Last Updated on September 6, 2024
Organizations in the US defense industrial base (DIB) that handle controlled unclassified information (CUI) will soon need a certificate of compliance with the Cybersecurity Maturity Model Certification (CMMC) framework at Level 2. It is expected that these certification assessments, conducted mainly by Certified Third-Party Assessor Organizations (C3PAOs), will be rigorous and comprehensive.
How should DIB contractors prepare for a successful CMMC Level 2 assessment? A key step is to become familiar with the CMMC Assessment Process (CAP) handbook that your C3PAO will be using to conduct your assessment. The CAP offers invaluable insights into how your C3PAO will perform your assessment and what they will be looking for in your cybersecurity controls and compliance artifacts.
This article overviews what business and cybersecurity leaders most need to know about the CAP and how to apply it for maximum benefit.
What is the CAP?
The CAP document describes in detail the requirements, responsibilities, and timeline of activities for CMMC Level 2 assessments, including what organizations seeking certification (OSCs) should do to prepare. In the words of the Cyber AB:
The CMMC Assessment Process (CAP), developed and maintained by the CMMC Accreditation Body and reviewed and endorsed by DoD, is an element of official CMMC canon and adherence to its procedures is required by C3PAOs and their Assessors. While tailored for specific use by C3PAOs, Certified CMMC Assessors (CCAs), and Certified CMMC Professionals (CCPs), it is intended as a resource for the entire CMMC Ecosystem.
The Cyber AB further states:
The CAP is the CMMC doctrine providing the overarching procedures and guidance for CMMC C3PAOs conducting official CMMC assessments of organizations seeking CMMC certification.
In short, all C3PAOs must follow the CAP. The goal of this uniformity is to ensure that every CMMC assessment:
- Achieves the highest possible accuracy, fidelity, and quality.
- Maximizes consistency to ensure that assessments conducted by different C3PAOs and their assessors achieve comparable results.
- Improves the DIB’s overall cybersecurity posture and cyber resiliency.
What are the CAP’s 4 phases and their key takeaways for OSCs?
Being first and foremost a resource for assessors, the CAP is divided into four phases:
Phase 1 – Plan and Prepare the Assessment
Making up about 40% of the document, this section offers details on pre-assessment steps. Some useful information for OSCs about Phase 1 includes:
- Steps the C3PAO must perform to ensure the OSC is ready for the assessment, such as confirming that your scoping is appropriate and you have evidence of control operation in hand.
- The 15 CMMC practices that require in-person C3PAO validation unless the OSC uses a cloud service provider (CSP) with a FedRAMP Moderate authority to operate (ATO).
Phase 2 – Conduct the Assessment
During this phase, the C3PAO will evaluate how well the OSC complies with the CMMC requirements. Rather than being prescriptive, the Phase 2 requirements give C3PAOs significant flexibility to decide on the effort level and assurance scenario (e.g., which in-scope physical locations to assess/sample) for each assessment.
This section also covers how C3PAOs should evaluate CSPs that do not have FedRAMP Moderate ATOs. It is critical to know well before your assessment whether your in-scope CSP relationship(s) will make the grade or threaten your certification.
Phase 3 – Report Recommended Assessment Results
During Phase 3 of the assessment, the C3PAO will share the results and reveal whether the OSC met the requirements for certification unconditionally, met them conditionally with Plans of Action & Milestones (POA&Ms), or failed to merit certification.
According to the CAP, an OSC must meet 80% of practices to attain a conditional CMMC Level 2 certification with POA&Ms, good for up to 180 days. It also details the 52 practices for which the DoD will allow POA&Ms. OSCs that fail to implement one of the 58 mandatory practices cannot be awarded CMMC Level 2 certification.
Phase 4 – Close-Out POA&Ms (if necessary) and Assessment
For OSCs that were awarded a conditional CMMC Level 2 certification at Phase 3, there is a fourth and final step—to close out all POA&Ms within 180 days. The C3PAO will then verify whether all POA&Ms are closed, and if so award an unconditional CMMC Level 2 certification.
Where does the CAP fit in the CMMC document ecosystem?
The CAP is primarily intended for C3PAOs to use alongside other official CMMC documents released by the US Department of Defense (DoD), including:
- The CMMC Model Overview
- CMMC Assessment Guide—Level 2
- CMMC Scoping Guidance—Level 2
- CMMC eMASS Concept of Operations for CMMC Third Party Assessment Organizations
- CMMC Artifact Hashing Tool User Guide (still under development)
Several of these documents, especially the overview, assessment guidance, and scoping guidance, can also help OSCs understand assessors’ expectations, identify and produce the expected evidence, and otherwise prepare both technologically and psychologically for their assessments.
Documents published by the DoD to provide guidance and support for CMMC Level 2 certifications are must-reads for OSCs that handle CUI. These include:
- CMMC Model Overview Version 2.0 (PDF)
- CMMC Model 2.0 in spreadsheet format, which includes mappings to CMMC 1.x practices (XLSX download)
- CMMC Level 2 Self-Assessment Guide for contractors to perform annual CMMC Level 2 self-assessments (separate from the triennial C3PAO assessment) (PDF)
For more information on CMMC program guidance, visit this page in the Federal Register.
Is the CMMC assessment process a moving target?
The current CAP document is at version 1.0. It was released following the Cyber AB’s town hall meeting on July 26, 2022. This is a “pre-decisional draft” that “… has not been endorsed by the DoD and is not yet authorized for use in CMMC certification assessments.”
The Cyber AB allowed a 30-day comment period on the CAP, which ended on August 25, 2022.
Back in February 2024, CEO Matthew Travis stated that the Cyber AB plans to release a CAP version 2.0 draft for public comment before the DoD completes its rulemaking to finalize the CMMC program. This was reiterated during the July 2024 Cyber AB town hall meeting.
While the new CAP 2.0 will probably arrive by early 2025, DIB contractors seeking the competitive benefits of a successful CMMC Level 2 assessment should still learn all they can from today’s CAP 1.0 draft.
What is the current CMMC assessment regime?
All organizations that want to continue doing business with the DoD will need to achieve CMMC certification at the level their contract specifies:
- Businesses that do not handle CUI but only federal contract information (FCI) are only required to meet CMMC Level 1. All OSCs at Level 1 are eligible to perform a self-assessment for certification.
- As noted above, OSCs that handle CUI will need to comply with CMMC Level 2, which is based on NIST SP 800-171 revision 2. A small percentage of these businesses at lower risk levels will be eligible to perform a self-assessment for certification. The majority of OSCs at Level 2 will require a third-party assessment by a C3PAO every 3 years, as well as annual self-assessments.
- Businesses that handle the most sensitive unclassified information, and must therefore guard against advanced persistent threats (APTs), will need to comply with CMMC Level 3. These organizations will first need to pass a Level 2 assessment with a C3PAO. Then they will undergo a separate Level 3 assessment with auditors from the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
If your company is eligible to conduct a CMMC self-assessment, it must be conducted annually and be accompanied by an affirmation of full compliance from a senior executive. These self-assessment results and senior executive affirmations are registered in the DoD’s Supplier Performance Risk System (SPRS) database.
What’s next?
CBIZ Pivot Point Security has been helping hundreds of clients prove they are secure and compliant for over 20 years. We offer a full range of services to help OSCs achieve and maintain CMMC compliance at their required level.
Contact us to schedule a complimentary discussion with a CMMC expert.