C3PAO CMMC Assessment
Choose KLC Consulting for Your CMMC Level 2 Assessment
KLC Consulting is a DoD-authorized CMMC C3PAO with a team of Certified CMMC Assessors and over two decades of cybersecurity consulting experience. We’re your best choice for achieving CMMC Level 2 compliance because we’re 100% dedicated to solving the unique challenges faced by DIB companies. Our assessors advocate for you while maintaining impartiality, ensuring a thorough yet supportive assessment process. With KLC Consulting, you’re not just getting an assessment; you’re gaining a committed ally in your CMMC journey. Partner with us for a comprehensive, client-focused approach that prioritizes your compliance goals.
Secure Your CMMC C3PAO Assessment
Don’t Get Left on the Ground. With limited C3PAOs and a growing number of DIB companies requiring CMMC Level 2 certification, securing your assessment spot is crucial. Reserve your assessment with KLC Consulting today and avoid delays.
CMMC C3PAO Assessment and Certification Timing Options
Joint Surveillance Voluntary Assessment (JSVA)
Available NOW, this collaborative assessment, involving KLC Consulting as C3PAO, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and your organization, provides a streamlined path towards CMMC compliance. DIBCAC administers the JSVA program, including prioritizing and scheduling JSVAs.
CMMC Level 2 Certification Assessment
The window of opportunity for the JSVA program will close months before the CMMC phase-in to allow completion of all in-process assessments. So, you may be eligible for a direct CMMC Level 2 Certification Assessment before your JSVA is scheduled. KLC Consulting will conduct a JSVA or a CMMC Level 2 Certification Assessment for the same price, whichever is available first. This flexibility ensures you achieve compliance in the timeliest manner.
Remote and Onsite Assessment Activities
We can conduct assessments 100% remotely unless you handle physical CUI. In this case, our lead assessor will visit onsite to assess physical NIST 800-171 controls.
Our Assessment Process
Our DoD-cleared, CMMC-certified assessors follow the DoD’s CMMC Assessment Process (CAP) to verify compliance:
- Pre-Assessment: We collaborate to define the assessment scope and timeline, gather necessary documentation (system security plan, network diagram, asset inventory), and assess your readiness for an assessment.
- Assessment: Our assessors conduct in-depth evaluations of your CMMC/NIST 800-171 implementation through interviews, artifact examination, and testing. You’ll receive daily updates on our findings.
- Results and Reporting: We deliver a detailed report on your assessment status, which serves as the authoritative record of your assessment results. In a JSVA, DIBCAC records your DoD Assessment Methodology score in the Supplier Performance Risk System (SPRS).
- POA&M Close-Out Assessment (If needed): If any compliance gaps are identified, we document them in a POA&M (Plan of Action & Milestones). Contact us within 180 days to schedule a close-out assessment to confirm that the gaps have been resolved.
Assessment Timeline and Interview Schedule
- JSVA Timeline: A typical JSVA takes 8-10 weeks but varies based on DIBCAC scheduling considerations.
- Weekly Schedule: Our JSVA process follows a structured weekly schedule, encompassing coordination with DIBCAC and your organization, pre-assessment activities, the assessment itself, results analysis, and final reporting.
- Interview Schedule: We’ll coordinate a detailed interview schedule, typically spanning 3-5 days, covering various security domains to ensure a comprehensive assessment.
