As the Department of Defense (“DoD”) continues its efforts to establish the Cybersecurity Maturity Model Certification (“CMMC”), version 2.0, The Cyber AB, formerly known as the Cybersecurity Maturity Model Accreditation Body, recently released a pre-decisional draft of the CMMC Assessment Process (“CAP”) at the end of July. While not yet endorsed by the DoD, contractors can and should familiarize themselves with the proposed process for assessing the implementation of cybersecurity measures.
CMMC 2.0 is expected to have three certification levels: Level 1 (foundational) for contractors handling Federal Contract Information (“FCI”); Level 2 (advanced) for contractors handling Controlled Unclassified Information (“CUI”); and Level 3 (expert) for contractors handling the highest-priority programs involving CUI. The draft CAP is currently structured to apply to CMMC Level 2 certifications.
The draft CAP describes the CMMC doctrine and provides the overarching procedures and guidance for CMMC Third-Party Assessment Organizations (“C3PAOs”) that will assess organizations seeking CMMC certification.
The draft CAP provides four phases for the assessment:
- Plan and Prepare the Assessment
- Conduct the Assessment
- Report Assessment Results
- Close Out Plan of Action and Milestones (POAMs) and the Assessment
C3PAOs will begin conducting four voluntary assessments using the draft CAP this month and next (the weeks of August 22, August 29, and September 12), each conducted as a joint surveillance voluntary assessment. While rulemaking is still underway and these voluntary assessments take place, the release of the draft CAP gives contractors insight into the process, which should help them satisfy the CMMC Level 2 requirements.
A copy of the draft CAP can be found here.