What OSCs Can Learn from Completed CMMC Voluntary Assessments
Scott McAuliffe, Risk Advisory Services Partner, shares his insights on recently completed CMMC Voluntary Assessments and the importance of ensuring employees of DoD contractors understand CMMC policies and procedures.
Some of the particulars that we have been hearing from the voluntary assessments are:
- The C3PAO performs the CMMC assessment against NIST SP 800-171, while the DIBCAC performs its assessment against the DFARS requirements. The C3PAO takes the lead in the assessment meetings (asking questions, requesting live demonstrations, and so on). The DIBCAC attends the assessment meetings and asks any questions it needs for its own assessment. The DIBCAC also holds separate meetings with the OSC, which the C3PAO does not attend, focused on DFARS 252.204-7012 (e.g., security, incident reporting, media preservation, and flow-downs to subcontracts).
- While policy maturity is not required under CMMC 2.0, OSCs still need to have documented and implemented policies and procedures. With the maturity requirement gone, the C3PAO focuses on assessing whether an OSC is currently doing what its policies say, rather than assessing controls over a long period of time. During an assessment, the C3PAO can allow the OSC to make and implement small corrections on the spot rather than placing them on a POA&M. This is possible only because maturity is no longer required.
- To complete the assessment, the C3PAO first reviews the policies, procedures, and supporting artifacts requested as part of the planning process. During the assessment fieldwork, the C3PAO asks the OSC to demonstrate the controls being performed.