Assessing the Assessor

Our DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) re-assessment, the certification we need to remain a C3PAO (CMMC Third-Party Assessment Organization), came at a busy time for Kieri. From November 2024 through February 2025 we nearly doubled in size, from 15 full-time employees to nearly 30, with less reliance on 1099 contractors. In the middle of this, the IT team was onboarding a new full-time IT person and bringing them up to speed on our compliance requirements, while also completing our annual Cybersecurity Checklist (aligned with NIST SP 800-171 and the CMMC Level 2 controls), the document we use to verify that we continuously monitor the security controls of our own environment, and which includes a full self-assessment. This re-assessment was a critical part of maintaining our readiness under the CMMC (Cybersecurity Maturity Model Certification) framework.

Preparing for a CMMC Level 2 Audit: Integrating and Tracking

We had been discussing the upcoming need since mid-January, but finally pulled the trigger in mid-February when we got the scheduling finalized with DIBCAC and the Cyber-AB (Cybersecurity Accreditation Body). We were on the books for an assessment the second week of April. This immediately triggered waves of leadership meetings, meetings amongst our small IT team to discuss expectations, and scheduling with our CISO (Chief Information Security Officer), who is a 1099 contractor. Between these, work needed to continue for our customers as well, since almost all of us wear two or three hats, as is common in small companies. Late February focused heavily on clearing ticket queues, getting our new IT person on their feet to free up my time for compliance paperwork, and then full reviews of every policy, every procedure, and their references in the SSP (System Security Plan).

Even this far out, the upcoming assessment loomed large.

We exchanged several rounds of correspondence with DIBCAC, and as they made clear what they wanted from us, we better integrated our inheritances from Microsoft for our GCC High SaaS infrastructure throughout the SSP to better serve our assessors. There was a delay in early March while most of the IT team served on an assessment for a customer, but by mid-March we were confident in our work. After our first virtual "face to face" meeting with our soon-to-be assessors, we confirmed the dates for the assessment and submitted our SSP and the supporting forms DIBCAC had us complete.

At this point we created a SharePoint site dedicated to this assessment and started putting every single piece of evidence we sent to DIBCAC into it, so that at the end everything could be hashed as required. Start this early in the process: reconstructing the evidence set after the fact, when artifacts are scattered across email, chat, and file shares, is far harder than collecting it as you go.

Finalizing Documentation and Cybersecurity Checklist Review

After this, we turned our focus to clearing as many Change tickets as we reasonably could, most notably a Windows 10 to Windows 11 migration that had been handled slowly to reduce impact to the company. Then we rotated to supporting documents, ensuring that the last two years of Cybersecurity Checklists (we perform at least some of its functions every week) were complete without a single field missed. These checklists serve as our internal validation mechanism supporting ongoing CMMC compliance.

During this time, we were still hiring and onboarding users, so each time we did so, multiple reviews were done to ensure that the heavy extra mental load didn't cause mistakes. This, as much as anything else, led to quite a few long nights and a few weekends of work for the IT team.

Quarterly Cybersecurity Checklist and Inventory Review

The beginning of April triggered our Quarterly Cybersecurity Checklist, which involves a considerable amount of work, and we focused on it heavily to ensure it was done before our assessment. Never let anyone tell you that compliance does not have manpower costs.

During this time, we also did a full review of all of our various inventories to ensure that no spot check would ever find an error. By April 4th we had declared a moratorium on changes to the information system (a change freeze) and notified all users. On April 7th our assessment began.

Assessment Week: April 7 to April 9

I would like to say that in all this review over three months we never found a single error. I can say that we found incredibly few. I believe that, had we done none of this work, we likely would have been fine in our assessment. But only by doing this extra legwork did I approach our April 7th start date with mild trepidation instead of outright terror. Our ability to function as a C3PAO was on the line.

The first day with DIBCAC started with a half-hour PowerPoint presentation and a few minutes available for questions and answers. This, along with all that was to come, was very familiar to me from my experience with JSVAs (Joint Surveillance Voluntary Assessments) before the 32 CFR rule took effect. It also wasn't far off from our own procedures, which are also based largely on our JSVA experience as a company. After the presentation, we started not with the Access Control family, as is common, but with Awareness and Training (the CMMC AT domain). We completed AT, CA (Assessment, Authorization, and Monitoring), PE (Physical Protection), PS (Personnel Security), and RA (Risk Assessment) in the morning, and IR (Incident Response), SC (System and Communications Protection), and SI (System and Information Integrity) in the afternoon of that first day.

Day Two and Three: AC, AU, IA, and Beyond

The assessors did not always interpret the controls exactly as I would, nor as I had seen DIBCAC consider them in the past. They sometimes accepted an answer where I, as an assessor, would have asked for more detail. They sometimes dug into details I considered extraneous. But in the end, they asked leading questions that drew out details I might not have realized I was providing in my answers, and they verified what needed verification in addition to the copious artifacts we provided beforehand.

On the second day, the assessor in charge of AC (Access Control), AU (Audit and Accountability), and IA (Identification and Authentication) was feeling better, and we spent the entire day on their controls. Again, I definitely disagreed with some of their takes on controls, but DIBCAC is not a good sounding board for arguments, so in each case I sought to answer their needs instead of what I believed was required, only twice gently seeing if I could push them back to my understanding of a control. There were a few artifacts they needed by the next day, and that made for a very late night for a few of us and a very early morning the next day.

The artifacts we were able to provide answered all lingering questions from Tuesday's controls, and the final day covered CM (Configuration Management), MA (Maintenance), and MP (Media Protection), most of which is either N/A or, in our case, satisfied by policy rather than practice, as we are a fully virtual company with no physical premises other than Alternate Worksites and no physical CUI (Controlled Unclassified Information).

By Wednesday afternoon, the 9th of April, we were completing our outbrief with a score of 110 and it was over. Of course, customers still needed assistance, and while they were very understanding, "I'm still trying to catch my breath" is rarely a good reason to push back paid and scheduled work. Successfully navigating this process not only reaffirmed our status as a C3PAO but also demonstrated our operational alignment with CMMC Level 2 expectations. That very afternoon, we ran the DoD Hashing Tool (a PowerShell-based tool for recording file hashes so that evidence integrity can be verified later) against the SharePoint contents, and then everything was moved to an archival folder that very few people have access to. We will hold that for a minimum of six years.
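The two hashing steps above (collecting every artifact in one place so it can be hashed at the end, then hashing the set the afternoon the assessment closes) are what a small IT team has to get right, so here is an added illustration of the mechanics. This is my own example, not the DoD Hashing Tool and not Kieri's script: it walks a local folder (assumed to be a sync of the evidence SharePoint library; the paths are hypothetical), writes one SHA-256 line per file to a manifest stored outside the evidence root, hashes the manifest itself so a single value can be recorded in the assessment package, and provides a verification function to re-run against the archive years later. Confirm the current DoD hashing guidance for the exact algorithm and manifest format it expects; this only shows the pattern.

```powershell
# Added example, not the DoD Hashing Tool. Paths below are assumptions; adjust to your environment.
param(
    [string]$EvidenceRoot = 'C:\Evidence\DIBCAC-2025',          # hypothetical local sync of the evidence SharePoint site
    [string]$ManifestPath = 'C:\Evidence\DIBCAC-2025-manifest.txt' # deliberately outside $EvidenceRoot so it never hashes itself
)

function New-EvidenceManifest {
    param([string]$Root, [string]$Manifest)
    $rootFull = (Resolve-Path -LiteralPath $Root).Path

    # One line per file: "<sha256 hex>  <path relative to the evidence root>".
    # Relative paths keep the manifest valid after the folder is moved to the restricted archive.
    # Sorting gives a deterministic manifest, so re-running on an unchanged set yields the same manifest hash.
    $lines = Get-ChildItem -LiteralPath $rootFull -Recurse -File |
        Sort-Object FullName |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            $rel = $_.FullName.Substring($rootFull.Length).TrimStart([System.IO.Path]::DirectorySeparatorChar)
            '{0}  {1}' -f $h.Hash.ToLower(), $rel
        }

    # ASCII without BOM and LF line endings, so the manifest hashes identically on any system that re-reads it.
    [System.IO.File]::WriteAllText($Manifest, (($lines -join "`n") + "`n"), [System.Text.Encoding]::ASCII)

    # The hash of the manifest is the single value to record with the assessment package.
    return (Get-FileHash -LiteralPath $Manifest -Algorithm SHA256).Hash.ToLower()
}

function Test-EvidenceManifest {
    param([string]$Root, [string]$Manifest)
    $rootFull = (Resolve-Path -LiteralPath $Root).Path
    $failures = @()
    foreach ($line in Get-Content -LiteralPath $Manifest) {
        if (-not $line.Trim()) { continue }
        $expected, $rel = $line -split '  ', 2      # split on the two-space separator, at most once
        $full = Join-Path $rootFull $rel
        if (-not (Test-Path -LiteralPath $full)) { $failures += "MISSING  $rel"; continue }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash.ToLower()
        if ($actual -ne $expected) { $failures += "MODIFIED $rel" }
    }
    # Files added to the archive after hashing are also a finding: they are not part of the attested set.
    $listed = (Get-Content -LiteralPath $Manifest | Where-Object { $_.Trim() } | ForEach-Object { ($_ -split '  ', 2)[1] })
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length).TrimStart([System.IO.Path]::DirectorySeparatorChar)
        if ($listed -notcontains $rel) { $failures += "UNLISTED $rel" }
    }
    return $failures
}

# Day-of run: build the manifest and print the value to record.
$manifestHash = New-EvidenceManifest -Root $EvidenceRoot -Manifest $ManifestPath
"Manifest SHA-256: $manifestHash"

# Later (e.g. annually, or on request during the retention period): re-verify the archived set.
$problems = Test-EvidenceManifest -Root $EvidenceRoot -Manifest $ManifestPath
if ($problems) { $problems; exit 1 } else { 'Evidence set matches manifest.' }
```

Run the first half the afternoon the assessment closes, before the folder is moved into the restricted archive, and store the printed manifest hash somewhere separate from the archive (the outbrief notes, a ticket, or the SSP change log). The verification half is what makes the six-year retention meaningful: anyone who can read the manifest hash can later prove that not one artifact in the archive has been added, removed, or altered since the day it was hashed.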

Lessons Learned from Our CMMC Journey

Items of note and lessons learned:

  1. DIBCAC gives five document changes. Ask early whether they mean you can change five documents, or you can, five times, change whatever documents you have errors in for a control. Abide by that decision.
  2. DIBCAC tries hard to be very accommodating. They cannot always manage it, but they try. They were respectful of our calendar, and helpful in the execution. They showed a level of flexibility not always present in government entities.
  3. When using the KCD/KRA, the Cybersecurity Checklist answers SO MANY questions that by the end of the assessment the assessors would ask me a question, and as I opened my mouth to answer they would say, "That's in the Cybersecurity Checklist, you monitor that, right, got it."
  4. When an assessor says, “That appears to be trending MET,” STOP TALKING. So often I was very proud of all the steps we took to enforce a control, and an assessor would be halfway through knowing it all and consider it sufficient at that point, and I would want to say more. Fight this urge.
  5. When you are being assessed, have multiple monitors/screens. Keep a running conversation with your team on one screen so that others can chime in and help you if you pause or get hung up. On another screen keep your SSP open at all times, on the control being assessed. This is the document in which you said how you meet the control; keep an eye on it so you don't wander into the wrong control or the wrong methodology. Further, if possible, keep the current document or artifact being discussed visible somewhere.
  6. On the topic of evidence, especially with DIBCAC, but also with a C3PAO assessment, there will be a lot of screen sharing. I suggest picking one monitor that does not have your SSP or that chat on it and just sharing the whole screen. Never drag anything across that screen but try not to repeatedly close and open it. Don’t share a single “window” of a browser as you will very often go to gesture to something in another tab and the assessor will have to stop you.
  7. Check the schedule given to you by your assessor and strive to have the people involved in a control either already in the room, if you can afford to do so, or on "hot standby" if not. Keep in mind that certain assessment objectives take longer than others; note above how many assessment families were done on some days and how few on others. Tell everyone in the room whom you consider a SME (Subject Matter Expert) on an issue that they may chime in. Try not to have a single person answer absolutely every question, unless the IT department is a one- or two-person shop. I have seen several assessments where a five-person IT team is represented by only one person, who then struggles on the work items they do not do on a regular basis but still does not tag in the SME.
  8. When working with DIBCAC, they will likely send you two DoD SAFE links every time you need one. Save the spares, they can come in handy.
