Making Sense of the CMMC Assessment Process (CAP)

The Cybersecurity Maturity Model Certification (CMMC) initiative was first announced by the Department of Defense (DoD) in 2019 to unify the implementation of cybersecurity measures within the Defense Industrial Base (DIB).

Since then, the DoD has completed an internal review of the initial CMMC implementation, incorporated the feedback it received from the DIB, and replaced CMMC 1.0 with CMMC 2.0, which was announced in November 2021.

Now, we have reached another important milestone with the release of the pre-decisional draft of the CMMC Assessment Process (CAP) by the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, on July 26, 2022.

What Is the CMMC Assessment Process (CAP)?

The recently released pre-decisional draft defines the CAP as a doctrine that provides the overarching procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC Assessments of organizations seeking CMMC Certification.

The goal of the CAP is to increase the accuracy and consistency of assessments conducted by C3PAOs, so that every organization undergoing an assessment has essentially the same experience regardless of which C3PAO performs it.

The currently available version of the CAP applies to Level Two (L2) of the CMMC Model only, and it is divided into four phases:

While the CAP is developed for C3PAOs, Certified CMMC Assessors (CCAs), and Certified CMMC Professionals (CCPs), all current and future members of the CMMC ecosystem can benefit from familiarizing themselves with it.

The CAP Is Still Work in Progress

While C3PAOs are yet to start performing assessments based on the CAP pre-decisional draft, some of those who follow the CMMC ecosystem closely have already pointed out multiple mistakes and omissions.

“CyberAB has taken the next step of giving additional guidance on how the assessment process will be performed. That is amazing news! Unfortunately, the document is still very much in draft form, contains multiple errors, and is unclear in multiple significant areas,” says Justin Weeks, VP Cybersecurity and Compliance at Aligned Technology Solutions.

For example, Table 1.1 references the CMMC Pre-Assessment Form as Appendix D, while section 1.7.4 references it as Appendix A. Another example can be found in section 2.3.2.2, Eligible Practices for Limited Deficiency Correction Consideration, which lists the incomplete identifier MA.L2-3.7 instead of MA.L2-3.7.3 as the only practice eligible for that consideration.

“Additionally, [the CAP] appears to direct assessors to perform assessments in such a way that is not in alignment with DFARS. Thankfully, the CyberAB knew that the document would have its shortcomings and has opened it up for public comments. The missing clarity in the document does beg the question whether the CyberAB is capable of creating a CAP that will address these concerns, or if DoD is directly responsible for the CyberAB not achieving its mission through unclear guidance on the unclear topics,” adds Weeks.

According to Cyber Accreditation Body Chief Executive Officer Matt Travis, the current version is an 80 percent solution—if not more—and it serves as a good conversation starter.

Conclusion

The CMMC Assessment Process is now available as a pre-decisional draft, giving everyone from CMMC Third-Party Assessment Organizations to Organizations Seeking Certification a valuable opportunity to familiarize themselves with the overarching procedures and guidance for CMMC Assessments.
