Part of the process of achieving certification with CMMC is undergoing an audit to validate your security posture across all of the relevant security controls. This can’t be done internally; part of maintaining a valid security framework is using third-party assessors to do the validation, to ensure an unbiased and equitable evaluation, no matter who the client is.
If you’ve reached the point where you need to hire a CMMC assessor to start this process for you, it’s important to know what’s coming so you can prepare properly. If you feel unexpectedly blindsided by common requirements, it won’t speak well to the rest of your security.
So, let’s talk about CMMC assessors: who they are, what they do, the limits of their scope of work, and what you need to know.
BLUF - Bottom Line Up Front
CMMC certification requires an external audit by third-party assessors to confirm security controls. Assessors verify compliance through evidence review, policy evaluation, technical control checks, and personnel interviews. They do not provide implementation advice or fix issues. Costs vary, but assessments for smaller organizations average $76,000, plus reporting fees. Level 2 assessments typically take 3-4 months. Consulting services can assist with preparation, but assessors must remain impartial. Using automation and narrowing scope can reduce costs.
Is There a Difference Between a CMMC Auditor and Assessor?
First, we have to address one common question that comes up all the time when discussing CMMC audits. Or, rather, CMMC assessments.
People talk about CMMC audits and CMMC auditors and auditing organizations, but you won’t find these terms on the CMMC official website anywhere. Instead, you find discussion of CMMC assessments and CMMC assessors, working for Certified Third-Party Assessment Organizations.
CMMC maintains a variety of certifications for a variety of roles within the CMMC ecosystem. CMMC Professionals, for example, are the entry-level assessors for CMMC. CMMC Professionals are the first step on the path of learning and certification to become CMMC Assessors, the ones who actually conduct most assessments.
There can be a surprising amount of nuance to the array of roles and definitions, which is why we wrote a whole guide to the CMMC assessor role.
Just know that there’s no such thing as an official CMMC auditor; they’re all assessors. People use the word auditor simply because that’s, effectively, what they are and what they do. It’s just not the terminology the Cyber-AB uses.
Do You Need a CMMC Assessor?
Yes, if you want to finish the process and validate all of the work you've been doing to implement security along the guidelines of NIST SP 800-171 so you can work for the Department of Defense within the overall defense supply chain.
If you’re not aiming for CMMC, but rather a different framework like ISO 27001 or FedRAMP, then you don’t need a CMMC assessor. Some C3PAOs that provide CMMC assessments can also do those other framework audits as well, but you won’t be working with a CMMC assessor to do it; you’d be working with the relevant specialist.
If you aren't done implementing your security, or you haven't even started, you also don't need an assessor yet. Assessors are effectively the last step in the process before certification is either achieved or denied. If you aren't at that point yet, a CMMC assessor isn't going to be of help to you.
What Will Your CMMC Assessor Do?
According to the CMMC program documentation, an assessment is:
“The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.”
That’s fine for a general overview, but it’s worth thinking about what the specifics of that will be.
A CMMC assessor can conduct three different kinds of assessments.
The first is a gap assessment. Usually, these are handled by consultants and experts, rather than certified CMMC assessors, because assessors cost more. A gap assessment evaluates your current security posture and looks for deficiencies where you aren’t meeting the standards necessary to succeed. It will provide remediation advice and can be used by consultants to guide further implementation of more security controls.
The second is a mock assessment. Mock assessments are similar to real assessments. They identify deficiencies, but unlike gap assessments, a CMMC assessor is not going to provide you with tips on remediating those deficiencies. A mock assessment is effectively a trial run of the real assessment and allows the assessor to advise you on whether you’re likely to pass the real assessment or if you have more work to do.
The third is the conformity assessment. This is the "real" assessment; it does not give you advice or remediation, but it is used for final readiness analysis. It can be used in the JSVA, for the formal CMMC assessment, or both. The results are submitted to SPRS and to the CMMC systems, which then leads to the approval or denial of your certification.
During the mock or conformity assessments, what will your CMMC assessor be doing?
They'll analyze your evidence package. The evidence you provide involves a lot of paperwork, documentation, and artifacts proving that you're implementing security as outlined in the CMMC framework at the level you need to achieve. Some of this evidence will be access to live reports; the rest will be proof of implementation. We have a much more detailed rundown of your documentation for CMMC here.
They’ll evaluate your documented policies and procedures. A huge amount of modern information security is centered around employee training and company policies. You need to have those policies in place and documented. Your CMMC assessor will go through this documentation and use it when they evaluate whether or not those policies are being followed elsewhere in the assessment.
They’ll evaluate your implementation of technical controls. Many CMMC controls are technical in nature, from the use of encryption and multi-factor authentication to password complexity policy implementation to system segmentation and sandboxing. They probably won’t go through every security control and every instance of each throughout your business – they’d be there until next year – but they’ll spot-check a representative sample of your security to validate your implementation.
They will interview key personnel. Again, a lot of security is human behavior. Your assessor will likely want to interview a variety of employees, from high-level directors to everyday employees who have access to controlled systems. They will ask about policies: how well they've been explained, what training has been done, and whether employees are aware of what they should be. This is where many organizations fail, because employee training is hard.
