CMMC Assessment Process (CAP) v5.6.1 PDF
Summary
This document is a draft of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP), version 5.6.1, released on August 5, 2022. It details the process for conducting CMMC assessments and outlines its four phases: planning, conducting, reporting, and the close-out of Plans of Action and Milestones (POA&Ms). The document is for use by training providers and their candidates in preparation for the Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) programs under the DoD CMMC Framework V2.0.
DOCUMENT UNDER DEVELOPMENT – PUBLIC TRAINING RELEASE

Cybersecurity Maturity Model Certification (CMMC)
CMMC ASSESSMENT PROCESS (CAP)
Version 5.6.1
5 August 2022

This version (5.6.1) has been authorized for Training Providers and their respective training candidates for use in training and exam preparation for the Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) programs related to the DoD's CMMC Framework V2.0 only.

THIS DOCUMENT HAS NOT YET BEEN ENDORSED BY THE DEPARTMENT OF DEFENSE FOR USE IN AUTHORIZED CMMC CERTIFICATION ASSESSMENTS

Copyright © 2022 Cybersecurity Maturity Model Certification Accreditation Body, Inc.

DISCLAIMER

Copyright 2022 © Cybersecurity Maturity Model Accreditation Body, Inc. (d/b/a The Cyber AB). Proprietary and Confidential. Not to be shared without explicit permission of The Cyber AB.

The views, opinions and/or findings contained in this material are those of the author(s) and should not be construed as an official U.S. Government position, policy, or decision, unless designated by other documentation.

NO WARRANTY. THIS MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. THE CMMC ACCREDITATION BODY, INC. MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY OR RESULTS OBTAINED FROM USE OF THE MATERIAL NOR ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
TABLE OF CONTENTS

DISCLAIMER ... 4
TABLE OF CONTENTS ... 5
INTRODUCTION TO THE CMMC ASSESSMENT PROCESS (CAP) ... 1
Document Conventions ... 3

PHASE 1 – PLAN AND PREPARE THE ASSESSMENT ... 5
1.1 Receive CMMC Assessment Request from OSC ... 5
1.2 Establish Roles and Responsibilities ... 5
1.3 Organize and Prepare Assessment Documents and Templates ... 6
1.4 Ascertain Assessment Conditions and Requirements ... 8
1.4.1 Frame the Assessment ... 8
1.4.2 Identify Lead Assessor ... 9
1.4.3 Confirm the Corporate Identity to be Assessed ... 9
1.4.3.1 Understanding the Corporate Identity to be Assessed ... 10
1.4.4 Validate CMMC Assessment Scope ... 11
1.4.5 Evaluate Model Non-Duplication ... 11
1.4.6 Inventory OSC Cybersecurity Practices Against CMMC Model ... 11
1.4.7 Verify and Record Evidence Against Adequacy and Sufficiency Criteria ... 12
1.5 Complete Pre-Assessment Planning ... 13
1.5.1 Develop Evidence Collection Approach ... 13
1.5.2 Select Assessment Team Members ... 14
1.5.3 Identify Resources and Schedule ... 15
1.5.4 Identify and Manage Conflicts of Interest (COI) ... 16
1.6 Verify Readiness to Conduct the Assessment ... 16
1.6.1 Access and Verify Evidence ... 17
1.6.2 Make Assessment Feasibility Determination ... 17
1.6.3 Conduct Quality Review on Pre-Assessment Form Data ... 18
1.6.4 Upload Pre-Assessment Form into CMMC eMASS ... 18
1.6.5 Prepare the Assessment Team ... 18
1.6.6 Execute the C3PAO-OSC Contractual Agreement ... 18

PHASE 2 – CONDUCT THE ASSESSMENT ... 19
2.1 Convene Assessment Kickoff Meeting ... 19
2.2 Collect and Examine Evidence ... 19
2.2.1 Examine and Analyze Evidence ... 21
2.2.2 Conduct Interviews and Assess Responses ... 21
2.2.3 Observe Tests and Analyze Results ... 22
2.2.4 Identify and Document Evidence Gaps ... 22
2.2.5 Update Evidence Review Approach and Status ... 23
2.3 Score OSC Practices and Validate Preliminary Results ... 23
2.3.1 Determine and Record Initial Scores ... 24
2.3.2 Correct Limited Practice Deficiencies ... 24
2.4 Generate and Validate Preliminary Recommended Findings ... 25
2.4.1 Determine Final Practice MET/NOT MET/NA Results ... 26
2.4.2 Create and Finalize and Record Recommended Final Findings ... 27
2.4.3 Support Assessment Appeals Process ... 27

PHASE 3 – REPORT RECOMMENDED ASSESSMENT RESULTS ... 28
3.1 Deliver Recommended Assessment Results ... 28
3.1.1 Deliver Final Findings ... 28
3.2 Submit, Package, and Archive Assessment Documentation ... 28
3.2.1 Limited Practice Deficiency Correction Evaluation ... 29
3.2.2 CMMC Quality Assurance Professional (CQAP) Verifies Assessment Results Package ... 29
3.2.3 Upload Assessment Results Package into CMMC eMASS ... 29
3.2.4 Archive or Dispose of any Assessment Artifacts ... 29
3.2.5 Final CMMC Assessment Report Appeals Resolution ... 30
3.2.6 Responsibility of OSC Issued CMMC L2 Conditional Certifications ... 30

PHASE 4 – CLOSE-OUT POA&MS AND ASSESSMENT ... 31
4.1 Perform POA&M Close-Out Assessment ... 31
4.1.1 Update POA&M Closeout ... 31
4.1.2 Update POA&M – OSC Reapply ... 31
4.2 Support POA&M Close-Out Assessment Appeal Resolution ... 31

APPENDIX A – CHANGE LOG ... 32
APPENDIX B – GLOSSARY ... 33
APPENDIX C – AUTHORS AND CONTRIBUTORS ... 40
APPENDIX D – CMMC PRE-ASSESSMENT DATA FORM TEMPLATE ... 41
APPENDIX E – VIRTUAL ASSESSMENT EVIDENCE PREPARATION TEMPLATE ... 42
APPENDIX F – CMMC ASSESSMENT READINESS REVIEW CHECKLIST ... 43
APPENDIX G – C3PAO AND ASSESSOR COI ATTESTATION TEMPLATE ... 49
APPENDIX H – CMMC ASSESSMENT IN-BRIEF ... 49
APPENDIX I – CMMC DAILY CHECKPOINT ... 50
APPENDIX J – LIMITED PRACTICE DEFICIENCY CORRECTION PROGRAM WORKSHEET ... 51
APPENDIX K – CMMC ASSESSMENT RESULTS TEMPLATE ... 52
APPENDIX L – CMMC ASSESSMENT FINDINGS BRIEF TEMPLATE ... 53
APPENDIX M – CMMC ASSESSMENT QUALITY REVIEW CHECKLIST (Pending final DoD Rulemaking) ... 54
APPENDIX N – CONFIRMATION OF DESTRUCTION OF OSC DATA (Pending final DoD Rulemaking) ... 55
APPENDIX O – OSC'S SELF-ASSESSMENT PRACTICE DEFICIENCY TRACKER (Pending final DoD Rulemaking) ... 56
APPENDIX P – CMMC SCORING WITH DOD ASSESSMENT SCORING METHODOLOGY (Pending final DoD Rulemaking) ... 57
(Pending final DoD Rulemaking) ... 61
APPENDIX Q – CMMC ASSESSOR WAIVER PROCESS (Pending final DoD Rulemaking) ... 71
APPENDIX R – CMMC ASSESSMENT APPEALS PROCESS (Pending final DoD Rulemaking) ... 72
APPENDIX S – CMMC ASSESSMENT EVIDENCE COLLECTION APPROACHES (Pending final DoD Rulemaking) ... 73

INTRODUCTION TO THE CMMC ASSESSMENT PROCESS (CAP)

The Cybersecurity Maturity Model Certification (CMMC) framework is the Department of Defense's (DoD) unifying standard for the implementation of cybersecurity measures within the Defense Industrial Base (DIB).
The CMMC Assessment Guides that are developed, maintained, and published by DoD provide the objectives, specific criteria, and technical guidelines for assessing the conformance of DIB organizations seeking CMMC Certification to the applicable cybersecurity practices of the CMMC standard, which is grounded in the National Institute of Standards and Technology (NIST) Special Publication 800-171. These guides serve as the controlling technical authority for the purposes of assessing the implementation of CMMC practices.

The CMMC Assessment Process (CAP), by comparison, is the CMMC doctrine providing the overarching procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC Assessments of organizations seeking CMMC Certification. This version of the CAP applies to Level Two (L2) of the CMMC Model only.

The CAP, developed and maintained by the CMMC Accreditation Body and reviewed and endorsed by DoD, is an element of official CMMC canon, and adherence to its procedures is required by C3PAOs and their Assessors. While tailored for specific use by C3PAOs, Certified CMMC Assessors (CCAs), and Certified CMMC Professionals (CCPs), it is intended as a resource for the entire CMMC Ecosystem.

The CAP is organized across four (4) phases and describes the required activities to ensure that CMMC Assessments are conducted consistently across the DIB. The four phases are:

- Phase 1: "Plan and Prepare the Assessment";
- Phase 2: "Conduct the Assessment";
- Phase 3: "Report Assessment Results"; and
- Phase 4: "Close-Out POA&Ms and Assessment".
These four (4) phases have been designed to ensure that every CMMC Assessment meets the following objectives:

- Achieve the highest possible accuracy, fidelity, and quality for CMMC Assessments conducted by C3PAOs;
- Maximize consistency to ensure that different Assessments conducted by different C3PAOs and Assessors yield the same verifiable results and outcomes each time;
- Improve the cybersecurity defensive posture and the cyber resiliency of the DIB by providing effective and efficient Assessments that are well-planned, executed in consistent fashion, and accurately reported.

The CAP is designed to be used in conjunction with other official doctrine and publications within the CMMC Ecosystem, including the CMMC Model Overview, CMMC Assessment Guide—Level 2, CMMC Scoping Guidance—Level 2, the "CMMC eMASS Concept of Operations for CMMC Third Party Assessment Organizations," and the "CMMC Artifact Hashing Tool User Guide". Many of these documents are available on the official DoD CMMC website at www.acq.osd.mil/cmmc.

Comments on this document, as well as on the overall CMMC framework, are welcomed from all members of the CMMC Ecosystem and the public. This feedback will be used to improve the CAP and may help inform future adjustments to the CMMC Model itself. Feedback can be submitted via the DoD CMMC website www.acq.osd.mil/cmmc/contact-us.html or via the CMMC Accreditation Body address at [email protected].

Document Conventions

Various syntax, naming, and terminology specifications are employed throughout this document.
Category: Convention
Body Typeface: Arial
Body Font: 10 Regular
Phase Heading Font: 14 CAPS
Section Heading Font: 12 CAPS
Table Headings Font: 9 Bold
Auxiliary Verb of Compulsion: "Shall", connoting a requirement
Capitalized Terms: Assessment; Assessment Team Member; Assessor; C3PAO Assessment Team; Certification; CMMC Quality Assurance Professional; Defense Industrial Base; Evidence; Headquarters Unit; Host Unit; Lead Assessor; Limited Practice Deficiency Correction; Organization Seeking Certification; OSC Assessment Official; OSC Point of Contact; Registered Practitioner; Registered Practitioner Organization; Supporting Organization

PHASE 1 – PLAN AND PREPARE THE ASSESSMENT

A strong and effective CMMC Certification Assessment begins with a well-organized planning and preparation effort. The critical foundation for a successful Assessment engagement between CMMC Third-Party Assessment Organizations (C3PAOs) and Organizations Seeking Certification (OSCs) is established in Phase I. All activities in Phase I are necessary to ensure the conduct of a proper and consistent CMMC Assessment.

Phase I Assessment planning could range from one (1) to several days, depending on C3PAO-OSC communication effectiveness and the OSC's readiness and ability to provide the required information, including Evidence of CMMC practice implementation. An OSC's understanding of the CMMC practices and its preparation for the Assessment, including the fidelity and accuracy of its proposed CMMC Assessment Scope, is the primary driver of how efficiently Phase I might be completed.
1.1 Receive CMMC Assessment Request from OSC

An OSC generally initiates the engagement concerning a prospective CMMC Assessment by contacting an authorized C3PAO. The updated registry of authorized C3PAOs in good standing is maintained on the CMMC Marketplace website administered by the CMMC Accreditation Body (The Cyber AB). Unless otherwise notified by The Cyber AB, any C3PAO listed as "Authorized" within the Marketplace may be considered a C3PAO in good standing and eligible to conduct a CMMC Assessment.

The initial contact from the OSC can be made via the CMMC Marketplace's online intake form or by direct email or phone call to the C3PAO. C3PAO-OSC contact and communications may be initiated by either party, but in no circumstances will individuals from The Cyber AB or the Department of Defense serve in an introductory or facilitation role.

Once the request for a CMMC Assessment is received, the C3PAO should respond to the OSC within five (5) business days, acknowledging the request and proposing the scheduling of an initial coordination call or virtual meeting. During this initial exchange, the C3PAO should confirm the requested timeframes and geographic location(s) for the Assessment and attempt to ascertain the general preparedness of the OSC for a CMMC Level 2 Assessment. This could include asking any outstanding questions or requesting missing information from the initial request submission.

The OSC shall communicate the general parameters of its Assessment requirements, including the projected timeframe of when it would be ready for an Assessment and the physical location of its corporate assets that would be included in its CMMC Assessment Scope.

Note: the OSC's initial request may also include the identification of, or preference for, a specific Lead Assessor or CMMC Assessment Team Member, but the authority and decision for selecting and assigning the CMMC Assessment Team rests solely with the C3PAO.
1.2 Establish Roles and Responsibilities

A consistent, accurate, fair, and efficient CMMC Assessment requires the active engagement, communication, and attention of several key figures and entities, upon each of whom rests specific responsibilities:

Organization Seeking Certification (OSC): The OSC is the Defense Industrial Base (DIB) company, organization, university or college, legal entity, or discrete business division or practice area that is pursuing CMMC Certification by contracting with a C3PAO and proceeding with a CMMC Assessment. The OSC is responsible for implementing CMMC practices for the target CMMC Level to which they aspire and providing a cooperative environment for the C3PAO to conduct the Assessment.

OSC Assessment Official: The most senior representative of an Organization Seeking Certification who is directly and actively responsible for leading and managing the OSC's engagement in the Assessment and who possesses decision-making authority for the OSC with regard to the CMMC Assessment. The OSC Assessment Official must be an employee of the organization that is being assessed.

OSC Point of Contact (OSC POC): The individual within the OSC who provides daily coordination and liaison support between the OSC and the Assessment Team. The OSC POC does not necessarily have to be an employee of the organization that is being assessed, but rather could be a contractor, consultant, or advisor such as a CMMC Registered Practitioner (RP).

CMMC Third-Party Assessment Organization (C3PAO): An authorized and independent conformity-Assessment body that contracts with the Organization Seeking Certification to conduct CMMC Assessments and issues the CMMC Certification. Authorized C3PAOs are listed on the CMMC Marketplace.
C3PAO Assessment Team: The representative body of a C3PAO composed of certified personnel who conduct a CMMC Assessment. Also referred to as the "Assessment Team".

Lead Assessor: The CMMC Certified Assessor (CCA) who oversees and manages a dedicated CMMC Assessment Team for the Assessment of an OSC. Lead Assessors hold the formal designation as such from the CMMC Accreditation Body.

Assessment Team Members: Individuals who comprise the C3PAO Assessment Team.

CMMC Quality Assurance Professional (CQAP): The formally trained individual who is responsible for ensuring Assessment documentation completeness and accuracy. Each C3PAO is required to have at least one (1) CQAP on staff for ensuring all Assessment packages are reviewed and validated for procedural integrity prior to upload into eMASS or any other official CMMC repository system or application.

1.3 Organize and Prepare Assessment Documents and Templates

The C3PAO Assessment Team shall maintain regular familiarity and currency with the full body of CMMC Assessment doctrine. C3PAOs should have these documents "at the ready" when communicating with OSCs prior to, and during, a CMMC Assessment engagement. In addition to this CAP, the compendium of CMMC doctrine includes the following:

- Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.0
- CMMC Assessment Guide, Level 2, Version 2.0
- CMMC Assessment Scope, Level 2, Version 2.0
- CMMC eMASS Concept of Operations (CONOPS) for CMMC Third Party Assessment Organizations; and
- CMMC Artifact Hashing Tool User Guide, Version 2.0

Many of the above documents are available for download at the Department of Defense's CMMC Program Management Office website: https://www.acq.osd.mil/cmmc/documentation.html.

In addition, C3PAOs will need to utilize a range of templates throughout a CMMC Assessment engagement in order to properly document Assessment activities and findings.
The Cyber AB has prepared the following templates as appendices to this CAP for use by C3PAOs and their Assessment Team Members:

- CMMC Pre-Assessment Form Template: provides the central record and information for the Assessment, to include the documentation of assets and CMMC Assessment Scope, Evidence, and other OSC data. Use of this template is mandatory.
- Virtual Assessment Evidence Preparation Template: Excel file to support the organization and presentation of Evidence that will be validated virtually during an Assessment. Use of this template is mandatory.
- CMMC Assessment Readiness Review (CA-RR) Checklist: A preliminary but formal review conducted by the Lead Assessor and, as applicable, Assessment Team, verifying the OSC's and Assessment Team's readiness to conduct the Phase 2 portion of the Assessment against the identified Assessment planning parameters and Assessment scope.
- C3PAO and Assessor Conflict of Interest (COI) Attestation: Short statement in which both the C3PAO and its Assessment Team Members confirm that they have not provided consulting, advisory, or CMMC implementation support to the OSC that they will be assessing and that no conflicts of interest (COI) exist with that OSC. The use of this template is mandatory.
- CMMC Assessment In-Brief: PowerPoint file that can be used to construct the formal kickoff briefing for the commencement of the actual conduct of the CMMC Assessment (Phase 2). The use of this template is not mandatory.
- Daily Checkpoint: PowerPoint file that supports the coordination and tracking of daily Assessment activities. Use of this template is not mandatory.
- Limited Practice Deficiency Correction Worksheet: Documentation of record for any OSC-implemented CMMC practices that were assessed with discrepancies that require resolution for a "MET" score.
  Use of this template is not mandatory.
- CMMC Assessment Results: spreadsheet that contains the official record of the Assessment results. Use of this template is mandatory.
- CMMC Assessment Findings Briefing: PowerPoint file that can be used to construct the reporting of the Assessment results to the OSC. While use of this template is not mandatory, the formal brief-out of Assessment results from the C3PAO to the OSC is required.
- CMMC Assessment Quality Review Checklist: Checklist of items to be verified during the CMMC Quality Assurance Professional's review of documentation. Use of this template is mandatory.
- Confirmation of Destruction of OSC Data: MS Word template to be used by the C3PAO to document their surrender and/or destruction of any OSC proprietary information at the conclusion of the Assessment. While use of this template is not mandatory, the formal notification that proprietary information is no longer being retained by the C3PAO (in the absence of expressed written consent by the OSC) is required.

Tables 1.3 and 1.4 summarize the CMMC templates and other forms and documents, respectively, that are used or referenced in the CMMC Assessment Process.
Table 1.3 CMMC Assessment Templates

Template Name | Format | Appendix | Phase(s) | Mandatory
CMMC Pre-Assessment Form Template | Excel | D | 1 | Y
Virtual Assessment Evidence Preparation Template | Excel | E | 1 | Y
CMMC Assessment Readiness Review (CA-RR) Checklist | PDF | F | 1 | N
C3PAO and Assessor COI Attestation | MS Word | G | 2 | N
CMMC Assessment In-Brief | PowerPoint | H | 2 | N
Daily Checkpoint | PowerPoint | I | 2 | N
Limited Practice Deficiency Correction Program Worksheet | PDF | J | 2 | Y
CMMC Assessment Results Form | Excel | K | 2/3/4 | Y
CMMC Assessment Findings Briefing | PowerPoint | L | 2 | N
CMMC Assessment Quality Review Checklist | PDF | M | 1/3 | Y
Confirmation of Destruction of OSC Data | MS Word | N | 4 | N

Table 1.4 Select CMMC Forms and Documents

Form/Document Name | Format | Appendix | Phase(s)
OSC Self-Assessment Practice Deficiency Tracker | Excel | O | 1
CMMC Scoring with DoD Assessment Scoring Methodology | PDF | P | 2/4
CMMC Assessor Waiver Process | PDF | Q | 1
CMMC Assessment Appeals Process | PDF | R | 2/3/4
CMMC Assessment Evidence Collection Approaches | PDF | S | 2/3

Note: C3PAOs and their Assessment Team Members shall be familiar with all applicable templates and have them available for use as an engagement with an OSC commences.

1.4 Ascertain Assessment Conditions and Requirements

Upon agreement between the parties (i.e., C3PAO and OSC) to proceed with planning a CMMC Assessment, the C3PAO works with the OSC Assessment Official and the OSC POC to determine the purview and planning details of the Assessment. This will include discussing schedule, size of the organization, personnel, logistics, relevant contractual requirements, and the prospective CMMC Assessment Scope.
It is very important to make a distinction here between the two types of "scoping" activity that a C3PAO will encounter in Phase 1 of a CMMC Assessment: 1) Assessment framing, which is the high-level contract scoping discussed and agreed to at the onset of C3PAO-OSC engagement; and 2) CMMC Assessment Scope, which is an official and technical CMMC term. Both C3PAOs and OSCs must understand the respective definitions of both terms and, to avoid confusion and miscommunication, take measures to use both terms in their proper context and always differentiate between the two:

Assessment framing: the practice of identifying the size, scale, date, time, place, manner, resources, and level-of-effort associated with the prospective conduct of a CMMC Assessment. High-level contract framing is performed jointly by the C3PAO and the OSC and is conducted at the beginning of their engagement.

CMMC Assessment Scope: the boundaries within an organization's networked environment that contain all the assets that will be assessed. CMMC Assessment Scope is initially determined by the OSC and then validated by the C3PAO. More information on how to consider and determine an OSC's proper CMMC Assessment Scope can be found in the DoD manual, CMMC Assessment Scope - Level 2.

1.4.1 Frame the Assessment

The C3PAO works with the OSC to frame the Assessment. The initial discussion may be conducted between a C3PAO corporate representative and any OSC representative, including the OSC POC, but follow-on substantive conversations should be between the C3PAO and the OSC Assessment Official.

Note: It is recommended that the C3PAO and OSC sign a non-disclosure agreement (NDA) as part of the initial contractual arrangement in order to protect and give legal grounds to the OSC in the event of disclosure or loss of proprietary information by the C3PAO and/or Assessment Team members.
While it is not recommended, the OSC POC may serve as the OSC Assessment Official if that individual has decision-making authority within the company and is able to bind the OSC in agreements with the C3PAO. The OSC Assessment Official is responsible for ensuring all OSC-required actions during the Assessment are carried out, including the funding and payment for the Assessment. If needed, the OSC Assessment Official can delegate a separate individual within the OSC, in addition to the OSC POC, to serve as an additional OSC representative, who will also work with the Lead Assessor on a regular and operational basis for planning, preparing, and executing the Assessment.

For Assessment framing, the C3PAO and OSC shall discuss and agree upon the following elements of the prospective Assessment:

- Assessment location(s), including what aspects and activities of the Assessment will be conducted virtually;
- Identification of OSC staff that will provide Evidence and support for the Assessment;
- OSC’s CMMC Assessment Scope;
- OSC’s relevant documentation and Evidence, including the roles and responsibilities of its information technology and information security staff;
- A rough order-of-magnitude (ROM) estimate for the approximate duration and timing of the Assessment;
- The Assessment outputs that will be provided to the OSC Assessment Official upon completion of the Assessment; and
- Validation by the Lead Assessor and the OSC POC of the OSC’s Self-Assessment Practice Deficiency items.

Note: only the OSC Assessment Official can agree to, sign, and approve the framing and terms of the Assessment, codified in a valid legal contract, once determined through coordination with the Lead Assessor and C3PAO.
1.4.2 Identify Lead Assessor

The C3PAO reviews the CMMC Pre-Assessment Data Form or other initially submitted information and then considers prospective Certified CMMC Assessors to assign as Lead Assessor for the engagement. The C3PAO should consider the experience of the Lead Assessor and how that relates to the size and complexity of the prospective Assessment, the geographical location(s) of the Assessment, the Lead Assessor’s familiarity with the OSC’s lines of business, and any potential conflicts of interest with the OSC. Once the C3PAO selects and assigns a Lead Assessor, the C3PAO replies to the OSC in writing and introduces the Lead Assessor to begin the engagement with the OSC.

1.4.3 Confirm the Corporate Identity to be Assessed

The Lead Assessor works with the OSC Assessment Official and/or the OSC POC to confirm the specific corporate legal entity that will be assessed, i.e., the precise identity of the actual “Organization Seeking Certification.” The actual OSC could be the entirety of the company itself, referred to as the Headquarters Organization (HQ Organization). Alternatively, the actual OSC could be a discrete subsidiary, division, or operating component—referred to as the “Host Unit”—of the larger corporation. It is also important for the C3PAO to understand the existence of any Supporting Organizations affiliated with the OSC that might factor into the CMMC Assessment Scope. The following definitions are used to designate the various elements of an assessed organization:

- HQ Organization: The legal entity that will be delivering services or products under the terms of a DoD contract. The HQ Organization itself could be the OSC, or it could designate a Host Unit as the OSC.
- Host Unit: The specific people, procedures, and technology within an HQ Organization that would be applied to the DoD contract and that are to be considered the OSC for CMMC Assessment purposes.
‒ Enclave: A set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter. A segmentation of an organization’s network or data that is intended to “wall off” that network or database from all other networks or systems. A CMMC Assessment Scope can be bounded to an enclave.
- Supporting Organizations: The people, procedures, and technology external to the HQ Organization that support the Host Unit. The assets affiliated with Supporting Organizations may need to be included as part of the CMMC Assessment Scope, but the Supporting Organizations themselves would NOT receive a CMMC Certification during the OSC’s Assessment.

Table 1.4.3 Examples of CMMC Organizational Definitions

Name                                 Unit                     Description
Acme Heavy Industries, Inc.          HQ Organization          Parent Company
Acme Defense Mission Systems, Ltd.   Host Unit                OSC
All-American Cloud Services, Inc.    Supporting Organization  Business entity that supports the OSC but may or may not be part of the CMMC Assessment

The HQ Organization or the Host Unit, depending on the corporate structure, must possess a Commercial and Government Entity (CAGE) code issued by the Department of Defense. The Assessment cannot proceed if the OSC does not have a valid CAGE code. In addition, the HQ Organization or the Host Unit, depending on the corporate structure, must also have registered with the General Services Administration’s (GSA) SAM.gov system and have been issued a Unique Entity Identifier (UEI).

Note: Small and medium-sized businesses may not have a multi-level corporate architecture that necessitates the delineation of a Host Unit, whereas larger corporations may not necessarily outsource certain functions to Supporting Organizations.
1.4.3.1 Understanding the Corporate Identity to be Assessed

Figure 1.4.3.1 gives two examples using the definitions above to confirm the Corporate Identity to be Assessed (aka high-level scoping), providing a visual understanding of each entity.

Figure 1.4.3.1 (figure not reproduced in this transcript)

1.4.4 Validate CMMC Assessment Scope

Determining the proper and accurate CMMC Assessment Scope is essential for conducting a valid Assessment. The OSC has the initial responsibility to establish the CMMC Assessment Scope of their networked environment, to include identifying and taking inventory of the various categories of assets contained therein that will be the subject of the CMMC Assessment. For guidance on how to conduct this scoping, refer to the Department of Defense’s CMMC Assessment Scope - Level 2, December 2021.

The OSC presents the CMMC Assessment Scope to the Lead Assessor, who then proceeds to verify its accuracy and integrity. In support of understanding and interpreting the CMMC Assessment Scope, the OSC must also provide the Lead Assessor with supporting documentation, such as network schematic diagrams, the System Security Plan (SSP), policies, and organizational charts. In doing so, the OSC should ensure that any proprietary information is clearly marked as such. If possession of these materials is granted to the Lead Assessor or other Assessment Team Members, a non-disclosure agreement between the OSC and the C3PAO should be considered, since a formal Assessment contract will likely not yet exist between the parties. Regardless, OSC documentation does not necessarily have to leave OSC control at this point of the process.
Note: Throughout the Assessment engagement, it is neither prohibited nor improper for a C3PAO to receive company proprietary information from the OSC and maintain access and/or possession of such information during the Assessment process. To be clear, however, upon completion of the Assessment or Assessment engagement (in the event the parties do not actually proceed with the Assessment itself) the C3PAO must return and/or destroy any and all OSC proprietary information. It is a violation of the CMMC Code of Professional Conduct (and of the CMMC Assessment Process) for a C3PAO to retain OSC proprietary information past the conclusion of the C3PAO-OSC engagement. As previously stated, a non-disclosure agreement should be in place between the parties prior to any proprietary information being shared. The Lead Assessor is required to validate the OSC’s CMMC Assessment Scope. Any disagreements or differences of opinion concerning the CMMC Assessment Scope must be resolved before the actual Assessment may commence. 1.4.5 Evaluate Model Non-Duplication Some OSCs may possess alternative cybersecurity certifications or findings, such as those of ISO 27001, FedRAMP, or other conformance regimes. Conformance to these standards is determined by external assessors not affiliated with CMMC in this capacity. Accordingly, absent subsequent official non-duplication policies published by the Department of Defense, other cybersecurity conformance regimes that may have been implemented by an OSC do not bestow any status or credit toward an OSC’s CMMC Assessment or Certification. 
1.4.6 Inventory OSC Cybersecurity Practices Against CMMC Model

Working under the guidance of, and in coordination with, their assigned Lead Assessor, the OSC shall provide to the C3PAO Assessment Team the following information:

- Results of the most recent OSC self-Assessment or any pre-Assessment conducted by an RP or Registered Practitioner Organization (RPO);
- A preliminary list of anticipated Evidence;
- The System Security Plan and other relevant documentation; and
- A list of all OSC personnel who play a role in the procedures that are in scope.

The Assessment Team then collaborates and coordinates with the OSC to correlate all the above information to each of the CMMC practices. The purpose of this procedure is to do a preliminary “triage” of all of the available evidentiary materials and “map” or “cross-walk” each item to its respective CMMC practice in order to establish the mutual understanding that the OSC has, at a minimum, addressed each of the CMMC practices with some evidentiary basis. This inventory does not establish that any or all CMMC practices have been implemented adequately and sufficiently in accordance with the CMMC standard, but rather that no “gaps” exist with regard to a particular CMMC practice, i.e., that no practice was neglected, ignored, or dismissed.

1.4.7 Verify and Record Evidence Against Adequacy and Sufficiency Criteria

The Lead Assessor determines and confirms the estimate of interviews, observations, reviews, and related Evidence that is needed for each practice or process that corresponds to the organizational functional areas and process roles. This is based on the requirements for Evidence:

Adequacy: criteria needed to determine if a given artifact, interview response (affirmation), demo, or test demonstrates performance of a CMMC practice.
Adequacy answers the question, “Does the Assessment Team have the right Evidence?”

Sufficiency: criteria needed to verify, based on CMMC Assessment Scope, that CMMC domain and practice coverage by the OSC is enough (sufficient) to rate against each practice. Sufficiency answers the question: “Does the Assessment Team have enough of the right Evidence?”

All Evidence must:
‒ Cover the sampled Host Units and/or Supporting Organizations;
‒ Cover the model scope of the Assessment (CMMC Scoping Guidance—Level 2); and
‒ Correspond to the Host Unit and/or Supporting Organizations in the Evidence collection approach.

Adequate and sufficient Evidence will be required to determine if the OSC is ready for the Assessment, which is outlined in Section 1.6.3.

Review OSC Self-Assessment and DoD Assessment Findings Criteria

The Lead Assessor and the OSC POC shall jointly review the OSC’s most recent CMMC self-assessment (either conducted by themselves or by a trusted third party, such as their RP or RPO) against the context of the DoD’s criteria for the assessment of CMMC practices. This joint review is conducted to ensure that the C3PAO Assessment Team and the OSC are aligned in terms of expectations and requirements as they relate to the OSC’s CMMC Assessment Scope and the framing of the Assessment engagement contract. The DoD Assessment findings criteria can be found in the CMMC Assessment Guide – Level 2, Version 2.0, pages 9-10:

The assessment of a CMMC practice results in one of three possible findings: MET, NOT MET, or NOT APPLICABLE. To achieve a specific CMMC level, the contractor will need a finding of MET or NOT APPLICABLE on all CMMC practices required for the desired level as well as for all lower levels. For example, a contractor will need a MET or NOT APPLICABLE finding on all CMMC practices at Levels 1 and 2 to achieve a CMMC Level 2 certification.

MET: The contractor successfully meets the practice.
For each practice marked MET, the Certified Assessor includes statements that indicate the response conforms to all objectives and documents the appropriate evidence to support the response.

NOT MET: The contractor has not met the practice. For each practice marked NOT MET, the Certified Assessor includes statements that explain why and documents the appropriate evidence that the contractor does not conform fully to all of the objectives.

NOT APPLICABLE (N/A): The practice does not apply for the assessment. For each practice marked N/A, the Certified Assessor includes a statement that explains why the practice does not apply to the contractor. For example, SC.L1-3.13.5 might be N/A if there are no publicly accessible systems.

A contractor can inherit practice objectives. A practice objective that is inherited is MET if adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice objective. An ESP may be external people, technology, or facilities that the contractor uses, including cloud service providers, managed service providers, managed security service providers, cybersecurity-as-a-service providers. Evidence from the enterprise or the entity from which the objectives are inherited should show they are applicable to in-scope assets and that the assessment objectives are met. For each practice objective that is inherited, the Certified Assessor includes statements that indicate how they were evaluated and from whom they are inherited. If the contractor cannot demonstrate adequate evidence for all assessment objectives, through either contractor evidence or evidence of inheritance, the contractor will receive a NOT MET for the practice.
1.5 Complete Pre-Assessment Planning

The Pre-Assessment Data Form is essentially the holistic planning document for the Assessment itself. The template’s purpose is to record the requirements, agreements, risks, conflicts-of-interest mitigation, and logistics for the CMMC Assessment. The Pre-Assessment Data Form must be kept up to date throughout Phase 1, as the CMMC Assessment Scope and other conditions may evolve. The Pre-Assessment Data Form must be updated whenever any significant change occurs, including, but not limited to:

1. If/when any significant changes to the framing of the Assessment and the OSC-C3PAO contract occur;
2. Any change to the OSC’s CMMC Assessment Scope (e.g., added or removed assets or removed process roles) is declared;
3. Changes to dates/times or scheduled Assessment events, including the scheduled dates for the Assessment itself, are agreed upon;
4. The C3PAO effects changes to the makeup of its Assessment Team; and
5. Any unplanned disruptions (e.g., COVID-19 travel restrictions or protocols, natural disasters, etc.) emerge.

The Lead Assessor and the OSC Assessment Official must ultimately reach agreement on the content and submission of the final Pre-Assessment Plan for the Assessment to commence. The final version of the Pre-Assessment Data Form is submitted via upload into CMMC eMASS at the completion of Phase 1. It must be uploaded by a CMMC eMASS-authorized C3PAO representative. If changes occur after the Pre-Assessment Plan has been uploaded, a new data upload is required. Previous data uploads are retained in CMMC eMASS to allow for audit tracking. Any official CMMC Certification Assessment must have a documented and current Assessment Plan, using the required CMMC Assessment plan template, or a C3PAO equivalent document with the same data.
1.5.1 Develop Evidence Collection Approach

The Lead Assessor shall identify methods, techniques, and responsibilities for collecting, managing, and reviewing Evidence, including:

- Artifact gathering and availability;
- Interview approach;
- Test or demonstration observation approach; and
- Requests for information (email or surveys).

The Evidence collection approach has implications for the following aspects of the Assessment:

- The amount of time and effort expended by the OSC in preparing for the Assessment;
- Ability of the Assessment Team to make accurate judgments;
- Usefulness and accuracy of the Assessment results; and
- Overall cost of the Assessment.

During Phase 1, the Evidence collection approach must record the use of any virtual data collection techniques, including any risks and mitigations, and how any Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and/or OSC proprietary information will be managed and protected.

During Phase 2, the C3PAO Assessment Team will conduct affirmation sessions (interviews or demonstrations) either in person (face-to-face) or virtually (using video teleconference technology) with participants (interviewees) from the OSC. Upon mutual agreement, much of the Evidence collection process may be conducted virtually, utilizing a stable and commercially secure video conference system or a web-based collaboration platform. The ultimate decision as to whether or not some of the Evidence collection activities will be conducted virtually or “on premises, in-person” rests with the OSC.
That notwithstanding, implementation validation of the following 15 CMMC practice objectives must be observed by the C3PAO Assessment Team in person and on the premises of the OSC; Evidence collection for these objectives is precluded from being conducted virtually:

- CM.L2-3.4.5[d]: Physical access restrictions associated with changes to the system are enforced.
- MA.L2-3.7.2[d]: Personnel used to conduct system maintenance are controlled.
- MP.L2-3.8.1[c]: Paper media containing CUI is securely stored.
- MP.L2-3.8.1[d]: Digital media containing CUI is securely stored.
- MP.L2-3.8.4[a]: Media containing CUI is marked with applicable CUI markings.
- MP.L2-3.8.4[b]: Media containing CUI is marked with distribution limitations.
- PE.L1-3.10.1[b]: Physical access to organizational systems is limited to authorized individuals.
- PE.L1-3.10.1[c]: Physical access to equipment is limited to authorized individuals.
- PE.L2-3.10.2[a]: The physical facility where organizational systems reside is monitored.
- PE.L2-3.10.2[d]: The support infrastructure for organizational systems is monitored.
- PE.L1-3.10.3[a]: Visitors are escorted.
- PE.L1-3.10.3[b]: Visitor activity is monitored.
- PE.L1-3.10.5[b]: Physical access devices are controlled.
- PE.L1-3.10.5[c]: Physical access devices are managed.
- SC.L2-3.13.12[b]: Collaborative computing devices provide indication to users of devices in use.

If the OSC has security barriers, e.g., a firewall that prevents access to artifacts by the Assessment Team, ensure at least one (1) Assessment Team Member for each C3PAO team has access to the artifacts (i.e., physically onsite, OSC-provided hard copy, or electronic files).

Please see Appendix S – “CMMC Assessment Evidence Collection Approaches” on various techniques, methods, and responsibilities for Evidence collection.

1.5.2 Select Assessment Team Members

The identification and assignment of C3PAO Assessment Team Members should be conducted with deliberate consideration and thought.
This important activity should be viewed as a shared responsibility of both the C3PAO and the Lead Assessor that the C3PAO has selected for a specific OSC’s CMMC Assessment. These personnel decisions entail much more than just selecting names off a CCA or CCP roster. The composition of a C3PAO Assessment Team should incorporate several factors. First and foremost, the C3PAO is responsible for verifying that all Assessment Team Members possess an active status in good standing as a CMMC Certified Assessor or CMMC Certified Professional, which can be confirmed on The Cyber AB’s CMMC Marketplace. Other considerations for assigning Assessment Team Members should include, but are not necessarily limited to, the following:

- Absence of any conflicts of interest with the OSC;
- Availability for the targeted date range of the Assessment;
- Cost, especially the hourly rate of independent (i.e., “1099”) Assessors;
- Years of experience;
- Geographic location of the Assessor;
- Specialization with a particular DIB sub-sector that aligns with the OSC’s lines of business; and
- Professional reputation within the CMMC Ecosystem.

C3PAOs and Lead Assessors may, at times, receive requests from OSCs for a specific Assessor. While OSCs have no authority or standing to insist on any particular individual as an Assessment Team Member, C3PAOs may take such requests into consideration in composing their team as long as no conflict of interest exists between the Assessor and the OSC.

1.5.3 Identify Resources and Schedule

The C3PAO works with the OSC Assessment Official to determine an anticipated level-of-effort and associated cost estimate to conduct the CMMC Assessment.
Once agreed upon by the C3PAO and the OSC Assessment Official, this “rough order of magnitude (ROM)” estimate becomes the basis for determining the specific pricing structure of the ultimate contract agreement. It is important that the Lead Assessor verifies the accuracy and completeness of the CMMC Pre-Assessment information, as this—the general organization and preparedness of the OSC—will serve as one of the determinants of cost. Through iterative dialogue, the Lead Assessor and the OSC Assessment Official determine the resources, cost, and schedule within which the Assessment is to be conducted. The statutory requirements of a CMMC Assessment and the preferences of the OSC Assessment Official, along with the consequent costs, logistics, size of the C3PAO Assessment Team, and schedule factors, are balanced to arrive at an efficient and effective resource plan for the Assessment.

The Lead Assessor has the primary responsibility for verifying that all planning requirements have been met in constructing the ROM, including:

- Providing and recording detailed resource needs and costs beyond general boilerplate estimates;
- Identifying and documenting all Assessment participants, including:
  ‒ The names and titles of individuals who are candidates for affirmation, i.e., interviewees;
  ‒ The names and functions of Assessment support personnel within the OSC (if any);
  ‒ The organizational or project affiliation of all participants; and
  ‒ Assessment Team Members, roles, and verified qualifications.
- Identifying and recording any facilities to be used, including the location, seating capacity, required support equipment, and room configuration;
- Determining and recording schedule aspirations and constraints, including the estimated duration of key activities;
- Identifying and recording costs associated with travel, including meals and incidentals; and
- Identifying and recording any potential triggers for when replanning and/or updating of the Assessment plan will be required (e.g., schedule overruns, unavailability of resources, etc.).

The C3PAO should also develop a proposed schedule for each day of the Assessment and show how the team effort estimates are applied over the scheduled Assessment duration. The Lead Assessor and the OSC should also determine if there will be any anticipated constraints or limitations in accessing necessary data for the Assessment.

The C3PAO shall document the results of this joint planning effort, including the requirements, agreements, cost estimates, risks, practical considerations, schedules, logistics, and any contextual information about the organization associated with the Assessment, and should include all of this information in—or as an addendum to—the ultimate contract between the OSC and the C3PAO.

1.5.4 Identify and Manage Conflicts of Interest (COI)

A basic conflict of interest is a situation or set of circumstances in which an individual or an organization is involved in multiple interests—financial, organizational, or otherwise—and acting in the best interest of one could simultaneously work against the best interests of another. Conflicts of interest—or the perception of them—can undermine objectivity, including that of the Assessment Team, and must be avoided or mitigated within the CMMC Ecosystem.
The International Organization for Standardization (ISO) regime to which C3PAOs will ultimately be held accountable, ISO/IEC 17020, “Conformity Assessment— Requirements for the operation of various types of bodies performing inspection,” includes specific measures for ensuring impartiality of conformity Assessments. For CMMC Assessments, the Lead Assessor and Assessment Team Members are responsible for identifying potential COIs. The Lead Assessor will document them in the Pre-Assessment Plan and take decisive action to either avoid them or develop and implement verifiable measures to mitigate them. All parties should be familiar with—and refer to regularly—the conflict-of-interest provisions and prohibitions within the “CMMC Code of Professional Conduct.”

If a conflict of interest is disclosed or identified, by either party, the Lead Assessor should work with the OSC Assessment Official to develop a mitigation plan for the identified conflict in question. Any mitigation measures to which the parties agree should be documented and signed accordingly. In the event the conflict cannot be sufficiently mitigated due to the circumstances, the C3PAO must not proceed with the Assessment. In addition, prior to commencing the Assessment, the Lead Assessor and all Assessment Team Members must attest (by signature) and submit to the CMMC Accreditation Body the “Absence of Conflict-of-Interest Confirmation Statement,” as outlined in Phase 2.

1.6 Verify Readiness to Conduct the Assessment

The final step of Phase 1—for which the Lead Assessor is responsible—is to confirm that all parties are ready and positioned to conduct the CMMC Assessment. This includes ensuring that the OSC is adequately prepared, the C3PAO Assessment Team is established and ready, that Evidence is available and accessible, and that risks have been identified—all of which contribute to the overall feasibility of conducting the Assessment as planned.
The Lead Assessor must also verify that all necessary logistics have been planned and that the C3PAO and the OSC have agreed to contract terms. The readiness review is not intended to be a comprehensive determination of whether an OSC will necessarily meet any targeted CMMC Level and be successful in attaining Certification. Rather, the readiness review is the process of confirming that both parties are sufficiently prepared to conduct the Assessment.

Upon analyzing all the information collected and discussions conducted during Phase 1, the Lead Assessor shall arrive at one of the following four (4) possible determinations:

1) Proceed with the Assessment as planned: all preparedness requirements have been met and all planning conditions are satisfactory to conduct a CMMC Assessment;
2) Replan the Assessment: not all preparedness requirements have been met, compelling the OSC and/or C3PAO to resolve certain discrepancies before the Assessment may commence;
3) Reschedule: all preparedness requirements have been met but planning conditions have been compromised due to external factors such as personnel health issues, natural disasters, current events, etc., and the Assessment must be rescheduled for a different date range; or
4) Cancel the Assessment: the Assessment cannot proceed due to insurmountable factors such as a conflict of interest that cannot be mitigated, a failure to arrive at contract terms between the C3PAO and OSC, etc.

In all four determinations, the Lead Assessor makes the recommendation, but the C3PAO retains ultimate decision and approval authority.
1.6.1 Access and Verify Evidence

With the list of Evidence that was inventoried and “mapped” against the CMMC practices in Section 1.4.6, the Lead Assessor and/or Assessment Team Members shall now perform a cursory review of the actual Evidence to verify that it exists and is ready for the formal scrutiny that will be applied by the C3PAO Assessment Team during the conduct of the Assessment in Phase 2. Whereas in Section 1.4.6 the Lead Assessor was only reviewing an unverified list of the Evidence the OSC intended to present, in this step the Lead Assessor and/or Assessment Team Members are obtaining said Evidence and confirming that it is present, accessible, and available to satisfy the requirement to assess the Evidence for CMMC Certification purposes in Phase 2.

Note: To reiterate, Evidence is only being verified at this stage; it is not being examined by the C3PAO Assessment Team.

If aspects of the CMMC Assessment will be conducted virtually, the Lead Assessor should ensure that the Virtual Assessment Evidence Preparation Template (Appendix E) has been utilized, that all practices have been annotated, and that the necessary Evidence and the manner in which it will be presented are accounted for on the form.

Note: The CMMC Accreditation Body does not permit a C3PAO to perform a readiness review with the intent of identifying weaknesses in the Evidence so the OSC can take corrective action prior to the conduct of the actual Assessment in Phase 2. At no time during this preliminary review of the Evidence shall the Assessment Team provide any advice or recommendation on how the OSC could improve or enhance the sufficiency or adequacy of their presented Evidence.
Additionally, the Lead Assessor is responsible for verifying any in-scope CMMC practices that the OSC proposes to claim as “Not Applicable” or “N/A” for that Host Unit or Supporting Organization. The Lead Assessor must also ensure that no proprietary data is to leave the OSC’s environment without the express written consent of the OSC Assessment Official. 1.6.2 Make Assessment Feasibility Determination Based on the verified existence of Evidence, along with the aforementioned resource estimates, Assessment objectives, plans, and schedule, the Lead Assessor shall determine if conducting the Assessment, as framed, is feasible. The Lead Assessor makes his or her Assessment feasibility determination known to the OSC and the C3PAO and documents the recommendation in writing. The C3PAO retains the ultimate decision authority on whether or not to proceed with the conduct of the Assessment, obviously dependent upon the willingness of the OSC to proceed as well. If the C3PAO makes the decision to proceed with the Assessment as planned, the Lead Assessor and Assessment Team Members shall prepare the Pre-Assessment Form to be uploaded into CMMC eMASS. In the event that the C3PAO elects to either replan or reschedule the Assessment, the C3PAO and the OSC should agree upon the specific way forward and make arrangements accordingly to resume the engagement at a future date. Under no circumstances shall the C3PAO offer any advice, implementation assistance, or recommendations as to how the OSC can improve or enhance their preparedness for a replanned or rescheduled CMMC Assessment and doing so is an explicit violation of the CMMC Code of Professional Conduct. If the C3PAO or the OSC decides to cancel the Assessment, both parties should settle all affairs—including the return of any OSC proprietary information—and formally close out the engagement. 
1.6.3 Conduct Quality Review on Pre-Assessment Form Data

C3PAOs shall have at least one CMMC Quality Assurance Professional (CQAP) supporting its CMMC Assessment Teams. One of the primary roles of the CQAP is to verify, prior to uploading into CMMC eMASS, the Pre-Assessment Form data as captured throughout Phase I to ensure the accuracy and completeness of the information. In addition to the quality of the data, the CQAP also ensures that the Pre-Assessment information is properly structured in the JavaScript Object Notation (JSON) format to facilitate successful exporting into CMMC eMASS. For guidance on the prescribed JSON schema, please refer to the “CMMC eMASS Concept of Operations (CONOPS) for C3POs.” Formatting assistance is also available on the CMMC eMASS tool/website at https://cmmc.emass.apps.mil.

1.6.4 Upload Pre-Assessment Form into CMMC eMASS

Upon completion of the quality assurance review, the Lead Assessor shall direct one of the C3PAO’s approved CMMC eMASS account holders to upload the Pre-Assessment Form into CMMC eMASS. The Pre-Assessment Form Template provided in Appendix A may be used for this purpose. C3PAOs may elect to develop an in-house spreadsheet or purchase a third-party tool to facilitate the upload of the Pre-Assessment Form data into CMMC eMASS. Any such application must incorporate all required Pre-Assessment Form data fields, meet DoD security requirements, and generate Pre-Assessment Form data in the required CMMC eMASS JSON file format.

Note: C3PAOs are required to send representatives to attend a free CMMC eMASS training session provided by the Department of Defense before they can be granted access to the system. Scheduling facilitation assistance for these training sessions is provided by the CMMC Accreditation Body.
Prior to uploading the Pre-Assessment Form data to CMMC eMASS, the C3PAO CMMC eMASS account holder must contact the CMMC Program Management Office (PMO) administrator in order to have a record created for the OSC being assessed. This important step configures access controls to assure the data uploaded by the C3PAO is protected from access by other C3PAOs.

1.6.5 Prepare the Assessment Team

Prior to commencing Phase 2, the Lead Assessor shall verify that all Assessment Team Members are sufficiently prepared for performing the planned Assessment activities. This preparation includes ensuring Assessment Team Members are familiar with the CMMC Assessment Scope of the OSC and its System Security Plan. The Lead Assessor shall assign and communicate specific roles and responsibilities for each Assessment Team Member before conduct of the Assessment commences.

1.6.6 Execute the C3PAO-OSC Contractual Agreement

At the completion of Phase 1, all the pertinent Assessment planning details will have been gathered, discussed, and reviewed to create the Assessment plan that will be carried out as part of the contract between the C3PAO and OSC. Prior to beginning the Assessment, the contractual agreement between these two parties shall be signed by authorized representatives of the C3PAO and the OSC Assessment Official and executed accordingly in good faith.

PHASE 2 – CONDUCT THE ASSESSMENT

The purpose of Phase 2 is to assess the implementation of CMMC practices by the OSC in conformance with the CMMC Model. The C3PAO Assessment Team will verify the adequacy and sufficiency of Evidence to determine whether the practices have met the required standard.
The Assessment Team identifies, describes, and records any gaps in procedures related to model practices or procedures and presents the results of each day to the OSC during a daily checkpoint described in Phase 2.2. Most of the activities throughout this entire Phase, from subphases 2.2.1 through 2.2.6, are iterative in nature during an Assessment.

2.1 Convene Assessment Kickoff Meeting

The Lead Assessor will convene an Assessment kickoff meeting prior to the commencement of Assessment conduct, using the CMMC Appendix H – CMMC Assessment In-Brief or equivalent presentation. This meeting may be conducted in-person, virtually, or in a hybrid manner. Attendees for this meeting shall include, but are not limited to, the OSC Assessment Official, the OSC POC, the Assessment Team Members, and members of the OSC who will be participating in the Assessment. The OSC may elect to have their RP or RPO present as well.

The Lead Assessor and/or Assessment Team Members shall brief the Assessment process, purpose, schedule, and objectives. The Lead Assessor also communicates specific information about scheduled events and the locations where they will occur. The OSC should also deliver a briefing providing a high-level overview of their company/organization and their cybersecurity program. During this meeting, the OSC Assessment Official or the OSC POC should inform all relevant OSC personnel of their role in supporting the Assessment, including those being interviewed and providing Evidence. Any questions, issues, or concerns by either party should be identified, discussed, and resolved as part of this kickoff session. The Lead Assessor shall ensure that official minutes or a detailed meeting summary of the kickoff, including all questions and answers, are documented and retained by the C3PAO.
2.2 Collect and Examine Evidence

The CMMC Assessment Guide – Level 2 incorporates the Assessment procedures described in NIST SP 800-171A Section 2.1:

An Assessment procedure consists of an Assessment objective and a set of potential Assessment methods and Assessment objects that can be used to conduct the Assessment. Each Assessment objective includes a determination statement related to the [CMMC practice] that is the subject of the Assessment. The determination statements are linked to the content of the [CMMC practice] to ensure traceability of the Assessment results to the requirements. The application of an Assessment procedure to a [CMMC practice] produces Assessment findings. These findings reflect, or are subsequently used, to help determine if the [CMMC practice] has been satisfied.

Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system. Mechanisms are the specific hardware, software, or firmware safeguards employed within a system. Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic). Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above. For additional information on “Terms for Referring to Assessment Objects” see NISTIR 8011 Vol. 1, Paragraph 2.2.1.

The Assessment methods define the nature and the extent of the Assessor’s actions. These methods include examine, interview, and test.
The examine method is the process of reviewing, inspecting, observing, studying, or analyzing Assessment objects (i.e., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain Evidence. The examination must link directly to the Assessment objectives of the relevant CMMC practice, and the results of the examination are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an artifact to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the organizational or project procedures that can be mapped to one or more CMMC practices, and those artifacts must be produced by people who understand the practice and are in the chain of command that implements the practice.

The interview method is the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain Evidence. The interview must link directly to the Assessment objectives of the relevant CMMC practice, and the interview results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an interview statement to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting function or enclave procedures that can be mapped to one or more CMMC model practices. Interview affirmations must be provided by people who implement, perform, or support the practices.

Finally, the test method is the process of exercising Assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.
The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time and institutionalization. For a test/demonstration to be accepted as Evidence in an Assessment, it must pass its requirements and criteria while being observed by the Lead Assessor and Assessment Team. Any failed test results in a “NOT MET” CMMC practice.

In all three Assessment methods, the results are used to make specific determinations called for in the determination statements and thereby achieve the objectives for the Assessment procedures (CMMC Assessment Guide – Level 2, Version 2.0). Assessors shall follow the guidance in NIST SP 800-171A when determining which Assessment methods to use:

Organizations [Certified Assessors] are not expected to employ all Assessment methods and objects contained within the Assessment procedures identified in this publication. Rather, organizations [Certified Assessors] have the flexibility to determine the level of effort needed and the assurance required for an Assessment (e.g., which Assessment methods and Assessment objects are deemed to be the most useful in obtaining the desired results). This determination is made based on how the organization [contractor] can accomplish the Assessment objectives in the most cost-effective manner and with sufficient confidence to support the determination that the CUI requirements have been satisfied.

The primary deliverable of an Assessment is a report that contains the findings associated with each practice. For more detailed information on Assessment methods, see Appendix D of NIST SP 800-171A.
Any Evidence collection method that results in a CMMC practice being scored “NOT MET” must be evaluated using the current DoD Assessment methodology against the CMMC 2.0 Plan of Action and Milestones (POA&M) scoring criteria. The failed practice must also be recorded on the OSC’s Level 2 CA.3.12.1 “Security Control Assessment” practice documentation, under the corresponding practice as “NOT MET”.

During a CMMC Assessment, the Lead Assessor makes the final decision on preliminary recommended determination on all practices. For any practices where there is still a dispute between the Assessment Team and the OSC, the C3PAO holds the final interpretation authority for practice scorings and their related findings.

Phase 2.2 Required Outputs:
– Recorded and Presented Opening Briefing: To be completed and presented by the Lead Assessor.
– Detailed Records of Evidence Reviewed and Examined: Using the Appendix I – CMMC Daily Checkpoint or equivalent tool.

2.2.1 Examine and Analyze Evidence

Examining Evidence is an effective means to gain detailed insight about the practices implemented by the OSC and how those practices are performed. The OSC should provide a current and organized list of their Evidence and process mappings from any internal or third-party gap analysis as well as from the readiness review results. For each relevant practice in the CMMC Model, the C3PAO Assessment Team will review and collect the Evidence to demonstrate that the practice that is being performed is effectively implemented and conforms to the CMMC standard. The C3PAO Assessment Team shall be mindful of the following principles:

– The list of Evidence to be examined was provided to the Lead Assessor during Phase I, and that same list should be used to coordinate the collection of the Evidence for examination.
– Evidence artifacts might not necessarily have a one-to-one relationship with CMMC practices, resulting in a possible requirement for multiple artifacts.
– The OSC’s Evidence should be evaluated based on the Assessment objectives defined in the CMMC Level 2 Assessment Guide.
– For recently implemented practices, the implementation should demonstrate that the practices and/or procedures will show sufficient confidence to support the determination that the CUI protection requirements have been MET.
– It is incumbent upon the Assessment Team to ensure that the artifact being examined is current and that it was produced by the same individuals who are performing, implementing, or supporting the work.
– Assessment artifacts that represent policies and procedures must also demonstrate deployment and adoption by the affected OSC personnel.

2.2.2 Conduct Interviews and Assess Responses

Interviews are another effective means by which to glean insight into the CMMC conformance of an OSC, including an understanding of how those practices or procedures are performed by employees, contract staff, and Supporting Organizations. The Lead Assessor works with the OSC POC to identify staff within the OSC or third parties who perform procedures or have a role in supporting relevant cybersecurity activities. The Lead Assessor schedules affirmation or interview sessions with identified staff as part of the Assessment planning activities. These may be single or group interviews, as determined by the Lead Assessor’s understanding of the OSC’s stated roles and responsibilities of its staff and any Customer Responsibility Matrix (CRM) that might be in place with any of its Supporting Organizations.
During the interview session, the Lead Assessor and, if applicable, the Assessment Team:

– Takes steps to ensure and verify that confidentiality and non-attribution are addressed for interviewees so that they can speak openly without fear or concern about retribution from any member of the OSC;
– Asks questions of OSC staff to get clarity and understanding of practice or process implementation, and then reviews or verifies any corresponding artifacts to determine CMMC practice implementation and records their answers in the form of notes; and
– Maps responses from interviewees to CMMC model practices to aid in determining and supporting the rating of that practice.

Conducting interviews may be an iterative activity, requiring some follow-up interview sessions or requests for information. Interviews resulting from daily checkpoint sessions should also be recorded and verified by the Lead Assessor and Assessment Team.

2.2.3 Observe Tests and Analyze Results

Observing live tests or demonstrations provides the Lead Assessor and Assessment Team with detailed operational insight into the effectiveness of the CMMC practices implemented in the OSC, including an understanding of how those practices are executed or supported through the use of a given technology application, system, test, or other similar approach. The Lead Assessor works with the OSC POC to identify staff in the OSC who perform procedures or have a role in supporting the practice under review. The Lead Assessor schedules test or demonstration observations with identified staff as part of the Assessment planning activities. These may be single or group tests or demonstrations, as determined by the OSC’s stated roles and responsibilities of its staff and any Customer Responsibility Matrix (CRM) that might be in place with any of its Supporting Organizations.
During the test or demonstration observation session, the Lead Assessor and, if applicable, Assessment Team:

– Takes steps to ensure and verify that confidentiality and non-attribution are addressed for anyone conducting a test or demonstration so that they can speak openly without fear or concern about retribution from any member of the OSC;
– Asks questions of OSC staff to get clarity of the test approach and results, and verifies any corresponding artifacts or procedures to determine CMMC practice implementation and records their answers in the form of notes; and
– Maps responses from tests and demonstrations to CMMC practices to aid in determining and supporting the rating of that practice.

Any test or demonstration that successfully demonstrates how the CMMC practice is implemented will be noted as “MET”. Conversely, any test or demonstration that fails to demonstrate how a CMMC practice is implemented results in a “NOT MET” for that CMMC practice.

2.2.4 Identify and Document Evidence Gaps

The primary intent of this activity is to determine, from the Evidence gathered and reviewed, whether an Evidence gap exists between what the OSC’s Evidence shows and what the C3PAO Assessment Team requires to support a claim that conformance to the CMMC practice has been attained. During this phase, the Lead Assessor and Assessment Team verify both Evidence adequacy and sufficiency. All Evidence examined by the C3PAO Assessment Team must address the full CMMC Assessment Scope of the OSC. As a reminder from Phase I:

Adequacy criteria will determine if a given artifact, interview response (affirmation), demonstration, or test meets the CMMC practice.
Adequacy answers the question: “Does the Assessment Team have the right Evidence?”

Sufficiency criteria are needed to verify, based on Assessment and organizational scope, that coverage by domain, practice and Host Units, Supporting Units, and enclaves is enough (sufficient) to rate against each practice by the process role performing the work. Sufficiency answers the question: “Does the Assessment Team have enough of the right Evidence?”

If the examined artifact does not sufficiently answer both the adequacy and sufficiency questions, an Evidence gap exists. Evidence gaps may point to a deficiency or weakness in the OSC’s implementation of its cybersecurity measures, which exposes them to greater security risk. Examples of Evidence deficiencies could include:

– Documents that are incomplete (e.g., authorized access control list missing new personnel)
– Affirmations that are illegitimate (e.g., attestation from an employee who is not the proper owner/operator/supervisor of the system or information being examined)
– Policies that lack endorsement by senior management (e.g., policies that are not signed, or signed by individuals not in a position of authority within the OSC)

The Assessment Team methodically works its way through the Evidence and records any gaps against CMMC model practices. For any in-scope practices that are determined to be “NOT MET,” the Assessor making that determination should ensure that the Lead Assessor is informed and has visibility on the “NOT MET” practice. (Similarly, the Assessment Team also records all practices determined to be MET during the Evidence examination).
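As an added illustration (not part of the CAP and not any C3PAO or CMMC tool), the following Python encodes the adequacy and sufficiency questions above as checks over constructed evidence records: adequacy is tested per artifact (currency, completeness, produced by someone who implements the practice, policy endorsement, observed test passed), and sufficiency is tested per practice as coverage of every in-scope Host Unit or enclave. The record fields, role names, the 365-day currency window, the placeholder practice id and all sample data are assumptions made here.

```python
"""Evidence gap check modelled on CAP Phase 2.2.4 (constructed example)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Artifact:
    practice: str                # CMMC practice the artifact is mapped to
    unit: str                    # Host Unit / Supporting Organization / enclave covered
    kind: str                    # "document", "affirmation", "policy" or "test"
    produced_by: str             # role of the person who produced the artifact
    implementing_roles: tuple    # roles that implement, perform or support the practice
    as_of: date                  # date the artifact was produced or last updated
    complete: bool = True        # False = e.g. access list missing new personnel
    endorsed: bool = True        # policies only: signed by someone with authority
    passed: bool = True          # tests only: observed test met its criteria


def adequacy_findings(a: Artifact, assessed_on: date, max_age_days: int = 365) -> list:
    """Reasons the artifact is NOT the 'right Evidence'; empty list = adequate."""
    reasons = []
    if (assessed_on - a.as_of).days > max_age_days:   # assumed currency window
        reasons.append("artifact is not current")
    if not a.complete:
        reasons.append("document is incomplete")
    if a.produced_by not in a.implementing_roles:
        reasons.append("produced by someone who does not implement/perform/support the practice")
    if a.kind == "policy" and not a.endorsed:
        reasons.append("policy lacks endorsement by senior management")
    if a.kind == "test" and not a.passed:
        reasons.append("observed test failed")
    return reasons


def evidence_gaps(artifacts, in_scope_units, practices, assessed_on: date) -> dict:
    """Map each practice to its gap reasons; an empty list means no Evidence gap."""
    gaps = {}
    for p in practices:
        reasons, covered = [], set()
        for a in (x for x in artifacts if x.practice == p):
            bad = adequacy_findings(a, assessed_on)
            if bad:
                reasons.append(f"{a.kind} for {a.unit}: " + "; ".join(bad))
            else:
                covered.add(a.unit)          # adequate evidence counts toward sufficiency
        missing = sorted(set(in_scope_units) - covered)
        if missing:                          # sufficiency: every in-scope unit must be covered
            reasons.append("insufficient coverage, no adequate Evidence for: " + ", ".join(missing))
        gaps[p] = reasons
    return gaps


def determinations(gaps: dict) -> dict:
    """A practice with any open Evidence gap cannot be rated MET."""
    return {p: ("MET" if not r else "NOT MET") for p, r in gaps.items()}


def sample_run() -> dict:
    """Constructed data: one Host Unit and one enclave in scope, two practices."""
    ops = ("security assessor", "ISSM")
    arts = [
        Artifact("CA.3.12.1", "Host Unit", "document", "security assessor", ops, date(2022, 6, 1)),
        # affirmation from someone outside the implementing roles -> inadequate
        Artifact("CA.3.12.1", "Enclave A", "affirmation", "HR manager", ops, date(2022, 7, 15)),
        Artifact("PRACTICE-X", "Host Unit", "policy", "CISO", ("CISO",), date(2022, 5, 2)),
        Artifact("PRACTICE-X", "Enclave A", "policy", "CISO", ("CISO",), date(2022, 5, 2)),
    ]
    return evidence_gaps(arts, ["Host Unit", "Enclave A"], ["CA.3.12.1", "PRACTICE-X"],
                         assessed_on=date(2022, 8, 5))


if __name__ == "__main__":
    for practice, reasons in sample_run().items():
        print(practice, determinations(sample_run())[practice], reasons)
```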
2.2.5 Update Evidence Review Approach and Status

The Evidence collection and review approach provides a means for the Assessment Team to continuously monitor progress toward sufficient and adequate coverage of the CMMC practices being assessed. The Assessment Team regularly reviews any additional time or duration impacts resulting from additional Evidence collection efforts and records the status on a minimum of a daily basis throughout the Assessment. The Evidence collection status summarizes the differences between the Evidence reviewed thus far and the Evidence needed to support the completion of the Assessment results, including the recommended findings. If significant changes are incurred to the manner or nature of how the OSC’s Evidence is being collected and examined, those changes should be reflected in the Pre-Assessment Data Form and the updated file should be exported to CMMC eMASS.

2.3 Score OSC Practices and Validate Preliminary Results

The Assessment Team shall score each in-scope CMMC practice based on the examination of the presented Evidence. The Assessment Team shall then review and validate these scores with representatives of the OSC during the daily review. The OSC, as appropriate, may then present additional Evidence, as agreed upon and accepted by the Lead Assessor, which the Assessment Team may then use to update or verify practice scores. The activities in this Assessment phase will be iterative based on the daily review results.
Phase 2.2 Required Outputs:
– Recorded and Presented Preliminary Recommended Findings: To be completed and presented by the Lead Assessor, using CMMC Assessment Findings Brief Template (Appendix L).
– Detailed Records of Evidence Reviewed and Examined, Resulting Practice Scores and Justification: Using the CMMC Assessment Results Template (Appendix K), Practices Tab.
– Evidence Hashed Value: See CMMC Artifact Hashing Tool User Guide found at https://www.acq.osd.mil/cmmc/documentation.html for specific procedures for hashing Evidence.
– Recorded and updated Daily Checkpoint (Appendix I): Which must include results from all discussed practices (artifact reviews, interviews, and examinations/tests) including any resulting actions and due dates.

2.3.1 Determine and Record Initial Scores

When the initial Evidence for each CMMC in-scope practice has been reviewed, verified, and scored, the Assessment Team records the initial MET/NOT MET/NA scores and prepares to review them with the Assessment participants during the daily checkpoint. CMMC Assessments will be scored at the objective level using the “CMMC Scoring with DoD Assessment Scoring Methodology” as featured in Appendix P. Assessors will score the objectives as MET/NOT MET/NA for each practice. Each practice with an objective(s) that is scored as NOT MET will inherently be scored as “NOT MET” for the entire practice and, accordingly, the Assess will ascribe a