Assessment Weekly Schedule Table
Phase | Week | Activity |
Phase 1 | 4 – 8 weeks prior | C3PAO & DIBCAC coordinate with OSC and schedule the assessment dates |
Phase 1 | 4 – 8 weeks prior | Lead Assessor identification |
Phase 1 | 2 – 4 weeks prior | Formal Kickoff with KLC and the OSC |
Phase 1 | 1 | Pre-assessment Readiness Review and Evidence Collection |
Phase 1 | 1 | Pre-assessment Planning and Collaboration on Evidence Collection Methods |
Phase 2 | 4 – 6 | Conduct Assessment (may include 1 day of onsite review) |
Phase 2 | 4 – 6 | The Assessment Team Analyzes Results and Documents Test and Evidence Gaps |
Phase 3 | 6 – 8 | KLC Scores Practices and Validates Preliminary Results / Quality Assurance |
Phase 3 | 6 – 8 | KLC Creates and Presents Final Assessment Report |
Phase 3 | 6 – 8 | KLC submits assessment results to the DoD |
Assessment Interview Schedule Table
Session | Security Area | Time Estimate | Domains Covered |
1 | Network Diagram, CUI Assets Diagram, CUI Data Flow Diagram | 1.5 hours | Review of overall architecture and assets (led by the OSC) |
2 | Identification and Access Management | 5 hours | AC, AU, IA |
3 | Cybersecurity Oversight and Management | 3 hours | AT, PS, PE, RA, CA |
4 | Configuration Management | 3 hours | CM, MA, MP |
5 | Network Defense | 3 hours | IR, SC, SI |
6 | Overflow, Onsite Physical Walkthrough, TBD | 4 hours | Any domains not previously covered (time ran out, schedule conflicts, etc.) |
The schedule will be coordinated between KLC, DIBCAC, and the OSC.
Joint Surveillance Voluntary Assessment interviews are typically conducted on consecutive days over a 3–5-day period.
What is a C3PAO, and Why Choose KLC
A C3PAO (CMMC Third Party Assessment Organization) is authorized by the DoD to conduct CMMC assessments. KLC Consulting is a proud DoD-authorized Massachusetts C3PAO with extensive experience helping organizations achieve CMMC compliance.
Reserve Your CMMC Level 2 Assessment Now!
With only a few dozen authorized C3PAOs and approximately 77,000 DIB companies needing CMMC Level 2 certification, the demand for assessments is spiking. Don’t risk missing out on DoD contract opportunities – secure your spot in line by reserving your CMMC Level 2 assessment with KLC Consulting today. A nominal deposit will hold your place in our assessment queue. Don’t wait, contact us today!
Our CMMC Assessment and Certification Services
CMMC Readiness (Mock) Assessment
Simulate a real C3PAO assessment to gauge your readiness and identify areas for improvement.
Joint Surveillance Voluntary Assessments (JSVA)
Gain a competitive advantage by demonstrating your commitment to DoD cybersecurity requirements. DIBCAC enters your assessment results into the DoD’s Supplier Performance Risk System (SPRS), and KLC Consulting provides you with a letter of attestation to share with your prime customers.
CMMC Assessments
KLC Consulting is authorized to conduct CMMC assessments and certify organizations upon completion of DoD final rulemaking.
Ready to get CMMC certified? Contact KLC Consulting today to discuss your assessment needs and secure your future in the defense industrial base.
Video Index
- Introduction to KLC Consulting
- The CMMC 2.0 Final Rule Timeline
- DoD’s Four-Phase Rollout Plan for CMMC
- The Shortage of CMMC Assessors
- Why Start the CMMC Certification Process Now?
- KLC’s “Reserve Your Spot” Offer
- Understanding CMMC Level 2
- NIST SP 800-171 and CMMC Level 2
- Benefits of CMMC Level 2 Certification
- Common Misconceptions about CMMC
- Four Phases of a CMMC Level 2 Assessment
- Assessor’s Playbook
- How KLC Consulting Checks for NIST SP 800-171 Compliance
- What to Expect During a CMMC Assessment
- A CMMC Success Story
- Biggest Challenges and Recommendations
- Conclusion
CMMC Level 2 Certification Assessments – What You Should Know from a C3PAO
Introduction to KLC Consulting
Kelly McDermott: Hello! My name is Kelly McDermott, and I work with KLC Consulting. We were founded in 2002, and we bring over two decades of experience and the expertise of a C3PAO (CMMC Third-Party Assessment Organization) to help organizations navigate the CMMC (Cybersecurity Maturity Model Certification) landscape. Our mission is to demystify CMMC, assist you in understanding its requirements, and work collaboratively to achieve certification quickly and efficiently.
