By Scott M. McAuliffe, CPA, CISA, CFE, Partner, Risk Advisory Services
CMMC Assessment Process (CAP) Draft
In case you missed it, the Cyber AB released a pre-decisional draft of the CMMC Assessment Process (CAP) after its town hall meeting on July 26, 2022. The CAP provides CMMC Third-Party Assessment Organizations (C3PAOs) a standard process for conducting assessments. As a corollary, the release of the CAP has been highly anticipated by the CMMC ecosystem in hopes that it would provide valuable insights into how assessments would be performed and how Organizations Seeking Certification (OSCs) would be evaluated.
Four Phase Plan
Upon first review of the document, the following stood out:
- The assessment process is divided into four phases:
  - Phase 1 – Plan and Prepare the Assessment
  - Phase 2 – Conduct the Assessment
  - Phase 3 – Report Recommended Assessment Results
  - Phase 4 – Close-Out POA&Ms and Assessment
- Close to 40% of the document is dedicated to Phase 1 – Plan and Prepare the Assessment. Phase 1 details normal planning items such as scoping, identifying the team, scheduling the assessment, and establishing the approach. The most notable items in Phase 1 are:
  - The C3PAO must perform procedures to determine whether the OSC is ready for the assessment, such as confirming that there is evidence for each practice area and that the scoping appears complete and appropriate.
  - The C3PAO cannot use the planning process to identify weaknesses in the evidence so that the OSC can take corrective action before the actual Assessment is performed in Phase 2.
  - It identifies 15 CMMC practices that require in-person validation by the C3PAO unless the OSC uses a cloud service provider that holds a FedRAMP Moderate certification or baseline equivalency.
- Only 20% of the CAP is dedicated to Phase 2 – Conduct the Assessment. The CAP does not provide much of the Phase 2 detail you might think is necessary for a standard, consistent assessment process. In fact, the CAP speaks of giving the Assessor flexibility in determining the level of effort needed and the assurance required for an Assessment. The lack of detailed Phase 2 guidance appears to contradict the Cyber AB’s goal of bringing consistency to the assessment process. As an example, the CAP does not indicate where sample testing should be used, nor does it provide guidance on sampling. So, if an OSC has ten locations that are in scope, one Assessor’s approach could be to assess one location; another Assessor might assess a sample of locations; a third Assessor could assess all locations. The lack of detail could result in significant differences in the level of effort expended to evaluate a CMMC practice and, ultimately, varying costs to OSCs.
- Phase 2 does provide detail on the handling of External Cloud Service Providers that do not have at least a FedRAMP Moderate certification. In these cases, the C3PAO must determine whether (1) the OSC or the External Cloud Service Provider has provided a “body of evidence” documenting how the External Cloud Service Provider’s security controls are equivalent to those provided by the FedRAMP Moderate baseline standard; and (2) that body of evidence has been attested to by an independent, credible, professional source. The body of evidence will most likely include an SSP, a customer shared responsibility matrix, and any Plans of Action & Milestones (POA&Ms).
- While the CAP is silent on areas of consequence, such as standards/methodology for evaluating a practice, it is highly opinionated in seemingly inconsequential areas. For example, it provides a requirement that the C3PAO have a daily debrief with the OSC. Logistical details such as the cadence of status updates should be discussed and agreed to by the OSC and the C3PAO based on what makes sense given the scope, scale, and complexity of the assessment and availability of staff.
- In Phase 3, the CAP indicates that OSCs will need to meet 80% of the practices (88 of 110 practices “MET”) to obtain Conditional CMMC Level 2 Certification. It further details the specific 52 practices for which POA&Ms are allowed. OSCs that have met 80% of practices, including all practices that do not allow POA&Ms, will be provided with Conditional CMMC Level 2 Certification. The OSC will then have 180 days to complete the POA&M(s). If the POA&M(s) are not completed within the 180 days, the OSC will not be recommended for CMMC Level 2 Final Certification.
- In keeping with the traditions of American jurisprudence and DoD contracting, the CAP provides an appeals process for OSCs that do not agree with the scoring of a practice or believe there was a technical error or ethical breach in the assessment process. However, the pre-decisional draft does not include the Template that details the appeals process.
- The Cyber AB has yet to publish the majority of the Appendices and Templates that are referenced throughout the CAP.
Participate in the Comment Period by August 25, 2022
The Cyber AB currently has a 30-day comment period on the CAP that ends August 25, 2022; comments can be submitted to CAPcomments@cyberab.org. It is important that the CMMC ecosystem review the CAP and take advantage of this opportunity to provide constructive feedback to the Cyber AB, to best ensure consistency between C3PAOs in performing CMMC Assessments.