Preliminary Proceedings
Phase 1
Phase 2
Phase 3
Phase 4
100

In comparison, the CMMC doctrine outlines the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) must follow when conducting official CMMC assessments for organizations seeking certification.

What is the CMMC Assessment Process (CAP)?

100

It may serve as the OSC itself or appoint a Host Unit to act as the OSC.

What is the HQ Organization?

100

The OSC delivers a briefing that provides a high-level overview of its organization and cybersecurity program. The OSC Assessment Official or designated OSC Point of Contact (POC) shall inform all relevant OSC personnel of their roles in supporting the Assessment, including individuals who will be interviewed and those responsible for providing evidence.

What is the Convene Assessment Kickoff Meeting?

100

Lead Assessor presents the summary of the recorded MET/NOT MET status of each CMMC practice within the Assessment scope, as well as additional information that provides the context for any related final recommended findings. This activity communicates the final and complete recommended Assessment results to the OSC Assessment Official and OSC participants. These findings may be in a summarized form, but the detailed findings must also be provided as backup information. In addition to the recorded final recommended findings, the details of the CMMC practice scores are also presented and must include clear traceability from each finding, score, and practice MET/NOT MET status.

What is CMMC Assessment Findings Brief Template (Appendix L)?

100

If all practices reviewed as part of the POA&M receive a rating of “MET,” the Lead Assessor shall close out the assessment in accordance with the procedures outlined in Phase 3, paragraphs 3.2.2 through 3.2.4. The Lead Assessor shall then recommend that the OSC be granted a CMMC Level 2 Final Certification.

What is update POA&M Closeout?

200

Outline the objectives, criteria, and technical guidelines used to evaluate whether Defense Industrial Base (DIB) organizations meet the cybersecurity requirements of the CMMC standard, which is based on NIST Special Publication 800-171.

What is the CMMC Assessment Guides, developed and published by the DoD?

200

The C3PAO shall respond to the OSC within five (5) business days by acknowledging the request and proposing a date and time for an initial coordination call or virtual meeting.

What is once the request for a CMMC Assessment is received?

200

Incorporates the Assessment procedures described in NIST SP 800-171A, Section 2.1:

An Assessment procedure consists of an Assessment objective and a set of potential Assessment methods and Assessment objects that can be used to conduct the Assessment. Each Assessment objective includes a determination statement related to the [CMMC practice] that is the subject of the Assessment. The determination statements are linked to the content of the [CMMC practice] to ensure traceability of the Assessment results to the requirements. The application of an Assessment procedure to a [CMMC practice] produces Assessment findings. These findings reflect, or are subsequently used to help determine, whether the [CMMC practice] has been satisfied. Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals.

What is The CMMC Assessment Guide - Level 2?

200

• Final Report: The detailed practices and scores, clearly traceable to each finding and score, using the CMMC Assessment Results Template (i.e., an Excel workbook or spreadsheet with each practice's scores, findings, comments, etc.).

• Reports must be submitted to the CQAP NLT 10 Business Days from the Final Findings Briefing.

• Reports must be uploaded to eMASS NLT 20 Business Days from the Final Findings Briefing.

What is Assessment artifacts results package submitted to the C3PAO by the Lead Assessor?

200

If any practices reviewed as part of the POA&M do not receive a rating of “MET,” the Lead Assessor shall recommend that the OSC not be granted CMMC Level 2 Final Certification. In such cases, the OSC must remediate the identified deficiencies and reapply for CMMC Level 2 Certification. Upon this determination, the CMMC Level 2 Interim Certification shall become null and void.

What is update POA&M - OSC Reapply?

300

Resources for the entire CMMC Ecosystem.

What are C3PAOs, Certified CMMC Assessors (CCAs), and Certified CMMC Professionals (CCPs)?

300

- Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.0

- CMMC Assessment Guide, Level 2, Version 2.0

- CMMC Assessment Scope, Level 2, Version 2.0

- CMMC eMASS Concept of Operations (CONOPS) for CMMC Third Party Assessment Organizations; and

- CMMC Artifact Hashing Tool User Guide, Version 2.0

What is CMMC doctrine?

300

CMMC Assessments will be scored at the objective level featured in Appendix P. Assessors will score the objectives as MET/NOT MET/NA for each practice. Each practice with one or more objectives scored as NOT MET will inherently be scored as “NOT MET” for the entire practice and, accordingly, the Assessor will ascribe a deduction for the practice.

What is CMMC Scoring with DoD Assessment Scoring Methodology?

300

Verifies assessment documentation, prior to eMASS upload, to ensure the accuracy and completeness of the Assessment Results Package. (Review Checklist in Appendix L)

What is CMMC Quality Assurance Professional (CQAP) Verifies Assessment Results Package?

