KTL Blog

My KTL Solutions CMMC Level 2 Assessment Experience 

Paige Langmead

Completing a CMMC Level 2 assessment is a rigorous process that requires careful planning, documentation, and evidence collection. Our recent experience highlighted the importance of preparation and demonstrated how meticulous attention to detail can help organizations meet all 320 control objectives outlined in the framework.

This post shares our journey from pre-assessment preparation to achieving a perfect score, providing insights for organizations aiming for CMMC Level 2 certification.


Preparing Existing SSP, Policies, and Diagrams

Before the assessment began, we had a fully developed System Security Plan (SSP) that documented implementation across all 320 control objectives. This SSP was vital to meet the cybersecurity standards required by the CMMC framework.

We also prepared detailed network and data flow diagrams showing how Controlled Unclassified Information (CUI) moves through our environment. These diagrams demonstrated environment segmentation and security measures.

Additionally, we maintained comprehensive policies and procedures across all 14 CMMC domains, such as access control, incident response, and configuration management. These documents served as evidence that our operations complied with the framework.


Operating in a Secure Virtual Enclave

A major part of our compliance approach was operating in a virtual enclave within Azure Government. By using a fully cloud-based infrastructure, we logically separated and secured our environment, reducing reliance on physical security controls. Only authorized personnel could access the enclave, minimizing potential attack surfaces and ensuring secure handling of CUI.


Gathering Evidence for 320 Control Objectives

With documentation in place, the next step was compiling evidence to prove compliance with the 320 control objectives. This included:

  • Screenshots of configurations
  • System logs and access records
  • Live demonstrations of security measures

In many cases, we guided assessors through our systems via screen sharing to verify that controls were implemented and operational.


The Assessment Process

The CMMC Level 2 assessment spanned several days. Assessors reviewed documentation, conducted live demonstrations, and confirmed that security controls were functioning as required.

A unique feature of the assessment allowed for minor updates to documentation during the process. If changes were implemented and verified before the final briefing, the objective could still be marked as Met. This flexibility enabled us to refine our documentation without impacting our overall score.


Achieving a Perfect Score

We are proud to report that our assessment resulted in a perfect score with no Plan of Action and Milestones (POAM) items. This outcome reflects:

  • Strong pre-assessment preparation
  • Robust security infrastructure
  • Comprehensive evidence collection

All 320 control objectives were fully met and operational from the outset.


Lessons Learned and Recommendations

Our CMMC Level 2 assessment experience underscores the importance of:

  • Maintaining an updated SSP, policies, and network diagrams
  • Collecting evidence in advance for all control objectives
  • Leveraging secure infrastructure to streamline compliance
  • Preparing teams for live demonstrations during assessments

By achieving CMMC Level 2 certification, we have demonstrated our commitment to protecting sensitive data and maintaining the highest cybersecurity standards.


Learn More

Organizations seeking CMMC Level 2 certification can benefit from expert guidance. KTL Solutions helps businesses prepare for CMMC assessments, implement secure cloud environments, and maintain compliance. For additional resources, visit the CMMC Accreditation Body for official guidance on certification requirements.
