The Assistance Visit
The ‘Assistance Visit’ is an engagement long embraced by many organizations, primarily in government. The intent is to provide access to experts in appropriate areas of interest to assess, advise and instruct the organization to improve some business process. An end result may be preparation for an audit, assessment or certification, an increase in productivity, added efficiency, or any other business process improvement.
What’s in a Name?
Amongst many of us in the CMMC Ecosystem, especially Registered Provider Organizations (RPO) and Registered Practitioners (RP), we’ve been struggling with naming types of engagements with clients and Organizations Seeking Certification (OSC). The consulting and assistance side of things is fairly routine, very similar to our cybersecurity consulting efforts thus far. But there’s an engagement type that many have asked for, and we just haven’t quite figured out a name for it. That engagement is an effort to help ensure the organization is fully prepared for a formal assessment.
That Name is Taken
Many might call this type of event a Pre-Assessment. Unfortunately, that moniker is already taken. According to the CMMC Advisory Board, a pre-assessment event is conducted by a C3PAO’s Assessment Team to ensure the OSC has appropriately prepared and is ready for the formal inspection. It is not, however, meant to provide any material assistance. Rather, it is meant to make sure prerequisite information is available, points of contact are selected, and other administrative details are in order.
This One is Confusing
So, to avoid confusion and misrepresentation, we should probably avoid using that term. What’s left? Many have suggested using the term Gap Assessment. This is fairly well known in other compliance frameworks and is meant as a measure to identify the gaps between where an organization currently stands, and where they want or need to be. But, the term doesn’t seem to resonate well with those not already familiar with it.
The CMMC Compliance Assistance Visit
I propose the Assistance Visit, or more appropriately for us, the CMMC Compliance Assistance Visit (CAV). The wording itself seems self-descriptive and informative enough that even those not familiar with the term should be able to easily decode its intent. A CMMC CAV makes available expertise in CMMC requirements, goals, and objectives, as well as potentially other valuable skills – Cybersecurity Controls, Governance, Risk Management, Policy Development, etc. The goal of the CMMC CAV is to provide an OSC with insight as to whether they’re truly prepared for a formal CMMC Assessment, or if they have more work to do to prepare.
The CMMC CAV might be requested by an OSC as they’re planning, scheduling, and resourcing for a formal assessment. Or, it might be requested of an RPO by a C3PAO prior to formally engaging with a client as a risk mitigation task.
Help Us Make the CMMC CAV a Valuable Service Offering and Tool
We solicit feedback and recommendations from others in the community to help fill in the details on what should be included, and whether some standardization might be warranted.