Today, I’m thrilled to introduce Kyle Lai, our president and chief security officer. With over 25 years in cybersecurity, Kyle is a leading expert in CMMC compliance. He’s a certified CMMC assessor and a key player in the C3PAO community. Kyle is uniquely qualified to guide you through the CMMC certification process.
The CMMC 2.0 Final Rule Timeline
Kelly: Hi, Kyle. Thanks for joining us today. When can we expect the final CMMC rule to drop, and what does that mean for DoD (Department of Defense) contractors?
Kyle: The DoD has submitted the CMMC 2.0 final rule to the Office of Information and Regulatory Affairs (OIRA) for review. We expect the CMMC rule to be finalized around Q4 2024 or Q1 2025.
Once the rule is finalized, DoD contractors should expect to see CMMC requirements in DoD contracts. Both prime and subcontractors are responsible for meeting the CMMC assessment and certification criteria by the contract award date.
DoD’s Four-Phase Rollout Plan for CMMC
Kyle: The DoD has a four-phase rollout plan:
- Phase 1 (Months 1-6): Level 1 and 2 self-assessment requirements in new contracts.
- Phase 2 (Months 7-18): Level 2 certification requirements for new contracts.
- Phase 3 (Months 19-30): Level 2 certification requirements for existing contracts and some Level 3 certifications.
- Phase 4 (After Month 30): No exceptions; all DoD contracts will have CMMC requirements.
The Shortage of CMMC Assessors
Kelly: Everyone knows CMMC compliance is coming, but is there a shortage of assessors? How will that impact the timeline for getting certified?
Kyle: There is currently a shortage of CMMC-certified assessors and C3PAOs. With only 54 authorized C3PAOs and approximately 77,000 DIB (Defense Industrial Base) companies requiring CMMC Level 2 certification, there will be a huge demand. It’s crucial to act now and get in line for a CMMC Level 2 certification assessment.
Why Start the CMMC Certification Process Now?
Kelly: Why should companies start the process now? What do they need to know?
Kyle: If you’re a prime contractor, you’ll want to look for subcontractors that are certified or are in line to be certified when the CMMC rule is finalized. It’s mandatory for subcontractors to have CMMC Level 2 certification by the contract award date. If you’re a subcontractor handling CUI (Controlled Unclassified Information), you need to find an authorized C3PAO and sign up for a CMMC Level 2 certification.
KLC’s “Reserve Your Spot” Offer
Kelly: KLC offers a “Reserve Your Spot” program. Can you explain what that entails?
Kyle: We guarantee two things:
- We’ll reserve a spot for your CMMC Level 2 certification assessment.
- We offer the “Best Price Guarantee,” provided we have the same terms and conditions.
You’ll need to make a $5,000 deposit to reserve your spot.
Understanding CMMC Level 2
Kelly: Can you break down what CMMC Level 2 means? What does it protect, and why is it so important?
Kyle: CMMC Level 2 is the minimum requirement for companies to handle CUI. CUI is sensitive information that is required to be protected by laws, regulations, and government-wide policies. DoD will not award contracts that handle CUI to companies without CMMC Level 2 certification.
NIST SP 800-171 and CMMC Level 2
Kelly: How does NIST SP 800-171 fit into the framework of CMMC Level 2?
Kyle: CMMC Level 2 certification is based on NIST SP 800-171 revision 2. It has 110 controls, which consist of 320 assessment objectives. The DoD NIST SP 800-171 assessment methodology, also called the SPRS (Supplier Performance Risk System) scoring methodology, is used to generate the summary level score. The perfect score is 110.
Benefits of CMMC Level 2 Certification
Kelly: What are the benefits of getting CMMC Level 2 certified? Is it worth the effort?
Kyle: The benefits include:
- Increased opportunities to work with DoD or prime contractors
- Demonstration of your company’s cybersecurity capabilities and compliance
- Ability to market yourself to handle contracts that involve CUI
- Boosted competitive edge
- Recognized commitment to protecting CUI
Common Misconceptions about CMMC
Kelly: What are the most common misconceptions about CMMC?
Kyle: One common myth is that if you have any gaps, you’ll fail the certification assessment. This is false. If you have a few POA&M (Plan of Action and Milestones) items or gaps that are allowed under CMMC, you can still get a conditional certification, provided you have a score of 88 points or 80% or above. You’ll have 180 days to remediate these gaps.
