
Walk a Mile in My Shoes: CMMC Level 2 Assessment Lessons Learned

We Walked a Mile in Your Shoes

McKonly & Asbury attained the distinction of being among the first thirty-four authorized Cybersecurity Maturity Model Certification (CMMC) Third-Party Assessment Organizations (C3PAOs) listed in the Cyber AB Marketplace on January 2, 2025. This was our reward for a long year of dedicated effort implementing the CMMC Level 2 security requirements. The highlight of our preparation was the CMMC Level 2 Assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in December of 2024. Throughout the assessment, Joe South's “Walk A Mile in My Shoes” kept playing in my head. It has been a long time since I was on the other side of the audit process, and I gained a renewed appreciation for the stress an auditee goes through. Our team walked away from the assessment with valuable lessons learned for those in the Defense Industrial Base (DIB) who are preparing for a CMMC Level 2 Certification Assessment.

Why Should I Start Now?

The Department of Defense (DoD) 48 CFR part 204 CMMC Acquisition Rule is awaiting finalization. The final rule will begin the roll out of CMMC requirements in DoD contracts, so it is not too soon to begin preparing for them. In addition, the Department of Justice (DoJ) continues to hold the DIB accountable for compliance with DoD cybersecurity requirements: a false attestation of compliance with cybersecurity requirements is subject to prosecution under the False Claims Act (FCA).

Lessons Learned

Early Preparation

One of the most frequently cited lessons learned from the CMMC DIBCAC assessments is the importance of early preparation. The certification process can be complex and time-consuming. Not only must an organization implement the security requirements, it must also demonstrate, with evidence, consistent practice across all fourteen domains. Contractors should start working on CMMC compliance well before their scheduled assessment. This includes conducting self-assessments, ensuring that policies and procedures are in place, and addressing any gaps in cybersecurity controls early in the process. McKonly & Asbury (M&A) used internal gap assessments and continuous internal audits throughout our CMMC certification journey. Not all organizations have internal assessment expertise; those that do not would benefit from mock assessments conducted by trained assessors.

Documentation and Evidence

During the DIBCAC assessments, one of the most crucial elements is the provision of appropriate documentation and evidence. CMMC assessors evaluate whether the organization seeking certification (OSC) can substantiate its cybersecurity practices through written policies, procedures, and records that demonstrate compliance with CMMC requirements. OSCs need to ensure that their cybersecurity documentation is robust, well-organized, and up to date. This documentation includes security policies, system configurations, incident response plans, and training records. This is not a “check the boxes” exercise.

Third-Party Support Can Accelerate the Process

A common challenge is that many contractors do not have the in-house expertise to navigate the complexities of CMMC and implement the security requirements. Third-party cybersecurity consultants, auditors, C3PAOs, and cloud service providers (CSPs) can provide valuable guidance and assistance throughout the CMMC journey. Engaging experienced third parties early in the process can reduce the time and cost of preparing for the CMMC assessment. C3PAOs can provide a valuable pre-assessment that identifies potential compliance gaps and improves the likelihood of a successful assessment.

McKonly & Asbury chose to partner with PreVeil and use their FedRAMP-equivalent platform as a key part of our CMMC enclave. We also benefited from a starting set of documented CMMC policies and procedures, which we tailored to reflect our own practices.

Cultural Shifts Toward Cybersecurity Are Essential

Creating a cybersecurity-conscious culture within the organization was an important lesson learned. All employees, not just IT personnel, need to understand the importance of the cybersecurity controls and the impact those controls have on the broader defense ecosystem. Companies should invest in employee education and awareness programs to create a security-first culture. This can significantly improve the organization’s ability to adhere to CMMC practices and protect sensitive data.

Conclusion

The CMMC Assessment process is a critical step in strengthening the cybersecurity posture of the DIB. Through careful preparation, robust documentation, the use of third-party support, and a commitment to continual improvement, companies can navigate the complexities of CMMC and successfully meet the required standards. By embracing these lessons and engaging with authoritative guidance, contractors will be better equipped to meet the stringent requirements of the CMMC and continue to protect sensitive information in the defense sector.

To learn more about CMMC, be sure to visit our CMMC page, and don’t hesitate to contact Elaine Nissley or Mike Murray regarding our services.

About the Author

Elaine Nissley

Elaine is a Director with McKonly & Asbury. Her primary responsibilities include management of the Internal Audit Services and Cybersecurity Maturity Model Certification (CMMC) Assessment groups. Elaine handles client relatio…
