Keiter Technologies: CMMC Voluntary Assessment Program Insights

What OSCs Can Learn from Completed CMMC Voluntary Assessments

Scott McAuliffe, Risk Advisory Services Partner, shares his insights on recently completed CMMC Voluntary Assessments and the importance of ensuring employees of DoD contractors understand CMMC policies and procedures.

Article Excerpt:

Some of the particulars that we have been hearing from the voluntary assessments are:

• • The C3PAO is performing the CMMC assessment following NIST SP 800-171, while the DIBCAC is performing its assessment following DFARS requirements. The C3PAO takes the lead in the assessment meetings (e.g., asking questions, requesting live demos, etc.). The DIBCAC attends the assessment meetings and will ask any necessary questions for their assessment. The DIBCAC conducts separate meetings with the OSC that the C3PAO does not attend that are focused on DFARs 252.204.7012 (e.g., security, incident reporting, media preservation, and flow downs to subcontracts).
  • While policy maturity is not required under CMMC 2.0, OSCs still need to have documented and implemented policies and procedures. With the maturity requirement gone, the C3PAO focuses on assessing whether an OSC is doing what it is saying now versus assessing controls over a long period of time. During an assessment, the C3PAO can allow the OSC to make/implement small corrections rather than having to go on a POA&M. This is made possible because maturity is no longer required.
  • To complete the assessment, the C3PAO first reviewed the policies and procedures and supporting artifacts that are requested as part of the planning process. During the assessment fieldwork, the C3PAO will ask the OSC to demonstrate the controls being performed.

Access the full article

Interested in learning more about CMMC services for your defense contracts? Contact us. We have the qualifications to partner with your company for sound guidance on the CMMC Voluntary Assessments.