Login

u/ResilientTechAdvisor

▲ 7 r/CMMC

Why would any OSC say they need to reassess?

According to the new FAQs, "significant change" and the need for a reassessment are being left in the hands of the OSCs. Wondering what the thought process is here. If you're a student of game theory, you would probably conclude that the decision will more often than not be "I don't need a reassessment."

ETA: here's a link to the May 2026 FAQs https://dowcio.war.gov/Portals/0/Documents/CMMC/CMMC-FAQsv5.pdf

reddit.com
u/ResilientTechAdvisor — 5 days ago
▲ 7 r/CMMC

Mocking

For those of you who passed your CMMC level 2 and you did a mock assessment before your live assessment, did you find the mock assessment to be helpful?

reddit.com
u/ResilientTechAdvisor — 9 days ago
▲ 32 r/defensecontracting+1 crossposts

We attended the CyberAB Town Hall this week and they indicated that there is a lot of misunderstanding around the November 2026 deadline. Some people are under the impression that they have to have a C3PAO assessment done by November 2026.

The November "deadline" is not a hard deadline the way people are characterizing it. CMMC is a phased approach. The ecosystem is currently in phase 1 where self assessments are the focus. In November 2026, C3PAO assessment requirements will *begin* appearing in contracts as a rule rather than the exception.

Anyone who has a C3PAO assessment requirement in their contracts already knows. The primes already sent notices out. Some primes have even set their own deadlines in advance of November 2026 and others are using November 2026 as their deadline.

CMMC compliance can be expensive and it can be what many would call "painful." However, companies within the ecosystem have had more than a decade to prepare and some have been saying that they were compliant anyway as they were delivering on contracts. (insert wink here)

Sharing a few related thoughts...

Money-

For businesses in the defense industrial base, it's important to understand what work you want to pursue or continue delivering and what you're willing to invest to be able to do it. That's the very first part of the calculus: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2026/cmmc-as-a-business-design-decision-part-1-decide-what-work-you-want

Knowing what and when-

If you're a sub already delivering on DIB contracts and you're not sure if / when you need to be CMMC compliant and to what level (L1 or L2), reach out to your Prime and have a conversation.

Get help if you need it-

If you've decided that you're going to pursue DIB work, do not go it alone - *if you don't have a CCP or a CCA on staff*, hire an implementation consultant. The consultant should do a deep dive with you on your CUI business processes so that they can help you with scope.

Scope-

*Scope is where a lot of organizations fall down.*

Remember that scope is a noun and a verb in the CMMC world. And, it's a single most important word in your CMMC journey: You need to make sure that you've identified all of the people, processes, and technology that store, process, or transmit CUI - and you need to separate them from everyone and everything else.

Some organizations don't even make it out of the pre-assessment phase to be able to move forward with their assessment because of improper scoping.

Engineering-

Do not treat CMMC as an engineering project. CMMC is a compliance program. The technology is typically the least challenging part. If you let engineers lead your CMMC compliance journey, you probably will not be successful. Compliance and engineering need to work hand-in-hand.

Think "minimum necessary" when purchasing or designing your CUI environment - do not gold plate or allow tinkering with the environment after you've decided on the design. *Freeze* the enclave design as soon as you can. Enclave tinkering can destroy your scope.

What you write down needs to be real-

Documentation must absolutely match implementation and operations. Here's why:

CMMC level two has 110 security requirements and 320 assessment objectives. The assessor will evaluate each of those objectives and rate each one as "met" or "not met".

The assessor will review your documentation, which includes your policies and procedures. There are two other assessment methods… "interview" and "test". That is how the assessor will determine whether your documentation matches how things really work in your organization. *This is the other place where organizations tend to fall down.*

So...a C3PAO assessor may ask your team member(s) how a particular assessment objective within their scope of duties is achieved (interview). They may choose to ask your team member to *demonstrate* how a particular assessment objective is achieved within their scope of duties (test). Think screen sharing and walk-throughs.

One of the quickest paths to an assessment objective being rated as "not met" by an assessor is documentation that doesn't match implementation or operations.

u/ResilientTechAdvisor — 21 days ago