
CMMC False Starts: What They Are and How to Avoid Them

Avoid delays and rework in your CMMC certification journey. Learn what false starts are in the Level 2 pre-assessment and how to ensure your organization is fully prepared from the start.

If you are a DIB contractor pursuing Level 2 CMMC certification, you must pass the Phase 1 pre-assessment before you can move on to the Phase 2 CMMC assessment. The goal of this mandatory readiness check is to confirm that your organization has all the necessary documentation for the formal Phase 2 CMMC assessment. Failing this step results in what's been called a "false start."

As more OSCs (Organizations Seeking Certification) begin the CMMC certification process, cases of false starts have increased. Failing the pre-assessment means the scope of the assessment could not be determined and your organization will likely need to re-do the pre-assessment, which can cause delays to your CMMC certification timeline. Once the 48 CFR rule is finalized, CMMC compliance will become a contract requirement through a phased-in approach. DIB contractors that have not completed the certification process by then may lose their eligibility to bid on DoD contracts until they have received a CMMC L2 certification.

Here's what you need to know about the pre-assessment process and how to do it right the first time.

Documents reviewed during the pre-assessment

As a CMMC Third-Party Assessment Organization (C3PAO), NSF will review the following documentation during the pre-assessment:

System Security Plan (SSP)

Outlines your organization's assessment controls, policies, and procedures. We will evaluate your SSP for completeness, accuracy, and consistency. The adequacy of your implementations will be part of the formal Phase 2 CMMC assessment.

CMMC Level 2 Assessment Scope

Defines all the assets that are in scope of the assessment and will be assessed against CMMC security requirements.

Customer Responsibility Matrix (CRM) availability

Required if your organization uses an External Service Provider (ESP) for cybersecurity services and a Cloud Service Provider (CSP). The CRM defines who is responsible for which security controls. We will also confirm that ESP personnel will participate in the assessment as applicable.

ESP compliance credentials

Required for ESPs that handle Controlled Unclassified Information (CUI). We will confirm you can provide the following credential from your ESP:

  • Level 2 CMMC Certificate.

CSP credentials

Required for CSPs that process, transmit or store Controlled Unclassified Information (CUI). We will confirm you can provide one of the following credentials from your CSP:

  • FedRAMP Moderate authorization, a federal certification program for cloud service providers.
  • FedRAMP Moderate equivalency Body of Evidence.

Availability of evidence

We will assess whether you can provide sufficient evidence during the formal assessment to evaluate the implementation of NIST 800-171 security requirements.

How to prevent false starts

Based on common failures NSF has observed in pre-assessments conducted so far, consider these recommendations to avoid false starts:

Do not underestimate the effort required

CMMC Level 2 includes 110 security requirements, each associated with one or more assessment objectives—320 in total. These 320 objectives define the criteria for compliance and form the basis of the audit. The pre-assessment serves as a checkpoint to ensure you're prepared for this comprehensive evaluation.

Get scoping right

Not all assets automatically fall within the CMMC scope. Organizations can choose between an "all-in" approach that includes all systems within the enterprise or an "enclave" approach that creates a segregated environment with only necessary assets. An enclave approach can effectively reduce complexity and cost.

Ensure your network diagram aligns with your asset inventory

This is one of the most common issues our assessors encounter. Your network diagram should accurately represent your complete system architecture and how it connects internally and externally. Every asset shown in the diagram must also correspond to entries in your asset inventory.

Conduct a mock assessment beforehand

A common factor among organizations that experience false starts is the lack of a preliminary mock assessment. While that adds an extra step, it will also help you:

  • Proactively find and resolve areas where you may be struggling with CMMC requirements.
  • Save time and money by avoiding a pre-assessment re-do.
  • Get a realistic assessment of where you stand and what work remains before the pre-assessment.
  • Gain a clearer understanding of specific types of evidence assessors expect for each assessment objective.

Don’t know where to start? Talk to NSF

False starts are preventable with proper preparation. If you're planning your CMMC Level 2 certification journey, NSF can provide expert guidance, as well as mock assessments to identify potential issues early and avoid costly delays.
