CAP
The CMMC Assessment Process (CAP) v2.0 was released in December 2024.
Selecting a C3PAO
- If you are an Organization Seeking Certification (OSC) or an Organization Seeking Assessment (OSA), first ensure that the Assessor is part of a CMMC Third-Party Assessment Organization (C3PAO) listed as "authorized" or "accredited" on the CMMC Marketplace.
- Then, verify that the C3PAO is in good standing and eligible to conduct the Level 2 certification assessment.
Preparations
- If you are an Organization Seeking Certification (OSC) or an Organization Seeking Assessment (OSA), confirm your organization's unique CAGE code(s), as assessments cannot happen without at least one.
- Establish the assessment scope by defining all in-scope assets, aligned with the organization's System Security Plan (SSP) and the NIST SP 800-171 R2 requirements. In some cases, this scoping will be part of the quoting process with a C3PAO, but it is helpful to have a general idea of the environment to be assessed before submitting requests for bids to C3PAOs.
Conflict of Interest (COI) Management
- The C3PAO must manage impartiality and identify potential conflicts of interest (COI) in compliance with ISO/IEC 17020:2012 and the CMMC Code of Professional Conduct. This includes making sure it is not also a consultant to the organization it is to assess.
- The OSC/OSA and the C3PAO must agree on the Lead CMMC Certified Assessor (CCA), ensuring no COIs exist.
Contractual Agreements and Assessment Team Composition
- Once the OSC/OSA has chosen a C3PAO, it signs a contract that includes mutual non-disclosure agreements (NDAs) and provisions prohibiting guarantees or outcome-based incentives.
- Confirm the credentials of the assessment team members.
Evidence and Readiness
Once signed up with a C3PAO and scheduled for an assessment, the OSC/OSA should begin to gather the documentation necessary for the assessment (guided by the assessor) and determine which personnel and resources will be required to support it. Physical or virtual access to evidence and systems may be required, depending on the scope of the assessment.
Assessment Phases Overview
Phase 1: Pre-Assessment
- The C3PAO reviews your SSP and readiness.
- Pre-assessment forms are uploaded into the CMMC eMASS system.
Phase 2: Security Implementation Assessment
- Security requirements are evaluated through examination, interviews, and testing.
- Sampling methods are applied to achieve depth and coverage.
Phase 3: Reporting Results
- The C3PAO compiles results and conducts a quality assurance review.
- Results are presented during an out-brief meeting.
Phase 4: Certification and Plans of Action and Milestones (POA&M) Closeout
- Certificates of Status are issued based on the results.
- Any POA&Ms are addressed for conditional certifications.
Post-Assessment
- The hashed artifacts should be retained as evidence for six years.
- A different C3PAO may be used for closing out POA&Ms.
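Retaining hashed artifacts only has value if the hashes can later prove that the retained evidence is unchanged. The following script is an added illustration of that idea and is not part of the CAP or any C3PAO's tooling: it builds a SHA-256 manifest of every file under an artifact directory, hashes the manifest itself so a single digest covers the whole evidence set, and re-verifies the files later to detect tampering or loss. The choice of SHA-256, the manifest layout, and the sample file names and contents are all assumptions constructed for the example; the CAP's own artifact-hashing procedure should be followed where it specifies a format.

```python
"""Build and verify a SHA-256 manifest for retained assessment artifacts.

Illustrative example only; the hash algorithm, manifest format and sample
files are assumptions and not taken from the CAP.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large artifacts stream


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> list:
    """List (relative path, digest) for every file under root, in sorted order.

    Sorting makes the manifest, and therefore its digest, reproducible.
    """
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries.append((p.relative_to(root).as_posix(), sha256_file(p)))
    return entries


def manifest_text(entries: list) -> str:
    """Render the manifest in the familiar 'digest  path' line format."""
    return "".join(f"{digest}  {name}\n" for name, digest in entries)


def manifest_digest(entries: list) -> str:
    """Hash the manifest itself: one digest that covers the whole evidence set."""
    return hashlib.sha256(manifest_text(entries).encode("utf-8")).hexdigest()


def verify(root: Path, entries: list) -> list:
    """Return the names of artifacts that are missing or whose hash has changed."""
    problems = []
    for name, expected in entries:
        p = root / name
        if not p.is_file() or sha256_file(p) != expected:
            problems.append(name)
    return problems


def demo() -> dict:
    """Create constructed sample artifacts, hash them, then detect a later edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssp").mkdir()
        # Constructed sample evidence; names and contents are placeholders.
        (root / "ssp" / "ssp-v3.pdf").write_bytes(b"constructed sample SSP content")
        (root / "AC.L2-3.1.1-screenshot.png").write_bytes(b"constructed sample image bytes")

        entries = build_manifest(root)
        clean = verify(root, entries)          # expected: no problems

        # Simulate a retained artifact being altered after the assessment.
        (root / "ssp" / "ssp-v3.pdf").write_bytes(b"modified after the assessment")
        tampered = verify(root, entries)       # expected: the SSP is flagged

        return {
            "count": len(entries),
            "manifest_hash": manifest_digest(entries),
            "clean": clean,
            "tampered": tampered,
        }


if __name__ == "__main__":
    result = demo()
    print(f"{result['count']} artifacts hashed; manifest digest {result['manifest_hash']}")
    print("problems before tampering:", result["clean"])
    print("problems after tampering:", result["tampered"])
```

Store the manifest and its digest alongside the artifacts (and ideally a copy of the digest somewhere the artifact store cannot modify); at any point during the retention period, re-running the verification against the stored manifest shows whether the evidence still matches what was hashed at assessment time.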
Appeals Process
An OSC/OSA should understand its rights to appeal an assessment result and understand the process involved with both the C3PAO and The Cyber AB. This information can be found in the CAP.