Phase 4 of the NIST SP 800-171/CMMC Consulting methodology is Conformity Assessment Support. In this phase, you want the expertise of an authorized C3PAO sitting on your side during the conformity assessment while you are being interviewed by DIBCAC or another C3PAO.
Peak InfoSec's NIST SP 800-171 & CMMC Consulting Methodology

Consulting Phase 4: Conformity Assessment Support

Conformity Assessment Support is where we sit with your organization on your side of the table during your formal assessment by either another C3PAO or DIBCAC.

Regardless of the C3PAO your organization chooses, you want to have someone on your side who understands the dynamics of a Conformity Assessment, the nuances in NIST SP 800-171 and CMMC requirements, and your environment. The Assessors on the other side of the table bring their biases for how they think the requirements should be met. Back to the NIST definition for an assessment:

The testing or evaluation of security controls [per NIST SP 800-171A Assessment Objectives] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the [NIST SP 800-171] security requirements for an information system or organization.

Source: assessment – Glossary | CSRC

Our job is to hold them to that definition and explain how your implemented security controls achieve the intended outcome of safeguarding Controlled Unclassified Information (CUI).

While sitting on your side of the table, we have sat in three main roles:

  • Led your Conformity Assessment: For some clients, we have sat directly across from the C3PAO or DIBCAC assessor and were the first to explain your conformity to them. In this role, we then guided the system administrators on what to demonstrate.
  • Facilitated throughout the Assessment: For other clients, we have been in the room while their CISO and subject matter experts were the first line of interviewees. We would jump in to clarify and guide where miscommunications over nuances occurred.
  • Provided End-of-Day Coaching: This has happened only once so far. The client had us join the DIBCAC end-of-day hotwash, and we then helped them in the evenings to correct deficiencies identified by DIBCAC. This was a mature customer and not the norm we would expect.

Delta Assessment Support

A “Delta Assessment” occurs when DIBCAC or another C3PAO identifies a deficiency, and we have 180 days to correct it and have the Assessors come back to close out the open items.

Consulting Phase 4: Conformity Assessment Support Deliverables

There isn’t a defined deliverable other than to have your organization successfully complete its formal Conformity Assessment by DIBCAC or another C3PAO.
