We have been talking with CMMC maturity Level 1 and Level 3 seekers for months now, and one thing we keep hearing is, “I am looking for a C3PAO to do our CMMC audit.”
My immediate reaction is, “Oh, so you ready for the audit? You have all 110+ controls covered, with 300 or so artifacts, 6 months of logs and reports that show that you have been compliant?” To which the answer is almost always, “Well, no…”
Look folks, here is the deal. You don’t know what you don’t know and what you don’t know could fail you. Just like an athlete would not go onto the field without practice and coaching, why would you take “we’ll just wing it” strategy with your business? The CMMC audit is something that you must prepare for, you make changes to your infrastructure for, you get a POA&M and follow that to a T, you make the changes in advance, so when it comes time to face the certified auditors you can demonstrate that your business meets the requirements.
Here are three compelling reasons why having your CMMC audit done without having a NIST 800-171 assessment is a BAD IDEA:
· The clock is ticking. When the CMMC requirements open and changes are made, you may not be ready with a track record of compliance. This is very different from self-certification. You must be able to DEMONSTRATE that you are compliant. What happens if you are unable to meet a few controls? You will most likely fail your audit. This can have a financial impact on contracts, hindering your business.
· Money. Unless you have unlimited budgets, if you don’t pass a CMMC audit on the first try, you will have to pay to have another audit done. Assessments uncover a lot of things that you may not know are requirements but are things that need to be fixed. If you wait until those are uncovered during your audit, and then attempt to schedule a second audit, there will likely be stampede of other companies already lined up to get their business shored up. Want to jump the line? you might be able to, but you will probably be asked to pay more.
· An Impartial Assessment. If you have been DIY’ing the compliance thing in your business, that’s great, but like having someone double check the grammar on a mass e-mailing before you hit send. it is wise to have an independent assessment done, as there are always things that are uncovered that you weren’t aware of or just glanced over. We can work with your team so that they can do the remediation, which saves time and money. Bringing in a “coach” is the only way to prepare your team for the big game, which is the CMMC audit. Let the assessor give you a game plan, marching orders for things that need to be addressed or strengthened. AND if your internal team has done a perfect job preparing for the CMMC audit, that extra set of eyes can help you breathe easy.
How can we help?
At Summit, our Security Team has the playbook for CMMC audit readiness. If you would like to talk more about this or have other CMMC questions, click here. Someone from our Security Team will give you a call and help you with your unique situation.