Here is our complete breakdown of the CMMC assessment process (CAP).
The CMMC Assessment Process (CAP) provides the procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC Level 2 Assessments of organizations seeking certification (OSCs).
There are four phases of the CAP:
The CAP supplements other official publications endorsed or published by the Department of Defense (DoD). We have an updated version of this blog which discusses the 2.0 version released December 16, 2024.
Phase 1 establishes the foundation of a well-organized engagement between an OSC and C3PAO.
This planning phase may take up to several days, depending on the OSC’s ability to provide the required information, including their proposed CMMC Assessment Scope and evidence of CMMC practice implementation.
OSCs seeking a certification assessment should consult The Cyber AB Marketplace, which provides an updated registry of authorized C3PAOs in good standing. During the initial engagement, the C3PAO should try to ascertain the general preparedness, the requested timeframes, and the geographic locations for the CMMC Level 2 assessment.
OSCs and C3PAOs shall agree upon specific terms and conditions of the contractual agreement, including pricing and payment, prior to the beginning of the assessment. All contractual agreements must conform to the CMMC Code of Professional Conduct.
The Cyber AB has prepared a range of templates for use by C3PAOs:
After putting the agreement in place between the OSC and C3PAO, the OSC Assessment Official and C3PAO plan the details of the assessment.
This includes:
Validating the CMMC Assessment Scope
The OSC has the initial responsibility to identify an inventory of various categories of assets that will be subject to CMMC Assessment. The Lead Assessor will verify its accuracy and integrity by reviewing network schematic diagrams, the System Security Plan (SSP), policies, and organizational charts.
Use of External Cloud Service Providers
The C3PAO must obtain a basic understanding of the relationship between the OSC and External Cloud Service Providers to accurately identify the CMMC Assessment Scope.
If an external connection exists, the elements that determine the security requirements for the External Cloud Service Provider are:
If the External Cloud Service Provider processes, stores, or transmits CUI, it is subject to DFARS 252.204-7012(b)(2)(ii)(D): it must meet security requirements equivalent to the FedRAMP Moderate baseline and comply with paragraphs (c) through (g) of the clause for cyber incident reporting.
If the provider does not hold a FedRAMP Moderate authorization, the C3PAO Assessment Team will determine whether its security practices are equivalent to the FedRAMP Moderate baseline.
If the External Cloud Service Provider does not store, process, or transmit CUI but does contribute to the OSC meeting one or more CMMC practice requirements, then it must meet the NIST SP 800-171 requirements and attain CMMC Certification.
Model Non-Duplication
Assessors not affiliated with CMMC determine conformance to other cybersecurity standards, such as ISO 27001 or FedRAMP. Absent official non-duplication policies published by DoD, conformance to an alternative standard does not bestow any status or credit towards an OSC’s certification.
Inventory of Practices Against CMMC Model
The OSC shall provide the Assessment Team with the following:
The purpose of this procedure is to map all evidentiary materials to their respective CMMC practices and establish a mutual understanding that the OSC has addressed each of the CMMC practices with some evidentiary basis.
Verify and Record Evidence Against Adequacy and Sufficiency Criteria
The Lead Assessor determines the required interviews, observations, reviews and other related Evidence needed for each practice.
This is based on the requirements for Evidence:
Review OSC Self-Assessment
The Lead Assessor will review the most recent self-assessment against the context of the DoD’s criteria for the assessment of CMMC practices. This will result in one of three possible findings:
The C3PAO will update the Pre-Assessment Data Form throughout Phase 1 and whenever significant changes occur, including:
The Lead Assessor and OSC Assessment Official must reach agreement on the Pre-Assessment Plan for the assessment to commence. The C3PAO submits the final version into CMMC eMASS at the completion of Phase 1.
Develop Approach to Evidence Collection
The Lead Assessor will identify methods for collecting, managing and reviewing Evidence including gathering artifacts, conducting interviews, testing or observing the environment, and requests for information.
The Evidence collection approach must record the use of any virtual data collection techniques and methods used to protect sensitive data. The decision to conduct some of the Evidence collection activities in-person rests with the OSC.
The Assessment Team must observe implementation of 15 objectives unless the OSC employs a FedRAMP Moderate cloud services provider to manage these requirements.
Select Assessment Team Members
The C3PAO is responsible for ensuring that all team members possess an active status in good standing with The Cyber AB. Other considerations may include conflicts of interest with the OSC, availability for the target date range, cost, years of experience, geographic location, specialization, and professional reputation.
Identify Resources and Schedule
The final assessment plan should detail a schedule for each day. The C3PAO works with the OSC to meet all planning requirements, including:
Identify and Manage Conflicts of Interest
The C3PAO is responsible for identifying organizational and individual conflicts of interest (COI); if any are identified, the Lead Assessor documents them in the Pre-Assessment Plan. Each member of the Assessment Team must sign the “Absence of Conflict-of-Interest Confirmation Statement” before the assessment commences.
All parties should be familiar with the CMMC Code of Professional Conduct and take action to avoid COIs or implement verifiable measures to mitigate them. If COIs are not sufficiently mitigated, the C3PAO should not proceed with the assessment.
The readiness review process ensures the OSC is adequately prepared, the Assessment Team is ready, and the Evidence is available and accessible. After analyzing all information collected in Phase 1, the Lead Assessor recommends and the C3PAO decides one of four possible determinations:
Evidence Access and Verification
The Assessment Team will perform a cursory review of the actual Evidence mapped against CMMC practices in Phase 1.4 to ensure that it exists and is ready for evaluation. The Virtual Assessment Evidence Preparation Template, which had not yet been published at the time of the CAP release, will facilitate the virtual review of Evidence.
The Lead Assessor will verify that any practices marked as “Not Applicable” do not apply to the Host Unit or Supporting Organization. The Assessment Team cannot provide any advice or recommendations to the OSC during this preliminary review of the Evidence.
Assessment Feasibility Determination
Following the verification of Evidence, the Lead Assessor recommends whether conducting the Assessment is practical, and the C3PAO and OSC decide whether or not to proceed.
Quality Review on Pre-Assessment Form Data
The CMMC Quality Assurance Professional (CQAP) will verify that the Pre-Assessment Form data is properly structured in the JavaScript Object Notation (JSON) format prior to uploading it into CMMC eMASS.
Upload Pre-Assessment Form into CMMC eMASS
The Pre-Assessment Form Template, which was not provided in the pre-decision draft, will define the layout of the Pre-Assessment Form. C3PAOs may develop a spreadsheet or use a third-party tool to produce the Pre-Assessment Form data in the required JSON format for upload into CMMC eMASS.
Prepare the Assessment Team
The Lead Assessor shall assign roles and responsibilities to the Assessment Team and ensure their preparation, having reviewed the OSC’s Assessment Scope and System Security Plan.
The Assessment Team will verify the adequacy and sufficiency of Evidence to determine whether the practices have met the required standard.
The Lead Assessor will use the CMMC Assessment In-Brief, not included at the time of the initial CAP release, to conduct the assessment kickoff meeting. The Lead Assessor will convene a kickoff meeting attended by the OSC Assessment Official, OSC POC, Assessment Team members and members of the OSC who will be participating in the assessment.
The Lead Assessor will provide a timeline of scheduled events and locations where they will occur. They will also keep the official minutes or provide a detailed summary of the kickoff meeting, including all questions and answers. The OSC should provide a high-level overview of their organization, their cybersecurity program, and inform all OSC personnel of their role in supporting the assessment.
An assessment procedure consists of an assessment objective and a set of potential assessment methods and assessment objects.
Determination statements express the assessment objectives for a practice. For example, practice AC.L1-3.1.1 has six assessment objectives.
Assessment objects identify the specific items that could potentially have a security defect and can include:
Further reading of the recommended supplement NIST IR 8011 identifies additional examples of assessment objects to include credentials, accounts, privileges, and things granted privileges (including data and physical facilities).
Assessment objects relate to the three types of assets defined in the CMMC Assessment Scope (People, Technology and Facilities).
Assessment methods define the nature of the Assessor’s actions, including:
The Lead Assessor produces a preliminary assessment finding of satisfied (“MET”) or other than satisfied (“NOT MET”), which indicates potential anomalies the OSC needs to address. For any disputed practice findings, the C3PAO holds the final interpretation authority.
Examine Evidence
The OSC provided the C3PAO with an organized list of Evidence and process mappings in Phase 1. The Assessment Team will now evaluate the Evidence based on the assessment objectives and ensure that the artifact examined is current and produced by the individuals who are performing the work. Assessment artifacts that represent policies and procedures must also demonstrate adoption by the relevant OSC personnel.
Conduct Interviews
The Lead Assessor will schedule single or group interview sessions with OSC staff or third parties who perform procedures or have a role in supporting relevant cybersecurity activities. During the interview, the Assessment Team will ask questions to gain clarity of the practice or process implementation and map the responses to CMMC practices. The Assessment Team will ensure confidentiality and non-attribution so the interviewees can speak openly without fear of retribution.
Observe Tests
With the help of the OSC, the Lead Assessor will identify staff who perform procedures and schedule a test or demonstration observation to gain insight into the effectiveness of practice implementation. The Assessment Team will ask questions of the OSC staff and verify corresponding artifacts or procedures, mapping their notes back to the relevant practices.
Determine FedRAMP Moderate Equivalency for Cloud Computing Providers
The Assessment Team is responsible for determining if External Cloud Service Providers meet the security requirements equivalent to FedRAMP Moderate per the DFARS 252.204-7012(b)(2)(ii)(D) requirement. The External Cloud Service Provider may submit a body of evidence (BOE) or their SSP to describe the system environment and current status of the FedRAMP Moderate baseline controls. They may also submit a Customer Responsibility Matrix summarizing how they meet each control and which party handles maintaining that control.
An independent, credible, professional source (not a CMMC RP or RPO employed, contracted, or under a paid engagement with the OSC) should attest to the BOE. The Assessment Team is not conducting a quasi-FedRAMP audit.
Identify Evidence Gaps
Evidence examined by the Assessment Team must address adequacy and sufficiency for the full CMMC Assessment Scope. If the examined artifact does not provide enough of the right evidence, an Evidence gap exists that may point to a deficiency in the implementation of cybersecurity measures. Examples of Evidence gaps include:
Evidence Review Approach
The Assessment Team records daily any impact of Evidence collection on the assessment duration. If the C3PAO or OSC makes significant changes to how Evidence is collected, the Pre-Assessment Data Form should reflect those changes.
Each day, the Assessment Team will score practices based on the examination of Evidence presented. The OSC may present additional Evidence, as agreed upon and accepted by the Lead Assessor, which the Assessment Team may use to update or verify practice scores.
Record Initial Scores
The Assessment Team will record MET, NOT MET, and NA scores daily and present them during the daily checkpoint with the OSC. The CMMC Scoring with DoD Assessment Scoring Methodology document, which was not provided at the time of the draft CAP release, will supply the scoring template.
Correct Limited Practice Deficiencies
A limited practice deficiency correction accommodation exists for OSCs.
Ineligible Practices for Deficiency Corrections
Eligible Practices for Limited Deficiency Correction Consideration
Practices listed on the Limited Practice Deficiency Correction Worksheet, not yet provided at the time of the CAP release, are eligible if they meet the criteria below:
The Lead Assessor will generate preliminary recommended findings summarizing all practice MET and NOT MET scores and insert them into the CMMC Assessment Findings Brief Template, which is not yet available.
The Assessment Team will present these preliminary findings to the OSC during the daily checkpoint meetings. The OSC will have the opportunity to present additional Evidence that may result in modifications to the preliminary findings.
Determine Final Practice MET / NOT MET / NA Results
After reviewing all Evidence and presenting the preliminary findings to the OSC, the Lead Assessor records the final recommended score. The C3PAO holds the final interpretation authority for practice scores.
Determine Final Practice Results
If the overall score is less than 80% (fewer than 88 of 110 practices “MET”), the OSC receives a finding of “Not Achieved”. If the overall score is 80% or higher, the OSC must correct remaining deficiencies within five (5) business days of the Final Findings Briefing, or by an alternative date set by the Lead Assessor (no later than five calendar days before the Final Findings Report is submitted into eMASS).
Execute POA&M Review
CMMC 2.0 allows limited use of POA&Ms to remediate practices not satisfied at the time of the assessment. The OSC must remediate any deficiencies within 180 days of the Assessment Final Recommended Findings Briefing. The highest-weighted CMMC requirements are not eligible for a POA&M at the time of the certification assessment, and the OSC must meet at least 88 of the 110 practices to receive a Level 2 conditional certification.
The POA&M should document the actions required to remediate each deficiency and the timeframe for doing so, and should record the up-to-date progress of the corrective actions.
Validate OSC POA&M
A credible POA&M should include, at a minimum, the following:
The Lead Assessor is responsible for reviewing the POA&M at the time of the assessment closeout and ensuring proper documentation for all practices authorized by DoD.
Create and Finalize Recommended Findings
The Assessment Team will update The CMMC Assessment Findings Brief with MET / NOT MET scores and describe any practice deficiencies.
Support Assessment Appeals Process
The OSC can dispute the results of the assessment if it believes there is substantial evidence that ALL the objectives of a practice have been “MET”. The Assessment Appeals Process, not available at the time of the CAP publication, will define how an OSC appeals its assessment results.
The Lead Assessor shall deliver the recommended results to the OSC during the Final Findings Briefing. They will then submit the assessment packet to the CQAP and C3PAO who will verify completeness and accuracy prior to upload into eMASS.
The Lead Assessor will provide the assessment results to the OSC Assessment Official either at the final daily checkpoint or in a separately scheduled findings review.
Deliver Final Findings
The Assessment Findings Brief Template, which is not yet available, will provide a summary of the recorded MET and NOT MET status for each practice.
The purpose of this step is to retain all assessment documentation and artifacts. The Lead Assessor will produce the CMMC Findings Briefing or an equivalent document. The C3PAO will submit the CMMC Assessment Results into eMASS. The OSC, the Assessment Team, or another authorized official will hash all artifacts following the CMMC Artifact Hashing Tool User Guide, so that the retained artifact set can later be shown to be unchanged. The final daily checkpoint will cover results for all discussed practices (artifact reviews, interviews, and examinations/tests), including any resulting actions and due dates.
Limited Practice Deficiency Correction Evaluation
The C3PAO will review any new Evidence provided by the OSC required to close out items on the Limited Deficiency Correction Program. If the OSC corrects all items for that practice, the score will change to MET. If the OSC corrects all practices on the Limited Deficiency Correction Program, the Lead Assessor will recommend granting the OSC a Level 2 Certification.
The Lead Assessor will recommend moving any remaining NOT MET deficiencies to a POA&M using the steps outlined in Phase 2. After executing a POA&M review, the overall score must equal or exceed 80% (88/110 practices, MET) to move the OSC to the POA&M and Close-Out Assessment option.
Verify Assessment Results Package
The CMMC Assessment Quality Review Checklist, not yet available at the time of the publication of the CAP, will provide a process for the CQAP to verify the assessment documentation prior to eMASS upload.
Upload Assessment Results Package into CMMC eMASS
The C3PAO will upload all assessment results, whether successful or not, into eMASS. The assessment results package must include a Final Report that details practice scores with traceability to each finding, using the CMMC Assessment Results Template (i.e., an Excel workbook or spreadsheet with each practice’s score, finding, and comment). The eMASS upload must occur within 20 business days of the Final Findings Briefing, using the prescribed JSON format.
Archive or Dispose of any Assessment Artifacts
The C3PAO must retain and protect the Assessment Results Package for a period of three years. The Lead Assessor must ensure that the OSC has hashed all artifacts and report the OSC’s hash into eMASS. The OSC must retain these artifacts for three years.
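The page says only that the artifacts are hashed and that a single OSC hash is reported into eMASS and retained for three years. The added example below is not the DoD CMMC Artifact Hashing Tool (which is a PowerShell script) and is not taken from the CAP; it assumes a hash-of-hashes scheme (SHA-256 of every artifact, written to a sorted manifest, then SHA-256 of that manifest as the one value to report) and shows why that single value is useful: anyone holding the archive and the reported hash can later prove the artifact set was neither altered nor trimmed. The sample archive and file contents are constructed for the demo.

```python
"""Artifact integrity manifest: SHA-256 per file, then SHA-256 over the manifest.

Added illustration of a hash-of-hashes scheme; it is NOT the DoD CMMC Artifact
Hashing Tool and makes no claim about that tool's file format.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream files in 1 MiB chunks; evidence archives can be large


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of one file, read incrementally."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> str:
    """One line per artifact, '<sha256>  <relative POSIX path>', in sorted order.

    Sorting and POSIX-style paths make the manifest (and so its hash) identical
    no matter which filesystem or directory-walk order produced it."""
    lines = []
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        lines.append(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}")
    return "".join(line + "\n" for line in lines)


def manifest_hash(manifest_text: str) -> str:
    """The single value an OSC would record: SHA-256 over the manifest bytes."""
    return hashlib.sha256(manifest_text.encode("utf-8")).hexdigest()


def verify(root: Path, manifest_text: str, expected_manifest_hash: str) -> list[str]:
    """Re-check an archive against its manifest and the recorded manifest hash.

    Returns a list of problems; an empty list means the artifact set is intact.
    The manifest hash is checked first so a doctored manifest cannot vouch for
    itself; then every listed file is re-hashed; finally files present on disk
    but absent from the manifest are reported, since additions matter too."""
    problems: list[str] = []
    if manifest_hash(manifest_text) != expected_manifest_hash:
        problems.append("manifest hash does not match the recorded value")
    recorded: dict[str, str] = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, rel = line.split("  ", 1)
        recorded[rel] = digest
    on_disk = {q.relative_to(root).as_posix(): q for q in root.rglob("*") if q.is_file()}
    for rel, digest in recorded.items():
        if rel not in on_disk:
            problems.append(f"missing: {rel}")
        elif sha256_file(on_disk[rel]) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(set(on_disk) - set(recorded)):
        problems.append(f"unlisted: {rel}")
    return problems


def demo() -> tuple[str, list[str], list[str]]:
    """Constructed sample archive: three small artifacts, then one is edited."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "policies").mkdir()
        (root / "policies" / "access-control-policy.txt").write_text("Constructed sample policy text.\n")
        (root / "ssp.txt").write_text("Constructed sample SSP excerpt.\n")
        (root / "interview-notes.txt").write_text("Constructed sample interview notes.\n")

        manifest = build_manifest(root)
        reported = manifest_hash(manifest)      # the value that would go into eMASS
        clean = verify(root, manifest, reported)

        # Simulate a post-assessment edit to one artifact in the retained archive.
        (root / "ssp.txt").write_text("Constructed sample SSP excerpt, quietly edited.\n")
        tampered = verify(root, manifest, reported)
    return reported, clean, tampered


if __name__ == "__main__":
    reported, clean, tampered = demo()
    print("reported manifest hash:", reported)
    print("clean archive:", clean or "intact")
    print("after edit:", tampered)
```

Keep the manifest alongside the archive but treat the 64-character manifest hash as the thing of record: it is short enough to key into eMASS by hand, and without it the manifest could be regenerated to match an altered archive.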
The Cyber AB will provide a template for the protection and destruction of contractor assessment materials to verify disposal of assessment artifacts from all Assessment Team members. The C3PAO will retain each signed document for a period of three years.
Adjudicate Any Assessment Appeals
The OSC can submit an official appeal of the Assessment findings using Assessment Appeals Process, which was not available at the time of the CAP publication.
Schedule a CMMC POA&M Close-Out Assessment (if necessary)
The OSC is responsible for scheduling a POA&M Close-Out Assessment within 180 days from the CMMC Final Findings Briefing. The OSC can hire the same or another Authorized C3PAO and Lead Assessor to conduct the POA&M Close-Out Assessment.
Post assessment, the OSC may correct practice deficiencies, either found during the assessment or documented prior. Only the highest-weighted requirements, according to the DoD Assessment Scoring Methodology, are ineligible for post-assessment corrective action.
The OSC will have 180 days from the Assessment Final Recommended Findings Briefing to select a C3PAO to conduct the POA&M Close-Out Assessment. The Assessment Team will review the OSC’s updated POA&M and Evidence or schedule Evidence collection (observations, interviews, tests). The Lead Assessor will validate all POA&M with the following criteria:
Update POA&M Close-Out
The Lead Assessor will recommend that the OSC be issued a Level 2 Certification if all practices on the POA&M result in a score of MET.
Update POA&M Reapply
The Lead Assessor will recommend that the OSC not receive a Level 2 Certification if any practice on the POA&M fails to result in a score of MET.
The C3PAO is the final interpreting authority for validating the POA&M Close-Out findings. If the OSC feels that a technical error or ethical violation compromised the process, they can submit an appeal using the Assessment Appeals Process (template not yet available).