Four Phases of a CMMC Level 2 Assessment
Kelly: What is the typical journey like for a CMMC Level 2 assessment? How do you ensure it won’t be a painful process?
Kyle: There are typically four phases:
- Pre-assessment: We review your documentation, such as your CUI scope diagram, asset inventory, and System Security Plan (SSP), to ensure you’re ready for the assessment.
- Assessment: We conduct the actual assessment, typically over five days. We provide daily briefings to keep you informed of our progress.
- Results and Reporting: We document the results and any POA&M items. We submit the report to DIBCAC, which updates the SPRS system.
- POA&M Close-Out Assessment (Optional): If you have POA&M items, we can conduct a close-out assessment within 180 days to convert your conditional certification to a final certification.
Assessor’s Playbook
Kyle: Would you like to see the “Assessor’s Playbook” we follow during a CMMC Level 2 certification assessment? It’s #5 on this list of free tools we provide here.
How KLC Consulting Checks for NIST SP 800-171 Compliance
Kelly: How do you go about checking if someone is meeting all those NIST SP 800-171 requirements?
Kyle: Our CMMC-certified assessors conduct the assessment based on the CMMC Assessment Guide against 110 requirements and 320 assessment objectives. We’ll expect to see supporting documents, policies and procedures, screenshots, configuration settings, and more. We’ll interview the people responsible for the controls and requirements, review your processes and technologies, and assess your physical security.
What to Expect During a CMMC Assessment
Kelly: What happens if a company finds security gaps during the assessment? Can you help them fix those issues?
Kyle: As a C3PAO, we maintain independence and cannot provide consulting services. We’ll identify the issues but cannot tell you how to remediate them.
Kelly: I’ve heard horror stories about some audits that have gone wrong. How do you ensure the process is collaborative and not just about finding problems?
Kyle: Our assessors have many years of experience conducting various assessments. We focus on collaboration and understanding the intent of your controls. We provide a playbook for CMMC assessors to help you prepare and understand the expectations. Clear communication is key to a smooth and successful assessment.
A CMMC Success Story
Kelly: Can you share a success story where you helped a company get CMMC certified?
Kyle: We helped a small manufacturing company prepare for and pass their CMMC Level 2 assessment. We worked closely with them and their managed service provider to ensure they were ready. There were a few minor gaps, but they were able to remediate them and achieve a final certification.
Biggest Challenges and Recommendations
Kelly: What are the biggest challenges to overcome in the CMMC certification process? What would you suggest that a contractor look for when seeking help?
Kyle: The biggest challenge is often underestimating the level of effort required. It’s crucial to get senior management buy-in, secure the necessary funding and staffing, and choose a C3PAO with experienced assessors. A mock assessment is also highly recommended to ensure a smooth and successful final assessment.
Conclusion
Kelly: Thank you, Kyle, for sharing your expertise. CMMC Level 2 is coming soon, and securing your assessment spot is crucial. KLC is here to help you navigate the CMMC landscape and achieve certification. Please don’t hesitate to contact us for a free consultation or a quote.
Kyle: Thank you, Kelly.
Our Guarantee of the Best Price
C3PAO authorization distinguishes the expert from the wannabe. KLC Consulting will beat the fair market price offered by any other authorized C3PAO for the same consulting or assessment service. Let’s talk.
Conquer Your Assessment with Our Free Playbook
Demystify your CMMC Level 2 Assessment! Our free playbook simplifies the official “Objective Evidence List” from the DCMA DIBCAC. Get clear insights into C3PAO expectations for each security practice and what evidence they’ll require. Be fully prepared to ace your assessment.
CMMC Consulting
KLC Consulting’s DoD cybersecurity experts coordinate with your team to support and help remediate your POA&M items so that you become CMMC compliant. Let’s get started!
Learn More About KLC Consulting
Our cybersecurity team educates, protects and empowers clients.
Protect and Secure Your Assets with Vulnerability Assessments and Penetration Testing