Assessors (CCA) must first become CCP, then take another 40 hours of instructor-led training (curriculum approved by DoD) and pass yet another high-stakes exam. CCAs must also have at least three years of cybersecurity experience, one year of assessment or audit experience, and hold at least one baseline certification aligned to the Intermediate and/or Advanced Proficiency Level for the Career Pathway Certified Assessor 612 from the DoD Manual 8140.3 Cyberspace Workforce Qualification & Management Program. Further, Lead CCAs must have at least 5+ years of cybersecurity experience, 5+ years of managerial experience, 3+ years of assessment or audit experience, and hold one active Personnel Certification aligned to the Advanced Proficiency Level of the DoD Cyberspace Workforce Framework's Security Control Assessor (612) Work Role, from DoD Manual 8140.03.

Not to say that RPOs are worthless, nor that individuals registered as RP/RPA don't know what they are doing, but it definitely should not be your sole source of determining their competence. Many CCPs and CCAs also hold these registrations, and some RP/RPAs have vast experience in the field and simply don't bother with the certifications. (Note that we were among the first RPO and RP registered in 2020 but later dropped out of the RPO/RP program in favor of CCP/CCA.)

Bottom line: Do your homework. Ask questions. Read their blogs, their LinkedIn posts. Watch their videos. Don't fall for "get compliant quick" schemes. Make your own determinations about who's been around for years and really knows their stuff, preferably with prior experience with other compliance standards and frameworks, as opposed to those who jumped on the CMMC bandwagon hoping to make a quick buck.

Need help? You know where to find me!

PS -- Are you planning to attend the NCMS Annual Training Seminar June 9-12? I'll be doing three different talks on CMMC! Look me up when you get there.

Sincerely,

Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
Copyright 1996-2025 The Net Effect, L.L.C. All rights reserved.