CMMC Assessment Process - CCA 2025

Last updated 7:38 PM on 5/6/26

1

The CAP applies to which level of CMMC?

Level 2

2

What are the four phases of the CAP?

1. Plan & Prepare. 2. Conduct the Assessment. 3. Report Assessment Results. 4. Close-Out POA&M and Assessment

3

What are the objectives of the CAP?

1. Highest possible accuracy, fidelity and quality

2. Maximize consistency across different assessments and C3PAOs

3. Improve cybersecurity defense posture and resiliency

4

Who initiates the engagement for completing the assessment?

The OSC

5

Once a C3PAO receives an assessment request from an OSC, the C3PAO should respond within how many days?

5 days

6

What is an OSC Assessment Official?

The most senior representative of the OSC, responsible for leading, managing, and decision-making. Must be an employee of the OSC.

7

Who can be an OSC Point of Contact?

An RP, contractor, consultant, or advisor. Does not have to be an employee of the OSC.

8

What is the main role of the CQAP?

Ensuring all assessment packages are reviewed and validated for procedural integrity prior to upload into eMASS.

9

What is the CMMC Pre-Assessment Form Template, what does it include and is the use of the template mandatory?

The central record and information for the assessment.

Includes documentation of assets, CMMC assessment scope, evidence and other OSC data.

Yes, it is mandatory.

Phase 1.

10

What is the Virtual Assessment Evidence Preparation Template and is the use of the template mandatory?

Excel file to support the organization and presentation of virtually validated evidence.

Yes, it is mandatory.

Phase 1.

11

What is the CMMC Assessment Readiness Review (CA-RR) Checklist and is the use of the template mandatory?

A preliminary formal review conducted by the Lead Assessor of the OSC's and Assessment Team's readiness for phase 2.

No, it is not mandatory.

Phase 1.

12

What is the C3PAO and Assessor Conflict of Interest (COI) Attestation and is the use of the template mandatory?

A statement from the C3PAO and Assessment Team attesting that no conflicts of interests exist.

Yes, it is mandatory.

Phase 2.

13

What is the CMMC Assessment In-Brief and is the use of the template mandatory?

A PowerPoint file for formal kickoff of phase 2.

No, it is not mandatory.

Phase 2.

14

What is the Daily Checkpoint and is the use of the template mandatory?

A PowerPoint file that tracks daily assessment activities.

No, it is not mandatory.

Phase 2.

15

What is the Limited Practice Deficiency Correction Worksheet and is use of the template mandatory?

A record of implemented CMMC practices with discrepancies that require resolution for a MET score.

No, it is not mandatory.

Phase 2.

16

What is the CMMC Assessment Results Form and is the use of the template mandatory?

A spreadsheet that contains the official record of the Assessment results.

Yes, it is mandatory.

Phase 2, 3 & 4.

17

What is the CMMC Assessment Findings Briefing and is the use of the template mandatory?

A PowerPoint file used to construct the reporting of assessment results to the OSC.

No, it is not mandatory BUT a formal brief-out of assessment results is required.

Phase 2.

18

What is the CMMC Assessment Quality Review Checklist and is the use of the template mandatory?

A checklist of items to be verified during CQAP review.

Yes, it is mandatory.

Phase 1 & 3.

19

What is the Confirmation of Destruction of OSC Data and is the use of the template mandatory?

A Word template to document the surrender/destruction of OSC proprietary information at the end of assessment.

No, it is not mandatory BUT a formal notification to the OSC is required.

Phase 4.

20

What are the two types of scoping in phase 1?

1. Assessment Framing

2. CMMC Assessment Scope

21

What is Assessment Framing?

Identifying the size, scale, date, time, place, manner, resources, and level-of-effort associated with the prospective conduct of a CMMC Assessment.

22

What is the CMMC Assessment Scope and who initially determines it?

The boundaries within an organization's networked environment that contain all the assets that will be assessed.

Determined by the OSC and validated by the C3PAO.

23

When should an NDA be signed between the OSC and C3PAO?

During initial contractual agreement.

24

Under what circumstance can an OSC POC also serve as the OSC Assessment Official?

If they have decision-making authority within the company.

