CMMC Level 2 Assessment: A Case Study with KLC Consulting

The KLC Advantage: W2 CCAs and Client-Focused Scheduling

Achieving CMMC Level 2 certification is a complex undertaking. Your organization deserves a C3PAO that can adapt to your schedule and is committed to your success. Unlike other C3PAOs that rely on independent contractors, KLC Consulting employs a dedicated team of W2 Certified CMMC Assessors (CCAs). This allows us to offer unmatched flexibility and responsiveness, ensuring your assessment proceeds on your timeline.

Scoping CUI: A Common Challenge in CMMC Level 2 Compliance

A key challenge for many organizations is scoping Controlled Unclassified Information (CUI), particularly in software development environments. In our experience, understanding CUI’s touchpoints within IT systems and personnel resources is crucial for achieving compliance. That’s where KLC’s expertise makes a significant difference.

KLC’s Collaborative Assessment Approach: Evidence-Based, Objective, and Supportive

We approach assessments with a collaborative mindset, seeking to understand your implemented security practices. Our goal is not to find deficiencies, but to objectively assess whether you can demonstrate and show evidence that you’ve implemented the security requirements of CMMC Level 2. We exercise professional discretion within the framework of the CMMC requirements, and if we find evidence of implementation, you pass.

Understanding CMMC Assessment Outcomes: Conditional Status, POA&Ms, and More

This case study explores KLC’s unique approach, highlighting how our team’s expertise, commitment to client-driven scheduling, and objective yet supportive assessment style help OSCs confidently achieve CMMC Level 2 compliance. We’ll also address critical questions that potential clients might overlook, such as the implications of different assessment outcomes, including Conditional Status and POA&M (Plan of Action & Milestones) closeout assessments.

Preparing for Your CMMC Journey: Pricing and Operational Considerations

Finally, we’ll clarify pricing and operational nuances to prepare clients for the certification journey and maximize their potential for a successful outcome.

CASE STUDY

What is your team’s CMMC/DIBCAC assessment experience?  Have you worked with SW development orgs with a mixed OS environment?

We’ve been in business since 2002.  We started DoD compliance consulting in 2010.  Since 2018, we’ve devoted ourselves 100% to CMMC compliance and became an authorized C3PAO in April 2023.  We’ve helped companies prepare for and pass JSVA and NIST 800-171 assessments and have led JSVAs with DIBCAC.  Glowing Google reviews are available here.  One is from a publicly traded software development / technology company – Xometry.  Tarit Mitra is Director of Cyber and Information Security.

How many lead CCAs, CCAs & QA CCAs do you have that meet the current requirements per 32 CFR? How do you ensure consistency in your assessment team’s interpretation of CMMC requirements?

Our Cyber AB Marketplace listing displays our associated CCAs.  The Cyber AB Marketplace authorized C3PAO listing only lists fully authorized C3PAOs.  And only CCAs who meet Cyber AB requirements are listed there.  All our CCAs have attained Lead CCA status.  We’re collaborative professionals, each with over 25 years of combined IT/Cyber experience serving diverse industries and company sizes, ranging from publicly traded companies with CAGE Code hierarchies to 15-person machine shop subcontractors.  KLC Consulting only utilizes W2 CCAs for L2 certification assessments, which allows us greater control over our business and assessment processes than C3PAOs that utilize 1099 resources.

How is the assessment team structured?

Assessment teams are structured as follows:  Lead CCA, 2nd chair CCA, Quality Assurance CCA.  The lead CCA serves as POC.  Communication channels and protocols are established at the outset of the engagement.  We’re seasoned, top-shelf assessors and consultants.  We distinguish ourselves through high personal integrity, collaborative-transparent communications, and a spirit of advocacy.

How do you handle schedule changes?

Although our good friends and colleagues Brian Hubbard and Michael Dempsey are associated with KLC, they serve as consulting resources and contingency reserves.  KLC Consulting only staffs W2 CCAs for L2 certification assessments.  This allows complete flexibility to reschedule should an OSC not be ready on the anticipated assessment start date.

