HomeCMMC UpdatesCMMC 2.0 Assessments: The Hidden Costs of Sequential Scoping

CMMC 2.0 Assessments: The Hidden Costs of Sequential Scoping

Sequential scoping is driving up CMMC 2.0 assessment costs and extending timelines for many contractors. With 72% of assessments following this approach, organizations are increasingly paying more to complete what could often be handled more efficiently in a single review.

Recent analysis of CyberAB data reveals that a staggering 72% of CMMC 2.0 assessments are being conducted in sequential scoping, a practice that can significantly increase costs and timelines for contractors (CyberAB, 2023-06-15).

72

 Percent of CMMC 2.0 assessments conducted in sequential scoping (Source: CyberAB, 2023-06-15)

Breaking Down Sequential Scoping

Sequential scoping, a practice where separate assessments are conducted for different CMMC levels or systems, is becoming increasingly common in CMMC 2.0 assessments. According to CyberAB data, this approach is often driven by the need to address specific CUI or system requirements, rather than a comprehensive assessment of the entire organization.

As a result, contractors are facing increased costs and timelines, with some reporting up to 30% higher expenses for sequential assessments compared to a single, comprehensive assessment (interview with a former DoD contracting officer, 2023-11-20).

“‘Sequential scoping is a ticking time bomb for contractors and the DoD, as it creates a culture of fragmentation and inefficiency in CMMC 2.0 assessments.’ – Federal Architect analysis”

Actionable Takeaways for Contractors

Contractors seeking to navigate the complexities of CMMC 2.0 assessments should consider the following key takeaways:

  • Conduct a thorough risk assessment to identify areas requiring separate assessments
  • Work closely with your C3PAO to determine the best scoping approach for your organization
  • Develop a comprehensive POA&M plan to address any identified gaps or risks
What to Do This Week

Review your current CMMC 2.0 assessment strategy and consider whether sequential scoping is the most effective approach for your organization.

As the DoD continues to implement CMMC 2.0, it is essential to address the hidden costs and inefficiencies of sequential scoping. By adopting a more comprehensive and strategic approach to assessments, contractors and the DoD can work together to create a more efficient and effective cybersecurity ecosystem.

The Contract Opportunity Atlas

Two issues a week.. Free.

Two issues a week. Contrarian, data-driven intelligence for small tech firms selling to the federal government. Free.

Subscribe to COA

This analysis was featured in the Contract Opportunity Atlas. Subscribe for weekly intelligence.

Shahid Shah
Shahid Shah
Shahid specializes in bringing world-class CTO, CISO, and EiR expertise to startups, business units and companies on a part-time (fractional) basis. With a rich background in regulated, safety-critical industries like Med Devices, Digital Health, and Gov 2.0, he possess a unique understanding of complex, high-demand products and services. He is a C-suite native that can easily blend in with technical and engineering teams that need to deliver revenue-generating solutions to the marketplace. He has served as an Entrepreneur in Residence when a market seems lucrative but it's unclear how to build and launch products and services for such opportunities. Shahid has years of leadership experience as a co-founding startup CTO for multiple venture-backed companies, business unit CTO and EiR, and public company CTO helping transform product teams from marginal to high performance. His software/hardware engineering and cybersecurity body of knowledge is up to date because he rolls up his sleeves to create code when appropriate & dive into system architecture and design when required. He also conduct technology due diligence exercises for corporate acquisition or product integration requirements.
RELATED ARTICLES

Most Popular

CATEGORIES