25

What are the TWO main roles associated with an OSC Assessment Official?

1. Ensuring the OSC is carrying out required actions, including assessment funding and payment.

2. Delegating an additional OSC representative in addition to the OSC POC.

26

Who can agree to, sign and approve the framing and terms of the assessment?

The Assessment Official

27

What is a Host Unit?

The specific people, procedures, and technology within a HQ Organization that would be applied to the DoD contract and that are to be considered the OSC for CMMC Assessment purposes.

28

What is HQ Organization?

The legal entity that will be delivering services or products under the terms of a DoD contract. The HQ Organization itself could be the OSC, or it could designate a Host Unit as the OSC.

29

What is an enclave?

A set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter.

A segmentation of an organization's network or data that is intended to "wall off" that network or database from all other networks or systems.

30

What is a Supporting Organization?

The people, procedures, and technology external to the HQ Organization that support the Host Unit.

31

Do the Supporting Organizations themselves need to be included in the assessment? Why or why not?

No.

The assets affiliated with Supporting Organizations may need to be included as part of the CMMC Assessment Scope, but the Supporting Organizations themselves would NOT receive a CMMC Certification during the OSC's Assessment.

32

What is a CAGE code and is it required for the assessment?

Commercial and Government Entity code, issued by the DoD, possessed by the HQ Org or Host Unit.

Yes, it is required for the assessment.

33

What is a UEI and is it required for the assessment?

Unique Entity Identifier, issued via registration with the General Services Administration's SAM.gov, possessed by the HQ Org or Host Unit.

Yes, it is required for the assessment.

34

In addition to the Assessment Scope, what else does the OSC need to provide to the Lead Assessor?

Supporting documentation: network schematic diagrams, SSP, policies, organizational charts.

35

Who is required to validate the CMMC Assessment Scope?

The Lead Assessor

36

What four inventory documents must the OSC provide to the C3PAO?

1. Most recent self-assessment results

2. List of anticipated evidence

3. SSP

4. OSC personnel who play a role in the in-scope procedures

37

What is Adequacy in the context of CMMC?

Criteria needed to determine if a given artifact, interview response, demo, or test demonstrates performance of a CMMC practice.

38

What question does Adequacy answer?

Does the Assessment Team have the right Evidence?

39

What is Sufficiency in the context of CMMC?

Criteria needed to verify that CMMC domain and practice coverage by the OSC is enough to rate against each practice.

40

What question does Sufficiency answer?

Does the Assessment Team have enough of the right Evidence?

41

What is the purpose of the Pre-Assessment Data Form?

To record requirements, agreements, risks, conflicts of interest mitigation, and logistics for the assessment.

42

The final version of the Pre-Assessment Plan is submitted where, during what phase of the CAP, and by whom?

1. Submitted to eMASS

2. At completion of Phase 1.

3. By the C3PAO or Lead Assessor

43

What do you do if changes occur after the Pre-Assessment Plan is uploaded?

Upload new data. Previous data uploads are retained in eMASS.

44

What does ROM stand for?

Rough Order of Magnitude

45

Upon analyzing all information collected in phase 1, the Lead Assessor must arrive at what four possible determinations?

1. Proceed

2. Replan

3. Reschedule

4. Cancel

46

True or False?

The Assessment Team can provide advice and recommendations on the sufficiency or adequacy of the OSC's evidence.

False

47

True or False?

If an assessment is replanned or rescheduled, the C3PAO can offer advice and recommendations to help OSC preparedness.

False

48

What kind of training does a CQAP need?

CMMC eMASS training provided by DoD.

49

What is the purpose of Phase 2?

To assess the implementation of CMMC practices by the OSC in conformance with the CMMC Model

50

When does the Kickoff Meeting happen?

The first step of Phase 2, before the assessment starts.

51

In the context of the assessment in Phase 2, what are Specifications?

Document-based artifacts associated with a system (policies, procedures, architecture designs, security plans).

52

In the context of the assessment in Phase 2, what are Mechanisms?

The specific hardware, software, or firmware safeguards that are employed within a system.

53

In the context of the assessment in Phase 2, what are Activities?

Protection-related actions supporting a system that are applied by the OSC's individuals.