What is your availability?

The reality is that our availability in 2025 diminishes with each passing week.  I signed an OSC in Alaska and another in New Hampshire this week already.  77,000 OSCs require Level 2 certification assessments; today, only 45 C3PAOs are authorized to serve.  Although that number is slowly increasing, there aren’t enough authorized C3PAOs to assess the DIB.  As careful planners, we know how many assessments we can complete this year.  What should be of critical importance to you as an OSC is to contract your L2 certification assessment when you comfortably anticipate being ready.  And to contract with a C3PAO that only staffs W2 assessors to provide for the aforementioned scheduling flexibility.  C3PAOs who must utilize 1099 resources can’t offer that flexibility because their 1099 staff are in demand with other C3PAOs.

How do you determine suitability for an assessment?  Do you have a checklist for customers to use before we start meeting or do you need to see our package first (Phase I of CAP)?

As you mentioned, assessments follow the CAP, and preparedness is determined during Phase 1.  If you aren’t ready, we’ll inform you of what’s missing and will reschedule based on your ETA of when you will be.

What is your process before, during, and after the assessment?

The process is CAP-driven and comprehensive.  We cover it during Phase 1.  Some deficiencies can be fixed during the assessment +10 days following, while others cannot.  We are a collaborative team of W2-only, top-shelf, Lead CCA caliber professionals.  We distinguish ourselves by approaching certification assessments with a spirit of advocacy on behalf of the OSC.  We want and hope you will pass and exercise professional discretion within the constraints of the security requirements, e.g., when we see sufficient evidence that you meet a requirement – you “Meet” it.  We’re not “gotcha” auditors who seek to find the exceptions to fail you.  However, CMMC does not allow a POA&M for 5-point and 3-point security practice deficiencies.  Your score would calculate to <88, and you wouldn’t attain even Conditional Status.  Generally speaking, it’s a good idea to undertake a CMMC Gap Analysis or Mock L2 Assessment with a C3PAO/CCA prior to undertaking your official L2 certification assessment.

What are the most difficult 800-171 requirements you’re running into with other clients?  What do teams misinterpret? What should we be worried about in an assessment? 

Scoping CUI remains the greatest challenge, owing to the nascent protection requirements. Companies have been required to reverse engineer IT and personnel resources to understand CUI, where it touches people, processes, technology, and facilities – and protect it. This is perhaps more so for companies that develop software.

Which of our sites do you feel you need to visit? 

The homogeneity of your access control systems and business operations determines the sites we will visit.  TBD.

Where do you store our assessment artifacts? (cloud, on-prem)

We prefer to access your secure environment to review your SSP and supporting artifacts.  However, it’s okay if we use our secure environment.  It was assessed with a perfect score of 110 by DIBCAC.

Are there parts of our technology stack that you are not comfortable with or familiar with?

We aren’t familiar with your CUI environment today. However, Kyle and John have DevSecOps backgrounds. CMMC compliance and assessment for software development companies is an emerging niche service for KLC Consulting.  We find that few C3PAOs / CCAs are knowledgeable.

During the assessment, will you share why a control is not met?  We don’t expect to learn how to fix it, just your perspective on what we missed. Also, we would like to know when we are just meeting the minimum for a control so we can improve for the future.

As your C3PAO, we will inform you which security practices you meet and, where applicable, which you don’t meet. And we’ll explain why. As you allude, a C3PAO is prohibited from explaining how to remediate deficiencies owing to the CoPC independence COI.  Suggesting improvements is beyond what a C3PAO is authorized to do.

What have we not asked you that we should have asked you or others typically ask you?

  • What are your possible assessment outcomes and the consequences of each?
  • What happens if you attain Conditional Status (Conditional Certification) and don’t get a perfect score of 110 on the first POA&M closeout assessment attempt? 
  • What is the pricing for a POA&M closeout assessment if you attain conditional status?
  • Implications of Operational Plan of Action and differences from a POA&M.

