LogoNewOutline2.png
Search
  • Principia Raid

CMMC Update - The CMMC Assessment Process (CAP)


During January's CMMC Accreditation Board town hall meeting, Jeff Dalton, Chairman of the CMMC-AB, introduced and discussed the progress that's been made towards formalizing the actual CMMC Assessment Process and introduced the CAP. The CAP (CMMC Assessment Process) provides the overarching procedures and guidance for C3PAOs (certified 3rd-party assessment organizations) and OSCs (organizations seeking certification) on how CMMC Assessments should be conducted.


As described by Mr. Dalton as follows, The CAP is an official document within the CMMC doctrinal canon:

  • NIST SP 800-171 and 172: the technical standard

  • CMMC Model: how the technical standard is incorporated into CMMC

  • CMMC Assessment Guide: how the implementation of the standard is assessed

  • CMMC Assessment Process (CAP): how CMMC Assessments should be conducted


The purpose of the CAP is to ensure the highest possible accuracy, fidelity and quality for CMMC Assessments and to maximize consistency. The CAP is a CMMC-AB document subject to approval by the DoD, and while tailored for specific use by C3PAOs and OSCs, the CAP will be a resource for the entire CMMC ecosystem. According to the CMMC-AB, the CAP is now being finalized and is currently under review.


This would seem to be positioned to provide some of the critical guidance that C3PAOs have been eagerly awaiting and would provide some much needed direction re the actual assessment process as the CAP supposedly 'establishes the various phases, procedures and templates that are employed in the conduct of a CMMC Assessment,' with the following detail referenced during the CMMC-AB town hall:


PHASES

  • Phase 1: Plan and Prepare the Assessment

  • Phase 2: Conduct the Assessment

  • Phase 3: Report Assessment Results

  • Phase 4: Remediation

KEY AREAS

  • How to commence an engagement

  • Roles and responsibilities within the C3PAO and the OSC

  • Organizational definitions and scoping discussions

  • Developing the ROM estimate

  • Developing the Assessment plan

  • Identifying resources and determining schedule

  • Performing the readiness review

  • Collecting and examining evidence

  • Recording the results

  • Template inventory


Any current qualified compliance practitioner should be expected to have their own set of current processes and procedures across all of these key areas, so the formal guidance by the CMMC-AB, while eagerly awaited, will likely come under much scrutiny. The good news is that the guidance seems to be coming soon.


For more information, check out the recorded January CMMC-AB Town Hall meeting:


https://vimeo.com/670276801?embedded=true&source=vimeo_logo&owner=115783202





0 views
  • LinkedIn
  • YouTube
  • White Twitter Icon
  • White Facebook Icon

+1.888.708.0577

© 2022 by principia/RAID