Categories: Preliminary Proceedings, PHASE 1, PHASE 2, PHASE 3, PHASE 4
Preliminary Proceedings: 100

This legal agreement, required between the C3PAO and the OSC, protects sensitive information shared during a CMMC Level 2 assessment and may be part of the main contract or a standalone document.

What is a mutual non-disclosure agreement (NDA)?

PHASE 1: 100

This individual holds primary governance and decision-making authority during the Plan and Prepare phase of a CMMC Level 2 assessment, directing all pre-assessment activities to ensure procedural compliance with the CAP. Their responsibilities include evaluating the OSC’s readiness maturity, validating the sufficiency, accessibility, and relevance of proposed evidence, confirming scope and boundary accuracy, verifying fulfillment of assessment entry criteria, and determining whether conditions exist to formally authorize transition into the assessment execution phase.

Who is the Lead CCA?

PHASE 2: 100

This meeting is convened by the Lead CCA before starting assessment activities and is conducted in person, virtually, or in a hybrid manner to establish a common understanding of the assessment objectives, procedures, roles and responsibilities, and schedule.

What is an In-Brief Meeting?

PHASE 3: 100

To complete, review, report, and submit the assessment results of the CMMC Level 2 certification assessment after all evaluative activity and examination of evidence have been completed by the Assessment Team.

What is primarily the purpose of the CMMC Assessment Process Phase 3?

PHASE 4: 100

During this CMMC assessment phase, a quality assurance individual generates the Certificate of Status upon receiving confirmation from CMMC eMASS with the UID and CMMC Status Date, then an Authorized Certifying Official must approve and sign using only standardized templates from The Cyber AB. The certificate must include 12 specific required elements including CAGE codes and NIST SP 800-171 R2 conformity statement, with copies delivered to the Affirming Official, OSC POC, and The Cyber AB via certificates@cyberab.org.

What is Phase 4 of the CMMC assessment process?

Preliminary Proceedings: 200

This critical planning activity involves defining the scope, logistics, schedule, and personnel needed for a CMMC Level 2 certification assessment—and is performed collaboratively by the C3PAO and the OSC.

What is assessment framing?

PHASE 1: 200

Before concluding Phase 1, the C3PAO confirms that the assessment can proceed. This decision considers scope, personnel availability, and evidence related to the practices being verified.

What is the readiness determination?

PHASE 2: 200

Assessment Teams must employ this specific depth and coverage value when evaluating all Level 2 security requirements in CMMC certification assessments, using nonstatistical sampling approaches per NIST SP 800-171 R2 Appendix D methodology to evaluate representative samples of evidence while minimizing the risk of missing non-conforming items.

What is the FOCUSED value?

PHASE 3: 200

After Phase 2 evaluative activity concludes, C3PAOs must compile assessment results according to the data standard established in this DoD document for formatting results for upload into the CMMC instantiation of eMASS.

What is CMMC eMASS Concept of Operations (CONOPS) for C3PAOs?

PHASE 4: 200

This CMMC status is achieved when an organization's assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8, but certain requirements are scored as NOT MET and included in a POA&M. If this status expires during contract performance, standard contractual remedies apply and the organization becomes ineligible for additional awards requiring Level 2 or higher CMMC status.

What is Conditional CMMC Status?

Preliminary Proceedings: 300

This is a Cyber AB-administered online resource that serves as the primary directory for OSCs to identify and select an authorized or accredited C3PAO eligible to conduct their Level 2 certification assessment, ensuring they engage a legitimate entity.

What is the CMMC Marketplace?

PHASE 1: 300

If an OSC is found unprepared to proceed, the Lead Assessor issues this outcome along with written justification—without suggesting how to improve or prepare.

What is an adverse readiness determination?

PHASE 2: 300

This document, required under CA.L2-3.12.4, must be current and complete during CMMC assessments and describe each information system in scope; its absence triggers noncompliance findings under 48 CFR 252.204-7012.

What is a System Security Plan (SSP)?

