About This Episode
Podcast Episode 22
February 3, 2026 - 17 mins
In this Q&A-style episode, we revisit the CMMC landscape following the implementation of the rule and the finalization of the Title 48 procurement rule. We break down what’s changed, how CMMC requirements are phased into contracts and most importantly, the types of CMMC services available to help you take your next best step.
We dive into boundary identification and definition, gap analysis/assessment, documentation support, readiness assessments, and formal Level 2 C3PAO assessments, along with key questions you should ask service providers to avoid confusion and unnecessary costs.
Whether you’re just starting out or preparing for assessment, this episode is designed to help you better navigate CMMC confidently and with clarity.
References
- Episode 11 – CMMC Rollout Q&A
- Phased Implementation of CMMC (each phase one year in length)
  - Phase 1: Level 1 and Level 2 self-assessments; possibility of Level 2 C3PAO
  - Phase 2: Level 2 C3PAO for initial contract award; possibility of Level 3 and Level 2 C3PAO for option year awards
  - Phase 3: Level 2 C3PAO for option year awards; Level 3
  - Phase 4: Level 3 and full implementation across all contracts
- Key questions to ask CMMC service providers
  - Does the assessment allow me to still leverage you as a C3PAO?
  - Does the assessment mimic a full formal assessment, including all evidence collection? This is important, as some only include interviews and live demonstrations, but do not include formal evidence gathering.
  - Can I use evidence collected in one of these preparatory assessments during my formal assessment? Generally, the answer is yes, but a good rule of thumb is that the evidence shouldn’t be more than 90 days old during a formal assessment.
  - Do you offer a scoped preparatory assessment? Alternatively, you may want to only cover the controls for which a POA&M is not allowed. Ask if these are a possibility. They’ll save you money, time, and give you the peace of mind you’re looking for.
- Contact the Kratos CMMC team
- Cape Endeavors
Episode Transcript
Cole French:
CMMC assessments began on January 2nd, 2025. The phased implementation of CMMC language in contracts began on November 10th, 2025. So with the rollout a little over a year old, there’s no better time to cover some new questions and those that are still relevant.
Join us for the special Q&A style episode where we answer the questions we’re hearing, cover CMMC services, and provide some questions you should be asking to set yourself up for success.
Welcome to the Cyber Compliance and Beyond podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is the leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now let’s get to today’s episode and help you move cybersecurity forward.
Way back in February 2025 on episode 11, we did a Q&A episode that focused on the CMMC final rule, answering some questions and providing clarification. We’re a little over a year into the CMMC implementation, so we figured this is the perfect time for another Q&A style episode. On today’s episode, we’ll dig into what’s happened with the CMMC program since we last covered it, and what kind of questions you should be asking as you get ready.
Questions like, “What is the Title 48 rule and when should I expect to see CMMC requirements in contracts? What are gap analyses, gap assessments, readiness assessments, mock assessments? Are they the same thing? Are they kind of the same thing? How are they different? What are questions I should be asking CMMC providers? And if cost is a concern, where can I look to save and still get peace of mind?”
Just like our last Q&A style episode, I’ll be sitting in both seats for today’s episode. I’ll summarize the questions and provide the answers. We hope you enjoy this episode.
Welcome to Cyber Compliance and Beyond. We’re switching things up just a bit today, bringing you a Q&A style episode. You may recall we did one of these shortly after the CMMC rule went into effect back in February 2025. I’ll drop a link in the show notes as that episode is still helpful and relevant for those of you trying to navigate the CMMC landscape.
On today’s episode, we’ll cover what’s happened since then and perhaps more importantly, talk about CMMC services that are out there and hopefully help you figure out exactly what it is you need to take as your next best step trying to navigate CMMC. So first, what’s happened since the CMMC rule went into effect is that the other CMMC rule went into effect. And which rule is that you might ask?
That’s the Title 48 or what some refer to as the procurement rule. The finalization of this rule kicked off the phased implementation of CMMC requirements being written into contracts. So to break this down just a little bit, it’s a four-phased implementation. So we’re in phase one right now as of November 2025 with a focus on self-assessments at level one and level two with the potential for DOD to write C3PAO level two assessment requirements in contracts.
So an important thing to note with this is contracting officers can write C3PAO level two assessment requirements in contracts today. This is an important thing to keep in mind as you’re navigating this, that even though what I’ll talk about in phases two through four feels like it’s more relevant, it could be relevant sooner than you realize.
So moving to phase two. Phase two of the Title 48 rollout is C3PAO level two assessments. So DOD is going to focus on making sure those are written into the majority of contracts in addition to continuing self-assessments at level one and level two. There also could be the potential for level three assessment requirements to appear in contracts as part of the phase two implementation.
And now if you don’t know, aren’t aware, level three assessments are a government-only delta assessment. So they require you to have a level two assessment first, and then the DIBCAC team at DOD will come in and conduct a level three assessment against those delta controls between level two and level three. I’ll drop more information in the show notes with specifics around what those controls are and where to look for those controls.