54

What are the three assessment methods?

1. Examine

2. Interview

3. Test

55

Assessors shall follow which document when determining which assessment methods to use?

NIST SP 800-171A

56

What is the primary deliverable of an assessment?

A report of the findings associated with each practice.

57

Practices scored as "Not Met" must be evaluated against what document?

POA&M Scoring Criteria

58

Assessments are scored against what document?

CMMC Scoring with DoD Assessment Scoring Methodology

59

What is the Limited Practice Deficiency Correction accommodation for?

For practices that may have been effectively implemented but not necessarily documented.

60

What are the four reasons why a Not Met practice is ineligible for Limited Practice Deficiency Correction?

1. The practice may lead to significant exploitation.

2. The practice is already listed on the OSC's Self-Assessment Practice Deficiency Tracker

3. The practice was not implemented until after the assessment started

4. The practice changes or limits the effectiveness of another MET practice

61

What are the two criteria for a practice to be tracked under the Limited Practice Deficiency Correction program?

1. Practice was implemented, but missing minor updates

2. There is consensus that the practice does not change or limit the effectiveness of another MET practice

62

When there is a dispute between the Assessment Team and the OSC, who holds the final interpretation authority for the recommended practice scores and their findings?

C3PAO

63

Under what circumstance does the OSC receive a final finding of "Not Achieved"?

The overall score is less than 80%, even after scoring eligible Limited Practice Deficiency Correction practices.

64

If an OSC does not pass the assessment, what must they do?

Correct deficiencies and reapply for certification

65

After the Final Findings Briefing, how many days does an OSC have to correct deficiencies?

Five calendar days

66

What is the purpose of the POA&M?

To manage the progress of corrective efforts for security weaknesses found in an organization's programs and systems.

67

Assessment reports are submitted to the CQAP within how many days from the Final Findings Briefing?

10 Business Days

68

Reports are uploaded into eMASS within how many days from the Final Findings Briefing?

20 Business Days

69

Assessment reports are uploaded into eMASS using what format?

JSON

70

Who is responsible for maintaining and protecting notes and information from the assessment?

Lead Assessor

71

Assessment notes, information and the results package are retained for how many years?

3 years

72

The Lead Assessor must ensure that the OSC has hashed all artifacts in accordance with what document? The OSC must retain artifacts for how many years?

1. CMMC Artifact Hashing Tool Guide

2. 3 years

73

Practice deficiencies listed on the POA&M must be corrected within how many days from the Final Findings Briefing?

180 days

74

To support the Assessment Team, a C3PAO is required to have who on staff?

CQAP

75

List the mandatory assessment templates.

(There are 5 according to the CAP)

1. Pre-Assessment Form

2. Virtual Assessment Evidence Preparation

3. Limited Practice Deficiency Correction Program Worksheet

4. Assessment Results Form

5. Assessment Quality Review Checklist

76

For the assessment to commence, which two individuals must ultimately reach agreement on the content and submission of the final pre-assessment plan?

The Lead Assessor and OSC Assessment Official

77

Who identifies the methods, techniques and responsibilities for collecting, managing and reviewing evidence?

The Lead Assessor

78

Who determines whether or not some of the evidence collection activities are conducted virtually or in-person?

The OSC

79

How many practice objectives are required to be assessed in-person?

15 practice objectives

80

What are some considerations when C3PAOs are assigning assessment team members?

Absence of COI, availability, cost, years of experience, geographic location of the Assessor

81

True or False:

C3PAOs must select assessors that the OSC requests.

False

OSCs can request a specific assessor, but the C3PAO has the ultimate authority.

82

Who verifies the accuracy and completeness of the CMMC Pre-Assessment information?

The Lead Assessor

83

Who is primarily responsible for verifying that all planning requirements have been met in constructing the ROM?

The Lead Assessor

84

What is the primary deliverable of an assessment?

A report containing the findings associated with each practice.

85

If a Lead Assessor determines an alternative date for an OSC to correct deficiencies prior to uploading the Final Findings Report in eMASS, that date cannot exceed how many days?

5 calendar days

86

What are POA&Ms not allowed for?

Highest-weighted requirements