There’s a lot that goes into a thorough CMMC assessment. We’re talking primarily about a level 2 assessment here, because that’s where the vast majority of organizations are going to aim. Level 3 assessments are even more stringent and cover even more ground.
Will There Be More Than One CMMC Assessor?
Most of the time, yes. For small businesses aiming for level 1 certification, a single individual assessor may be able to do the job. For most businesses, however, a C3PAO is going to come in with a team of assessors. Usually, at minimum, you will have a lead assessor and a secondary assessor. You may have different assessors looking at different aspects of CMMC; one might be more well-versed in the technical controls, while another is more skilled at performing personnel interviews.
Generally speaking, you’ll be hiring a C3PAO to conduct your assessment, and the number of assessors who come to conduct the assessment will depend on the scope and scale of your organization, as well as your intended level of certification.
What Do CMMC Assessors NOT Do?
While your CMMC assessor has a lot of specific duties to carry out in their analysis of your overall security and implementation of NIST SP 800-171, there are also limitations to what they do.
Your assessor will not conduct a gap analysis for you. CMMC assessors are capable of doing so, but if they do, they will generally be considered to have a stake in your organization and will not be eligible to be your conformity assessor later.
Your assessor will not provide implementation advice or guidance. For the same reason as the above, your assessor is only there to tell you if you got it right or not, and to report that to the CMMC records system. If they give you advice, they’re no longer impartial.
Your assessor will not help you fix the problems uncovered in the assessment. Their job is to tell you if there are problems; your job is to figure out what went wrong and fix the issues.
Your assessor will not comb through your federal contracts or other requirements, and will not analyze compliance with secondary clauses or other frameworks. If it’s not directly part of CMMC, it’s not under their purview.
As an organization seeking CMMC validation, you can go it alone and figure out what you need to do along the way, or you can hire a consultant to help you throughout the process. A C3PAO may be able to provide those consulting services, but they cannot also be your assessors when it’s time for final certification.
Though it may seem redundant to hire an expert for implementation and another for assessment, it’s much faster and more effective to do so than to try to muddle through it until your assessment fails.
How Much Will a CMMC Assessor Cost to Hire?
The specific costs of undergoing an assessment depend on the size of your organization and the specific C3PAO you hire to conduct the assessment for you. The DoD estimates that the assessment itself can cost an average of $76,000 for businesses under 500 employees and under $7.5 million in annual revenue. Reporting the results of the assessment is an additional $3,000. Depending on whether or not you count it, preparation for the assessment is also an additional $20,000 on average.
Assessments for much smaller businesses will cost less. Organizations aiming for level 1 certification will pay less. Organizations with limited and well-defined systems may pay less. Hiring certain C3PAOs over others may cost less. However, larger organizations, more complex systems, or level 3 certification will all cost more.
Keeping your scope narrow, being proactive with effective documentation, and leveraging automation as much as possible can all speed up the assessment process and help reduce costs. Since many of the costs of the assessment are simply in the per-hour rate for the assessors, the more you can cut out the work they need to do, the cheaper the assessment will be.
How Long Does a CMMC Assessment Take?
This is another area where the numbers vary significantly and will depend on the scale and scope of your organization and your systems, the number of employees you have, the intended impact level you’re seeking, and other factors.
It’s usually estimated that a typical level 2 assessment can take up to 3-4 months. However, not all of that is active time. Usually, because of the lead time and scarcity of assessors, you will need to schedule your assessment 2-3 months in advance. Some consider this part of the timeframe; others are more proactive with scheduling and work on their compliance in the meantime.
The actual assessment process, where assessors evaluate your technical controls, personnel training, policies and adherence, and documentation, will usually take around 1-3 weeks. As you might expect, the more complex your systems – or the more faults you have – the longer it will take.
Additional POA&M development and remediation can take 2-4 weeks afterward; POA&Ms have defined timelines and time limits as well.
Level 3 assessments are harder to pin down because they’re both much rarer and they vary so much based on the specific contractor involved. Often, though, the timelines are at least double those of level 2.
Can Ignyte Help?
Of course! We can help in four different ways.
Our blog and podcast are both excellent resources filled with answers to many of the questions you have.
The Ignyte Assurance Platform is a framework-agnostic, centralized documentation and collaboration tool that makes documenting, accumulating artifacts, and later presenting your documentation to your assessors easier.
As experts in CMMC and other federal frameworks like FedRAMP, we can help you as consultants to perform gap assessments and help with remediation as necessary.
As a C3PAO listed in the Cyber-AB marketplace, we’re capable of performing CMMC assessments for organizations.
So, whether you want to request a demo of our platform or reach out and contact us for our assessment or consulting services, we’re here to help.
Dan Page is a seasoned Cybersecurity and Risk Management Executive known for advancing security programs aligned with complex regulatory frameworks and critical business objectives. With over 12 years in information security, his expertise began in the U.S. Army Signal Corps, where he led global communications and secured classified networks supporting Special Operations missions. Post-military, he specializes in security architecture for CUI, ITAR data, and federal cloud workloads. Currently, as Senior Cybersecurity Manager at Ignyte Assurance Platform, Dan guides organizations through compliance with CMMC, FedRAMP, ISO 27001, PCI, and NIST standards. A CISSP, CRISC, CISM, PMP, and ITIL-certified professional, he is also a cybersecurity lecturer and community volunteer advocating workforce development.