Moving to phase three, we’ll see C3PAO level two assessment requirements across the board, and they’re really going to focus on level three assessment requirements in phase three. And then obviously in phase four, that’s full implementation. So we’re looking at a 2028 timeframe for full implementation of the Title 48 rule. So that’s the original CMMC rule, which we did the episode on back in 2025, February of 2025.
And now we have the Title 48 rule in place. So the full CMMC program is in effect and operating today as we speak and is in the midst of that phased implementation. By 2028, we’ll be at a full implementation state with CMMC requirements, whatever they may be, level one self assessment, level two self-assessment, level two C3PAO assessment, and level three DIBCAC assessment, across the board in all DOD contracts. At least that’s the goal.
As we’ve started conducting more assessments and working with our advisory customers... And for those of you who don’t know, advisory customers, that’s a term we use for the customers that we help get ready for CMMC... We’ve noted a few trends that got me thinking an overview of what kind of CMMC services are out there would be helpful for you folks. And this is really because we’re still seeing a lot of folks struggling with CMMC. What are their requirements? What do I need to do? How do I approach it? On and on, it goes.
Now, I think this is largely the result of not knowing where to look for the right information. And some of you may hear that and think that’s crazy. There’s CMMC information everywhere and I think that’s exactly the problem. There is so much information from so many places. It’s hard to navigate and figure out what’s the right information and what should I pay attention to and really most importantly in any sort of implementation, what do I do next?
It’s one thing to see all of this information, to read it all, to digest it, but that doesn’t necessarily tell me what I need to do next. So really my rundown here that I’m going to go through is really to help you all figure out what is the next thing I can do on my CMMC journey? Now, a quick caveat before I run through all of this. So these are services. What I’m about to talk about are services that we offer here at Kratos.
And I’ll also touch on some services provided by others, but that said, in general, other service providers out there should be providing similar services. What we’re providing really isn’t groundbreaking or any different than any other provider out there in the CMMC space should be offering. Obviously, you’ll get an idea of what Kratos delivers, but understand that you can use what we’re delivering in your evaluation of what other folks are delivering, right? They should be pretty similar.
And really my overall hope is that this will help you navigate working with those CMMC providers and asking the right questions so that you get the help that you need. So, without further ado, I’m going to walk through CMMC services and I’m going to start with advisory services. And like I mentioned a minute ago, our advisory services are consulting engagements. So these are engagements where we are coming alongside and we are helping organizations navigate CMMC requirements specific to their particular situation, implementation and contract requirements.
So the first and what I call, I think the most important engagement and really an engagement that I think would benefit a lot of you out there who are navigating this is what we call our boundary identification and definition support. And so this is an engagement focused on helping define the boundary for a CMMC assessment. Now, what is the boundary you ask? So the boundary is the assets and we call those people, processes and technologies, that make up your CMMC implementation.
And at a high level, this can either be an enclave within your environment or your entire enterprise. So an enclave, just a subset of your environment that can be hosted entirely in the cloud, that can be a mixture of what we call a hybrid implementation of some of what you have on site mixed with some of your cloud service provider implementations.
And this type of service is best for customers who know they need CMMC, generally understand the requirements, but are struggling with the right path forward in terms of what their scope of assessment should be. And depending on the outcome of this engagement, an organization could seek what I’ll generally call “technical implementation services.”
And technical implementation services would be used to build an enclave or otherwise implement technical solutions that constitutes some or part of an organization’s CMMC boundary. Now we don’t provide those type of services here at Kratos, but there are plenty of organizations out there who do offer technical implementations.
And we do partner with a team at Cape Endeavors who does provide out of the box custom-built enclaves that can secure the processing, storing, handling, and securing of CUI. Now moving on to our next engagement, a gap analysis or a gap assessment. So, this is the same service.
These are two different names, and this will come up. I’ll talk about this a little bit more, but this is another problem I think is very pervasive out there in the CMMC space is differing terminology to describe the same or different things, which I think causes confusion.
So a gap analysis or a gap assessment, think of those two things interchangeably or as the same thing, at least at the beginning. You can ask questions. Some people do have a different definition for these, but in general, we equate them to be the same thing. And what is that you’re asking?
It’s a CMMC assessment that includes advisory support and recommendations at the end. So it’ll be conducted just like a CMMC assessment, with the difference being that we’ll provide recommendations and consulting both during and as part of the output of the analysis. So any findings that we identify throughout a gap analysis or gap assessment, we’ll also provide you with a recommendation on how we think you should address that particular finding.
And even further, we can perform or support implementation of that recommendation if a customer so desires. And one thing I want to point out that’s really important with a gap analysis or a gap assessment, you can scope these to cover only part of your environment. And this can be especially helpful if cost is a major concern. And I think that’s another thing out there that’s making things difficult in the CMMC space is a lot of organizations, mostly smaller organizations with small CUI footprints, maybe one or two contracts and a very, very small CUI footprint.
Really, the cost of this is a lot. So think about maybe pursuing a gap analysis or gap assessment that only covers part of your environment or potentially even part of the control set. There is no requirement that a gap analysis or gap assessment cover all 110 controls. It could cover only the controls that are not allowed to be put on a POA&M.