PHASE 3: 300

This web-based DoD application is where contractors must submit their CMMC Level 1 and Level 2 cybersecurity self-assessments and affirm their compliance status to be eligible for contracts requiring specific CMMC levels.

What is the Supplier Performance Risk System (SPRS)?

PHASE 4: 300

This official is employed by the C3PAO and serves as the eligible issuing authority who must be registered and recognized by The Cyber AB. They serve as the signatory for the CMMC Level 2 Certificate of CMMC Status provided to the OSC, and C3PAOs may identify more than one of these officials. Only this individual can approve and sign the Certificate of CMMC Status using standardized templates provided by The Cyber AB, and they must be on file with The Cyber AB to perform their certification duties.

Who is an Authorized Certifying Official?

Preliminary Proceedings: 400

An Assessor uses this unique identifier, issued by the Department of Defense, to verify the specific legal entity and system being assessed during a CMMC Level 2 certification; it must be provided by the OSC.

What is a CAGE code?

PHASE 1: 400

This mandatory deliverable, prescribed under 32 CFR §170.9(b)(8), formally captures key planning and administrative data including the OSC’s CAGE code, defined assessment window, approved assessment scope, and an initial readiness determination and must be submitted to the CMMC instance of eMASS as a prerequisite for authorization to advance beyond the Plan and Prepare phase into assessment execution.

What is the Pre-Assessment Form?

PHASE 2: 400

Assessment teams are obligated to execute this federally prescribed evaluation framework that functions as the authoritative measurement mechanism for assessing the degree of conformity between an OSC’s implemented security controls and the baseline requirements articulated in NIST SP 800-171 Revision 2, as mandated by regulation.

What is the CMMC Level 2 Scoring Methodology?

PHASE 3: 400

According to 32 CFR §170.17(c)(2), if the OSC elects to request a security requirement re-evaluation, the Lead CCA must wait a minimum of ten business days after Phase 3 completion before convening this type of meeting, which requires documented official minutes and may be conducted in person, virtually, or in a hybrid manner to present the Assessment Results Briefing containing MET/NOT MET determinations, while explicitly prohibiting any remedial action recommendations.

What is an out-brief meeting?

PHASE 4: 400

This individual generates the Certificate of Status for C3PAO approval, enters all required information including OSC legal name and CAGE codes, uploads certificates to CMMC eMASS, and performs independent oversight reviews to ensure accuracy and completeness of assessment documentation.

What is the Quality Assurance Official in Phase 4 of the CMMC Assessment Process?

Preliminary Proceedings: 500

This is the first step after a C3PAO receives a CMMC Assessment request from an Organization Seeking Certification (OSC) and may include confirming the assessment target.

What is confirming the entity or entities to be assessed?

PHASE 1: 500

Before any evaluation begins, the assessor must confirm the OSC’s System Security Plan covers all NIST SP 800-171 R2 L1 requirements. This cursory action ensures L1 practice scope is defined but does not validate implementation depth.

What is reviewing the SSP for completeness and consistency?

PHASE 2: 500

Pursuant to federal regulation, this individual provides continuous, independent oversight of assessment execution by evaluating procedural compliance, observing assessor conduct, and verifying proper governance of the assessment process, while remaining structurally and operationally separate from the team performing the assessment to ensure impartiality and integrity.

Who is a quality assurance individual?

PHASE 3: 500

This DoD system requires C3PAOs to upload certification assessment results using their DIBCAC-assessed IT environment, process data as if it were CUI, and utilize a provided Excel template (CMMC_AssessmentResults_Template.xlsx) with no system-to-system connections allowed.

What is CMMC eMASS?

PHASE 4: 500

This remediation instrument is prohibited entirely for Level 1 assessments, requires a minimum 80% assessment score to qualify, permits only select requirements scored as NOT MET, must be closed within 180 days of the Conditional Status Date, and is limited to certain low-impact security controls under 32 CFR 170.21.

What is a CMMC POA&M?