The CMMC Assessment Process (CAP) provides procedures for CMMC Level 2 Assessments. CMMC Third-Party Assessment Organizations conduct assessments of organizations seeking certification (OSCs). The Cyber AB released a pre-decisional draft in August of 2022. The Cyber AB published version 2.0 in December of 2024.
The CAP only applies to the conduct of CMMC Level 2 certification assessments. The CAP supplements publications endorsed or published by the Department of Defense (DoD). It does not replace or supersede any authoritative CMMC source material. The Cyber AB maintains the CAP with approval by the CMMC Program Management Office. The CAP ensures the consistency and integrity of CMMC Level 2 certification assessments.
The CAP addresses pre-assessment “preliminary proceedings”. It then organizes four phases of the assessment process:
In each phase, it describes the required activities, roles, and responsibilities of participants. It provides a logical sequencing of activities throughout the assessment process. In certain sections, it mandates a precise sequence of specific activities; those sections require following the procedures in the prescribed order. In all other respects, the C3PAO and OSC may conduct the assessment using a reasonable approach of their own.
A CMMC Level 2 certification assessment requires engagement from several key roles. These key individuals or organizations may include:
As defined in 32 CFR §170.4 Acronyms and Definitions
Other relevant individuals not defined in 32 CFR § 170.4:
Level 2 certification assessments compel a few preliminary administrative, framing, and contractual activities. OSCs and C3PAOs should address these before commencing Phase 1 of the assessment. These activities concern important aspects of the prospective assessment. Their successful resolution enables a proper, viable, and transparent Level 2 certification assessment.
P.1 An OSC generally initiates an assessment by contacting an authorized or accredited C3PAO.
Authorized and accredited describe a C3PAO's status as conferred by the CMMC accreditation body. Authorized is an interim term. It describes C3PAOs until the CMMC AB achieves ISO/IEC 17011:2017(E) compliance. Authorized C3PAOs must achieve ISO/IEC 17020:2012(E) compliance. C3PAOs have to achieve and maintain that compliance within 27 months of their authorization.
P.2 The Cyber AB maintains an updated Marketplace of authorized or accredited C3PAOs. C3PAOs listed as "authorized" or "accredited" are eligible to conduct Level 2 assessments.
P.3 C3PAOs must confirm the corporate legal entity for Organization Seeking Certification (OSC).
P.4 The C3PAO should receive the OSC's Commercial and Government Entity (CAGE) code(s). This should include all CAGE codes affiliated with the Level 2 certification assessment. The DoD issues CAGE code(s), which establish the identity of the OSC. A C3PAO issues a Level 2 Certificate of CMMC Status to a discrete information system, owned and operated by the OSC and identified in the System Security Plan (SSP).
P.5 The C3PAO should receive the OSC's assessment unique identifier (UID), if one exists. A UID exists only if a previous self-assessment generated one; the DoD Supplier Performance Risk System (SPRS) generates a UID for self-assessments. The Pre-Assessment Form should include this SPRS UID if it exists, but it is not required for a Level 2 certification assessment. The CMMC instantiation of eMASS will generate a new UID upon attainment of Level 2. The CMMC eMASS UID and the SPRS UID share the same format and serve the same purpose. Each Level 2 certification assessment or self-assessment receives its own UID.
P.6 All OSCs must have a valid CAGE code. The Level 2 certification assessment cannot proceed without at least one CAGE code. A single CMMC assessment may cover more than one entity. OSCs may associate more than one CAGE code with a Level 2 Assessment Scope.
P.7 The C3PAO should ask whether any in-scope External Service Providers (ESPs) exist. 32 CFR §170.4(b) defines ESPs. OSCs should categorize in-scope ESPs as a Cloud Service Provider (CSP) or a “non-CSP” ESP under 32 CFR §170.19(c)(2).
P.8 The C3PAO will work with the Affirming Official or OSC POC to plan the assessment. This includes the schedule, personnel, logistics, and relevant contractual requirements. Details are dependent on the size of the organization and the CMMC Assessment Scope.
P.9 The CMMC Assessment Scope includes all assets assessed against CMMC security requirements. The OSC must specify the scope before the commencement of the Assessment. 32 CFR §170.19(c), “CMMC Level 2 Scoping” establishes the determination of the CMMC Assessment Scope. DoD manual, CMMC Assessment Scope – Level 2 contains supplemental information.
P.10 In framing the assessment, the C3PAO and OSC should agree upon the following aspects:
P.11 Another consideration in framing the assessment is determining the assessment location(s). This includes identifying which requirements and objectives to assess remotely and which in person. The C3PAO or Lead CCA should optimize validation of the following 18 objectives and ensure adequate assessment scope and depth for each.
NOTE. OSC CMMC-scoped environments may NOT have physical and/or environmental controls. Cloud environments or other factors may negate conducting an “on-site” assessment. The OSC and the C3PAO should address the applicability of these requirements in Phase 1.
P.12 C3PAOs are responsible for managing impartiality and identifying conflicts of interest. C3PAOs cannot delegate this responsibility to their CMMC Assessment Team or the OSC.
P.13 C3PAOs must adhere to ISO/IEC 17020:2012 and the CMMC Code of Professional Conduct (CoPC). The CoPC contains details on conflict-of-interest disclosure provisions and COI prohibitions. The CoPC includes CMMC-specific examples of potential COIs to mitigate or avoid.
P.14 The C3PAO must provide to the OSC the name of the Lead CCA they intend to assign to the assessment. The C3PAO must coordinate with the OSC to identify any conflicts of interest.
P.15 Either party may identify or disclose a conflict of interest. The C3PAO must work with the OSC to mitigate the identified conflict in question.
P.15.1 The C3PAO must document any mitigation measures to which the parties agree.
P.15.2 The C3PAO cannot proceed with an assessment without sufficient conflict of interest mitigation.
P.16 The C3PAO should receive concurrence from the OSC on the assignment of the Lead CCA. This must occur before commencing with the CMMC Level 2 certification assessment.
P.17 The C3PAO will execute a written contract with the OSC for the Level 2 assessment. Neither The Cyber AB nor DoD is a party to the Level 2 assessment contract between the C3PAO and the OSC.
P.18 The format and structure of the contract is at the discretion and mutual agreement of the C3PAO and OSC.
P.19 A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).
P.20 All contracts for assessments must conform to the CMMC Code of Professional Conduct. The C3PAO cannot offer “guarantees” or “promises” relating to the assessment results. They cannot include any incentives contingent on issuing a Certificate of CMMC Status.
In Phase 1, the C3PAO will determine whether the OSC is prepared for the assessment.
The C3PAO will complete the Pre-Assessment Information Form at the end of Phase 1. The C3PAO will submit the form into the CMMC instantiation of eMASS.
1.1 The Lead CCA will supervise Phase 1 activities.
1.2 C3PAO personnel will review the OSC’s System Security Plan (SSP). They will examine the document for completeness, accuracy, and consistency. This cursory review should provide an expectation that the OSC met the requirements. The certification assessment will assess the adequacy or sufficiency of their implementation.
1.3 The Lead CCA validates the OSC’s CMMC Level 2 Assessment Scope under 32 CFR §170.19(c), “CMMC Level 2 Scoping”. The DoD publication, CMMC Assessment Scope – Level 2, contains supplemental CMMC scoping guidance.
1.4 The C3PAO and the OSC must resolve any scoping disagreements before the assessment.
1.5 32 CFR §170.19(c) addresses Assessment Scope requirements. The Assessment Team and the OSC will establish evaluation methods for security objectives. Methods may depend on the OSC's CUI Level 2 assets and the degree of rigor applied to the assessment. Methods may include, but are not limited to, the assessment methods addressed in activity 1.10.
1.6 For in-scope ESPs, the OSC must have a Customer Responsibility Matrix (CRM). The Assessment Team will confirm availability of the CRM. The Assessment Team will confirm availability of ESP personnel participating in the assessment.
1.7 If the ESP stores, processes, or transmits CUI, it must have one of the following:
The Assessment Team will confirm evidence of the ESP’s appropriate certification. The DoD defines a CSP based on the cloud computing definition from NIST SP 800-145.
1.8 The Lead CCA must confirm incorporation, documentation, and/or participation of in-scope ESPs. Without confirmation, the parties should discuss the merits of not proceeding. This discussion should include the C3PAO and OSC Affirming Official.
1.9 The Assessment Team will need access to various evidence and artifacts. They will also need access to OSC personnel and ESP personnel (if applicable). Access enables evaluative activities in Phase 2 of the certification assessment. The Lead CCA should have confidence that ample evidence is accessible. This enables accurate evaluation of the NIST SP 800-171 R2 security requirements' implementation.
1.10 The Lead CCA will determine the readiness of the OSC to proceed with the assessment. The determination incorporates the reviews and confirmations conducted in this Phase, along with a general confidence in the OSC's preparations for the assessment. The Lead CCA should convey the planned use of the various assessment methods to the OSC. This may include reviewing, inspecting, observing, studying, analyzing, discussing, and exercising assessment objects. It may also include the methods and the attributes of depth and coverage outlined in:
1.11 The Assessment Team will not make any preliminary determination of the assessment outcome. The purpose of this activity is only to confirm the OSC's preparation to begin the assessment.
1.12 The C3PAO will compose the CMMC Assessment Team as established and defined in 32 CFR §170.11(b)(10). The C3PAO will propose the names of the CCAs and CCPs that it intends to assign to the Assessment Team to the OSC.
1.13 The C3PAO must follow the personnel procedures when composing its Assessment Team. Sections 6.15 and 6.16 of ISO/IEC 17020:2012 define the procedures.
1.14 The C3PAO must manage impartiality and identify any conflicts of interest. This must occur before the commencement of Phase 2 activities. The C3PAO cannot delegate this responsibility to the Lead CCA or the OSC. The C3PAO must mitigate or avoid any COI between Assessment Team members and the OSC.
1.15 The C3PAO will generate, collect, and document pre-assessment and planning information and material. 32 CFR §170.9(b)(8) requires the C3PAO to submit the Pre-Assessment Form. This form includes:
The C3PAO will upload the pre-assessment information into CMMC eMASS. DoD will use the information for program management and oversight purposes.
1.16 The C3PAO may use the official CMMC Level 2 Pre-Assessment Form on the CMMC eMASS website. C3PAOs may also use a tool that can generate pre-assessment data in the required JSON file format. Tools must follow the CMMC eMASS data standard.
1.17 The C3PAO will follow the instructions and guidance for the pre-assessment. The CMMC eMASS Concept of Operations for C3PAOs contains planning information and material.
1.18 The C3PAO will not share OSC pre-assessment information with anyone outside the assessment. C3PAOs may only share information with individuals not involved when required by law.
1.19 Once completed, a C3PAO QA individual will conduct a review of the Pre-Assessment Form. For this quality assurance function, the C3PAO will meet the requirements as outlined in 32 CFR §170.9(b)(13).
1.20 After the quality assurance review, a QA individual will upload the form into CMMC eMASS. The C3PAO will follow the CMMC eMASS data standard. “The CMMC eMASS Concept of Operations for C3PAOs” sets forth the upload procedures.
1.21 Phase 1 concludes upon upload of the Pre-Assessment Form into CMMC eMASS.
1.22 The Lead CCA may determine that the OSC was not prepared to undergo the assessment. In this case, they will inform the Affirming Official of their decision. They will provide an explanation in writing explaining they suspended the Assessment. They will not provide advice on improving documentation or assessment preparations.
1.23 Under no circumstances will the C3PAO offer advice on improving the OSC's preparedness. This prohibition extends to the Assessment Team and any other affiliated personnel. The CoPC prohibits C3PAOs from providing advisory services to assessment clients. Doing so would prohibit the C3PAO from resuming the assessment for that OSC.
1.24 The OSC may decide to cancel or postpone the assessment. In this case, both parties should settle all affairs according to their agreement. This includes the return of any OSC proprietary information. Both parties should discuss the option of revisiting the assessment at a later date. This includes the anticipated timelines for resuming the suspended assessment. If resumed, the assessment would return to Phase 1.
1.25 The C3PAO will still complete the Pre-Assessment Form for postponed or cancelled assessments. After a QA review, the C3PAO will upload the Pre-Assessment Form into CMMC eMASS. Previous activities 1.13 through 1.19 describe these activities.
The purpose of Phase 2 is to assess the OSC's implementation of the CMMC Level 2 security requirements. The assessment will determine whether the OSC has met the objectives of NIST SP 800-171A. The Assessment Team will apply the FOCUSED value for both depth and coverage.
The C3PAO will conduct the assessment based on:
2.1 The Lead CCA will convene an In-Brief Meeting before commencing the assessment. They may conduct this meeting in-person, through remote means, or in a hybrid manner. The purpose of the In-Brief Meeting is to establish a common understanding of:
2.2 The Lead CCA will ensure there is documentation of official minutes of the kickoff. This will include all questions and answers. The C3PAO will keep documentation of these kickoff meeting minutes.
2.3 Attendees for the in-brief meeting will include, but are not limited to:
A member of the CMMC Assessment Team may be unable to attend the In-Brief Meeting. In that case, the Lead CCA will inform the OSC of the identity of the absent member(s) and introduce them to the OSC at a later point in the assessment.
2.4 The OSC may have other employees, consultants, ESP personnel, or observers present. The C3PAO may include individuals outside the Assessment Team to observe the assessment. The C3PAO must receive permission from the Affirming Official or OSC POC to do so.
2.5 The Lead CCA will address the following issues with the OSC during the In-Brief Meeting:
2.6 The Assessment Team will assess requirements based on NIST SP 800-171A and 32 CFR §170.17(c). The three (3) assessment methods include examination, interview, and test. The assessment guide derives these methods from NIST SP 800-171A. The Assessment Team CCAs will adhere to these methods for assessing security requirements.
2.7 Upon mutual agreement, the parties may collect and assess evidence using remote means, such as a secure video conference system or web-based collaboration platform. The C3PAO has final authority on whether particular evidence must be collected in person, based on its internal procedures and risk evaluation. Both parties will ensure CUI is not shared via electronic means during evidence collection and evaluation. The single exception is that the parties may share CUI between CMMC Level 2-conforming environments on both sides.
2.8 The Assessment Team’s sampling balances the thoroughness and efficiency of the assessment. Evaluations cover assets, people, policies, and procedures. The assessment should achieve an accurate and proper determination of conformity. Efficient assessments should remain manageable and cost-effective. Achieving that balance involves selecting representative samples of evidence. The assessment includes a sample that minimizes the risk of overlooking non-conforming items.
2.9 The Assessment Team will use a nonstatistical sampling approach, as described in NIST SP 800-171A R2, Appendix D, "Assessment Method Descriptions". The Assessment Team will apply the FOCUSED value for both depth and coverage.
2.10 The Assessment Team may increase the sample size when they encounter inadequate evidence.
2.11 The Assessment Team will account for all relevant CAGE codes in the sample.
2.12 The Assessment Team should consider whether system boundaries account for all physical locations. Different locations may use different physical control methods. They should also consider whether scan results cover systems at all locations.
2.13 The Assessment Team will use the CMMC Level 2 Scoring Methodology. 32 CFR §170.24 defines NIST SP 800-171 R2 security requirements implementation scoring.
2.14 The DoD CMMC Scoring Methodology references the following:
2.14.1 Assessment Findings: 32 CFR §170.24(b)
2.14.2 Scoring: 32 CFR §170.24(c)
2.15 Assessors may re-evaluate NOT MET security requirements during the assessment. Assessors may also re-evaluate them within ten (10) business days following the assessment. The active assessment period ends at the conclusion of Phase 2 activities. 32 CFR §170.17(c)(2) provides guidance on re-evaluating NOT MET security requirements.
2.16 32 CFR §170.16(a)(2) and 32 CFR §170.16(a)(3) establish criteria for in-scope ESPs. The Assessment Team will determine the OSC’s use and disposition of an in-scope ESP. Consult the CMMC PMO published FAQ on this issue for clarification on the use of ESPs.
2.17 The Assessment Team will ensure the ESP's Customer Responsibility Matrix (CRM) is up-to-date. The CRM should include all relevant parties with security responsibilities. It should address all in-scope CMMC security requirements. This includes requirements performed as a whole or in part by the ESP.
2.18 Assessors may use the interview method to verify requirements on the CRM assigned to the ESP. The ESP respondent must show enough knowledge and credible “ownership” of those requirements. This is no different for security requirements under the responsibility of the OSC. The Assessment Team may use the examine and test methods on CRM inheritance claims.
2.19 The Assessment Team may apply a reduced level of effort to ESPs that hold a Level 2 or Level 3 Certificate of CMMC Status. The Assessment Team will confirm the ESP has a valid Certificate of CMMC Status, and may then consider the requirements under the ESP's responsibility already validated. The Assessment Team will still confirm that the inherited requirements are implemented and maintained. The ESP may attest that its implementations remain in the same state as at its own assessment. ESP personnel still need to take part in Phase 2 to answer the Assessment Team's questions.
2.20 The Assessment Team will verify CSPs represented as FedRAMP Moderate Authorized. They will refer to the FedRAMP Marketplace and verify the CSP as a “Provider”. They will verify the specific cloud service offering documented in the OSC’s SSP. They will verify the listed offering under the column heading “Service Offering”. The Assessment Team can then determine the current Authorization baseline status. They should check both the “Impact Level” and “Status” column headings for the offering. Once verified, they should accept the FedRAMP Moderate baseline of the cloud service. The assessment team should note the verification in the assessment results.
2.21 CSP cloud environments may not have FedRAMP Authorizations. Cloud environments may meet the security requirements of FedRAMP Moderate (or higher) equivalency. The DoD CIO policy defines equivalency requirements. The Assessment Team will determine the attainment of equivalency using DoD CIO policy.
2.21.1 The Assessment Team will verify the CSP's FedRAMP Moderate body of evidence (BoE). Verification includes ensuring it is complete, intact, and within the established periodicity. The Assessment Team will use the following definitions when reviewing the BoE:
The Assessment Team will verify the above elements of the cloud service offering. The Assessment Team will document equivalency verifications in the assessment results.
2.21.2 The Assessment Team is not evaluating the offering's conformance to the FedRAMP standard. Nor is the Assessment Team conducting a qualitative examination of any BoE elements. This includes testing results. The review is only verifying the BoE is complete, intact, and within periodicity.
2.22 The C3PAO will conduct quality assurance reviews during the assessment. 32 CFR §170.9(b)(14) requires C3PAOs to observe the Assessment Team's conduct and management. A QA individual who is not a part of the Assessment Team will perform this review. These reviews supplement the quality assurance requirements related to Phases 1 and 3. Phase 1 quality assurance reviews cover the Pre-Assessment Form. Phase 3 quality assurance reviews cover the Final Assessment Report.
2.23 The Assessment Team will host a Daily Checkpoint Meeting with the OSC. This should occur at the end of each assessment day. The meeting should summarize progress, identify any challenges, and discuss items for coordination.
The purpose of Phase 3 is to complete, review, report, and submit the assessment results. The Assessment Team should complete all evaluative activity before reaching Phase 3.
3.1 The Assessment Team will compile and compose the assessment results. CMMC eMASS requires specific formatting for uploading assessment results.
3.2 The C3PAO will follow the CMMC eMASS data standard. “The DoD CMMC eMASS Concept of Operations for C3PAO” defines this standard.
3.3 C3PAOs may use the Assessment Results Template available on the CMMC eMASS website. C3PAOs may develop or use any tool compliant with the CMMC eMASS data standard. Tools must generate assessment results data in the required JSON file format.
3.4 If the Lead CCA assesses all requirements as MET, the results will reflect a recommendation for a CMMC Level 2 Final Certificate of CMMC Status.
3.5 If the Lead CCA assesses some requirements as NOT MET and the OSC has a valid POA&M that meets 32 CFR §170.21, the results will reflect a recommendation for a Conditional Certificate of CMMC Status. 32 CFR §170.21 stipulates that:
3.6 The Lead CCA may determine that security requirements have deficiencies. If a valid POA&M is not attainable, the results will recommend no issuance of a Level 2 Certificate of CMMC Status.
3.7 The C3PAO will conduct a formal QA review of the assessment results. The C3PAO will conduct the QA review of the results before the Out-Brief Meeting.
3.8 The C3PAO will ensure that the QA reviewer is a CCA and not a member of the Assessment Team conducting the assessment. The QA reviewer will not interact with the Assessment Team on the assessment while it is in progress.
3.9 The QA review will check the accuracy and completeness of the evaluation. This review includes all security requirements. The review also checks for conformance to required reporting formats and data fields.
3.10 The Lead CCA will convene the Out-Brief Meeting upon the completion of the quality review. The OSC may elect to request a re-evaluation of security requirements. 32 CFR §170.17(c)(2) permits re-evaluations when all the following conditions exist:
The Lead CCA may convene the Out-Brief no sooner than ten business days after Phase 3 evaluations. The Lead CCA may conduct The Out-Brief Meeting in-person or through remote means. The purpose of the Out-Brief Meeting is to convey the results of the assessment to the OSC.
3.11 Attendees will include the Lead CCA, the OSC Official, the OSC POC, and all Assessment Team Members. The Lead CCA will inform the OSC of the identity of any absent member(s). The OSC retains the right to insist upon the presence of all Assessment Team members. The OSC may delay the Out-Brief until all Assessment Team members are available. The OSC may proceed with the Out-Brief without full attendance by the Assessment Team.
3.12 The OSC may have employees, consultants, ESP personnel, and observers at the Out-Brief. The C3PAO may ask to have individuals external to the Assessment Team at the Out-Brief. The C3PAO must receive permission from the Affirming Official or OSC POC to do so.
3.13 The Lead CCA will ensure there is documentation of official minutes of the Out-Brief. This includes all questions and answers. The C3PAO will keep this documentation.
3.14 The Assessment Team will prepare an Assessment Results Briefing documenting the assessment results. The Assessment team will deliver the briefing to the OSC during the Out-Brief.
The Assessment Team will develop the Assessment Results Briefing using a presentation application. Common applications include Microsoft PowerPoint, Google Slides, and Apple Keynote. The Assessment Team may provide a PDF version as well.
The Assessment Team will include the following information in the Assessment Results Briefing.
3.15 Under no circumstances will the Assessment Results Briefing contain any remedial actions. This includes any information that communicates, references, or insinuates recommended or suggested actions.
3.16 The Assessment Team will make the OSC aware of its artifact retention responsibilities. The OSC must retain the hashed artifacts used as assessment evidence for six (6) years. This term begins on the CMMC Status Date that will appear on the Certificate of CMMC Status. The OSC must hash the artifact files using a NIST-approved hashing algorithm. The OSC must provide the Assessment Team with a list of the following for upload into CMMC eMASS:
The CMMC Hashing Guide provides guidance for hashing artifacts.
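The retention requirement in 3.16 only works if the OSC can later prove that a retained artifact is byte-for-byte the file the Assessment Team saw. The following is an added example of that mechanism, not code from the CAP, the Cyber AB, or the CMMC Hashing Guide: it hashes an evidence tree with SHA-256 (a NIST-approved algorithm), writes a manifest, and re-verifies the tree to detect an edited, deleted, or after-the-fact artifact. The manifest line layout (`<hex digest>  <relative path>`, the form `sha256sum` uses), the sample file names, and the contents are this example's own assumptions; the actual fields to upload into CMMC eMASS are those the CMMC Hashing Guide specifies, which this page does not reproduce.

```python
# Added example: SHA-256 artifact manifest for the six-year evidence retention
# described in activity 3.16. Not code from the CAP, the Cyber AB, or the CMMC
# Hashing Guide. Manifest format and sample artifact names are assumptions.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK_SIZE = 1 << 20  # stream files in 1 MiB blocks; evidence bundles can be large


def sha256_file(path: Path) -> str:
    """Return the lowercase hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def format_manifest(manifest: Dict[str, str]) -> str:
    """Serialise as 'digest  path' lines, so `sha256sum -c` can also check it."""
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Inverse of format_manifest; rejects malformed lines instead of guessing."""
    manifest: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 64 or not all(c in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        manifest[rel] = digest
    return manifest


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Re-hash root and compare it with a stored manifest.

    Returns (changed_or_missing, unlisted): listed files whose digest differs
    or that no longer exist, and files on disk the manifest never covered.
    """
    current = build_manifest(root)
    changed = sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)
    unlisted = sorted(rel for rel in current if rel not in manifest)
    return changed, unlisted


def demo() -> dict:
    """Hash a constructed evidence tree, then detect tampering after the fact."""
    # Constructed sample artifacts (not real evidence); contents are chosen so
    # that the resulting digests are well-known SHA-256 test values.
    sample = {
        "evidence/ac-2-user-list.txt": b"abc",
        "evidence/empty.bin": b"",
        "policies/access-control-policy.txt": b"Access Control Policy v1\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)

        manifest = build_manifest(root)
        # Round-trip through the text form, as it would be stored for six years.
        restored = parse_manifest(format_manifest(manifest))
        before = verify_manifest(root, restored)

        # What retention must detect: an edited artifact, a deleted artifact,
        # and a file added later that was never assessment evidence.
        (root / "evidence/ac-2-user-list.txt").write_bytes(b"abc\nnew-admin\n")
        (root / "policies/access-control-policy.txt").unlink()
        (root / "evidence/unlisted.txt").write_bytes(b"added after the assessment\n")
        after = verify_manifest(root, restored)

    return {"manifest": manifest, "roundtrip_ok": restored == manifest,
            "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print(format_manifest(result["manifest"]), end="")
    print("before tampering:", result["before"])
    print("after tampering: ", result["after"])
```

Because the manifest uses the `sha256sum` line layout, the same file can be checked on a retention server with `sha256sum -c manifest.txt` and no Python at all. The design point is that the digest list, not the files, is what gets handed to the Assessment Team: the OSC keeps the artifacts, and anyone holding the manifest can later confirm the retained copies are unchanged without the C3PAO having to retain OSC-proprietary material itself.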
3.17 A C3PAO QA individual will upload the certification assessment results into CMMC eMASS. The C3PAO will follow the CMMC eMASS data standard and upload procedures. The DoD CMMC eMASS Concept of Operations for C3PAOs provides more guidance.
3.18 C3PAOs may use the assessment results template available on the CMMC eMASS website.
3.19 Assessment results at the point of creation may not meet the formal definition of CUI. C3PAOs and Assessment Teams will protect assessment results as if they were CUI.
3.20 The C3PAO must use the environment within their CMMC Level 2 Assessment Scope. This environment may access and upload certification assessment results into CMMC eMASS. The workspace used to upload assessment results must be within their DIBCAC-assessed environment. There will be no “system-to-system” connections from C3PAOs to CMMC eMASS. Upload requires a valid user workspace or end point.
3.21 The C3PAO QA individual will include the OSC’s hashes in the assessment results. The QA individual will incorporate hashes before uploading into CMMC eMASS.
3.22 Once uploaded, the QA individual will receive from CMMC eMASS the following information:
3.23 The C3PAO will address any appeals. This includes appeals on the findings, results, and/or Certificate of Status determination. 32 CFR §170.9(b)(19) provides guidance on OSC and C3PAO appeals. The OSC must file an initial appeal with the same C3PAO that conducted its assessment.
3.24 C3PAOs will have a time-bound internal appeals process to address appeals received. The C3PAO appeals process must follow ISO/IEC 17020:2012. This process will remain on file with The Cyber AB. The C3PAO will follow its own appeals process and not deviate from the version on file with The Cyber AB.
3.25 A QA individual will manage the assessment appeals process. This QA individual cannot be a part of the Assessment Team that conducted the assessment. This QA individual cannot have performed any QA reviews of the assessment.
3.26 The C3PAO will complete its assessment appeals process. They will render a decision on the OSC’s assessment appeal. They will convey their adjudication decision to the OSC in writing. This decision will include their supporting rationale.
3.27 The C3PAO will enter the required Assessment Appeal information into CMMC eMASS. They will use the required assessment appeals template. The QA individual will perform a quality review of the assessment appeals template. The QA individual will complete their review before uploading into CMMC eMASS.
3.28 Should the OSC oppose the decision, it may elevate its appeal to The Cyber AB. The OSC must elevate the appeal in writing to The Cyber AB within fifteen business days of the decision. All Assessment Appeals decisions rendered by The Cyber AB are final. The Cyber AB defines its Assessment Appeals Process on its website.
The final phase of the assessment centers on the C3PAO issuing a CMMC Level 2 Certificate of CMMC Status. It may also include closing out any Plan of Action and Milestones (POA&Ms) that might exist.
The completion of Phase 4 brings the certification assessment to its formal conclusion.
4.1 After receiving the results, CMMC eMASS will confirm the Level 2 Status, UID, and Status Date. This applies to both FINAL and CONDITIONAL Level 2 Statuses. A QA individual will then generate the Certificate of Status for approval by the C3PAO.
4.2 The C3PAO will only use a standardized Level 2 Certificate of CMMC Status template. This applies to both FINAL and CONDITIONAL Level 2 Statuses. The Cyber AB approves and provides standardized templates.
4.3 The Authorized Certifying Official must approve and sign all Certificates of CMMC Status. The Cyber AB will keep Authorized Certifying Officials on file.
4.4 A QA individual will enter the following onto the Certificate of CMMC Status:
Entering this information will occur before approval by the Authorized Certifying Official.
4.5 An Authorized Certifying Official will review and sign the Certificate. This authorization conveys formal issuance on behalf of the C3PAO.
4.6 The C3PAO will produce the approved Certificate of CMMC Status in PDF file format.
4.7 A C3PAO QA individual will upload the Certificate of CMMC Status into CMMC eMASS. The “DoD CMMC eMASS Concept of Operations for C3PAOs” provides certificate uploading guidance.
4.8 The C3PAO will deliver a copy of the Level 2 Certificate of CMMC Status to the Affirming Official and the OSC POC. Delivery may be in electronic or physical form. The Level 2 Certificate of CMMC Status is not considered CUI.
4.9 The C3PAO will deliver an electronic copy of the Certificate of CMMC Status to The Cyber AB. The email address for this correspondence is certificates@cyberab.org.
4.10 An assessment may result in a CONDITIONAL Level 2 Certificate of CMMC Status. An OSC may hire an authorized or accredited C3PAO to close out its Plan of Action & Milestones (POA&M). The OSC may engage a C3PAO different from the one that conducted its assessment. The POA&M Closeout C3PAO assumes responsibility for the FINAL CMMC Status determination. If the OSC meets the POA&M closeout requirements, the POA&M Closeout C3PAO issues the FINAL Certificate of CMMC Status.
4.11 The C3PAO will document a conflict-of interest disclosure and mitigation review. This will occur before commencing a POA&M closeout for the OSC.
4.12 The C3PAO will meet the requirements for closing out a POA&M. 32 CFR §170.17(a)(1)(ii)(B) defines these procedures.
4.13 A QA individual will conduct a QA review of the POA&M close-out upon completion by the Assessment Team. The C3PAO will ensure the QA individual(s) is a CCA. The QA individual cannot be a member of the POA&M closeout Assessment Team.
4.14 The QA review checks the evaluation accuracy and completeness of the closeout assessment. The QA review also checks the conformance to the reporting format and data fields. The C3PAO will conduct the QA review of the POA&M closeout before uploading into CMMC eMASS.
4.15 The Assessment Team may choose to offer the OSC a POA&M Out-Brief Meeting, but one is not required. The Assessment Team will convey the POA&M closeout results in writing. They will also convey the remaining administrative next steps to the OSC.
4.16 The OSC may refute the findings of the CMMC Assessment Team during the POA&M closeout. The OSC retains the right to appeal the findings, results, and/or CMMC Level 2 Status decision. The process for POA&M closeout appeals is identical to the Phase 3 appeals process. The Phase 4 C3PAO that closed out the POA&M controls the assessment appeals process.
4.17 The C3PAO will submit the POA&M closeout results to CMMC eMASS. Successful closure of the POA&M will result in the issuance of a FINAL Level 2 Certificate of CMMC Status. The C3PAO will follow the procedures established in activities 4.1 through 4.9.