By Amy Williams
With more than six months of CMMC Level 2 assessments now completed, one pattern is clear: confusion about “pre-assessments” vs. “mock assessments” can cost organizations time, money, and their shot at certification.
First, let’s take a look at the pre-assessment, what it is and what happens during this process. The pre-assessment is actually an early step in the formal CMMC certification assessment process. It involves the OSC sending their Systems Security Plan (SSP) and related artifacts along with some additional documentation such as an asset inventory, network diagram, and CUI dataflow diagram to the C3PAO for review.
These documents represent the baseline for review, but they’re not necessarily the full list. Some C3PAOs may request additional documentation as part of the pre-assessment. The timing also varies by provider, but the purpose remains the same: to confirm that all required documentation exists, appears complete, and is logically aligned.
Specifically, the pre-assessment checks that:
This process helps ensure the C3PAO can proceed with confidence and flags any critical gaps before the formal assessment begins.
Accordingly, the pre-assessment should be conducted at least a couple of weeks in advance and preferably a couple of months in advance of the assessment, in the event that anything is missing.
Having more time between the pre-assessment and formal certification will allow the OSC time to pivot to a new plan if the Lead Assessor from the C3PAO determines that there is insufficient evidence to proceed.
An important point regarding what the pre-assessment is NOT: It is not a full analysis of each control and control objective against the evidence presented to determine whether or not the OSC is going to pass their certification assessment. Rather, the pre-assessment is a confirmation check that the OSC has adequate and sufficient documentation sufficient to undergo an assessment. No controls are evaluated as MET or NOT MET during the pre-assessment.
OSCs can elect to undergo a full, independent assessment by a C3PAO for the sole purpose of knowing how a trained and authorized CMMC team will score them on each control prior to undergoing the formal certification assessment, where scores are uploaded to eMASS to be recorded in SPRS.
A full assessment, where scores are not recorded or reported, is what Coalfire Federal calls a mock assessment. Terminology across the CMMC ecosystem is inconsistent. Some providers call a mock assessment a “readiness assessment,” while others use that same term for pre-assessments. This overlap causes confusion, but the differences are critical.
The Coalfire Federal mock assessments follow the same processes and protocols as required by a formal CMMC certification assessment with the only difference being that the score at the end goes to the OSC and only the OSC rather than being uploaded to eMASS and reported to SPRS. Mock assessments have quickly become one of our most popular services because it lets the OSCs team practice talking to assessors and most importantly, helps them understand if any controls or control objectives are not yet met.
Because our mock assessments mirror the certification process, clients who complete a mock with us often require less time during the formal review — which qualifies them for a discounted certification engagement.It is important to understand that we cannot advise or coach an OSC in how to meet any controls that are identified as insufficient during a mock, but there is powerful information in simply knowing what is inadequate. In addition, the CMMC Assessment Process guide (CAP) is publicly available (CMMC Assessment Guide Level 2). Accordingly, with the assessment guide and an understanding of the NOT MET controls, the OSC has a full roadmap to conduct final preparations for the certification process with a lot more confidence than an OSC that has not performed a Mock.
A mock assessment provides critical insight into your readiness, but it’s a snapshot in time. It validates that your current implementation meets the standard — at that exact moment. Once your mock is complete, the real work begins: holding the line.
That includes:
It’s important to schedule your mock assessment after your environment is fully prepared. Otherwise, your mock score won’t reflect your actual certification outcome. Changes in infrastructure equals changes in how controls are met.
Unfortunately, we have witnessed clients investing in a mock and then making major changes to their environment. Controls that were met earlier were not longer met as a result of those changes.
To ensure your certification goes smoothly after a successful mock:
Get on the calendar now.
Whether you're ready for your mock or certification assessment, we can help you time it right and keep your environment assessment-ready. Talk to one of our CMMC experts today.
Amy Williams began her career in Accounting Information Systems, a precursor to cybersecurity that imbued her with the talents and knowledge that she uses today. A member of multiple fields of study, Dr. Williams has ample experience understanding fraud, system errors in internal systems, and internet security protection. She has been on the forefront of developing cyber strategies for supply chains since the world wide web made the internet popular for sharing data in business. With both a Master’s Degree and PhD from Virginia Tech, Amy Williams has held prestigious positions with the NY Citizens Crime Commission where she built an alliance with the FBI, and she led the development of BlueVoyant's CMMC and CIS Advisory Practices prior to joining Coalfire Federal.
