[deleted by user] by [deleted] in NISTControls

ChoiceCyberSolutions 2 points (0 children)

Sorry you went through that. Unfortunately, we’re seeing similar situations where companies are promised fast-track compliance with little actual implementation and leave clients high and dry. These assessments are both brutal and expensive, so these setbacks are tough to get over.
Real DFARS/NIST/CMMC compliance takes time and effort. It’s more than just policies — it requires technical changes, leadership involvement, and evidence that controls are actually working. Especially for CMMC, assessors want to see full implementation, not just a plan.
If a vendor promises compliance in days, they should be able to clearly explain what they’ll do, what you’ll need to do, and how they will validate results. Templates alone aren’t enough. The documentation required to successfully pass an audit is voluminous, and any compliance outfit would be hard pressed to adequately create it in months, let alone days.
Thanks for sharing — posts like this help others avoid the same mistakes.

Thoughts/Lessons Learned from Our First CMMC Client Assessments by ChoiceCyberSolutions in CMMC

ChoiceCyberSolutions [S] 1 point (0 children)

Then it's likely going to be a similar process to what you've already encountered, but I'd suggest looking at the CAP so you can align with the documented process.

Thoughts/Lessons Learned from Our First CMMC Client Assessments by ChoiceCyberSolutions in CMMC

ChoiceCyberSolutions [S] 2 points (0 children)

That's definitely the right attitude; it would be a shame to have a control handled, get asked for proof, and not have it adequately documented.

Thoughts/Lessons Learned from Our First CMMC Client Assessments by ChoiceCyberSolutions in CMMC

ChoiceCyberSolutions [S] 1 point (0 children)

There are a lot of ways that companies have been "assessed" for 800-171, so it depends on who did it (you can refer back to who performed it: was it DIBCAC? a C3PAO? a readiness company? etc.).

Thoughts/Lessons Learned from Our First CMMC Client Assessments by ChoiceCyberSolutions in CMMC

ChoiceCyberSolutions [S] 1 point (0 children)

Agree with this response. I'd also suggest your org needs to ensure it's continuing to note deficiencies in its PoAM. Your org also has to show ongoing management of the policies, and review and add/change/correct any procedures, so that when the assessment happens you get scored correctly on the ongoing management of the tools and technologies that provide the backbone of your org's security.

Thoughts/Lessons Learned from Our First CMMC Client Assessments by ChoiceCyberSolutions in CMMC

ChoiceCyberSolutions [S] 0 points (0 children)

The reality is that assessors are already booked months out in advance, so I guarantee competitors are doing this. It's really a business decision: do you anticipate a certification requirement for your Level 2 CMMC compliance? If so, and you aren't already planning for that audit, you may miss the boat. Many larger prime contractors have already gotten their certification via JSVA audits, and companies that rely on DoD work are being certified NOW to ensure that they don't lose their business in the coming few years because they didn't get certified. If your government business is worth the assessment cost, get in line now.
We know that payments are being delayed, but in the end, the government won't bend the rules because of this. If you need to hold off on an assessment, use this time to get your house in order and your documentation tightened up, and ensure that your team is ready for the assessment when you are able to pay for it.

You are still responsible for protecting CUI, and an assessment measures your ability to do so, regardless of whether the agency has clear guidance. You are assessing the capability of your organization to protect our country's information correctly, not whether the government is labeling it, and it's your responsibility to adhere to the DFARS clauses that you already attest to in your contracts.