HOW-TO Master the CMMC Level 2: Insights into Conformity Assessment

Navigating CMMC Level 2 Conformity Assessment

‍

The intended purpose of Phase 2 of the CMMC Assessment Process (CAP) is to look at and assess the overall implementation of the CMMC Level 2 security requirements, both in-depth and in the coverage area, by the Organization Seeking Certification (OSC) and determine if the implementation has met the assessment objectives of NIST SP 800-171A. The CMMC Third-Party Assessment Organization (C3PAO) will conduct the CMMC Level 2 Certification Assessment in accordance with 32 CFR § 170.17, NIST SP 800-171A, the CAP, and ISO/IEC 17020:2012 to ensure DoD cybersecurity compliance and conformity with the CMMC Program.

‍

Conducting the In-Brief Meeting

The Lead CMMC Certified Assessor (CCA) will schedule and conduct an In-Brief Meeting. The In-Brief Meeting must be conducted before assessing the OSC's implementation of CMMC security requirements. This meeting may be conducted in person, virtually, or hybrid. The overall purpose of this In-Brief Meeting is to establish a shared understanding and address the following:

• Assessment objectives

• Introduce the assessment team members and invite the introduction of key OSC personnel to include: (a) Assessment Team – Lead CCA and assessment team members (b) OSC – Affirming Official, OSC POC, consultants, and/or External Service Provider (ESP) personnel

• Confirm the CMMC Assessment Scope

• Explain the CMMC Level 2 assessment methodology outlined in 32 CFR §170.17(c)

• Review and confirm the assessment schedule

• Reconfirm the absence of or disclose any conflicts of interest previously identified

• Inform the OSC of its rights to appeal the assessment results and describe the C3PAO's appeals process

• Ask any questions or issues needing clarification from the OSC

‍

The Lead CCA shall also ensure that the C3PAO documents and retains official minutes or a detailed meeting summary of the In-Brief Meeting.

‍

Assessing Implementation of Security Requirements

The assessment team will evaluate the OSC's implementation of security requirements in accordance with NIST SP 800-171A and 32 CFR §170.17(c). The assessment team will use the examine, interview, and test assessment method outlined in NIST SP 800-171A (2.1), Assessment Procedures. The value purpose of the methods is described below:

• Examine - To facilitate understanding, achieve clarification, or obtain evidence

• Interview - The process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence

• Test - the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior

‍

The figure below illustrates an example of an assessment procedure for CUI security requirement 3.1.3 from NIST SP 800- 171.  

‍

‍

Addressing External Service Providers

The assessment team shall determine how the OSC is utilizing ESPs and ensuring adherence to cybersecurity standards. The Customer Responsibility Matrix (CRM) is a key document in identifying security responsibilities and addresses all in-scope CMMC security requirements performed wholly, partially, or jointly by the ESP.

‍

Handling Cloud Service Providers

One of the challenges with CSPs is determining if the OSC represents the CSP cloud environment supporting them, which is currently authorized at the Moderate baseline within FedRAMP. From there the assessment team can either determine the current Authorization baseline and status of the cloud offering by checking both the "Impact Level" and "Status" or if the CSP is not FedRAMP Authorized but meets the security requirements of FedRAMP Moderate (or higher) equivalency, the Assessment Team shall determine if equivalency has been attained in accordance with current DoD CIO policy on equivalency at the time of the OSC's Level 2 certification assessment.

‍

Quality Assurance in Phase 2

The C3PAO shall conduct periodic quality assurance reviews throughout the assessment process to observe the Assessment Team's conduct and management of the CMMC assessment process. This quality assurance review is separate from the Pre-Assessment Form, and the Final Assessment Report discussed in Phases 1 and 3.

‍

Daily Checkpoint Meetings

The Assessment Team should host a daily checkpoint meeting with the OSC POC and other OSC personnel at the end of each assessment day to summarize progress, identify any challenges, and discuss additional items for coordination moving forward.

‍

Challenges and Best Practices in Phase 2

The CMMC Level 2 assessments present several challenges for OSCs and C3PAOs; some of those challenges are:

• Assessment Readiness: The OSC can frequently encounter difficulties in ensuring that all of the required documentation and evidentiary materials are compiled and ready for review prior to assessment commencement.
• Scope Validation: The CMMC Assessment Scope's definition often proves challenging for both OSCs and C3PAOs, potentially leading to discrepancies in assessment expectations.
• External and Cloud Service Provider Management: Addressing the security posture and responsibilities of ESPs and CSPs often introduces complexities in the assessment of control responsibility.
• Conflict of Interest Mitigation: The proper identification and management of potential conflicts of interest between the C3PAO and the OSC are crucial for maintaining assessment integrity and impartiality.

To ensure efficient and effective CMMC Level 2 assessments, OSCs and C3PAOs should consider adopting the following strategies:

• Thorough Pre-Assessment: Conduct a comprehensive review of the OSC's System Security Plan (SSP) and validate the CMMC Assessment Scope before initiating Phase 2 of the assessment. This will help align expectations between the OSC and the C3PAO and identify potential gaps early on.
• Clear Communication: Open communication channels between the OSC and C3PAO is vital. Daily checkpoint meetings throughout the assessment process will ensure ongoing dialogue, address issues promptly, and foster mutual understanding.
• Quality Assurance Reviews: Integrating ongoing quality assurance reviews by the C3PAO throughout the assessment process enables proactive identification and remediation of potential issues, minimizing delays and setbacks.
• Structured Assessment Methodology: Adhering to the assessment methodology in NIST SP 800-171—examine, interview, and test—guarantees uniformity and a methodical evaluation of all in-scope CMMC security requirements.

‍

Preparing for Phase 3: Reporting and Results

For DoD contractors following the conformity assessment, the CAP transitions into a series of critical steps to finalize the results and prepare for CMMC Level 2 certification:

• Compiling Assessment Findings and Evidence: The Assessment Team will meticulously document all findings and evidence collected during Phase 2, including detailed records of how security requirement is implemented and any identified non-conformities. This comprehensive evaluation forms the basis for the assessment report.
• Organizing Data for the Assessment Report: The assessment report is meticulously prepared under the guidance of the lead CCA. The CCA will ensure it adheres to the format and content requirements of the CMMC Program Management Office (PMO). This standardized approach ensures consistency and clarity in reporting throughout all CMMC Assessments.
• Preparing for the Quality Assurance Review: An independent quality assurance (QA) individual who is a certified CCA but not a member of the Assessment Team conducts a thorough review of the assessment results. This critical step validates the accuracy and completeness of the findings, ensuring an objective and unbiased evaluation.
• Planning the Out-brief Meeting: The Assessment Team will facilitate an out-brief meeting with the OSC to discuss the assessment results. This meeting is a valuable opportunity to review findings, address any questions or concerns the OSC raises, and foster a shared understanding of the assessment outcome.
• Uploading Results into CMMC eMASS: The QA individual is responsible for uploading the finalized assessment information into the CMMC Enterprise Mission Assurance Support Service (eMASS). This secure repository serves as the official system of record for assessment results, enabling efficient tracking and processing.
• Familiarizing with Assessment Appeals Procedures: The CAP outlines a well-defined process for OSCs to appeal their assessment results if necessary. The QA individual manages any appeals process initiated by the OSC, ensuring fair and due process.

These activities ensure a thorough, transparent, and defensible conclusion to the OSC's CMMC Level 2 certification assessment. This comprehensive and structured approach prepares all parties for the final phase: issuing the certificate and closing out any identified Plan of Action and Milestones (POA&M), signifying the achievement of CMMC Level 2 compliance.

‍