Lessons Learned from C3PAOs CMMC ML3 Assessments

By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Lessons Learned from C3PAOs CMMC ML3 Assessments

Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.


Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

CMMC Certification Process Insights

For those that have missed the most recent Cybersecurity Maturity Model Certification (CMMC) Accreditation Board (AB) town hall meetings, there are now five organizations that have successfully completed a CMMC Maturity Level 3 (ML3) assessment that was conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These five organizations are now listed on the CMMC marketplace as approved C3PAOs. However, while the organizations have been approved, they cannot yet perform assessments of OSCs (Organizations Seeking Certification).

The CMMC AB is still in the process of getting through certain administrative requirements that are necessary before CMMC assessments can begin. Additionally, there are two important documents that still need to be completed/published to guide organizations through the CMMC Assessment process:

1) the Scoping Appendix to the CMMC Guide being developed by the DoD and

2) the CMMC Assessment Process (CAP) being developed by CMMC AB.

The CMMC AB did indicate that OSCs can begin discussions with the approved C3PAOs. The CMMC AB stated that there are over 300 OSCs that are actively engaged with one of the approved C3PAOs.

At the latest town hall meetings, the CMMC AB has had approved C3PAOs provide lessons learned from their ML3 assessments.

7 Key ML3 Assessment Lessons

  1. Performing a scoping exercise to identify where all the data (CUI and FCI) is maintained is paramount. This helps the organization ensure it knows where all the data resides and also provides it with the opportunity to look for ways to reduce the data footprint and thereby reduce the scope of the assessment.
  2. In one instance, the C3PAO organization setup a new enclave, which is an environment to encapsulate FCI/CUI, with a FedRamp certified cloud provider. This allowed them to exclude the rest of the organization’s technology environment from their CMMC scope.
  3. Consider going through the process of mapping every CMMC ML3 practice to a specific policy and procedure, which helps to identify gaps that needed to be corrected.
  4. Make sure documentation is rock solid. Ensure every policy and process has an owner, which could be someone outside the IT department. The assessment process goes far beyond IT. It can involve accounting/finance, human resources, marketing, and other departments.
  5. Even if you are conducting self-assessments, C3PAO’s recommended having someone independent look at your procedures to verify they reflect your actual procedures.
  6. Take the time to test employees to ensure they understand and are following the policies.
  7. Know your network inside and out. Make sure your monitor your security posture on a daily basis.

Takeaways for DoD Contractor’s Seeking CMMC

The above insights are very important because OSCs that are looking to go through the Certification process will likely face the same rigors that these C3PAOs faced. It was interesting to hear the struggles these organizations had – all of which have been performing cyber assessments and understand documentation requirements.

As an OSC can tell, it will be important for them to properly scope the assessment, identify who/what has access to FCI/CUI and where it resides within the environment, and ensure that documentation (e.g., policies and procedures) is comprehensive and reflective of actual processes.

To really drive down the costs of complying with CMMC Framework, OSCs will need to be strategic of where FCI/CUI is maintained and how and who can access it. Subcontractors should work with primes to determine if the prime can maintain all FCI/CUI and provide access to the subcontractor.

Many DoD contractors will not have the expertise or resources needed to perform a CMMC CMMC RPOreadiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.

Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

Share this Insight:

About the Author

Scott M. McAuliffe

Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, cybersecurity and information technology consulting, Sarbanes-Oxley assistance and System and Organization Controls (SOC) Exams. Scott focuses on providing his clients with cost effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. In 2021, Scott achieved the Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) status in order to provide CMMC services to Department of Defense prime and subcontractors.

More Insights from Scott M. McAuliffe

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.


Contact Us