CMMC Update - The CMMC Assessment Process (CAP)
During January's CMMC Accreditation Board town hall meeting, Jeff Dalton, Chairman of the CMMC-AB, discussed the progress that has been made toward formalizing the actual CMMC Assessment Process and introduced the CAP. The CAP (CMMC Assessment Process) provides the overarching procedures and guidance for C3PAOs (certified 3rd-party assessment organizations) and OSCs (organizations seeking certification) on how CMMC Assessments should be conducted.
As Mr. Dalton described it, the CAP is an official document within the CMMC doctrinal canon:
NIST SP 800-171 and 172: the technical standard
CMMC Model: how the technical standard is incorporated into CMMC
CMMC Assessment Guide: how the implementation of the standard is assessed
CMMC Assessment Process (CAP): how CMMC Assessments should be conducted
The purpose of the CAP is to ensure the highest possible accuracy, fidelity and quality for CMMC Assessments and to maximize consistency. The CAP is a CMMC-AB document subject to approval by the DoD, and while tailored for specific use by C3PAOs and OSCs, the CAP will be a resource for the entire CMMC ecosystem. According to the CMMC-AB, the CAP is now being finalized and is currently under review.
This appears positioned to provide some of the critical guidance that C3PAOs have been eagerly awaiting, along with some much-needed direction on the actual assessment process, as the CAP supposedly 'establishes the various phases, procedures and templates that are employed in the conduct of a CMMC Assessment,' with the following detail referenced during the CMMC-AB town hall:
Phase 1: Plan and Prepare the Assessment
Phase 2: Conduct the Assessment
Phase 3: Report Assessment Results
Phase 4: Remediation
How to commence an engagement
Roles and responsibilities within the C3PAO and the OSC
Organizational definitions and scoping discussions
Developing the ROM estimate
Developing the Assessment plan
Identifying resources and determining schedule
Performing the readiness review
Collecting and examining evidence
Recording the results
Any current qualified compliance practitioner should be expected to have their own set of current processes and procedures across all of these key areas, so the formal guidance by the CMMC-AB, while eagerly awaited, will likely come under much scrutiny. The good news is that the guidance seems to be coming soon.
For more information, check out the recorded January CMMC-AB Town Hall meeting: