After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP). The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification. The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.
Aimed at increasing the accuracy and consistency of assessments conducted by C3PAOs, the CAP is segmented into four distinct phases:
Phase 1: Plan and Prepare the Assessment;
Phase 2: Conduct the Assessment;
Phase 3: Report Assessment Results; and
Phase 4: Close-Out Plan of Action and Milestones (POAMs) and Assessment.
While the assessment process is still in draft form, DoD contractors should familiarize themselves with the proposed structure and conduct of CMMC assessments, as these parameters will be critical to companies attaining CMMC certification at the level requisite for future government contract awards.
The Cyber AB is currently accepting comments on the draft CAP.