The Cybersecurity Maturity Model Certification (CMMC) initiative was first announced by the Department of Defense (DoD) in 2019 to unify the implementation of cybersecurity measures within the Defense Industrial Base (DIB).
Since then, the DoD completed an internal assessment of the initial implementation of the CMMC framework, based on feedback it received from the DIB, and revised CMMC from version 1.0 to version 2.0.
Another critical milestone was reached on July 26, 2022, when the Cyber AB (formerly known as the Cybersecurity Maturity Model Certification Accreditation Body) released the pre-decisional draft of the CMMC Assessment Process (CAP).
What Is the CMMC Assessment Process (CAP)?
The recently released pre-decisional draft defines the CAP as a doctrine that provides the overarching procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC Assessments of organizations seeking CMMC Certification.
The goal of the CAP is to increase the accuracy and consistency of assessments conducted by C3PAOs and ensure that all organizations that undergo voluntary assessments have a similar experience.
The currently available version of the CAP applies only to Level 2 (L2) of the CMMC Model, and it is divided into four phases.
While the CAP is developed for C3PAOs, Certified CMMC Assessors (CCAs), and Certified CMMC Professionals (CCPs), all current and future members of the CMMC ecosystem can benefit from familiarizing themselves with it.
The CAP Is Still a Work in Progress
While C3PAOs have yet to start performing assessments based on the CAP pre-decisional draft, some of those who follow the CMMC ecosystem closely have already pointed out multiple mistakes and omissions.
“CyberAB has taken the next step of giving additional guidance on how the assessment process will be performed. That is amazing news! Unfortunately, the document is still in draft form, contains multiple errors, and is unclear in multiple significant areas,” says Justin Weeks, VP of Cybersecurity and Compliance at Aligned Technology Solutions.
For example, Table 1.1 references the CMMC Pre-Assessment Form as Appendix D, but Section 1.7.4 references it as Appendix A. Another example can be found in the section Eligible Practices for Limited Deficiency Correction Consideration, which lists MA.L2-3.7 instead of the actual practice identifier MA.L2-3.7.3 as the only authorized practice.
“Additionally, [the CAP] appears to direct assessors to perform assessments in such a way that is not in alignment with DFARS. Thankfully, the CyberAB knew that the document would have its shortcomings and has opened it up for public comments. The missing clarity in the document does beg the question whether the CyberAB is capable of creating a CAP that will address these concerns, or if DoD is directly responsible for the CyberAB not achieving its mission through unclear guidance on the unclear topics,” adds Weeks.
According to Cyber AB Chief Executive Officer Matt Travis, the current version is an 80 percent solution, if not more, and serves as a good conversation starter.
The CAP Is Now Available
The CMMC Assessment Process is now available as a pre-decisional draft. It gives everyone in the ecosystem, from CMMC Third-Party Assessment Organizations to Organizations Seeking Certification, a valuable opportunity to familiarize themselves with the overarching procedures and guidance for CMMC Assessments before the document is finalized.