The CMMC Assessment Process (CAP): A Total Breakdown

The CMMC Assessment Process (CAP) provides the procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC Level 2 Assessments of organizations seeking certification (OSCs).

There are four phases of the CAP:

  1. Plan and Prepare the Assessment

  2. Conduct the Assessment

  3. Report Assessment Results

  4. Close-Out Plans of Action and Milestones (POA&M) and Assessment (if needed)

The CAP supplements other official publications endorsed or published by the Department of Defense (DoD). Version 1.0, published on July 26, 2022, is a pre-decisional release that DoD has not endorsed. Both DoD and The Cyber AB welcome comments from all members of the CMMC ecosystem and the public via the DoD website or The Cyber AB.


Phase 1 - Plan and Prepare The Assessment

Phase 1 establishes the foundation of a well-organized engagement between an OSC and C3PAO.

This planning phase may take up to several days, depending on the OSC’s ability to provide the required information, including their proposed CMMC Assessment Scope and evidence of CMMC practice implementation.

1.1 C3PAO Receives Request for Assessment From OSC

OSCs seeking a certification assessment should consult The Cyber AB Marketplace, which provides an updated registry of authorized C3PAOs in good standing. During the initial engagement, the C3PAO should try to ascertain the general preparedness, the requested timeframes, and the geographic locations for the CMMC Level 2 assessment.

1.2 Roles and Responsibilities

  • OSC Assessment Official: The highest ranking representative of an OSC who’s directly responsible for leading and managing the engagement with the C3PAO Assessment Team. This must be an employee of the OSC.

  • OSC Point of Contact (OSC POC): The daily liaison between the OSC and C3PAO Assessment Team. This does not need to be an employee of the OSC.

  • C3PAO Assessment Team: The representative body of a C3PAO composed of certified personnel who conduct the CMMC Assessment and non-certified individuals who provide logistical or administrative support.

  • Lead Assessor: A CMMC Certified Assessor (CCA) who oversees the Assessment Team.

  • CMMC Quality Assurance Professional (CQAP): Each C3PAO will have at least one CQAP on staff, formally trained to ensure that assessment documentation packages are reviewed and validated prior to upload into the DoD Enterprise Mission Assurance Support Service (eMASS).

1.3 Contractual Arrangements

OSCs and C3PAOs shall agree upon specific terms and conditions of the contractual agreement, including pricing and payment, prior to the beginning of the assessment. All contractual agreements must conform to the CMMC Code of Professional Conduct.

1.4 Assessment Documents and Templates

The Cyber AB has prepared a range of templates for use by C3PAOs:

  • CMMC Pre-Assessment Form: serves as the central record for the assessment to record the requirements, agreements, risks, conflicts of interest mitigation, logistics, assets within scope, and evidence. 

  • Virtual Assessment Evidence Preparation Template: Excel file to support the organization of and validation of evidence during an assessment.

  • C3PAO and Assessor Conflict of Interest Attestation: Assessment team members and C3PAO stating they have not provided consulting, advisory or implementation support to the OSC.

  • CMMC Assessment In-Brief: PowerPoint used to construct the formal kickoff briefing.

  • CMMC Assessment Results: spreadsheet that serves as the official record of the final results of the assessment.

  • Daily Checkpoint: PowerPoint used to coordinate and track daily assessment activities.

  • Conditional Practice Deficiency Correction Worksheet: document of record for any unimplemented practices that required resolution.

  • CMMC Assessment Findings Briefing: PowerPoint file used to convey reporting of results to the OSC.

  • CMMC Assessment Quality Review Checklist: Checklist of items CMMC Quality Assurance Professional will review.

  • Confirmation of Destruction of OSC Data: C3PAO document demonstrating their surrender and/or destruction of any OSC proprietary information at the conclusion of the assessment. 

1.5 Assessment Conditions and Requirements

After putting the agreement in place between the OSC and C3PAO, the OSC Assessment Official and C3PAO plan the details of the assessment.

This includes:

  • Assessment locations and if accessible virtually

  • OSC Staff that will provide evidence and support the assessment

  • CMMC Assessment Scope

  • OSC roles and responsibilities of information technology and information security

  • Evidence

  • A rough estimate for the duration and timing of the assessment

  • The Assessment outputs provided to the OSC upon completion

  • Lead Assessor: The CCA the C3PAO assigns as Lead Assessor after reviewing the Pre-Assessment Data Form.

  • Corporate Identity: The Lead Assessor and OSC Assessment Official confirm the legal entity undergoing the assessment. This could be the entire company (HQ Organization), a division or subsidiary (Host Unit), or an Enclave.

  • HQ Organization: The entire legal entity delivering services under the terms of a DoD contract. Before the assessment can proceed, the HQ Organization must possess a Commercial and Government Entity (CAGE) code issued by the Department of Defense and have a Unique Entity Identifier (UEI) by registering with the General Services Administration’s (GSA) SAM.gov system.

  • Host Unit: a discrete subsidiary, division, or operating component with specific people, procedures, and technology within an HQ Organization relevant to the DoD contract.

  • Enclave: A set of resources that operate within the same security domain and share the protection of a single, common, and continuous security perimeter.

  • Supporting Organizations: External people, procedures, and technology that support the HQ Organization. 

Validating the CMMC Assessment Scope

The OSC has the initial responsibility to identify an inventory of various categories of assets that will be subject to CMMC Assessment. The Lead Assessor will verify its accuracy and integrity by reviewing network schematic diagrams, the System Security Plan (SSP), policies, and organizational charts.

Use of External Cloud Service Providers

The C3PAO must obtain a basic understanding of the relationship between the OSC and External Cloud Service Providers to accurately identify the CMMC Assessment Scope.

If an external connection exists, the elements that determine the security requirements for the External Cloud Service Provider are:

  • Whether the external connection facilitates delivery of products and services

  • Whether the flow of Controlled Unclassified Information (CUI) across the connection is restricted

  • Any specified CUI requirements impacting either the OSC or External Cloud Service Provider

If the External Cloud Service Provider processes, stores, or transmits CUI, it is subject to DFARS 252.204-7012(b)(2)(ii)(D): it must meet security requirements equivalent to the FedRAMP Moderate baseline and comply with paragraphs (c) through (g) of the clause for cyber incident reporting.

If the provider does not hold a FedRAMP Moderate authorization, the C3PAO Assessment Team will determine whether its security practices are equivalent to the FedRAMP Moderate baseline.

If the External Cloud Service Provider does not store, process, or transmit CUI but does contribute to the OSC meeting one or more CMMC practice requirements, it must meet the NIST SP 800-171 requirements and attain CMMC certification.

Model Non-Duplication

Conformance to other cybersecurity standards, such as ISO 27001 or FedRAMP, is determined by assessors outside the CMMC ecosystem. Absent an official non-duplication policy published by DoD, conformance to an alternative standard confers no status or credit toward an OSC’s CMMC certification.

Inventory of Practices Against CMMC Model

The OSC shall provide the Assessment Team with the following:

  • Results of the most recent self-assessment

  • A preliminary list of anticipated evidence

  • The System Security Plan and other relevant documentation

  • A list of all OSC personnel who play a role in the procedures that are in scope

The purpose of this procedure is to map all evidentiary materials to their respective CMMC practices and establish a mutual understanding that the OSC has addressed each of the CMMC practices with some evidentiary basis.

Verify and Record Evidence Against Adequacy and Sufficiency Criteria

The Lead Assessor determines the required interviews, observations, reviews and other related Evidence needed for each practice.

This is based on the requirements for Evidence:

  • Adequacy: does the assessment team have the right evidence?

  • Sufficiency: does the assessment team have enough evidence? All evidence must:

    • Cover the sampled Host Units and/or Supporting Organizations

    • Cover the model scope of the Assessment

    • Correspond to the Host Unit and/or Supporting Organization in the Evidence collection approach.

Review OSC Self-Assessment

The Lead Assessor will review the most recent self-assessment against DoD’s criteria for assessing CMMC practices. This will result in one of three possible findings for each practice:

  • Met

  • Not Met

  • Not Applicable

1.6 Complete Pre-Assessment Planning

The C3PAO will update the Pre-Assessment Data Form throughout Phase 1 and whenever significant changes occur, including:

  • Any changes to the framing of the assessment contract between OSC and C3PAO

  • Any changes to the CMMC Assessment Scope

  • Changes to the dates and times of the assessment events

  • C3PAO changes to the Assessment Team

  • Unplanned disruptions

The Lead Assessor and OSC Assessment Official must reach agreement on the Pre-Assessment Plan for the assessment to commence. The C3PAO submits the final version into CMMC eMASS at the completion of Phase 1.

Develop Approach to Evidence Collection

The Lead Assessor will identify methods for collecting, managing and reviewing Evidence including gathering artifacts, conducting interviews, testing or observing the environment, and requests for information. 

The Evidence collection approach must record the use of any virtual data collection techniques and methods used to protect sensitive data. The decision to conduct some of the Evidence collection activities in-person rests with the OSC.

The Assessment Team must observe implementation of 15 objectives unless the OSC employs a FedRAMP Moderate cloud services provider to manage these requirements. 

  • CM.L2-3.4.5[d]- Enforce physical access restrictions associated with changes to the system.

  • MA.L2-3.7.2[d]- Control personnel used to conduct system maintenance.

  • MP.L2-3.8.1[c]- Securely store paper media containing CUI.

  • MP.L2-3.8.1[d]- Securely store digital media containing CUI.

  • MP.L2-3.8.4[a]- Mark media containing CUI with applicable CUI markings.

  • MP.L2-3.8.4[b]- Mark media containing CUI with distribution limitations.

  • PE.L1-3.10.1[b]- Limit physical access to organization systems to authorized individuals.

  • PE.L1-3.10.1[c]- Limit physical access to equipment to authorized individuals.

  • PE.L2-3.10.2[a]- Monitor the physical facility where organizational systems reside.

  • PE.L2-3.10.2[d]- Monitor the support infrastructure for organizational systems.

  • PE.L1-3.10.3[a]- Escort visitors.

  • PE.L1-3.10.3[b]- Monitor visitor activity.

  • PE.L1-3.10.5[b]- Control physical access devices.

  • PE.L1-3.10.5[c]- Manage physical access devices.

  • SC.L2-3.13.12[b]- Collaborative computing devices provide indication to users of devices in use.

Select Assessment Team Members

The C3PAO is responsible for ensuring that all team members possess an active status in good standing with The Cyber AB. Other considerations may include conflicts of interest with the OSC, availability for the target date range, cost, years of experience, geographic location, specialization, and professional reputation.

Identify Resources and Schedule

The final assessment plan should detail a schedule for each day. The C3PAO works with the OSC to meet all planning requirements, including:

  • Identifying detailed resource needs beyond general estimates

  • Listing all assessment participants, including:

    • OSC Names and titles of interviewees

    • OSC Names and functions of support personnel (if any)

    • OSC Organizational affiliation of participants

    • C3PAO Assessment Team Members, roles and qualifications

  • List of all OSC facilities made available to the assessment team, including location, seating capacity, support equipment and room configuration.

  • Recording schedule goals and limitations, including length of time for key activities

  • Noting any travel requirements

  • Identifying any triggers that would require updating of the assessment plan

Identify and Manage Conflicts of Interest

The C3PAO is responsible for identifying organizational and individual conflicts of interests (COI) and if identified, the Lead Assessor will document them in the Pre-Assessment Plan. The Assessment Team must attest by signature the “Absence of Conflict-of-Interest Confirmation Statement” prior to commencing the assessment.

All parties should be familiar with the CMMC Code of Professional Conduct and take action to avoid COIs or implement verifiable measures to mitigate them. If COIs are not sufficiently mitigated, the C3PAO should not proceed with the assessment.

1.7 Verify Readiness to Conduct The Assessment

The readiness review process ensures the OSC is adequately prepared, the Assessment Team is ready, and the Evidence is available and accessible. After analyzing all information collected in Phase 1, the Lead Assessor recommends, and the C3PAO decides, one of four possible determinations:

  1. Proceed with the Assessment as planned

  2. Replan the Assessment

  3. Reschedule

  4. Cancel the Assessment

Evidence Access and Verification

The Assessment Team will perform a cursory review of the actual Evidence mapped against CMMC practices earlier in Phase 1 to ensure that it exists and is ready for evaluation. The Virtual Assessment Evidence Preparation Template, which had not been released at the time of CAP publication, will facilitate the virtual assessment of Evidence.

The Lead Assessor will verify that any practices marked as “Not Applicable” do not apply to the Host Unit or Supporting Organization. The Assessment Team cannot provide any advice or recommendations to the OSC during this preliminary review of the Evidence.

Assessment Feasibility Determination

Following the verification of Evidence, the Lead Assessor recommends if conducting the Assessment is practical and the C3PAO and OSC decide whether to proceed or not. 

Quality Review on Pre-Assessment Form Data

The CQAP will verify the Pre-Assessment Form data is properly structured in the JavaScript Object Notation (JSON) format prior to uploading into CMMC eMASS.  

Upload Pre-Assessment Form into CMMC eMASS

The Pre-Assessment Form Template, which was not provided in the pre-decisional draft, will provide a template for the Pre-Assessment Form. C3PAOs may develop a spreadsheet or use a third-party tool to upload the Pre-Assessment Form data into CMMC eMASS in the required JSON file format.

Prepare the Assessment Team

The Lead Assessor shall assign roles and responsibilities to the Assessment Team and ensure their preparation, having reviewed the OSC’s Assessment Scope and System Security Plan.

Phase 2 - Conduct The Assessment

The Assessment Team will verify the adequacy and sufficiency of Evidence to determine whether the practices have met the required standard. 

2.1 Assessment Kickoff Meeting

The Lead Assessor will use the CMMC Assessment In-Brief, not included at the time of the initial CAP release, to conduct the assessment kickoff meeting. The Lead Assessor will convene a kickoff meeting attended by the OSC Assessment Official, OSC POC, Assessment Team members and members of the OSC who will be participating in the assessment.

The Lead Assessor will provide a timeline of scheduled events and locations where they will occur. They will also keep the official minutes or provide a detailed summary of the kickoff meeting, including all questions and answers. The OSC should provide a high-level overview of their organization, their cybersecurity program, and inform all OSC personnel of their role in supporting the assessment.

2.2 Collect and Examine Evidence

An assessment procedure consists of an assessment objective and a set of potential assessment methods and assessment objects.

Determination statements express the assessment objectives for a practice. For example, practice AC.L1-3.1.1 contains six objectives, and every objective of a practice must be satisfied for that practice to be scored MET.

Assessment objects identify the specific items that could potentially have a security defect and can include:

  • Document-based artifacts (policies, procedures, security plans, security requirements, functional specifications, and architectural designs associated with a system).

  • Mechanisms employed within a hardware, software, or firmware safeguard.

  • Activities that involve people (conducting system backup operations, exercising a contingency plan, and monitoring network traffic).

  • Individuals, or groups of individuals, applying the activities, mechanisms or document-based artifacts.

Further reading of the recommended supplement NIST IR 8011 identifies additional examples of assessment objects to include credentials, accounts, privileges, and things granted privileges (including data and physical facilities). 

Assessment objects relate to the three types of assets defined in the CMMC Assessment Scope (People, Technology and Facilities).

Assessment methods define the nature of the Assessor’s actions, including:

  • Examine - reviewing an assessment object (document-based artifacts)

  • Interview - holding discussion with individuals or groups of individuals

  • Test - observed activities or mechanisms 

The Lead Assessor produces a preliminary assessment finding of satisfied (“MET”) or other than satisfied (“NOT MET”), which indicates potential anomalies the OSC needs to address. For any disputed practice findings, the C3PAO holds the final interpretation authority.

Examine Evidence

The OSC provided the C3PAO with an organized list of Evidence and process mappings in Phase 1. The Assessment Team will now evaluate the Evidence based on the assessment objectives and ensure that the artifact examined is current and produced by the individuals who are performing the work. Assessment artifacts that represent policies and procedures must also demonstrate adoption by the relevant OSC personnel.

Conduct Interviews

The Lead Assessor will schedule single or group interview sessions with OSC staff or third parties who perform procedures or have a role in supporting relevant cybersecurity activities. During the interview, the Assessment Team will ask questions to gain clarity of the practice or process implementation and map the responses to CMMC practices. The Assessment Team will ensure confidentiality and non-attribution so the interviewees can speak openly without fear of retribution.

Observe Tests 

With the help of the OSC, the Lead Assessor will identify staff who perform procedures and schedule a test or demonstration observation to gain insight into the effectiveness of practice implementation. The Assessment Team will ask questions of the OSC staff and verify corresponding artifacts or procedures, mapping their notes back to the relevant practices.

Determine FedRAMP Moderate Equivalency for Cloud Computing Providers

The Assessment Team is responsible for determining if External Cloud Service Providers meet the security requirements equivalent to FedRAMP Moderate per the DFARS 252.204-7012(b)(2)(ii)(D) requirement. The External Cloud Service Provider may submit a body of evidence (BOE) or their SSP to describe the system environment and current status of the FedRAMP Moderate baseline controls. They may also submit a Customer Responsibility Matrix summarizing how they meet each control and which party handles maintaining that control.

An independent, credible, professional source (this may not include a CMMC RP or RPO employed, contracted or under a paid engagement with the OSC) should attest the BOE. The Assessment Team is not conducting a quasi-FedRAMP certification audit.

Identify Evidence Gaps

Evidence examined by the Assessment Team must address adequacy and sufficiency for the full CMMC Assessment Scope. If the examined artifact does not provide enough of the right evidence, an Evidence gap exists that may point to a deficiency in the implementation of cybersecurity measures.  Examples of Evidence gaps include:

  • Incomplete documents (e.g. access control list missing new personnel)

  • Illegitimate affirmations (e.g. attestations from employees who are not relevant)

  • Unendorsed policies (e.g. policies not signed by a relevant position of authority)

Evidence Review Approach

The Assessment Team records any impacts on duration resulting from Evidence collection efforts on a daily basis. If the C3PAO or OSC make significant changes to how they collect Evidence, the Pre-Assessment Data Form should reflect those changes.

2.3 Score OSC Practices and Validate Preliminary Results

Each day, the Assessment Team will score practices based on the examination of Evidence presented. The OSC may present additional Evidence, as agreed upon and accepted by the Lead Assessor, which the Assessment Team may use to update or verify practice scores.

Record Initial Scores

The Assessment Team will record MET, NOT MET, and NA scores daily and present them during the daily checkpoint with the OSC. The CMMC Scoring with DoD Assessment Scoring Methodology, which was not provided at the time of the draft CAP release, will provide a template for the CMMC scoring. 

Correct Limited Practice Deficiencies

A limited practice deficiency correction accommodation exists for OSCs.

Ineligible Practices for Deficiency Corrections

  • Practices that could lead to significant exploitation of the network or exfiltration of CUI

  • Any practices listed on the OSC’s Self-Assessment Practice Deficiency Tracker

  • Practices that were not implemented by the OSC prior to the Assessment

  • Any practice that changes the effectiveness of another practice already scored as MET

Eligible Practices for Limited Deficiency Correction Consideration

Any practices recorded on the Limited Practice Deficiency Correction Worksheet (not yet provided at the time of the release of the CAP) that meet both of the criteria below:

  1. An implemented practice was missing minor updates (e.g. a policy signature or outdated documentation), but the practice Evidence demonstrates the implementation has been in place for a period of time; and

  2. Consensus among the Assessment Team that the practice does not limit the effectiveness of another practice scored as MET.

2.4 Generate Preliminary Recommended Findings

The lead assessor will generate preliminary recommended findings to summarize all practice MET and NOT MET scores. They will insert these findings into the CMMC Assessment Findings Brief Template which is not yet available.

The Assessment Team will present these preliminary findings to the OSC during the daily checkpoint meetings. The OSC will have the opportunity to present additional Evidence that may result in modifications to the preliminary findings.

Determine Final Practice MET / NOT MET / NA Results

After reviewing all Evidence and presenting the preliminary findings to the OSC, the Lead Assessor records the final recommended score. The C3PAO holds the final interpretation authority for practice scores.

Determine Final Practice Results

If fewer than 88 of the 110 practices (80%) are scored “MET”, the OSC receives a finding of “Not Achieved”. If 88 or more practices are MET, the OSC must correct eligible deficiencies within five (5) business days of the Final Findings Briefing, or by an alternative date set by the Lead Assessor (not to exceed five calendar days prior to submission of the Final Findings Report into eMASS).

Execute POA&M Review

CMMC 2.0 allows for limited use of POA&Ms to remediate practices not satisfied at the time of the assessment. The OSC must remediate any deficiencies within 180 days from the Assessment Final Recommended Findings Briefing. The highest-weighted CMMC requirements are not eligible on POA&Ms at the time of the certification assessment and the OSC must meet 88 of the 110 practices to receive a Level 2 conditional certification.

The POA&M should document the actions required to remediate each deficiency and the timeframe for doing so, and it should record the up-to-date progress of the corrective actions.
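The three outcome rules stated above (fewer than 88 MET is Not Achieved; a NOT MET among the highest-weighted, POA&M-ineligible practices is Not Achieved; otherwise open deficiencies go to a POA&M that must close within 180 days of the Final Findings Briefing) are easy to misapply when a results workbook is reviewed by hand. The following Python is an added example, not code from the CAP, The Cyber AB, or DoD, that applies those rules to a full set of 110 practice scores. Assumptions specific to this example: practice IDs are placeholders of the form PRACTICE-001, the POA&M-ineligible set is passed in by the caller (the real list comes from the DoD Assessment Scoring Methodology, which this page does not reproduce), and a practice scored NA is counted toward the MET total.

```python
"""Added example (not from the CAP): apply the CAP's Level 2 outcome rules to a full set of practice scores."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

TOTAL_PRACTICES = 110
MIN_MET = 88            # 80% of 110: the CAP's floor for any certification with open deficiencies
POAM_WINDOW_DAYS = 180  # POA&M close-out window, counted from the Final Findings Briefing
VALID_STATUSES = {"MET", "NOT MET", "NA"}


@dataclass
class Outcome:
    result: str                 # "Level 2 Certification", "Conditional Level 2 Certification" or "Not Achieved"
    met_count: int              # practices counted as MET (NA is counted as MET here; see assumption below)
    reason: str = ""
    poam_items: list[str] = field(default_factory=list)
    poam_close_out_due: str | None = None   # ISO date, only set for a conditional certification


def level2_outcome(results: dict[str, str], poam_ineligible: set[str], findings_briefing: str) -> Outcome:
    """results maps practice ID -> status; poam_ineligible is the set of highest-weighted practices
    that may not be deferred to a POA&M; findings_briefing is the briefing date as YYYY-MM-DD."""
    if len(results) != TOTAL_PRACTICES:
        raise ValueError(f"expected {TOTAL_PRACTICES} practice scores, got {len(results)}")
    bad = sorted(p for p, s in results.items() if s not in VALID_STATUSES)
    if bad:
        raise ValueError(f"unrecognised status for: {bad}")

    not_met = sorted(p for p, s in results.items() if s == "NOT MET")
    # Assumption for this example: a practice scored NA counts toward the MET total.
    met_count = TOTAL_PRACTICES - len(not_met)

    if not not_met:
        return Outcome("Level 2 Certification", met_count, "all practices MET or NA")
    if met_count < MIN_MET:
        return Outcome("Not Achieved", met_count,
                       f"only {met_count}/{TOTAL_PRACTICES} MET; fewer than {MIN_MET}")
    blocked = [p for p in not_met if p in poam_ineligible]
    if blocked:
        # Highest-weighted practices cannot be deferred, so no POA&M path exists for this result set.
        return Outcome("Not Achieved", met_count, f"POA&M-ineligible practices NOT MET: {blocked}")
    due = date.fromisoformat(findings_briefing) + timedelta(days=POAM_WINDOW_DAYS)
    return Outcome("Conditional Level 2 Certification", met_count,
                   f"{len(not_met)} deficiencies deferred to POA&M", not_met, due.isoformat())


def sample_results(not_met=(), na=()) -> dict[str, str]:
    """Constructed score set: 110 placeholder IDs (PRACTICE-001 ... PRACTICE-110), not real CMMC practice IDs."""
    results = {f"PRACTICE-{i:03d}": "MET" for i in range(1, TOTAL_PRACTICES + 1)}
    for p in na:
        results[p] = "NA"
    for p in not_met:
        results[p] = "NOT MET"
    return results


if __name__ == "__main__":
    # Hypothetical ineligible set; the real one comes from the DoD Assessment Scoring Methodology.
    ineligible = {"PRACTICE-001", "PRACTICE-002"}
    print(level2_outcome(sample_results(not_met=["PRACTICE-005", "PRACTICE-017"]), ineligible, "2022-07-26"))
    print(level2_outcome(sample_results(not_met=["PRACTICE-001"]), ineligible, "2022-07-26"))
```

The ineligibility check runs after the 88-practice floor so that the reason reported to the OSC is the one that would still apply if the other were fixed; an assessment that fails both will be told about the count first, since no deficiency-correction window can cure a shortfall of that size.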

Validate OSC POA&M

A credible POA&M should include, at a minimum, the following:

  • The specific security weakness tied to a specific practice;

  • The severity of each weakness;

  • The scope of each weakness within the assessed environment; 

  • The proposed mitigation approaches;

  • The estimated costs for remediation;

  • Documented records of mitigation status and delays; and

  • A risk assessment of the deficiency

The Lead Assessor is responsible for reviewing the POA&M at the time of the assessment closeout and ensuring proper documentation for all practices authorized by DoD.

Create and Finalize Recommended Findings

The Assessment Team will update The CMMC Assessment Findings Brief with MET / NOT MET scores and describe any practice deficiencies. 

Support Assessment Appeals Process

The OSC can dispute the results of the assessment if they feel there is substantial evidence showing ALL the objectives of a practice have been “MET”. The Assessment Appeals Process, not available at the time of the CAP publication, will outline the process an OSC can appeal their assessment results.

Phase 3 - Report Recommended Assessment Results

The Lead Assessor shall deliver the recommended results to the OSC during the Final Findings Briefing. They will then submit the assessment packet to the CQAP and C3PAO who will verify completeness and accuracy prior to upload into eMASS.

3.1 Deliver Recommended Assessment Results

The Lead Assessor will provide the assessment results to the OSC Assessment Official either at the final daily checkpoint or in a separately scheduled findings review.

Deliver Final Findings

The Assessment Findings Brief Template, which is not yet available, will provide a summary of the recorded MET and NOT MET status for each practice. 

3.2 Submit, Package, and Archive Assessment Documentation

The purpose of this step is to retain all assessment documentation and artifacts. The Lead Assessor will produce the CMMC Findings Briefing or an equivalent document. The C3PAO will submit the CMMC Assessment Results into eMASS. The OSC, the Assessment Team, or another authorized official will hash all artifacts following the CMMC Artifact Hashing Tool User Guide. The final daily checkpoint will include results from all discussed practices (artifact reviews, interviews, and examinations/tests), including any resulting actions and due dates.

Limited Practice Deficiency Correction Evaluation

The C3PAO will review any new Evidence provided by the OSC required to close out items on the Limited Deficiency Correction Program.  If the OSC corrects all items for that practice, the score will change to MET. If the OSC corrects all practices on the Limited Deficiency Correction Program, the Lead Assessor will recommend granting the OSC a Level 2 Certification.

The Lead Assessor will recommend moving any remaining NOT MET deficiencies to a POA&M using the steps outlined in Phase 2. After the POA&M review, the overall score must equal or exceed 80% (88 of 110 practices MET) for the OSC to proceed to the POA&M and Close-Out Assessment option.

Verify Assessment Results Package

The CMMC Assessment Quality Review Checklist, not yet available at the time of the publication of the CAP, will provide a process for the CQAP to verify the assessment documentation prior to eMASS upload.

Upload Assessment Results Package into CMMC eMASS

The C3PAO will upload all assessment results, whether successful or not, into eMASS. The assessments results package must include a Final Report that details practice scores with traceability to each finding using the CMMC Assessment Results Template (i.e. Excel workbook or spreadsheet with each practice score, finding and comment). The eMASS upload must occur within 20 business days from the date of the Final Findings Briefing using the prescribed JSON format.

Archive or Dispose of any Assessment Artifacts

The C3PAO must retain and protect the Assessment Results Package for a period of three years. The Lead Assessor must ensure that the OSC has hashed all artifacts and report the OSC’s hash into eMASS. The OSC must retain these artifacts for three years.
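Both the packaging step in 3.2 and the retention rule above depend on the artifact hashes: the OSC's reported hash is what lets a C3PAO, DoD, or an appeals reviewer confirm three years later that the evidence archive is the one that was assessed. The following Python is an added example, not the CMMC Artifact Hashing Tool or any Cyber AB code, that builds a per-artifact SHA-256 manifest and then hashes the manifest itself, so a single reported value commits to every artifact. The SHA-256 choice, the manifest layout, the function names, and the sample artifacts are assumptions made for this illustration, not the User Guide's specification.

```python
"""Added example (not the CMMC Artifact Hashing Tool): SHA-256 manifest for an evidence archive."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large artifacts (VM images, log exports) do not land in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifact_dir: Path, manifest_path: Path) -> str:
    """Write one '<sha256>  <relative path>' line per artifact, sorted by path, and return the
    SHA-256 of the manifest itself: the single value an OSC would report for the archive."""
    manifest_path = manifest_path.resolve()
    files = [p for p in artifact_dir.rglob("*") if p.is_file() and p.resolve() != manifest_path]
    files.sort(key=lambda p: p.relative_to(artifact_dir).as_posix())
    lines = [f"{sha256_file(p)}  {p.relative_to(artifact_dir).as_posix()}" for p in files]
    manifest_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return sha256_file(manifest_path)


def verify_manifest(artifact_dir: Path, manifest_path: Path, expected_manifest_hash: str) -> list[str]:
    """Return the list of problems found; an empty list means the archive still matches.
    The manifest's own hash is checked first: a manifest edited after the hash was reported
    could otherwise be made to 'verify' a modified artifact set."""
    problems: list[str] = []
    if sha256_file(manifest_path) != expected_manifest_hash:
        problems.append("manifest hash mismatch")
    for line in manifest_path.read_text(encoding="utf-8").splitlines():
        digest, _, rel = line.partition("  ")
        p = artifact_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed sample evidence set (not real OSC data): hash it, then edit one artifact, then delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        policy = root / "policies" / "access-control-policy.pdf"
        policy.write_bytes(b"%PDF-1.4 sample policy text\n")
        screenshot = root / "ac-3.1.1-screenshot.png"
        screenshot.write_bytes(b"\x89PNG sample screenshot bytes\n")
        manifest = root / "hashes.txt"
        reported = build_manifest(root, manifest)      # this hex string is what would go into eMASS
        clean = verify_manifest(root, manifest, reported)
        policy.write_bytes(b"%PDF-1.4 policy edited after the assessment\n")
        tampered = verify_manifest(root, manifest, reported)
        screenshot.unlink()
        missing = verify_manifest(root, manifest, reported)
        return clean, tampered, missing


if __name__ == "__main__":
    for label, problems in zip(("clean", "tampered", "missing"), demo()):
        print(label, problems or "OK")
```

The manifest lines use the `sha256sum` output format, so `sha256sum -c hashes.txt` run inside the archive reproduces the per-file checks with standard tooling; what the example adds is the check on the manifest's own hash, which is what makes the one value recorded in eMASS tamper-evident rather than merely a list of files.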

The Cyber AB will provide a template for the protection and destruction of contractor assessment materials to verify disposal of assessment artifacts from all Assessment Team members. The C3PAO will retain each signed document for a period of three years.

Adjudicate Any Assessment Appeals

The OSC can submit an official appeal of the Assessment findings using Assessment Appeals Process, which was not available at the time of the CAP publication.

Schedule a CMMC POA&M Close-Out Assessment (if necessary)

The OSC is responsible for scheduling a POA&M Close-Out Assessment within 180 days from the CMMC Final Findings Briefing. The OSC can hire the same or another Authorized C3PAO and Lead Assessor to conduct the POA&M Close-Out Assessment.

Phase 4 - Close-Out POA&Ms and Assessment (if necessary)

Post assessment, the OSC may correct practice deficiencies, either found during the assessment or documented prior. Only the highest-weighted requirements, according to the DoD Assessment Scoring Methodology, are ineligible for post-assessment corrective action. 

4.1 Perform POA&M Close-Out Assessment

The OSC will have 180 days from the Assessment Final Recommended Findings Briefing to select a C3PAO to conduct the POA&M Close-Out Assessment. The Assessment Team will review the OSC’s updated POA&M and Evidence, or schedule Evidence collection (observations, interviews, tests). The Lead Assessor will validate each POA&M item against the following criteria:

  • The security weakness on the POA&M has been “fully implemented” and scored as MET.

  • All POA&M items “fully-implemented” do not change and/or limit the effectiveness of another practice previously scored as MET.

  • An updated risk assessment documents the closure of the deficiencies previously listed on the POA&M.

  • An updated POA&M reflects no CMMC practice deficiencies.

Update POA&M Close-Out

The Lead Assessor will recommend that the OSC be issued a Level 2 Certification if all practices on the POA&M result in a score of MET.

Update POA&M Reapply

The Lead Assessor will recommend the OSC not receive a Level 2 Certification if any practices on the POA&M fail to result in a score of MET.

4.2 Support POA&M Close-Out Assessment Appeal Resolution

The C3PAO is the final interpreting authority for validating the POA&M Close-Out findings. If the OSC feels that a technical error or ethical violation compromised the process, they can submit an appeal using the Assessment Appeals Process (template not yet available).