CMMC Assessment Process
Source of Reference: The CMMC Assessment Process Version 2.0 document from Cybersecurity Maturity Model Certification Accreditation Body, Inc.
DISCLAIMER
Copyright 2024 © Cybersecurity Maturity Model Certification Accreditation Body, Inc. (d/b/a The Cyber AB)
The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official U.S. Government position, policy, or decision, unless designated by other documentation.
Nothing contained in this document supersedes any standard, policy, direction, or official CMMC program information that has been promulgated by the United States Department of Defense (DoD) or the National Institute of Standards and Technology (NIST). In the event of a contradiction, real or perceived, the reader should adhere to the DoD and/or NIST documentation.
NO WARRANTIES ARE MADE HEREIN. THIS MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. THE CMMC ACCREDITATION BODY, INC. MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY OR RESULTS OBTAINED FROM USE OF THE MATERIAL, NOR ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, or COPYRIGHT INFRINGEMENT.
Comments on this DRAFT CAP v2.0 are welcomed from all members of the CMMC Ecosystem, the DIB, and the public. This feedback will be used to improve the document and may help inform the publication of future editions of the CAP. Feedback can be submitted via the email address CAPComments@cyberab.org.
Introduction to the CMMC Assessment Process (CAP)
The Cybersecurity Maturity Model Certification (CMMC) Program is the U.S. Department of Defense’s (DoD) initiative for the assessment and certification of conformance to established security requirements by companies and organizations within the Defense Industrial Base (DIB).[1] Specifically, CMMC is designed to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that is processed, stored, and/or transmitted during the performance of DoD contracts.
The CMMC Program is overseen by the Office of the DoD Chief Information Officer (ODCIO) and administered by the CMMC Program Management Office (CMMC PMO). The Cyber AB is the designated sole Accreditation Body for the CMMC Program. The Cyber AB supports the CMMC Program through a no-cost contract with DoD’s Washington Headquarters Services (WHS).[2]
Most of the official CMMC doctrine and documentation is provided within the Code of Federal Regulations (CFR) or by DoD and the National Institute of Standards and Technology (NIST) within the Department of Commerce. For example, the actual CMMC Level 2 security requirements themselves are codified within the NIST Special Publication 800-171, Revision 2 (NIST SP 800-171 R2), “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. The CMMC Scoping Guides and Assessment Guides that are developed, maintained, and published by DoD provide supplemental guidance and insight consistent with authoritative references for establishing the assessment boundaries as well as for evaluating the implementation of CMMC security requirements, respectively.
The CMMC Assessment Process (CAP), by comparison, is the official procedural guide for CMMC Third-Party Assessment Organizations (C3PAOs) conducting a CMMC Level 2 certification assessment (herein also referred to as an “assessment”) of an Organization Seeking Certification (OSC). The CAP is published and maintained by The Cyber AB and reviewed and approved by the CMMC PMO. It is intended as a resource for the entire CMMC Ecosystem, as well as for companies and organizations within the DIB.
The purpose of the CAP is to ensure the consistency and integrity of CMMC Level 2 certification assessments. Adherence to the CAP is required by C3PAOs and their CMMC Certified Assessors (CCAs) and is an element of the C3PAO Accreditation Scheme. The CAP is not to be confused with references to a generalized CMMC “assessment process” that appear in the Code of Federal Regulations (CFR), Title 32, part 170.
How to Use the CAP
The CAP applies only to the conduct of CMMC Level 2 certification assessments.
The CAP must be used in concert with the authoritative CMMC source material—32 CFR part 170 and those documents included by reference therein—as well as the supplemental CMMC guidance published by DoD. It neither replaces nor supersedes any requirements or directions contained in those documents. Moreover, the CAP does not reproduce nor reinterpret any of the rules, provisions, or procedures from either authoritative references or DoD supplemental guidance. Rather, it cites and references those documents throughout. Accordingly, C3PAOs and their CMMC Assessment Teams will need active access to the authoritative documents, along with the CAP, when conducting a CMMC Level 2 certification assessment.
The CAP addresses pre-assessment “preliminary proceedings” that are then followed by the actual assessment process, which is organized across four (4) phases and describes the required activities, roles, and responsibilities of CMMC assessment participants in each.
The four phases are:
- Phase 1: “Conduct the Pre-Assessment”;
- Phase 2: “Assess Conformity to Security Requirements”;
- Phase 3: “Complete and Report Assessment Results”; and
- Phase 4: “Issue Certificate and Closeout POA&M”.
These four phases have been designed to support each CMMC Level 2 certification assessment meeting the following objectives:
- Achieve the highest possible accuracy, fidelity, and quality of CMMC Level 2 certification assessments conducted by C3PAOs;
- Maximize consistency to ensure that CMMC Level 2 certification assessments conducted by C3PAOs and their CMMC Certified Assessors follow the same procedures, sequencing of activities, and production of verifiable results; and
- Instill trust and confidence in the CMMC Program by providing effective, transparent, and efficient CMMC Level 2 certification assessments that are well-planned, executed in consistent fashion, and accurately reported.
The CAP provides a logical and practical sequencing of activities and actions throughout the four phases of the assessment process to ensure procedural coherence for the parties. In certain sections of the process, a precise sequence of specific actions may be explicitly mandated in the document. In these instances, the text will make clear the necessity of following certain procedures in a manner of specific order. In all other aspects of the CAP, the C3PAO and the OSC have the latitude and flexibility to conduct the CMMC assessment with a reasonable approach of their own when applied to the general sequencing of actions throughout the preliminary proceedings and four phases.
ROLES AND RESPONSIBILITIES
A CMMC Level 2 certification assessment requires the active engagement, communication, and attention of several key individuals or organizations, which may include:
As defined in 32 CFR §170.4:
- Organization Seeking Certification (OSC)
- Affirming Official
- CMMC Third-Party Assessment Organization (C3PAO)
  - Assessment Team members
- Accreditation Body (The Cyber AB)
- CMMC Assessor and Instruction Certification Organization (The CAICO)
Other relevant individuals not directly defined in 32 CFR §170.4:
- Authorized Certifying Official: A designated official employed by the C3PAO and registered with The Cyber AB who is eligible to serve as the issuing authority and signatory for the CMMC Level 2 Certificate of CMMC Status provided to the OSC. C3PAOs may designate more than one Authorized Certifying Official.
- Lead CCA: The CMMC Certified Assessor (CCA) who satisfies the requirements of 32 CFR §170.4(b)(11) and who oversees and manages a dedicated Assessment Team on behalf of the C3PAO for the conduct of a CMMC Level 2 certification assessment. The Lead CCA serves as the counterpart to the Affirming Official. Lead CCA is a formal qualified designation issued by the CAICO. A Lead CCA may oversee multiple Assessment Teams across concurrent CMMC Level 2 certification assessments.
- OSC Point of Contact (OSC POC): The individual within or on behalf of the OSC who provides daily coordination and liaison support between the OSC and the Assessment Team. The OSC POC does not necessarily have to be an employee of the organization that is being assessed, but rather could be a contractor, consultant, or advisor, such as a CMMC Registered Practitioner (RP).
- Quality Assurance (QA) individual: An individual who manages the C3PAO’s quality assurance reviews for a CMMC Level 2 certification assessment, which includes observing the Assessment Team’s conduct and management of the assessment. A QA individual also manages a CMMC appeals process that might be initiated by an OSC.[3] A QA individual must be a CCA and cannot be a member of an Assessment Team for which they are performing a quality assurance role. A QA individual is also responsible for the uploading of assessment information into the CMMC instantiation of eMASS.
PRELIMINARY PROCEEDINGS
A CMMC Level 2 certification assessment compels a few preliminary administrative, framing, and contractual activities that should be addressed prior to the formal commencement of Phase 1 of the assessment. These interactions between the C3PAO and the OSC concern important aspects of the prospective assessment, and their successful and mutually agreeable resolution will help enable a proper, viable, and transparent CMMC Level 2 certification assessment.
Receive CMMC Assessment Request from OSC
P.1 An OSC generally initiates the engagement concerning a prospective CMMC Level 2 certification assessment by contacting an authorized or accredited C3PAO.
P.2 The updated registry of authorized or accredited C3PAOs in good standing is maintained on the CMMC Marketplace website administered by The Cyber AB. Unless otherwise notified by The Cyber AB, any C3PAO listed as “authorized” or “accredited” within the Marketplace may be considered a C3PAO in good standing and eligible to conduct a CMMC Level 2 certification assessment.[4]
Confirm the Entity/Entities to be Assessed
P.3 The C3PAO shall confirm the specific corporate legal entity that will be assessed, i.e., the precise identity of the actual “Organization Seeking Certification.”
P.4 The C3PAO shall solicit from the OSC the Commercial and Government Entity (CAGE) code, or multiple CAGE codes, that are affiliated with the CMMC Level 2 certification assessment. Technically, a Level 2 CMMC Certificate of Status is issued for a discrete and identified information system, as defined within a System Security Plan (SSP), that is owned and operated by an OSC. The identity of the OSC is determined by the CAGE code(s), which are issued by DoD.
P.5 The C3PAO should also request the OSC’s assessment unique identifier (UID) if a previous self-assessment had generated one. The DoD Supplier Performance Risk System (SPRS) generates a UID for a Level 1 and Level 2 self-assessment. The Pre-Assessment Form should include this SPRS UID if it exists, but it is not required for a Level 2 certification assessment, as the CMMC instantiation of eMASS will generate a new UID upon successful attainment of a Level 2 Certificate of CMMC Status. The CMMC eMASS UID and the SPRS UID share the same format, serve the same purpose, and are unique for each Level 2 certification assessment and self-assessment, respectively.
P.6 All OSCs must possess a valid CAGE code and the CMMC Level 2 certification assessment cannot proceed without at least one CAGE code of record.[5] A single CMMC assessment may cover multiple entities in the event more than one CAGE code is associated with a singular CMMC Level 2 Assessment Scope.[6]
P.7 The C3PAO should ask the OSC whether any in-scope External Service Providers (ESPs), as defined by 32 CFR §170.4(b), exist and whether the OSC considers the ESP a Cloud Service Provider (CSP) or a “non-CSP” ESP under 32 CFR §170.19(c)(2).
Frame the Assessment
P.8 The C3PAO shall work with the Affirming Official and/or the OSC POC to determine the purview and planning details of the assessment. This shall include discussing schedule, the size of the organization and information system to be assessed, personnel, logistics, relevant contractual requirements, and the prospective CMMC Assessment Scope.
P.9 The CMMC Assessment Scope is the set of all assets in the OSC’s environment that will be assessed against CMMC security requirements. It must be specified prior to the commencement of the Assessment.[7] The determination of proper CMMC Assessment Scope is established in 32 CFR §170.19(c), “CMMC Level 2 Scoping”. Supplemental information on CMMC Assessment Scope is contained in the DoD manual, CMMC Assessment Scope – Level 2.
P.10 In framing the CMMC Level 2 certification assessment, the C3PAO and OSC should discuss and agree upon, at a minimum, the following aspects:
- Availability of personnel in support of the assessment;
- Availability of evidence in support of the assessment;
- OSC’s relevant documentation, including the System Security Plan (SSP); and
- An estimate for the approximate duration and timing for the assessment.
P.11 Another consideration of framing the assessment involves determining assessment location(s), including what security requirement objectives of the assessment might be assessed virtually or in-person on the OSC premises. The Lead CCA and/or the C3PAO should consider the optimal logistical approach for implementation validation of the following 18 CMMC security requirement objectives to ensure adequate assessment scope and depth:
- CM.L2-3.4.5[d]: Physical access restrictions associated with changes to the system are enforced.
- MA.L2-3.7.2[d]: Personnel used to conduct system maintenance are controlled.
- MP.L2-3.8.1[c]: Paper media containing CUI is securely stored.
- MP.L2-3.8.1[d]: Digital media containing CUI is securely stored.
- MP.L2-3.8.4[a]: Media containing CUI is marked with applicable CUI markings.
- MP.L2-3.8.4[b]: Media containing CUI is marked with distribution limitations.
- PE.L1-3.10.1[b]: Physical access to organization systems is limited to authorized individuals.
- PE.L1-3.10.1[c]: Physical access to equipment is limited to authorized individuals.
- PE.L1-3.10.1[d]: Physical access to operating environments is limited to authorized individuals.
- PE.L2-3.10.2[a]: The physical facility where organizational systems reside is protected.
- PE.L2-3.10.2[b]: The support infrastructure for organizational systems is protected.
- PE.L2-3.10.2[c]: The physical facility where organizational systems reside is monitored.
- PE.L2-3.10.2[d]: The support infrastructure for organizational systems is monitored.
- PE.L1-3.10.3[a]: Visitors are escorted.
- PE.L1-3.10.3[b]: Visitor activity is monitored.
- PE.L1-3.10.5[b]: Physical access devices are controlled.
- PE.L1-3.10.5[c]: Physical access devices are managed.
- SC.L2-3.13.12[b]: Collaborative computing devices provide indication to users of devices in use.
NOTE: For OSC CMMC-scoped environments that DO NOT have physical and/or environmental controls due to a cloud environment or other factors that negate conducting an “on-site” portion of the assessment, the applicability of these requirements should be addressed between the OSC and the C3PAO in Phase 1.
Identify and Manage Initial Conflicts of Interest (COI)
P.12 C3PAOs are ultimately responsible for managing impartiality and identifying conflicts of interest relating to a CMMC Level 2 certification assessment. This responsibility cannot be delegated to their CMMC Assessment Team or the OSC.
P.13 C3PAOs shall adhere to the impartiality requirements of ISO/IEC 17020:2012 and the conflict-of-interest disclosure provisions and COI prohibitions within the CMMC Code of Professional Conduct (CoPC). The CoPC contains additional details on impartiality requirements, including CMMC-specific examples of potential COIs that are to be mitigated or avoided.
P.14 The C3PAO shall propose to the OSC the name of the Lead CCA that it intends to assign to the OSC’s CMMC Level 2 certification assessment. The C3PAO shall coordinate with the OSC to ascertain if any conflicts of interest exist between the proposed Lead CCA and the OSC.
P.15 If a conflict of interest is disclosed or identified, by either party, the C3PAO shall work with the OSC to develop a mitigation plan for the identified conflict in question.
- P.15.1 Any mitigation measures to which the parties agree shall be documented.
- P.15.2 In the event the conflict cannot be sufficiently mitigated due to the circumstances, the C3PAO shall not proceed with the assessment.
P.16 The C3PAO should obtain concurrence of the OSC on the assignment of the Lead CCA prior to commencing with the CMMC Level 2 certification assessment.
Execute Contractual Agreement
P.17 The C3PAO shall execute a written contractual agreement for the CMMC Level 2 certification assessment with the OSC. Neither The Cyber AB nor DoD are parties to the CMMC Level 2 certification assessment contract between the C3PAO and the OSC.
P.18 The format and structure of the contract is at the discretion and mutual agreement of the C3PAO and OSC.
P.19 A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).
P.20 All contractual agreements for CMMC assessments must comport to the CMMC Code of Professional Conduct. Specifically, the C3PAO is prohibited from offering any “guarantees” or “promises” relating to the results of the CMMC Level 2 certification assessment, nor may the C3PAO include any incentives or bonus payments contingent on the issuance of a Certificate of CMMC Status to the OSC.
PHASE 1 – CONDUCT THE PRE-ASSESSMENT
In Phase 1, the C3PAO will evaluate if the OSC has adequately prepared for the assessment of its implementation of CMMC Level 2 security requirements.
At the conclusion of Phase 1, the C3PAO will submit the Pre-Assessment Information Form into the CMMC instantiation of eMASS.
1.1. The Lead CCA shall supervise Phase 1 activities.
Review the System Security Plan (SSP)
1.2. C3PAO personnel shall review the OSC’s System Security Plan (SSP) and examine the document for completeness, accuracy, and consistency. By conducting this cursory review of the SSP in Phase 1, the C3PAO should be able to arrive at a reasonable expectation that the OSC has addressed the security requirements of NIST SP 800-171 R2, without regard to evaluating the adequacy or sufficiency of implementation.
Validate CMMC Assessment Scope
1.3. The Lead CCA shall validate the OSC’s CMMC Level 2 Assessment Scope in accordance with 32 CFR §170.19(c), “CMMC Level 2 Scoping”. The DoD publication, CMMC Assessment Scope – Level 2, contains additional CMMC scoping guidance.
1.4. Any disagreements or differences of opinion concerning the CMMC Assessment Scope must be resolved between the C3PAO and the OSC before the CMMC Level 2 certification assessment may proceed to Phase 2.
1.5. As part of the defined Assessment Scope requirements addressed in 32 CFR §170.19(c), the Lead CCA, Assessment Team members, and the OSC shall establish evaluation methods for CMMC Level 2 security requirement objectives, based on the OSC’s CUI Level 2 assets, and the degree of rigor to be applied to the assessment, which may include, but is not necessarily limited to, the assessment methods addressed in activity 1.10.
1.6. If the OSC has identified an ESP as being within their CMMC Assessment Scope, the Assessment Team shall confirm that a Customer Responsibility Matrix (CRM) will be available and that ESP personnel will be present and actively participating in the assessment.
1.7. If the ESP that has been identified as being within the OSC’s CMMC Assessment Scope stores, processes, or transmits CUI, the Assessment Team shall confirm that the OSC will be prepared to provide evidence of the ESP’s FedRAMP Moderate Authorization, FedRAMP Moderate equivalency, or a Level 2 Certificate of CMMC Status, as appropriate.
1.8. If the Lead CCA cannot confirm proper incorporation, documentation, and/or participation, as appropriate, of an ESP in the OSC’s CMMC Level 2 Assessment Scope, the C3PAO should confer with the OSC Affirming Official and discuss the merits of not proceeding with the CMMC Level 2 certification assessment.
Confirm Availability of Evidence
1.9. The Assessment Team will need access to various evidence and artifacts—as well as OSC personnel and ESP personnel (if applicable)—to conduct the evaluative activities in Phase 2 of the CMMC Level 2 certification assessment. The Lead CCA, in preparing for the assessment, should be confident that there will be ample evidence made accessible to the Assessment Team to render an accurate evaluation of the security requirements of NIST SP 800-171 R2 and determine if they have been properly implemented by the OSC.
Determine Readiness for Assessment
1.10. The Lead CCA shall make the determination as to the readiness of the OSC to proceed with the conduct of the CMMC Level 2 certification assessment. The determination should be based on the reviews and confirmations conducted in this Phase as well as a general confidence that the OSC is overall prepared for the conduct of the assessment. The Lead CCA should convey to the OSC that various assessment methods (e.g., reviewing, inspecting, observing, studying, analyzing, discussing, and exercising assessment objects) will be employed and may include assessment methods and associated attributes of depth and coverage as outlined in:
- NIST SP 800-171A, Appendix D, “Assessment Methods”;
- NIST SP 800-53A, 3.2.3.2 - “Depth- and Coverage-Related Considerations”;
- NIST SP 800-53A, Appendix C, “Assessment Method Descriptions”; and
- Any in-person observations of security requirement objectives as discussed in activity P.11.
1.11. The Assessment Team shall not speculate, intimate, nor make any preliminary determination of the OSC’s likelihood of a successful assessment outcome and subsequent issuance of a Certificate of CMMC Status. The sole purpose of this activity is to confirm that the OSC is sufficiently prepared to begin the evaluative portion of the assessment in Phase 2.
Compose the Assessment Team
1.12. The C3PAO shall compose the CMMC Assessment Team as established and defined in 32 CFR §170.11(b)(10). The C3PAO should propose to the OSC the names of the CMMC Certified Assessors (CCAs) and CMMC Certified Professionals (CCPs) that it intends to assign to the Assessment Team.
1.13. The C3PAO shall have implemented the personnel procedures established in Section 6.15 and 6.16 of ISO/IEC 17020:2012 in composing its Assessment Team.
1.14. The C3PAO is responsible for managing impartiality and identifying any conflicts of interest of the members of the Assessment Team prior to the commencement of Phase 2 activities. This responsibility cannot be delegated to the Lead CCA or the OSC. Any COI between a member of the Assessment Team and the OSC must be sufficiently mitigated or avoided.
Complete the Pre-Assessment Form
1.15. The C3PAO shall generate, collect, and document required pre-assessment and planning information and material via the Pre-Assessment Form pursuant to 32 CFR §170.9(b)(8). Examples of this material include the OSC CAGE code, SSP title, OSC contact information, Assessment Team information, dates of the assessment, the readiness determination for assessment, and other data. This pre-assessment information is required to be collected and uploaded into CMMC eMASS for DoD program management and oversight purposes.[8]
1.16. The C3PAO may utilize the official CMMC Level 2 Pre-Assessment Form (CMMC_PreAssessment_Template.xlsx) that is available on the CMMC eMASS website. Alternatively, C3PAOs may develop or purchase any tool that is compliant with the CMMC eMASS data standard that can generate pre-assessment data in the required JSON file format.
1.17. The C3PAO shall follow the instructions and guidance for the pre-assessment and planning information and material as contained in “The DoD CMMC eMASS Concept of Operations for CMMC Third-Party Assessment Organizations”.
1.18. The C3PAO shall not share any OSC pre-assessment information with any person or organization not involved with that specific CMMC Level 2 certification assessment, except as otherwise required by law.[9]
Conduct Quality Assurance Review of Pre-Assessment and Planning Information
1.19. A C3PAO quality assurance individual shall conduct a quality assurance review of the Pre-Assessment Form upon completion by the CMMC Assessment Team. For this quality assurance function, the C3PAO shall meet the requirements as outlined in 32 CFR §170.9(b)(13).
Upload Pre-Assessment Form into CMMC eMASS
1.20. Upon completion of a satisfactory quality assurance review, a quality assurance individual shall upload the pre-assessment form into the CMMC instantiation of eMASS. The C3PAO shall follow the CMMC eMASS data standard and upload procedures as set forth in “The Department of Defense CMMC eMASS Concept of Operations for CMMC Third-Party Assessment Organizations”.
1.21. Phase 1 of the CMMC Level 2 certification assessment concludes upon the successful upload of the Pre-Assessment Form into CMMC eMASS.
Adverse Determination of Assessment Readiness
1.22. In the event the Lead CCA determines that the OSC is not sufficiently prepared to undergo the CMMC Level 2 certification assessment, they should directly inform the Affirming Official of their decision and provide a full explanation in writing to the OSC as to why the recommendation to suspend the Assessment was made, without providing any remedial advice as to how the OSC could improve its documentation and preparation for the assessment.
1.23. Under no circumstances shall the C3PAO, its Assessment Team, or any other affiliated personnel offer any advice, implementation assistance, or recommendations as to how the OSC can improve or enhance their preparedness for a replanned or rescheduled CMMC Level 2 certification assessment. Pursuant to the CMMC Code of Professional Conduct (CoPC), doing so would create a conflict of interest that precludes the C3PAO from eventually resuming the suspended CMMC certification assessment with that specific OSC.
1.24. In the event the OSC decides to cancel or postpone the assessment, both parties should settle all affairs, as appropriate to the terms of their agreement, including the return of any OSC proprietary information. The C3PAO and the OSC should discuss, in general terms, the option of revisiting the CMMC Level 2 certification assessment when the OSC is fully prepared, as well as the anticipated timelines for resuming the suspended assessment and returning to complete the Phase 1 pre-assessment.
1.25. In the event of an assessment postponement or cancellation, the C3PAO shall still complete, review, and upload the Pre-Assessment Form into the CMMC instantiation of eMASS as described in previous activities 1.13 through 1.19.
PHASE 2 – CONDUCT THE ASSESSMENT
The purpose of Phase 2 is to assess the implementation of CMMC practices by the OSC in conformance with the CMMC Model. The C3PAO Assessment Team will verify the adequacy and sufficiency of Evidence to determine whether the practices have met the required standard. The Assessment Team identifies, describes, and records any gaps in procedures related to model practices or procedures and presents the results of each day to the OSC during a daily checkpoint described in Phase 2.2.
Most of the activities throughout this entire Phase, from subphases 2.1.1 through 2.1.6, are iterative in nature during an Assessment.
2.1 Convene Assessment Kickoff Meeting
The Lead Assessor will convene an Assessment kickoff meeting prior to the commencement of Assessment conduct, using the CMMC Appendix D – CMMC Assessment In-Brief or equivalent presentation. This meeting may be conducted in-person, virtually, or in a hybrid manner.
Attendees for this meeting shall include, but are not limited to, the OSC Assessment Official, the OSC POC, the Assessment Team Members, and members of the OSC who will be participating in the Assessment. The OSC may elect to have their RP or RPO present as well. The Lead Assessor and/or Assessment Team Members shall brief the Assessment process, purpose, schedule, and objectives. The Lead Assessor also communicates specific information about scheduled events and the locations where they will occur.
The OSC should also deliver a briefing providing a high-level overview of their company/organization and their cybersecurity program. During this meeting, the OSC Assessment Official or the OSC POC should inform all relevant OSC personnel of their role in supporting the Assessment, including those being interviewed and providing Evidence.
Any questions, issues, or concerns by either party should be identified, discussed, and resolved as part of this kickoff session. The Lead Assessor shall ensure that official minutes or a detailed meeting summary of the kickoff, including all questions and answers, are documented and retained by the C3PAO.
2.2 Collect and Examine Evidence
The CMMC Assessment Guide – Level 2 incorporates the Assessment procedures described in NIST SP 800-171A Section 2.11:
- An Assessment procedure consists of an Assessment objective and a set of potential Assessment methods and Assessment objects that can be used to conduct the Assessment. Each Assessment objective includes a determination statement related to the [CMMC practice] that is the subject of the Assessment. The determination statements are linked to the content of the [CMMC practice] to ensure traceability of the Assessment results to the requirements. The application of an Assessment procedure to a [CMMC practice] produces Assessment findings. These findings reflect, or are subsequently used, to help determine if the [CMMC practice] has been satisfied. Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals.
- Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.
- Mechanisms are the specific hardware, software, or firmware safeguards employed within a system.
- Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic).
- Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.
- For additional information on “Terms for Referring to Assessment Objects” see NIST IR 8011 Vol. 1, Paragraph 2.2.1.
- The Assessment methods define the nature and the extent of the Assessor’s actions. These methods include examine, interview, and test.
- The examine method is the process of reviewing, inspecting, observing, studying, or analyzing Assessment objects (i.e., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain Evidence. The examination must link directly to the Assessment objectives of the relevant CMMC practice, and the results of the examination are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an artifact to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the organizational or project procedures that can be mapped to one or more CMMC practices and those artifacts must be produced by people who understand the practice and are in the chain of command that implements the practice.
- The interview method is the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain Evidence. The interview must link directly to the Assessment objectives of the relevant CMMC practice, and the interview results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an interview statement to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting function or enclave procedures that can be mapped to one or more CMMC model practices. Interview affirmations must be provided by people who implement, perform, or support the practices.
- Finally, the test method is the process of exercising Assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time and institutionalization. For a test/demonstration to be accepted as Evidence in an Assessment, it must pass its requirements and criteria while being observed by the Lead Assessor and Assessment Team. Any failed test results in a “NOT MET” CMMC practice.
In all three Assessment methods, the results are used to make the specific determinations called for in the determination statements and thereby achieve the objectives of the Assessment procedures.
Assessors shall follow the guidance in NIST SP 800-171A when determining which Assessment methods to use:
- Organizations [Certified Assessors] are not expected to employ all Assessment methods and objects contained within the Assessment procedures identified in this publication. Rather, organizations [Certified Assessors] have the flexibility to determine the level of effort needed and the assurance required for an Assessment (e.g., which Assessment methods and Assessment objects are deemed to be the most useful in obtaining the desired results). This determination is made based on how the organization [contractor] can accomplish the Assessment objectives in the most cost-effective manner and with sufficient confidence to support the determination that the CUI requirements have been satisfied.
The primary deliverable of an Assessment is a report that contains the findings associated with each practice. For more detailed information on Assessment methods, see Appendix D of NIST SP 800-171A. Any Evidence collection method that results in a CMMC practice being scored “NOT MET” must be evaluated using the current DoD Assessment methodology against the CMMC 2.0 Plan of Action and Milestones (POA&M) scoring criteria. The failed practice must also be recorded on the OSC’s Level 2 CA.3.12.1 “Security Control Assessment” practice documentation, under the corresponding practice as “NOT MET”.
During a CMMC Assessment, the Lead Assessor makes the final decision on the preliminary recommended determination for all practices. For any practices where there is still a dispute between the Assessment Team and the OSC, the C3PAO holds the final interpretation authority for practice scorings and their related findings.
2.2.1 Examine and Analyze Evidence
Examining Evidence is an effective means to gain detailed insight about the practices implemented by the OSC and how those practices are performed. The OSC should provide a current and organized list of their Evidence and process mappings from any internal or third-party gap analysis as well as from the readiness review results. For each relevant practice in the CMMC Model, the C3PAO Assessment Team will review and collect the Evidence to demonstrate that the practice that is being performed is effectively implemented and conforms to the CMMC standard. The C3PAO Assessment Team shall be mindful of the following principles:
- The list of Evidence to be examined was provided to the Lead Assessor during Phase I, and that same list should be used to coordinate the collection of the Evidence for examination.
- Evidence artifacts might not necessarily have a one-to-one relationship with CMMC practices, resulting in a possible requirement for multiple artifacts.
- The OSC’s Evidence should be evaluated based on the Assessment objectives defined in the CMMC Level 2 Assessment Guide.
- For recently implemented practices, the implementation should demonstrate that the practices and/or procedures will show sufficient confidence to support the determination that the CUI protection requirements have been MET.
- It is incumbent upon the Assessment Team to ensure that the artifact being examined is current and that it was produced by the same individuals who are performing, implementing, or supporting the work.
- Assessment artifacts that represent policies and procedures must also demonstrate deployment and adoption by the affected OSC personnel.
2.2.2 Conduct Interviews and Assess Responses
Interviews are another effective means by which to glean insight into the CMMC conformance of an OSC, including an understanding of how those practices or procedures are performed by employees, contract staff, and Supporting Organizations. The Lead Assessor works with the OSC POC to identify staff within the OSC or third parties who perform procedures or have a role in supporting relevant cybersecurity activities. The Lead Assessor schedules affirmation or interview sessions with identified staff as part of the Assessment planning activities. These may be single or group interviews, as determined by the Lead Assessor’s understanding of the OSC’s stated roles and responsibilities of its staff and any Customer Responsibility Matrix (CRM) that might be in place with any of its Supporting Organizations.
During the interview session, the Lead Assessor and, if applicable, the Assessment Team:
- Takes steps to ensure and verify that confidentiality and non-attribution are addressed for interviewees so that they can speak openly without fear or concern about retribution from any member of the OSC;
- Asks questions of OSC staff to gain clarity and understanding of practice or process implementation, then reviews or verifies any corresponding artifacts to determine CMMC practice implementation, and records their answers in the form of notes; and
- Maps responses from interviewees to CMMC model practices to aid in determining and supporting the rating of that practice.
Conducting interviews may be an iterative activity, requiring some follow-up interview sessions or requests for information. Interviews resulting from daily checkpoint sessions should also be recorded and verified by the Lead Assessor and Assessment Team.
2.2.3 Observe Tests and Analyze Results
Observing live tests or demonstrations provides the Lead Assessor and Assessment Team with detailed operational insight into the effectiveness of the CMMC practices implemented in the OSC, including an understanding of how those practices are executed or supported through the use of a given technology application, system, test, or other similar approach.
The Lead Assessor works with the OSC POC to identify staff in the OSC who perform procedures or have a role in supporting the practice under review. The Lead Assessor schedules test or demonstration observations with identified staff as part of the Assessment planning activities. These may be single or group tests or demonstrations, as determined by the OSC’s stated roles and responsibilities of its staff and any Customer Responsibility Matrix (CRM) that might be in place with any of its Supporting Organizations.
During the test or demonstration observation session, the Lead Assessor and, if applicable, Assessment Team:
- Takes steps to ensure and verify that confidentiality and non-attribution are addressed for anyone conducting a test or demonstration so that they can speak openly without fear or concern about retribution from any member of the OSC;
- Asks questions of OSC staff to gain clarity on the test approach and results, reviews any corresponding artifacts or procedures to verify and determine CMMC practice implementation, and records their answers in the form of notes; and
- Maps responses from tests and demonstrations to CMMC practices to aid in determining and supporting the rating of that practice.
Any test or demonstration that successfully demonstrates how the CMMC practice is implemented will be noted as “MET”. Conversely, any test or demonstration that fails to demonstrate how a CMMC practice is implemented results in a “NOT MET” for that CMMC practice.
2.2.4 Determine FedRAMP Moderate Equivalency for Cloud Computing Providers
If the OSC is utilizing a Supporting Organization that is an External Cloud Service Provider, the C3PAO Assessment Team will be responsible for ascertaining and determining if the External Cloud Service Provider meets the security requirements “equivalent” to the FedRAMP Moderate baseline as per the DFARS 252.204-7012(b)(2)(ii)(D) requirement.
The OSC can ensure that the External Cloud Service Provider meets security requirements equivalent to FedRAMP Moderate in the same way the OSC would normally ensure any services or product being contracted for will meet its requirements. For example, an External Cloud Service Provider may choose to provide evidence that it meets the security requirements equivalent to FedRAMP Moderate by providing a body of evidence (BOE) that attests to and describes how the External Cloud Service Provider meets the FedRAMP Moderate baseline security requirements.
Examples of items that could be included in such a BOE are an SSP that describes the system environment, system responsibilities, and the current status of the FedRAMP Moderate baseline controls required for the system, as well as a Customer Implementation Summary/Customer Responsibility Matrix that summarizes how each control is met and which party is responsible for maintaining that control.
In determining whether the External Cloud Service Provider meets the FedRAMP Moderate “equivalency” requirement, the C3PAO Assessment Team shall examine whether the OSC has met the following two criteria:
- The OSC or the External Cloud Service Provider has provided a body of evidence documenting how the External Cloud Service Provider’s security controls are equivalent to those provided by the FedRAMP Moderate baseline standard; and
- Said body of evidence has been attested to by an independent, credible, professional source.
If the C3PAO Assessment Team’s examination concludes that both criteria have been met, the OSC’s External Cloud Service Provider can be considered to have met the FedRAMP Moderate equivalency requirement and the C3PAO should consider the DFARS 252.204-7012(b)(2)(ii)(D) requirement satisfied. If the C3PAO Assessment Team’s examination concludes that the two criteria have not both been met, then the Assessment findings shall record the in-scope CMMC practices for which the External Cloud Service Provider is responsible as NOT MET.
To be clear, the C3PAO Assessment Team is not conducting a quasi-FedRAMP certification audit of the External Cloud Service Provider, for which it is neither authorized nor certified. Rather, the C3PAO is applying the two criteria established by DoD to determine if FedRAMP Moderate “equivalency” has been attained and can be recognized.
Note: With regard to criterion #2, a CMMC RP or RPO employed, contracted, or under a paid engagement with the OSC may not serve as the independent, credible, professional source for attesting to the FedRAMP Moderate body of evidence. A FedRAMP Third-Party Assessment Organization (3PAO), however, retained by the OSC, may serve in this role to attest to the credibility of the body of evidence.
2.2.5 Identify and Document Evidence Gaps
The primary intent of this activity is to determine, from the Evidence gathered and reviewed, whether an Evidence gap exists between what the OSC’s Evidence shows and what the C3PAO Assessment Team requires to support a claim that conformance to the CMMC practice has been attained. During this phase, the Lead Assessor and Assessment Team verify both Evidence adequacy and sufficiency. All Evidence examined by the C3PAO Assessment Team must address the full CMMC Assessment Scope of the OSC. As a reminder from Phase I:
- Adequacy criteria will determine if a given artifact, interview response (affirmation), demonstration, or test meets the CMMC practice. Adequacy answers the question: “Does the Assessment Team have the right Evidence?”
- Sufficiency criteria are needed to verify, based on Assessment and organizational scope, that coverage by domain, practice, Host Units, Supporting Units, and enclaves is enough (sufficient) to rate against each practice by the process role performing the work. Sufficiency answers the question: “Does the Assessment Team have enough of the right Evidence?”
If the examined artifact does not sufficiently answer both the adequacy and sufficiency questions, an Evidence gap exists. Evidence gaps may point to a deficiency or weakness in the OSC’s implementation of its cybersecurity measures, which exposes them to greater security risk. Examples of Evidence deficiencies could include:
- Documents that are incomplete (e.g., authorized access control list missing new personnel)
- Affirmations that are illegitimate (e.g., attestation from an employee who is not the proper owner/operator/supervisor of the system or information being examined)
- Policies that lack endorsement by senior management (e.g., policies that are not signed, or signed by individuals not in a position of authority within the OSC)
The Assessment Team methodically works its way through the Evidence and records any gaps against CMMC model practices. For any in-scope practices that are determined to be “NOT MET,” the Assessor making that determination should ensure that the Lead Assessor is informed and has visibility on the “NOT MET” practice.
(Similarly, the Assessment Team also records all practices determined to be MET during the Evidence examination).
2.2.6 Update Evidence Review Approach and Status
The Evidence collection and review approach provides a means for the Assessment Team to continuously monitor progress toward sufficient and adequate coverage of the CMMC practices being assessed. The Assessment Team regularly reviews any additional time or duration impacts resulting from additional Evidence collection efforts and records the status on a minimum of a daily basis throughout the Assessment. The Evidence collection status summarizes the differences between the Evidence reviewed thus far and the Evidence needed to support the completion of the Assessment results, including the recommended findings and findings. If significant changes are incurred to the manner or nature of how the OSC’s Evidence is being collected and examined, those changes should be reflected in the Pre-Assessment Data Form and the updated file should be exported to CMMC eMASS.
2.3 Score OSC Practices and Validate Preliminary Results
The Assessment Team shall score each in-scope CMMC practice based on the examination of the presented Evidence. The Assessment Team shall then review and validate these scores with representatives of the OSC during the daily review. The OSC, as appropriate, may then present additional Evidence, as agreed upon and accepted by the Lead Assessor, which the Assessment Team may then use to update or verify practice scores.
These activities in this Assessment phase will be iterative based on the daily review results.
2.3.1 Determine and Record Initial Scores
When the initial Evidence for each CMMC in-scope practice has been reviewed, verified, and scored, the Assessment Team records the initial MET/NOT MET/NA scores and prepares to review them with the Assessment participants during the daily checkpoint.
CMMC Assessments will be scored at the objective level using the “CMMC Scoring with DoD Assessment Scoring Methodology” as featured in Appendix K. Assessors will score the objectives as MET/NOT MET/NA for each practice. Each practice with an objective(s) that is scored as NOT MET will inherently be scored as “NOT MET” for the entire practice and, accordingly, the Assessor will ascribe a deduction for the practice.
For example, suppose the Assessor for CMMC practice AC.L1-3.1.20 finds that the OSC has not effectively achieved objective [a], “connections to external systems are identified,” because the Assessor discovered a multiple-level protection scheme (MLPS) connection that is not annotated in any OSC documentation. This makes the entire practice “NOT MET”, because this external connection has not been identified.
Note: If a practice is assessed to have an implementation discrepancy or deficiency that is eligible for remediation in a Plan of Action and Milestones (POA&M), that practice will be individually tracked using the CMMC Assessment Results Template.
2.3.2 Correct Limited Practice Deficiencies
On occasion, certain OSC practices may have been effectively implemented, but not necessarily documented correctly. In consonance with the implicit nature of a maturity model program and associated standards conformance regime (as opposed to a regulatory inspection or compliance audit), a Limited Practice Deficiency Correction accommodation exists for OSCs, to be implemented and cleared within a restricted timeframe.
2.3.2.1 Ineligible Practices for Deficiency Corrections
It is important for the C3PAO Assessment Team to understand first what OSC practices are not eligible for consideration under the Limited Practice Deficiency Correction provision. The following criteria below render any applicable CMMC practices as ineligible for said treatment and Assessors shall not track them under the Limited Practice Deficiency Correction Program:
- Practices that could lead to significant exploitation of the network or exfiltration of CUI, as listed in Appendix K, paragraphs (e) and (f);
- Any practice(s) listed on the OSC’s Self-Assessment Practice Deficiency Tracker (validated in paragraph 1.4.2);
- Practices that were not implemented by the OSC prior to the current CMMC Assessment; and
- Any practice that changes and/or limits the effectiveness of another practice that has been scored as “MET”.
2.3.2.2 Eligible Practices for Limited Deficiency Correction Consideration
The following are the only practices authorized for Limited Practice Deficiency correction as they have a limited or indirect effect on the security of the network and its data:
AC.L1-3.1.20 | AC.L2-3.1.14 | CM.L2-3.4.3 | IR.L2-3.6.3 | PE.L2-3.10.6 | SC.L2-3.13.14 |
AC.L1-3.1.22 | AC.L2-3.1.15 | CM.L2-3.4.4 | MA.L2-3.7 | RA.L2-3.11.3 | SC.L2-3.13.16 |
AC.L2-3.1.3 | AC.L2-3.1.21 | CM.L2-3.4.9 | MA.L2-3.7.6 | CA.L2-3.12.4 | |
AC.L2-3.1.4 | AT.L2-3.2.3 | IA.L2-3.5.4 | MP.L2-3.8.4 | SC.L2-3.13.3 | |
AC.L2-3.1.6 | AU.L2-3.3.3 | IA.L2-3.5.5 | MP.L2-3.8.5 | SC.L2-3.13.4 | |
AC.L2-3.1.7 | AU.L2-3.3.4 | IA.L2-3.5.6 | MP.L2-3.8.6 | SC.L2-3.13.7 | |
AC.L2-3.1.8 | AU.L2-3.3.6 | IA.L2-3.5.7 | MP.L2-3.8.9 | SC.L2-3.13.9 | |
AC.L2-3.1.9 | AU.L2-3.3.7 | IA.L2-3.5.8 | PE.L1-3.10.3 | SC.L2-3.13.10 | |
AC.L2-3.1.10 | AU.L2-3.3.8 | IA.L2-3.5.9 | PE.L1-3.10.4 | SC.L2-3.13.12 | |
AC.L2-3.1.11 | AU.L2-3.3.9 | IA.L2-3.5.11 | PE.L1-3.10.5 | SC.L2-3.13.13 | |
For any of the practices listed above, if the OSC’s implementation of the individual practice meets the criteria below, that practice may be placed on the Limited Practice Deficiency Correction program:
- A practice that was implemented, but missing minor updates (e.g. updates to policy signatures, procedural documentation that exists but is outdated, etc.), but where the practice Evidence demonstrates the implementation has been in place for a period of time; and
- Consensus among the C3PAO Assessment Team that the practice in question does not change and/or limit the effectiveness of another practice that has been scored as “MET.”
Both criteria must be in play for a particular practice to be tracked under the Limited Practice Deficiency Correction program.
Any CMMC practice that meets the above criteria can be placed on the Limited Practice Deficiency Correction program by the Lead Assessor. All practices placed on the Limited Practice Deficiency Correction program will be scored as “NOT MET” and recorded on the CMMC L2 Limited Practice Deficiency Correction Program Worksheet.
2.4 Generate and Validate Preliminary Recommended Findings
Based on the examination of Evidence, the C3PAO Assessment Team shall begin generating and validating the preliminary recommended findings. To begin, the Lead Assessor generates preliminary recommended findings to summarize all practice MET/NOT MET scores and indicate the extent to which the in-scope practices conform to the CMMC standard. Assessment Team Members should begin entering preliminary recommended findings into the draft CMMC Assessment Findings Brief Template found in Appendix I.
Preliminary Findings must be presented to the OSC prior to the Final Findings presentation. The Lead Assessor shall keep the OSC updated as the draft findings are being developed, which can be accomplished during the daily checkpoint meeting. During this session, Assessment participants should be instructed that all additional Evidence will be verified by the Assessment Team as adequate, sufficient, and then rated accordingly during the next day’s activities.
The daily checkpoint meeting may provide the OSC an opportunity to locate and present additional Evidence and may result in modifications to the Assessment Team’s recorded practice scores and findings (as well as the inventory of Evidence if additional artifacts are presented.)
2.4.1 Determine Final Practice MET/NOT MET/NA Results
After all Evidence for each CMMC in-scope practice has been reviewed, verified, and rated, and discussed with the OSC participant during the daily checkpoints, the Lead Assessor records the final recommended MET/NOT MET/NA score and prepares to present the results to the Assessment participants during the final review with the OSC and its Assessment Official.
The C3PAO holds the final interpretation authority for the recommended practice scores and their related findings.
2.3.1.1 Determine Final Practice Results (Considering Limited Practice Deficiency Correction)
If the overall scoring of the Assessment after placing eligible items on the Limited Practice Deficiency Correction program results in less than 80% (88/110 practices “MET”), the OSC will receive a final finding of “Not Achieved” for CMMC Level 2 Certification. The OSC will be required to correct deficiencies and reapply for CMMC L2 Certification.
If the overall scoring of the Assessment after placing items on the Limited Practice Deficiency Correction program results in greater than or equal to 80% (88/110 practices “MET”), the OSC will be required to correct deficiencies within five (5) business days from the Final Findings Briefing or by an alternative date determined by the Lead Assessor, but a date not to exceed five (5) calendar days prior to the submission of the Final Findings Report into CMMC eMASS.
2.4.1.1 Execute POA&M Review
CMMC will allow conditional use of Plans of Action and Milestones (POA&M) to remediate practices that are not fully or successfully implemented. The POA&Ms will be strictly time-bound with a validity period of no more than 180 days from the Assessment Final Recommended Findings Briefing (Phase 3). POA&Ms will not be allowed for the highest-weighted CMMC requirements. Rather, the Department of Defense has established a minimum-score requirement to support Certification.
The Certified CMMC Assessor evaluating CA.L2-3.12.2, will validate the following criteria for an OSC to satisfy the requirements for CA.L2-3.12.2 and receive a CMMC Level 2 Conditional Certification:
- 80% of all CMMC Level 2 practices scored “MET”
- Under current CMMC L2 scoring, 88/110 practices must be found “MET”
- All POA&M items must meet the criteria in Appendix K, “CMMC Scoring with DoD Assessment Scoring Methodology”
The POA&M’s purpose is to identify, assess, prioritize, and monitor the progress of corrective efforts for security weaknesses found in an organization’s programs and system.
A POA&M must document all proposed actions to remediate deficiencies and the respective timeframe for doing so. The POA&M should detail the progress of corrective actions as they are carried out and thus be updated regularly.
2.4.1.2 Validate OSC POA&M
The Lead Assessor is solely responsible for reviewing and determining the legitimacy and validity of a POA&M at the time of the assessment closeout. A credible and effective POA&M should include, at a minimum, the following:
- The specific security weakness (see 2.1.5 Evidence Gaps) revealed in the Assessment and tied to a specific practice;
- The severity of each weakness;
- The scope of each weakness with the assessed environment;
- The proposed mitigation approaches;
- The estimated costs for remediation;
- Documented records of mitigation status and delays; and
- A risk Assessment of the deficiency.
The Lead Assessor will ensure all practices that are authorized by DoD to be on a POA&M for CMMC are documented correctly on the CMMC Assessment Results Form.
2.4.2 Create, Finalize, and Record Recommended Final Findings
The CMMC Assessment Findings Brief must be updated to its final recommended state, based on all Evidence received and reviewed by the Assessment Team throughout the Assessment, including any results from the daily checkpoint reviews. It must include MET/NOT MET scores at the OSC aggregated level and describe any practice that has not been implemented in enough detail to show how the score was derived by the Assessment Team. This includes a summary chart of all CMMC practices and their MET/NOT MET status for each practice.
2.4.3 Support Assessment Appeals Process
If the OSC feels that there is an issue with the scoring on a practice and there is substantial evidence showing ALL the objectives of the practice have been “MET”, the OSC can submit a dispute using the Assessment Appeals Process outlined in Appendix N.
PHASE 3 – REPORT RECOMMENDED ASSESSMENT RESULTS
The formal submission of the final Assessment results codifies the adjudication of the CMMC Assessment. In this phase, the Lead Assessor (with or without the Assessment Team Members) shall deliver the recommended Assessment results to the OSC during the Final Findings Briefing. Following that, the CMMC Quality Assurance Professional (CQAP), Lead Assessor, and C3PAO will verify completeness and accuracy of the Assessment packet prior to its upload into CMMC eMASS.
3.1 Deliver Recommended Assessment Results
The Lead Assessor shall provide the OSC Assessment Official and OSC participants with the Assessment results.
Using the CMMC Final Findings Briefing, along with the Pre-Assessment Form data, the Assessment results are delivered to the OSC Assessment Official either during the final daily checkpoint, or in a separately scheduled findings and recommendations review.
3.1.1 Deliver Final Findings
The Lead Assessor presents the final recommended findings, using the required Assessment Findings Brief Template, a summary of the recorded MET/NOT MET status of each practice within the CMMC Assessment Scope, as well as any additional information that provides more context for the findings. This activity communicates the final and complete recommended Assessment results to the OSC Assessment Official and OSC participants. These findings may be in a summarized form, but the detailed findings must also be provided as backup information. In addition to the recorded final recommended findings, the details of the CMMC practice scores are also presented and must include clear traceability from each finding, score, and practice status (i.e., MET/NOT MET).
As per CMMC Assessment reporting requirements, the same results of the findings summary, practice, and respective scores are submitted to the C3PAO for review. Once the C3PAO CQAP completes the internal quality review (paragraph 3.2.2), the results are then submitted by the designated C3PAO CMMC eMASS account holder into CMMC eMASS (section 3.2.3).
3.2 Submit, Package, and Archive Assessment Documentation
The purpose of this phase is to package, baseline, and retain all Assessment documentation and artifacts.
Phase 3.2 Required Outputs: | |
---|---|
Recorded and Presented Final Recommended Findings | To be completed and presented by the Lead Assessor, using the required CMMC Findings Briefing template or equivalent. |
Submitted and archived Assessment Results Package into CMMC eMASS | Final Report, CMMC Assessment Results |
OSC Artifacts Hash | Using the CMMC Artifact Hashing Tool User Guide |
Recorded and final updated Daily Checkpoint | Must include results from all discussed practices (artifact reviews, interviews, and examinations/tests) including any resulting actions and due dates |
3.2.1 Limited Practice Deficiency Correction Evaluation
The C3PAO Assessment Team will review Evidence provided by the OSC to close out items on the Limited Practice Deficiency Correction Program. If all items are found to be corrected and “fully implemented”, the OSC’s score for that practice will be changed to “MET”. For any practices in which the evidence still shows deficiencies, the score will remain, “NOT MET.”
If all practices on the Limited Practice Deficiency Correction Program result in a score of “MET,” the Lead Assessor will close out the Assessment using the steps in Phase 3, paragraph 3.1-3.2. The Lead Assessor shall then recommend the OSC be granted a Final CMMC Level 2 Certification.
If any practices on the Limited Practice Deficiency Correction Program FAIL to result in a score of “MET,” the Lead Assessor will recommend moving the OSC’s practice deficiencies to a POA&M using the steps in paragraph 2.3.1.2 of Phase 2.
The current score of the Assessment, after executing a POA&M review, must be greater than or equal to 80% (88/110 practices “MET”), to move the OSC to the POA&M Close-Out Assessment option. In this course of action, the OSC will remain on their Conditional CMMC Level 2 Certification, with their original start date.
If it is found that the POA&M Close-Out Assessment option cannot be utilized, the Lead Assessor will recommend that the OSC NOT be recommended for CMMC Certification. As a result, the OSC will be required to correct deficiencies and reapply for another Assessment.
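The threshold and deficiency-correction decisions of paragraphs 2.3.1.1, 2.4.1.1 and this paragraph 3.2.1 are easy to get wrong when tallied by hand, so here is the decision logic as a small Python tally. This is an added illustration, not part of the CAP and not any tool of the Cyber AB, a C3PAO or DoD. It assumes only what the page states: 110 Level 2 practices, a floor of 88 MET (80%), and Limited Practice Deficiency Correction (LPDC) practices that stay NOT MET until corrected. Of the 2.3.2.1 exclusions it automates only membership in the 2.3.2.2 eligible-practice table (copied as printed, including the identifier “MA.L2-3.7”); the Appendix K (e)/(f) check, the OSC’s deficiency tracker, prior implementation and cross-practice effects remain assessor judgement. The page does not say how NA practices count toward 88/110, so this example counts them as neither MET nor NOT MET (an assumption), and the `OTHER-nn` identifiers are constructed placeholders for the practices the table does not list.

```python
"""Tally of the CMMC Level 2 scoring decisions in CAP 2.3.1.1, 2.4.1.1 and 3.2.1.

Constructed illustration, not the CAP's own tooling. Assumptions: 110 practices,
88 MET (80%) threshold, LPDC practices scored NOT MET until corrected, NA counted
as neither MET nor NOT MET.
"""
from dataclasses import dataclass

TOTAL_PRACTICES = 110
MET_THRESHOLD = 88          # 80% of 110, as stated in paragraph 2.3.1.1
VALID_SCORES = {"MET", "NOT MET", "NA"}

# The only practices paragraph 2.3.2.2 lists as eligible for LPDC, copied from
# the page's table ("MA.L2-3.7" appears there exactly as written).
LPDC_ELIGIBLE = frozenset("""
AC.L1-3.1.20 AC.L1-3.1.22 AC.L2-3.1.3 AC.L2-3.1.4 AC.L2-3.1.6 AC.L2-3.1.7
AC.L2-3.1.8 AC.L2-3.1.9 AC.L2-3.1.10 AC.L2-3.1.11 AC.L2-3.1.14 AC.L2-3.1.15
AC.L2-3.1.21 AT.L2-3.2.3 AU.L2-3.3.3 AU.L2-3.3.4 AU.L2-3.3.6 AU.L2-3.3.7
AU.L2-3.3.8 AU.L2-3.3.9 CM.L2-3.4.3 CM.L2-3.4.4 CM.L2-3.4.9 IA.L2-3.5.4
IA.L2-3.5.5 IA.L2-3.5.6 IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 IA.L2-3.5.11
IR.L2-3.6.3 MA.L2-3.7 MA.L2-3.7.6 MP.L2-3.8.4 MP.L2-3.8.5 MP.L2-3.8.6
MP.L2-3.8.9 PE.L1-3.10.3 PE.L1-3.10.4 PE.L1-3.10.5 PE.L2-3.10.6 RA.L2-3.11.3
CA.L2-3.12.4 SC.L2-3.13.3 SC.L2-3.13.4 SC.L2-3.13.7 SC.L2-3.13.9 SC.L2-3.13.10
SC.L2-3.13.12 SC.L2-3.13.13 SC.L2-3.13.14 SC.L2-3.13.16
""".split())


@dataclass
class Tally:
    met: int
    not_met: int
    na: int
    lpdc: list            # practices accepted onto the LPDC program
    lpdc_rejected: list   # requested, but not NOT MET or not on the eligible list
    finding: str

    @property
    def percent_met(self) -> float:
        return 100.0 * self.met / TOTAL_PRACTICES


def meets_threshold(met: int) -> bool:
    """88/110 MET, the 80% floor given in 2.3.1.1 and 2.4.1.1."""
    return met >= MET_THRESHOLD


def tally_initial(scores: dict, lpdc_requests: set) -> Tally:
    """Apply the 2.3.2.2 eligibility table and the 2.3.1.1 threshold.

    `scores` maps practice id -> "MET" | "NOT MET" | "NA". Only list membership
    is automated; the other 2.3.2.1 exclusions stay with the Assessment Team.
    """
    if len(scores) != TOTAL_PRACTICES:
        raise ValueError(f"expected {TOTAL_PRACTICES} practices, got {len(scores)}")
    bad = {p: s for p, s in scores.items() if s not in VALID_SCORES}
    if bad:
        raise ValueError(f"invalid scores: {bad}")

    lpdc, rejected = [], []
    for practice in sorted(lpdc_requests):
        if scores.get(practice) == "NOT MET" and practice in LPDC_ELIGIBLE:
            lpdc.append(practice)
        else:
            rejected.append(practice)

    met = sum(1 for s in scores.values() if s == "MET")
    not_met = sum(1 for s in scores.values() if s == "NOT MET")
    na = len(scores) - met - not_met
    # LPDC practices remain NOT MET at this stage (2.3.2.2, last paragraph).
    finding = ("Correct LPDC deficiencies within 5 business days of the Final Findings Briefing"
               if meets_threshold(met) else "Not Achieved: correct deficiencies and reapply")
    return Tally(met, not_met, na, lpdc, rejected, finding)


def close_out_lpdc(tally: Tally, corrected: set) -> Tally:
    """3.2.1: corrected LPDC practices flip to MET; any remainder goes to a POA&M."""
    if not meets_threshold(tally.met):
        raise ValueError("Assessment was Not Achieved; no LPDC close-out applies")
    fixed = [p for p in tally.lpdc if p in corrected]
    remaining = [p for p in tally.lpdc if p not in corrected]
    met = tally.met + len(fixed)
    not_met = tally.not_met - len(fixed)
    if not remaining:
        finding = "Final CMMC Level 2 Certification recommended"
    elif meets_threshold(met):  # POA&M items must still satisfy Appendix K (not checked here)
        finding = "Conditional CMMC Level 2 Certification; POA&M Close-Out Assessment within 180 days"
    else:
        finding = "Not recommended for certification; correct deficiencies and reapply"
    return Tally(met, not_met, tally.na, remaining, tally.lpdc_rejected, finding)


def constructed_scores(not_met: set, na: set = frozenset()) -> dict:
    """Constructed sample: the 52 page-listed ids plus OTHER-nn placeholders for
    the rest of the 110, all MET unless named in `not_met` or `na`."""
    ids = sorted(LPDC_ELIGIBLE) + [
        f"OTHER-{i:02d}" for i in range(1, TOTAL_PRACTICES - len(LPDC_ELIGIBLE) + 1)]
    return {p: ("NOT MET" if p in not_met else "NA" if p in na else "MET") for p in ids}


if __name__ == "__main__":
    # Constructed scenario: 22 NOT MET, three of them requested for LPDC plus one
    # ineligible request; exactly 88 MET, so the OSC may correct within 5 days.
    failed = {"AC.L2-3.1.3", "AU.L2-3.3.3", "SC.L2-3.13.9"} | {f"OTHER-{i:02d}" for i in range(1, 20)}
    t = tally_initial(constructed_scores(failed), failed & LPDC_ELIGIBLE | {"OTHER-01"})
    print(t.met, t.not_met, f"{t.percent_met:.1f}%", t.lpdc, t.lpdc_rejected, t.finding)
    print(close_out_lpdc(t, {"AC.L2-3.1.3", "AU.L2-3.3.3"}).finding)
```

Run as a script it prints the initial tally (88 MET, three LPDC practices, `OTHER-01` rejected) and then the 3.2.1 outcome when only two of the three are corrected, which is the Conditional Certification and POA&M path rather than a Final Certification.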
3.2.2 Verify Assessment Results Package
The CMMC Quality Assurance Professional (CQAP) shall verify Assessment documentation, prior to eMASS upload, to ensure the accuracy and completeness of the Assessment Results Package (see the CMMC Assessment Quality Review Checklist in Appendix L). The Final Report must be submitted to the CQAP for review no later than ten (10) business days from the Final Findings Briefing.
3.2.3 Upload Assessment Results Package into CMMC eMASS
All Assessment results, successful or not, are to be uploaded into CMMC eMASS for official recording and tracking.
The Assessment results package submitted to the C3PAO by the Lead Assessor must include the following Assessment artifacts:
- Final Report: The detailed practices and scores, clearly traceable to each finding and score, using the CMMC Assessment Results Template (i.e., Excel workbook or spreadsheet with each practice scores, findings, comments, etc.).
- Reports must be uploaded to eMASS no later than twenty (20) Business Days from the Final Findings Briefing.
The C3PAO must use the prescribed CMMC eMASS JSON schema detailed in the eMASS CONOPS or an Assessment template that meets the format and field requirements for uploading into CMMC eMASS.
3.2.4 Archive or Dispose of any Assessment Artifacts
The Lead Assessor is responsible for maintaining and protecting any additional notes and information from the Assessment. These, along with the Assessment Results Package, must be retained for three (3) years and protected from a confidentiality, non-disclosure, and CUI-handling perspective.
Because the artifacts of the Assessment are proprietary to the OSC and will remain with them, the Assessment Team Members will not take organizational artifacts offsite during or at the conclusion of the Assessment. Therefore, the Lead Assessor must ensure that the OSC has hashed all artifacts in accordance with the CMMC Artifact Hashing Tool User Guide. The OSC must hash and retain the artifacts for three (3) years. The C3PAO will report the OSC’s hash into CMMC eMASS.
The Protection and Destruction of Contractor Assessment Materials template can be used to verify disposal of Assessment artifacts by all Assessment Team Members. Each Assessor’s signed document shall be retained by the C3PAO for three (3) years.
3.2.5 Adjudicate Any Assessment Appeals
If the OSC believes their Assessment was compromised by either technical error or a breach of ethical conduct, the OSC can submit an official appeal of the Assessment and its findings using the Assessment Appeals Process outlined in Appendix N.
3.2.6 Schedule a CMMC POA&M Close-Out Assessment (if necessary)
The OSC is responsible for ensuring that all practice deficiencies listed on the validated POA&M are corrected within the 180-day timeframe from the CMMC Final Findings Briefing. This includes scheduling a CMMC POA&M Close-Out Assessment as described in Phase 4. While the same Lead Assessor and/or C3PAO that issued the Conditional CMMC Certification IS NOT responsible for conducting the follow-up POA&M Close-Out Assessment, a Lead Assessor representing an Authorized C3PAO is still required to conduct the activities in Phase 4.
PHASE 4 – CLOSE-OUT POA&MS AND ASSESSMENT (IF NECESSARY)
The purpose of this phase is to allow OSCs that received a Conditional CMMC Level 2 Certification during Phase 3 to close out all practices validated on Plans of Action and Milestones (POA&M) during the C3PAO Assessment. With the introduction of CMMC v2.0, practice deficiencies that were documented prior to the CMMC Level 2 Assessment, or that were created as a result of deficiencies found during the Assessment and that meet the CMMC Scoring with DoD Assessment Scoring Methodology, will be corrected post-Assessment. The final OSC POA&M must be validated in Phase 2 by the Lead Assessor and C3PAO prior to upload of the Assessment results into CMMC eMASS in Phase 3.
4.1 Perform POA&M Close-Out Assessment
Within 180 days from the Assessment Final Recommended Findings Briefing, the OSC will select a C3PAO to conduct a POA&M Close-Out Assessment. A Lead Assessor, and any additional Assessor if necessary, will review the OSC’s updated POA&M together with any accompanying Evidence or scheduled collections (observations, interviews, or tests). Once all POA&M items have been validated against the criteria below, the Lead Assessor should proceed to paragraph 4.1.1.
- The specific security weakness recorded on the POA&M during the Assessment has been “fully-implemented” and scored as “MET”;
- No POA&M item that is now “fully-implemented” changes and/or limits the effectiveness of another practice that was scored as “MET” during the Assessment for which the Conditional CMMC Level 2 Certification was issued;
- An updated risk assessment documents the removal of the CMMC practices previously listed on the POA&M; and
- An updated POA&M reflects no CMMC practice deficiencies.
If it is determined that any of the items above cannot be satisfied, the Lead Assessor should proceed to paragraph 4.1.2.
4.1.1 Update POA&M Closeout
If all practices on the POA&M Review result in a score of “MET,” the Lead Assessor will close out the Assessment using the steps in Phase 3, paragraphs 3.2.2 through 3.2.4. Accordingly, the Lead Assessor will recommend the OSC be granted a CMMC Level 2 Final Certification.
4.1.2 Update POA&M – OSC Reapply
If any practice on the POA&M Review fails to result in a score of “MET,” the Lead Assessor will recommend the OSC NOT be recommended for a CMMC Level 2 Final Certification. As a result, the OSC will be required to correct the deficiencies and reapply for a CMMC Level 2 Certification. Upon this determination, the Conditional CMMC Level 2 Certification will be rendered null and void.
4.2 Support POA&M Close-Out Assessment Appeal Resolution
The C3PAO holds the final interpretation authority for validating the OSC’s CMMC POA&M Close-Out findings. If the OSC believes that a technical error or an ethical violation compromised the process, the OSC can submit an appeal using the Assessment Appeals Process outlined in Appendix N.
Notes
- Specifically, CMMC assesses conformance to the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, “Assessing Contractor Implementation of Cybersecurity Requirements”.
- The Cyber AB is the “doing business as (d/b/a)” name for the Cybersecurity Maturity Model Certification Accreditation Body, Inc., an independent, tax-exempt 501(c)(3) charitable organization that supports the Department of Defense’s CMMC Program via a no-cost contract (Department of Defense contract #HQ003420H0003).
- 32 CFR § 170.9(b)(13)
- In no circumstances will individuals from The Cyber AB, the CAICO, or DoD provide recommendations or facilitate introductions to any C3PAO.
- For access to SPRS, the OSC will also need to obtain a Unique Entity ID that is generated from registration in SAM.gov.
- In addition, the HQ organization or the Host Unit, depending on the corporate structure, must also have registered with the General Services Administration’s (GSA) SAM.gov system and have been issued a Unique Entity Identifier (UEI).
- 32 CFR § 170.19(a)
- 32 CFR § 170.9(b)(8)
- 32 CFR § 170.11(b)(9)