CMMC Assessment Postmortem with Chris Haigh of C3PAO Meerkat Cyber

Summary: CMMC Level 2 Assessment Experience (Meerkat Cyber / Chris Haye)

Overview

  • Discussion focused on the practical experience of undergoing a CMMC Level 2 assessment and becoming a C3PAO (Certified Third-Party Assessor Organization).

  • Chris Haye from Meerkat Cyber, a certified instructor and assessor, described Meerkat’s preparation and assessment process.

  • Meerkat has guided 13 organizations through CMMC assessments with perfect scores.

Preparation for a CMMC Level 2 Assessment

1. Building a compliant enclave

  • Most commercial environments are not CMMC-compliant, especially standard Microsoft commercial cloud.

  • Meerkat created a new enclave specifically for performing assessments, which is what the DoD evaluates.

  • The enclave included:

    • Microsoft GCC (Government Community Cloud)

    • Minimal software stack (Office + one additional security layer: XQ)

  • Best practice: minimize the technology stack and only deploy tools necessary to perform the mission.

Biggest Preparation Challenge

Documentation is the largest workload.

  • CMMC requires hundreds or thousands of pages of documentation, including:

    • System Security Plan (SSP)

    • Policies

    • Configuration documentation

    • Procedures

    • Control implementation evidence

Key issues:

  • Most organizations begin with little documentation.

  • Even experienced organizations require hundreds of hours to prepare a compliant policy set.

  • Documentation must exactly match the real environment.

Importance of Scoping the Environment

Reducing scope significantly simplifies compliance.

Example approach:

  • If a company has 100 employees but only 5 handle CUI, only those 5 should be in the CMMC enclave.

Benefits:

  • Fewer systems to secure

  • Fewer employees subject to restrictions

  • Lower cost and complexity

Meerkat’s enclave scope:

  • Only assessor laptops

  • Microsoft GCC environment

  • XQ for secure email/file sharing

Role of MSPs (Managed Service Providers)

Meerkat did not use an MSP due to internal expertise, but most organizations should.

MSP responsibilities often include:

  • Logging and monitoring

  • User provisioning

  • Endpoint configuration

  • System configuration management

  • Infrastructure maintenance

Important requirement:

  • MSP must understand CMMC controls and shared responsibility.

Organizations should maintain a Shared Responsibility Matrix defining which controls the MSP handles.

GCC vs GCC High Decision

Meerkat chose Microsoft GCC instead of GCC High.

Reasons:

  1. Cost structure

    • GCC High requires annual upfront payment.

    • Can be expensive for small companies.

  2. Use case requirements

    • GCC High is mainly needed when:

      • ITAR restrictions require U.S.-only personnel access.

      • Foreign support access must be prevented.

  3. Alternative controls

    • Additional security layers (such as XQ encryption and access controls) can restrict data access even within GCC.

Surprising Assessment Issue

A disagreement arose during the assessment regarding collaborative computing devices.

Control requirement:

  • Devices with cameras (e.g., conference room video systems) must have indicators when recording.

Meerkat policy:

  • No collaborative devices in the enclave.

Unexpected interpretation:

  • One DoD assessor argued Microsoft Teams qualifies as a collaborative computing device, even though the control appears to refer to physical hardware.

Outcome:

  • Meerkat updated documentation to reflect Teams usage.

  • Demonstrates that interpretation differences among assessors still exist.

Assessor Interaction Best Practices

Organizations should:

  • Be respectful and diplomatic.

  • Ask clarifying questions rather than confront assessors.

  • Remember the assessor determines pass/fail.

Recommendation:

  • Bring compliance advisors or assessors to the assessment.

Reason:

  • They can challenge interpretations if necessary without putting the client in conflict with assessors.

Cost Expectations

Typical costs for CMMC Level 2 preparation and certification:

Compliance preparation

  • Industry estimates: ~$150,000 average

  • Some organizations can achieve compliance for less depending on architecture and scope.

Assessment costs

  • Typical range: $45,000–$65,000

  • Rare cases below $40,000 for very small cloud-only environments.

Cost drivers:

  • Number of users

  • Number of physical locations

  • Endpoint assessments

  • Travel for assessors

  • Complexity of architecture

Scheduling Challenges

  • Most C3PAOs are booked 6–9 months out.

  • Only ~1% of the Defense Industrial Base has been assessed, meaning demand will increase significantly.

Most Common Reasons Organizations Fail

1. Poor documentation

Common issues:

  • Missing System Security Plan (SSP)

  • Incomplete policy documentation

2. Documentation not matching reality

Assessors verify implementation against written policies.

Example:

  • Policy states that five failed login attempts trigger a lockout.

  • If the system allows six attempts, the control can fail.

Key takeaway:

  • Configuration must exactly match documented policy.
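As an added illustration of the lockout mismatch above (not part of the original discussion), a small Python check that compares SSP-declared parameters with a parsed configuration export; the SSP values and the `net accounts`-style output below are constructed for the example.

```python
import re

# Constructed example: the SSP says the enclave locks an account after five
# failed logon attempts for 30 minutes. These values are assumptions for
# illustration, not any real organization's SSP.
SSP_DECLARED = {
    "Lockout threshold": 5,
    "Lockout duration (minutes)": 30,
    "Minimum password length": 14,
}

# Constructed sample in the layout of Windows `net accounts` output; the
# numbers are made up so that one setting drifts from the SSP.
NET_ACCOUNTS_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          60
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    6
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""

def parse_net_accounts(text):
    """Turn 'Setting:   value' lines into a dict. Numeric values become int;
    'Never'/'None' become 0, meaning the limit is not enforced at all."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s+(\S.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value in ("Never", "None"):
            settings[key] = 0
        elif value.isdigit():
            settings[key] = int(value)
        else:
            settings[key] = value
    return settings

def find_drift(declared, actual):
    """One finding per documented parameter the system does not implement
    exactly as written: missing, looser, or stricter all count as drift."""
    findings = []
    for key, documented in declared.items():
        observed = actual.get(key)
        if observed is None:
            findings.append(f"{key}: documented {documented}, not found in configuration")
        elif observed != documented:
            findings.append(f"{key}: documented {documented}, configured {observed}")
    return findings

if __name__ == "__main__":
    for finding in find_drift(SSP_DECLARED, parse_net_accounts(NET_ACCOUNTS_OUTPUT)):
        print("DRIFT -", finding)
```

Running the same comparison against a live export before the assessment surfaces exactly the kind of six-versus-five gap the assessor would otherwise find.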

Key Takeaways

  • Create a small, tightly scoped enclave for CUI.

  • Keep the technology stack minimal.

  • Invest heavily in documentation preparation.

  • Ensure documentation aligns precisely with system configuration.

  • Use experienced advisors or assessors during the assessment.

  • Expect $45K–$65K for the assessment and potentially six-figure preparation costs.

  • Be prepared for interpretation differences among assessors, especially as the ecosystem matures.
