Keiter Technologies: CMMC Voluntary Assessment Program Insights

By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Keiter Technologies: CMMC Voluntary Assessment Program Insights

What OSCs Can Learn from Completed CMMC Voluntary Assessments

Scott McAuliffe, Risk Advisory Services Partner, shares his insights on recently completed CMMC Voluntary Assessments and the importance of ensuring employees of DoD contractors understand CMMC policies and procedures.

Article Excerpt:

Some of the particulars that we have been hearing from the voluntary assessments are:

    • The C3PAO is performing the CMMC assessment following NIST SP 800-171, while the DIBCAC is performing its assessment following DFARS requirements. The C3PAO takes the lead in the assessment meetings (e.g., asking questions, requesting live demos, etc.). The DIBCAC attends the assessment meetings and will ask any necessary questions for their assessment. The DIBCAC conducts separate meetings with the OSC that the C3PAO does not attend that are focused on DFARs 252.204.7012 (e.g., security, incident reporting, media preservation, and flow downs to subcontracts).
    • While policy maturity is not required under CMMC 2.0, OSCs still need to have documented and implemented policies and procedures. With the maturity requirement gone, the C3PAO focuses on assessing whether an OSC is doing what it is saying now versus assessing controls over a long period of time. During an assessment, the C3PAO can allow the OSC to make/implement small corrections rather than having to go on a POA&M. This is made possible because maturity is no longer required.
    • To complete the assessment, the C3PAO first reviewed the policies and procedures and supporting artifacts that are requested as part of the planning process. During the assessment fieldwork, the C3PAO will ask the OSC to demonstrate the controls being performed.

Access the full article

Interested in learning more about CMMC services for your defense contracts? Contact us. We have the qualifications to partner with your company for sound guidance on the CMMC Voluntary Assessments.

Share this Insight:

About the Author

Scott M. McAuliffe

Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, cybersecurity and information technology consulting, Sarbanes-Oxley assistance and System and Organization Controls (SOC) Exams. Scott focuses on providing his clients with cost effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. In 2021, Scott achieved the Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) status in order to provide CMMC services to Department of Defense prime and subcontractors.

More Insights from Scott M. McAuliffe

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.


Contact Us