
CMMC Assessment Process

Know What to Expect at Every Step


What is a CMMC Level 2 Assessment?

A CMMC Level 2 assessment is an evaluation of your cybersecurity controls that confirms you can protect Controlled Unclassified Information (CUI) at the level your contract requires. Only an authorized C3PAO can perform a Level 2 Certification Assessment.

What is the CMMC Level 2 Assessment Process?

Preparation typically starts with scoping, documentation, and a readiness review. Completing a CMMC Level 2 mock assessment is highly recommended, but the organization should not start one until it has a complete assessment package and is ready for the certification assessment. During the mock assessment you will learn what the C3PAO requires before it will assess an objective as met. There is time to make changes and submit evidence for re-evaluation during the mock assessment, and there is no limit on the types of changes allowed.

A mock assessment generally includes:

  • Gathering documentation, artifacts, and evidence to evaluate your readiness.
  • Assessing your security posture across all 110 Level 2 security requirements and their 320 assessment objectives.
  • Preparing your team for the interview process and the types of questions the assessor will ask.
  • A mock assessment does not guarantee a successful certification assessment.

Once remediation is complete, the formal Level 2 Certification Assessment begins. The C3PAO team collects evidence, validates your implementation, scores your security requirements, and prepares the assessment package for submission. Upon attaining a CMMC Status of Final Level 2 (C3PAO), the certification is valid for three years unless there are significant changes to the CMMC environment.

What Happens After Certification?

Once certified, your controls must stay in place for the full three years to maintain your certification. Significant changes to the environment may require a new CMMC Level 2 Certification Assessment. Annually, you are required to perform a self-assessment, enter the score in SPRS, and have your Affirming Official attest that you remain in compliance with all 320 CMMC Level 2 assessment objectives.

Annual compliance assurance helps you verify ongoing compliance, reduce risk, and stay ready for recertification. It also gives your Affirming Official confidence when attesting to compliance each year. A false attestation, even one you believe to be accurate, can result in liability under the False Claims Act.

The Right C3PAO Makes the Difference

Your CMMC Level 2 experience is defined by the C3PAO guiding you through it. A C3PAO with high standards and clear communication makes the process easier to follow, easier to prepare for, and easier to manage from beginning to end.

McKonly & Asbury brings open and frequent communication to every engagement. We are an authorized C3PAO for CMMC Level 2 certification and were among the first 34 authorized in the Cyber AB Marketplace. Our team brings more than 15 years of experience with NIST SP 800-53 and NIST SP 800-171, giving you a knowledgeable partner from planning through certification.

  • CMMC Level 2 Mock Assessment: Follows the same process as the CMMC Level 2 Certification Assessment without the DoW reporting components. The final result is a status for each of the 320 assessment objectives, with a clear explanation of why any objective is listed as Not Met. This does not guarantee a successful certification assessment, but it provides valuable insight into the process and into any areas that may need remediation.
  • CMMC Level 2 Certification Assessment: As a C3PAO, we are required to follow the CMMC Assessment Process (CAP) defined by the Cyber AB. The stages of Planning, Pre-Assessment, Assess Objectives, and Reporting must be followed for a C3PAO to maintain its authorization/accreditation.
  • CMMC Level 2 Annual Compliance: M&A offers this service to provide assurance that the CMMC environment still complies with the current CMMC Level 2 assessment objectives. An annual compliance review in the interim years supports the score entered in SPRS and reduces the risk of surprises during the next CMMC Level 2 Certification Assessment.

CMMC Level 2 Assessment Process

Our mock, certification, and annual assessments all follow the same steps; only the CMMC Level 2 Certification Assessment includes the mandatory eMASS reporting.

  1. Planning and Scoping: Define the scope, timelines, schedules, and key documentation readiness. You will be told in advance what events are scheduled and what you need to do for each.
  2. Pre-assessment: Review the CMMC Level 2 package, verify the scope, and confirm that sufficient documentation and evidence is available to begin the assessment.
  3. Assess the Objectives: Assess all 320 assessment objectives and verify that sufficient evidence supports a determination of Met, Not Met, or N/A for each. This stage includes frequent checkpoints at which the status of the objectives is communicated. We state clearly why any objective is Not Met and what is missing; M&A will not provide guidance or consultation on how to remediate a Not Met objective.


CMMC Assessment Process Frequently Asked Questions

Who needs a CMMC Level 2 Certification Assessment?

Any contractor or subcontractor that wants to bid on a DoW contract with CMMC Status of Final Level 2 (C3PAO) requirements. The required level is contract-specific and should be stated in the contract language.

What CMMC level do I need?

Your required level depends on the contract and the type of information you handle. In general, Level 1 applies to Federal Contract Information (FCI), Level 2 applies to CUI, and Level 3 is for the highest-priority programs and is assessed with government oversight.

What is a mock assessment?

A mock assessment is a preliminary assessment that follows every step of the certification assessment except the DoW reporting steps. There are many gray areas in the CMMC rules, and C3PAOs apply assessor judgment when conducting assessments, so interpretations of an assessment objective vary somewhat between C3PAOs. The mock assessment confirms that your interpretation of the requirements aligns with your C3PAO's interpretation before the certification assessment, whose results are reported to DoW.

Can a C3PAO help us implement the CMMC requirements?

A C3PAO cannot both assist with CMMC implementation and perform the official CMMC assessment for the same organization. To avoid conflicts of interest, C3PAOs are prohibited from consulting on implementation if they will also conduct the certification assessment. Organizations seeking implementation support should engage a Registered Practitioner Organization (RPO) or a C3PAO that provides readiness support; if a C3PAO helps you prepare, you must use a different C3PAO for the CMMC Level 2 Certification Assessment. A mock assessment is not a gap analysis and does not assist in preparing for a certification assessment: the C3PAO follows all of the independence and impartiality rules that apply to a CMMC Level 2 Certification Assessment when conducting the mock, and therefore retains the independence to conduct the certification assessment.

What happens if we do not pass?

If your organization does not pass the CMMC Level 2 Certification Assessment, you will receive a detailed results report showing each of the 320 assessment objectives as Met, Not Met, or Not Applicable (N/A). For any objective marked Not Met, the report explains why. To pursue certification, you must remediate the Not Met assessment objectives and then re-engage a C3PAO to complete the full CMMC Level 2 Certification Assessment again. To reduce the risk of rework and delays, McKonly & Asbury recommends a full CMMC Level 2 mock assessment with your selected C3PAO as part of your preparation for the certification assessment.

When do we need to be certified?

Phased implementation of the CMMC requirements is underway, with November 10, 2026 as the date on which contracts are required to include CMMC Status of Final Level 2 (C3PAO) requirements when CUI is involved. Contracting Officers may add this requirement at their discretion and are already doing so without waiting for that date. Because compliance often takes months of preparation, starting early helps avoid delays.

CMMC Certification Solutions

How Can We Help?

By leveraging our tiered cybersecurity services, you can prepare your organization to meet DoW and industry-related cybersecurity standards. Explore our suite of security audit and assessment solutions:

  • CMMC Level 2 Mock Assessment (Non-Certified)
  • CMMC Level 2 Certification Assessment (C3PAO)
  • CMMC Level 2 Annual Assessment (Non-Certified)
