
CMMC Certification Prep SOP

Sub-procedure of cmmc-sop.md

Overview

Detailed procedures for preparing organizations for CMMC certification assessment, including C3PAO selection guidance, evidence organization, personnel preparation, mock assessments, and final readiness validation. This sub-procedure covers the final preparation phase before C3PAO engagement.

Scope

Parent SOP: CMMC Assessment
Pillar: Protect (Security & Compliance)
Service Area: CMMC Certification Preparation

Prerequisites

  • Parent SOP requirements met
  • CMMC gap assessment completed
  • All critical and high gaps remediated
  • POA&M items within acceptable limits (assessment score of at least 80% of the 110 points, i.e. 88 or more, with every open item POA&M-eligible under the CMMC rule and closable within the 180-day window)
  • SSP finalized and accurate
  • SPRS score updated and submitted
  • Certification budget approved

Procedure

Step 1: C3PAO Selection

Objective: Select appropriate CMMC Third-Party Assessment Organization

C3PAO Selection Criteria:

| Factor | Weight | Evaluation Approach |
|---|---|---|
| CyberAB Authorization | Required | Verify on CyberAB Marketplace |
| CMMC Level Authorization | Required | Confirm Level 2 authorization |
| Industry Experience | High | Request DIB client references |
| Assessor Availability | High | Check lead times (typically 3-6 months) |
| Pricing | Medium | Compare quotes (assessment days x day rate) |
| Geographic Location | Low | Remote vs on-site considerations |
| Communication Style | Medium | Assess during proposal process |

C3PAO Marketplace Search:

  1. Navigate to CyberAB Marketplace
  2. Filter by authorized C3PAOs
  3. Review C3PAO profiles for relevant experience
  4. Request quotes from 3-5 qualified C3PAOs

C3PAO Evaluation Matrix:

| C3PAO | Authorization | Experience | Availability | Price | Score |
|---|---|---|---|---|---|
| [Name] | ☐ L2 | ☐ DIB | [Date] | $X,XXX | /5 |
| [Name] | ☐ L2 | ☐ DIB | [Date] | $X,XXX | /5 |
| [Name] | ☐ L2 | ☐ DIB | [Date] | $X,XXX | /5 |

C3PAO Selection Checklist:

  • Verified CyberAB authorization on Marketplace
  • Confirmed Level 2 assessment authorization
  • Obtained 3+ quotes for comparison
  • Checked references from similar DIB contractors
  • Confirmed availability for target assessment window
  • Reviewed proposed assessment approach
  • Negotiated pricing and payment terms
  • Executed engagement agreement

Step 2: Evidence Package Preparation

Objective: Organize complete evidence package for C3PAO assessment

Evidence Organization Structure:

/CMMC-Certification-Evidence/
├── 01-Scope-Boundary/
│   ├── CUI-Asset-Inventory.xlsx
│   ├── CUI-Flow-Diagram.pdf
│   ├── Network-Diagram.pdf
│   └── Enclave-Definition.docx
├── 02-SSP/
│   ├── SSP-Current.docx
│   └── SSP-Appendices/
├── 03-POAM/
│   ├── POAM-Current.xlsx
│   └── POAM-Evidence/
├── 04-Policies/
│   ├── Information-Security-Policy.pdf
│   ├── Access-Control-Policy.pdf
│   └── [All policies]/
├── 05-By-Control-Family/
│   ├── AC-Access-Control/
│   ├── AT-Awareness-Training/
│   ├── AU-Audit-Accountability/
│   ├── CA-Security-Assessment/
│   ├── CM-Configuration-Mgmt/
│   ├── IA-Identification-Auth/
│   ├── IR-Incident-Response/
│   ├── MA-Maintenance/
│   ├── MP-Media-Protection/
│   ├── PE-Physical-Protection/
│   ├── PS-Personnel-Security/
│   ├── RA-Risk-Assessment/
│   ├── SC-System-Comms-Protection/
│   └── SI-System-Info-Integrity/
└── 06-Supporting-Docs/
    ├── Org-Chart.pdf
    ├── Training-Records/
    └── Vendor-Assessments/
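The folder tree above is only useful to the assessor if it is complete and if nothing changes after the package is locked. The script below is an added example, not part of this SOP or any C3PAO tooling: it builds a SHA-256 manifest of the package (so a later edit to, say, the SSP is detectable), reports explicitly named files that are missing, and counts how many of the 14 control-family folders actually hold evidence. The folder and file names come from the tree above; the placeholder contents, the per-family index file names and the choice of SHA-256 are assumptions of this example. The same check covers the "Evidence package complete" and "Evidence organized per structure" items in the Step 6 pre-assessment checklist.

```python
"""Manifest and completeness check for the CMMC evidence package layout.

Added example (not the SOP's own tooling). Names mirror the SOP's tree;
sample files written by make_sample_package() are constructed placeholders.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# The 14 family folders under 05-By-Control-Family, as listed in the SOP.
FAMILY_DIRS = [
    "AC-Access-Control", "AT-Awareness-Training", "AU-Audit-Accountability",
    "CA-Security-Assessment", "CM-Configuration-Mgmt", "IA-Identification-Auth",
    "IR-Incident-Response", "MA-Maintenance", "MP-Media-Protection",
    "PE-Physical-Protection", "PS-Personnel-Security", "RA-Risk-Assessment",
    "SC-System-Comms-Protection", "SI-System-Info-Integrity",
]
FAMILY_ROOT = "05-By-Control-Family"
# Files the SOP's tree names explicitly; everything else is family evidence.
REQUIRED_FILES = [
    "01-Scope-Boundary/CUI-Asset-Inventory.xlsx",
    "01-Scope-Boundary/CUI-Flow-Diagram.pdf",
    "01-Scope-Boundary/Network-Diagram.pdf",
    "01-Scope-Boundary/Enclave-Definition.docx",
    "02-SSP/SSP-Current.docx",
    "03-POAM/POAM-Current.xlsx",
    "04-Policies/Information-Security-Policy.pdf",
    "04-Policies/Access-Control-Policy.pdf",
    "06-Supporting-Docs/Org-Chart.pdf",
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (assumed algorithm) and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> digest for every file under root, sorted for stable diffs."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_structure(root: Path) -> dict:
    """Report named files that are absent and family folders holding no files."""
    missing = [rel for rel in REQUIRED_FILES if not (root / rel).is_file()]
    empty = [
        fam for fam in FAMILY_DIRS
        if not any(p.is_file() for p in (root / FAMILY_ROOT / fam).rglob("*"))
    ]
    covered = len(FAMILY_DIRS) - len(empty)
    return {
        "missing_files": missing,
        "empty_families": empty,
        "family_coverage": round(covered / len(FAMILY_DIRS), 3),
    }


def verify_manifest(root: Path, manifest: dict[str, str]) -> list[str]:
    """Paths whose content changed, disappeared, or appeared since the manifest."""
    current = build_manifest(root)
    changed = [p for p, digest in manifest.items() if current.get(p) != digest]
    added = [p for p in current if p not in manifest]
    return sorted(set(changed + added))


def make_sample_package(root: Path) -> None:
    """Constructed skeleton: all named files present, MA and PE families left empty."""
    for rel in REQUIRED_FILES:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(f"placeholder for {rel}\n")
    for fam in FAMILY_DIRS:
        d = root / FAMILY_ROOT / fam
        d.mkdir(parents=True, exist_ok=True)
        if fam[:2] not in ("MA", "PE"):
            # Hypothetical per-family index file standing in for real evidence.
            (d / f"{fam[:2]}-evidence-index.md").write_text("# evidence index\n")


def demo() -> dict:
    """Build the sample package, lock it with a manifest, then detect a late edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "CMMC-Certification-Evidence"
        make_sample_package(root)
        structure = check_structure(root)
        manifest = build_manifest(root)
        # Simulate someone editing the SSP after the package was locked.
        (root / "02-SSP" / "SSP-Current.docx").write_text("edited after lock\n")
        return {
            "structure": structure,
            "manifest_entries": len(manifest),
            "changed": verify_manifest(root, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real package root instead of the temporary sample to get the missing-file list and family coverage for the readiness checklist; keep the manifest JSON outside the shared folder so the copy handed to the C3PAO can be checked against it at any point during the assessment.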

Evidence Per Control Family:

| Family | Evidence Types Required |
|---|---|
| AC | Access policies, user lists, access reviews, MFA config, termination evidence |
| AT | Training policy, training records, awareness materials |
| AU | Audit policy, log configuration, log samples, retention settings |
| CA | Assessment reports, POA&M, continuous monitoring evidence |
| CM | Baseline documentation, change records, configuration standards |
| IA | Authentication policy, MFA enrollment, password policy settings |
| IR | IR plan, incident log, tabletop records |
| MA | Maintenance policy, maintenance logs, remote maintenance controls |
| MP | Media policy, sanitization records, transport procedures |
| PE | Physical security policy, access logs, visitor logs |
| PS | Personnel security policy, screening records, termination procedures |
| RA | Risk assessments, vulnerability scans, remediation tracking |
| SC | Encryption configuration, boundary protection, network segmentation |
| SI | Malware protection, patch management, monitoring configuration |

Step 3: SSP Finalization

Objective: Ensure SSP is complete, accurate, and assessment-ready

SSP Sections Checklist:

| Section | Content | Status |
|---|---|---|
| System Identification | System name, owner, security officer | ☐ Complete |
| System Categorization | FIPS 199 categorization, CUI types | ☐ Complete |
| System Environment | Architecture, network, hardware, software | ☐ Complete |
| System Interconnections | External connections, ISAs | ☐ Complete |
| Control Implementation | All 110 controls documented | ☐ Complete |
| Responsible Parties | POCs for each control area | ☐ Complete |
| Approval | Executive signature, date | ☐ Complete |

Control Implementation Statement Quality:

| Quality Element | Requirement | Check |
|---|---|---|
| Completeness | Addresses all parts of requirement | ☐ |
| Specificity | References specific systems, processes, tools | ☐ |
| Accuracy | Reflects current implementation | ☐ |
| Evidence Reference | Links to supporting evidence | ☐ |
| Responsibility | Identifies responsible parties | ☐ |

SSP Review Process:

  1. Technical Review - IT/Security review of control statements
  2. SBK Review - Alignment with CMMC expectations
  3. Control Owner Review - Verification of accuracy
  4. Executive Review - Final approval and signature
  5. Version Control - Final version locked before assessment

Step 4: Personnel Preparation

Objective: Prepare team members for C3PAO assessment interactions

Assessment Team Roles:

| Role | Responsibilities | Required Availability |
|---|---|---|
| Executive Sponsor | Final authority, opening/closing meetings | Assessment start/end |
| Assessment Coordinator | C3PAO liaison, logistics, evidence | Full assessment |
| IT Security Lead | Technical control demonstrations | Full assessment |
| System Administrator | Technical evidence, system access | As needed |
| HR Representative | Personnel security evidence | 1-2 days |
| Facilities Manager | Physical security demonstration | 1 day |
| Control Owners | Domain-specific evidence and answers | As needed |

Interview Preparation Training:

| Topic | Content | Duration |
|---|---|---|
| CMMC Overview | Assessment process, what to expect | 30 min |
| Assessor Interactions | How to respond, what to avoid | 30 min |
| Evidence Presentation | How to demonstrate controls | 30 min |
| Practice Questions | Common assessor questions | 60 min |
| Escalation Procedures | When to defer, who to contact | 15 min |

Key Interview Guidelines:

  1. Answer truthfully - Dishonesty will be discovered and is worse than gaps
  2. Stay in scope - Only discuss CUI-related systems and controls
  3. Provide evidence - Offer to show documentation for claims
  4. Know your role - Don't speak to areas outside your responsibility
  5. Take notes - Document what was discussed
  6. Follow up quickly - Provide requested information promptly

Step 5: Mock Assessment

Objective: Validate readiness through a simulated assessment

Mock Assessment Scope:

| Component | Activities | Duration |
|---|---|---|
| Document Review | SSP, POA&M, policy review | 1 day |
| Evidence Sampling | Sample testing per control family | 1-2 days |
| Interviews | Key personnel interviews | 0.5-1 day |
| Technical Validation | Control demonstrations | 0.5-1 day |
| Findings Debrief | Results and recommendations | 0.5 day |

Mock Assessment Focus Areas:

| Focus Area | Assessment Activities |
|---|---|
| High-Risk Controls | Controls most likely to have issues |
| New Implementations | Recently remediated controls |
| Complex Controls | Multi-component or technical controls |
| POA&M Items | Items still on POA&M |
| Documentation | SSP accuracy, evidence completeness |

Mock Assessment Deliverables:

| Deliverable | Purpose |
|---|---|
| Findings Report | Identified gaps and risks |
| Interview Feedback | Personnel preparation needs |
| Evidence Gap Analysis | Missing or insufficient evidence |
| Remediation Recommendations | Actions before C3PAO assessment |
| Readiness Score | Overall readiness assessment |

Step 6: Final Readiness Validation

Objective: Confirm readiness immediately before C3PAO assessment

Pre-Assessment Checklist (T-14 days):

| Category | Validation Item | Status |
|---|---|---|
| Documentation | SSP final version approved | ☐ |
| Documentation | POA&M current and within limits | ☐ |
| Documentation | All policies current and approved | ☐ |
| Evidence | Evidence package complete | ☐ |
| Evidence | Evidence organized per structure | ☐ |
| Technical | All controls implemented and functioning | ☐ |
| Technical | Demo environments prepared | ☐ |
| Personnel | Assessment team briefed | ☐ |
| Personnel | Interview schedules confirmed | ☐ |
| Logistics | Assessment space reserved | ☐ |
| Logistics | Secure file sharing established | ☐ |
| Logistics | Network access for assessors (if needed) | ☐ |

Go/No-Go Decision Criteria:

| Criteria | Go | No-Go |
|---|---|---|
| SSP Complete | Yes | No |
| POA&M Compliant | Score ≥ 88/110 (80%), every open item POA&M-eligible and closable within 180 days | Score < 88, a non-eligible practice still open, or items overdue or outside the 180-day window |
| Critical Controls | All implemented | Any critical gaps |
| Evidence | >95% complete | Significant gaps |
| Personnel | Key personnel available | Critical absences |
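The POA&M row of the Go/No-Go table is the one that is easy to get wrong by eyeballing a spreadsheet, so here is an added example (not part of this SOP) that applies it mechanically: it computes the score as 110 minus the weight of every practice still open, checks the score against the 88-point (80%) floor, and checks each open item's planned closure date against the 180-day window counted from the assessment date. Practice weights of 1, 3 or 5 follow the DoD Assessment Methodology; the sample POA&M rows, their identifiers, titles, weights and dates are constructed, and POA&M eligibility is simplified to "weight of 1" (an assumption of this example that leaves the rule's narrow exceptions unmodelled).

```python
"""Go/No-Go evaluation of a POA&M against the SOP's score and window criteria.

Added example, not SOP tooling. Thresholds: 88/110 points and a 180-day
closure window. Sample rows below are constructed.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

MAX_SCORE = 110          # 110 Level 2 practices before any deductions
MIN_SCORE = 88           # 80% floor referenced by the SOP (0.8 * 110)
POAM_WINDOW_DAYS = 180   # closure window referenced by the SOP


@dataclass(frozen=True)
class PoamItem:
    item_id: str    # POA&M row identifier (constructed in the sample)
    title: str      # short description of the open practice
    points: int     # DoD Assessment Methodology weight: 1, 3 or 5
    due: date       # planned closure date
    status: str = "open"


def current_score(items: list[PoamItem]) -> int:
    """Score = 110 minus the weight of every practice still open on the POA&M."""
    return MAX_SCORE - sum(i.points for i in items if i.status == "open")


def go_no_go(items: list[PoamItem], assessment_date: date) -> dict:
    """Apply the POA&M criteria; any reason recorded means NO-GO."""
    open_items = [i for i in items if i.status == "open"]
    score = current_score(items)
    deadline = assessment_date + timedelta(days=POAM_WINDOW_DAYS)
    reasons = []
    if score < MIN_SCORE:
        reasons.append(f"score {score} is below the {MIN_SCORE}-point floor")
    for i in open_items:
        # Assumption: only 1-point practices are treated as POA&M-eligible here.
        if i.points > 1:
            reasons.append(f"{i.item_id} ({i.points} pts) is not POA&M-eligible")
        if i.due < assessment_date:
            reasons.append(f"{i.item_id} is already overdue ({i.due})")
        elif i.due > deadline:
            reasons.append(f"{i.item_id} closes {i.due}, after the {deadline} window")
    return {
        "score": score,
        "deadline": deadline,
        "decision": "GO" if not reasons else "NO-GO",
        "reasons": reasons,
    }


# Constructed sample: assessment starts 13 Apr 2026, so the window ends 10 Oct 2026.
ASSESSMENT_DATE = date(2026, 4, 13)
SAMPLE_POAM = [
    PoamItem("POAM-01", "annual awareness refresher", 1, date(2026, 7, 15)),
    PoamItem("POAM-02", "maintenance tool inspection log", 1, date(2026, 9, 30)),
    PoamItem("POAM-03", "visitor escort procedure", 1, date(2026, 11, 15)),
    PoamItem("POAM-04", "MFA for privileged access", 5, date(2026, 2, 1), "closed"),
]


def demo() -> tuple[dict, dict]:
    """Evaluate the sample, then pull the late item inside the window and re-run."""
    before = go_no_go(SAMPLE_POAM, ASSESSMENT_DATE)
    fixed = [
        replace(i, due=date(2026, 9, 1)) if i.item_id == "POAM-03" else i
        for i in SAMPLE_POAM
    ]
    after = go_no_go(fixed, ASSESSMENT_DATE)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("as submitted", "after re-planning"), demo()):
        print(f"{label}: {result['decision']} (score {result['score']})")
        for r in result["reasons"]:
            print("  -", r)
```

The first run is NO-GO on a single row even though the score is comfortably above 88, which is the point: the 180-day window is a per-item test, not an aggregate one, and a closed 5-point item no longer counts against the score only because it is closed before the assessment date.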

Deliverables

| Deliverable | Format | Owner |
|---|---|---|
| C3PAO Selection Summary | Document | SBK Lead |
| Evidence Package | Organized folder structure | Audit Coordinator |
| Final SSP | Word/PDF | SBK Consultant |
| Final POA&M | Excel | SBK Consultant |
| Interview Preparation Guide | Document | SBK Consultant |
| Mock Assessment Report | PDF | SBK Lead |
| Readiness Validation Report | Checklist | SBK Lead |
| Assessment Schedule | Calendar | Audit Coordinator |

Quality Gates

  • C3PAO selected and engaged
  • Evidence package complete and organized
  • SSP finalized, accurate, and approved
  • POA&M compliant (score ≥ 88/110, every open item POA&M-eligible and within the 180-day window)
  • All control implementations validated
  • Assessment team briefed and prepared
  • Mock assessment completed (if applicable)
  • Final readiness validation passed
  • Go decision confirmed

Last Updated: February 2026 Parent SOP: cmmc-sop.md