Maybe you want to focus on those because that’s what’s going to put your assessment at most risk when the time comes. So moving from there, we have what we call documentation support services. And this is a full-scale evaluation of your organization’s documentation to ensure that it meets CMMC requirements. We can also extend this to do a full scale authoring of your documentation needed to meet CMMC requirements, and we can do everything in-between. This is kind of our most open-ended advisory engagement.
And really, if you’re out there talking to other CMMC service providers and you need help with documentation, make sure that they’re willing to meet you where you are with your documentation and work with you. The alternative to that is organizations that want to come in and say, “Hey, this is how your documentation should be.” That is not a CMMC requirement.
There are no prescriptive requirements from a documentation standpoint with CMMC. There’s a million-and-a-half ways to address the documentation requirements. And generally speaking, most organizations have some or part of what’s required, and there’s no need to reinvent the wheel. You want to work with a provider who will come in and work with what you have and help you get where you need to be.
Now, of course, if you don’t have anything, we certainly can come in and help you from top to bottom write all of that documentation that you need. So now, moving on to perhaps where it gets most complicated, is our readiness assessment and mock assessment. Now these are terms you’re going to hear thrown out quite a bit and these are important to hone in on because oftentimes people mean different things by these, but for us, we treat them as the same thing.
So what is a readiness assessment or mock assessment? It’s an assessment that exactly mirrors a CMMC assessment, but at the end, it’s only findings and context, right? So I’m only going to provide what the finding is and why it’s a finding. I’m not going to provide any recommendations. I’m not going to provide any consulting either during the assessment or as any output from the assessment.
So the most important aspect of this is that we as a C3PAO in such an engagement retain our impartiality and can still come back and conduct a level two assessment. And the readiness assessment has tremendous value because it provides a dry run on how an assessment will look, feel, and sound, and those findings with the context that I mentioned can be used to address findings ahead of an assessment, and that really gives you a strong assurance that the assessment will go smoothly.
And also, similar to a gap analysis or gap assessment, you can scope a readiness assessment to cover only certain controls or only a certain part of the scope or mix the two. Really, however you want to do it, make sure that your C3PAO, or if you’re doing this in a consulting light, because you can also do a readiness or mock assessment as a consulting engagement.
You can do it and keep the option to provide consulting if you feel like that’s necessary as you go through it. But either way, make sure that your service provider is willing to provide this as a scoped engagement. Again, that drives value, right? I don’t feel like I need to cover all 110 controls. I really just want to hit those controls that I cannot put on a POA&M.
I want to make for sure that those are in place. Make sure that your service provider is willing to do that. So, to close up the discussion on a readiness assessment, mock assessment, all that, I just want to highlight when you’re talking with CMMC service providers out there, the whole gap analysis, gap assessment, readiness assessment, mock assessment, remember to ask what includes what?
There’s a lot of confusion about these terms and what they mean. So ask questions. Use what I’ve just described as a guide. And specifically, you can also ask questions like these, and I’ll include these in the show notes so that you have them for reference. Does the assessment allow me to still leverage you as a C3PAO?
Does the assessment mimic a formal assessment entirely, including all evidence collection? And this is important as some folks’ definition only includes interviews and live demonstrations, but doesn’t include formal evidence gathering. Can I use evidence in one of these preparatory assessments during my formal assessment? Generally the answer is yes, but a good rule of thumb is that the evidence shouldn’t be more than 90 days old during the formal assessment.
As I just mentioned, do you offer a scoped preparatory assessment? Some organizations are comfortable with most of their implementation, but they have some questions about other areas. Alternatively, you may want to cover only the controls for which a POA&M is not allowed. Ask if these are a possibility. They’ll save you money, time, and give you the peace of mind you’re looking for.
So the bottom line, make sure you’re getting solid definitions of these preparatory assessments as the terms thrown out are often interchangeable, but the difference in definitions can make a huge difference in your actual preparation.
And of course, this all brings us to the biggest and most important engagement of them all, and that’s a level two assessment. That’s where we’re all trying to get to here, the level two assessment, the real thing. And I don’t think there’s too much to cover here, but this is the end of the road where you’ll either achieve certification or, well, I don’t think we all want to go there, but we do know that’s a possibility, which highlights the need to make sure you’re covering all of the items we discussed above and really hitting on those questions we talked about.
Ask your service provider questions. I hope these questions are helpful and I hope they’ll help you get the help that you need as you navigate CMMC. In closing, I just want to say I hope this rundown was helpful as you continue to navigate CMMC and prepare for your journey to certification.
Wherever you may be on that journey, we’re here to help. I’ll drop some reference material, including contact information and some of the other stuff I noted throughout this episode in the show notes. We hope you enjoyed this episode.
Thank you for joining us on the Cyber Compliance and Beyond Podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss, or you just have some feedback for us? Let us know on LinkedIn and Twitter at KratosDefense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode and until then keep building security into the fabric of what you do.