300

The C3PAO holds final authority for validating the OSC’s CMMC POA&M Close-Out findings. If the OSC believes that an incorrect approach was applied or that the timeline for corrective actions was insufficient, the OSC may submit an appeal in accordance with the Assessment Appeals Process outlined in Appendix R.

What is Support POA&M Close-Out Assessment Appeal Resolution?

400

It is a required component of the official CMMC canon, and both C3PAOs and their assessors must adhere to its procedures.

What is the CAP?

400

Document the results of this joint planning effort, including requirements, agreements, cost estimates, risks, practical considerations, schedules, logistics, and any relevant contextual information about the organization associated with the Assessment. This information shall be included in the Assessment documentation or provided as an addendum.

What is the ultimate contract between the OSC and the C3PAO?

400

- Practices that could lead to significant exploitation of the network or exfiltration of CUI, as listed in Appendix K, paragraphs (e) and (f);

- Any practice(s) listed on the OSC’s Self-Assessment Practice Deficiency Tracker (validated in paragraph 1.4.1);

- Practices that were not implemented by the OSC prior to the current CMMC Assessment; and

- Any practice that changes and/or limits the effectiveness of another practice that has been scored as “MET.”

What is Ineligible Practices for Deficiency Corrections?

400

The C3PAO official holds final authority for validating the OSC’s CMMC-certified environment. If the OSC believes that discrepancies resulted in a determination of noncompliance with CMMC requirements, or if there are concerns regarding the overall CMMC certification results, the OSC may submit an appeal in accordance with the Assessment Appeals Process outlined in Appendix N.

What is Final CMMC Assessment Report Appeals Resolution?

400

- The specific security weakness revealed by POA&M during the CMMC L2 Assessment has been “Fully-Implemented” and scored “MET”

- All POA&M items “Fully-Implemented” do not change and/or limit the effectiveness of another practice that has been scored “MET” during the CMMC L2 assessment for which the CMMC L2 interim certification was issued

- An updated Risk Assessment shows the removal of the previous CMMC Practices listed on the POA&M

- An updated POA&M shows no CMMC practice deficiencies

What are the POA&M satisfied items that must be validated before the Lead Assessor can proceed to paragraph 4.1.1?

500

• Ensure the highest level of accuracy, fidelity, and quality in CMMC Assessments performed by C3PAOs.
• Promote consistency so that Assessments conducted by different C3PAOs and assessors produce the same verifiable results and outcomes.
• Strengthen the cybersecurity posture and resilience of the DIB by delivering effective, efficient Assessments that are well-planned, consistently executed, and accurately reported.

What are the objectives that are required to be met across all four phases of the CMMC Assessment Process (CAP)?

500

1) Proceed with the Assessment as planned: all preparedness requirements have been met and all planning conditions are satisfactory to conduct a CMMC Assessment;

2) Replan the Assessment: not all preparedness requirements have been met, compelling the OSC and/or C3PAO to resolve certain discrepancies before the Assessment may commence;

3) Reschedule: all preparedness requirements have been met but planning conditions have been compromised due to external factors such as personnel health issues, natural disasters, current events, etc., and the Assessment must be rescheduled for a different date range; or

4) Cancel the Assessment: the Assessment cannot proceed due to insurmountable factors such as a conflict of interest that cannot be mitigated, a failure to arrive at contract terms between the C3PAO and OSC, etc.

What are the four determinations? The Lead Assessor makes the recommendation, but the C3PAO retains ultimate decision and approval authority.

500

After all evidence for each CMMC in-scope practice has been reviewed, verified, rated, and discussed with the OSC participants during daily checkpoint meetings, the Lead Assessor shall record the final recommended MET/NOT MET/NA determination and prepare to present the results to the assessment participants during the final review with the OSC and its Assessment Official.

The C3PAO retains final authority for interpreting the recommended practice scores and any associated findings.

What is Determine Final Practice MET/NOT MET/NA Results?

500

Responsible for ensuring that all practice deficiencies identified in the validated POA&M are remediated within 180 days of the CMMC Final Findings Briefing. This responsibility includes scheduling a CMMC POA&M Close-Out Assessment in accordance with Phase 4 requirements. The Lead Assessor and/or the C3PAO that issued the CMMC Level 2 Conditional Certification is not responsible for conducting the follow-up POA&M Close-Out Assessment.

What is Responsibility of OSC Issued CMMC L2 Conditional Certifications?

500

Within 180 days of the Assessment Final Recommended Findings Briefing, the OSC shall select a C3PAO to conduct a POA&M Close-Out Assessment. A Lead Assessor, along with any additional assessors as needed, shall review the OSC’s updated POA&M and any accompanying evidence, including scheduled collections such as observations, interviews, or tests.

What is Perform POA&M Close-Out Assessment?
