Navigating CMMC Level 2 Conformity Assessment
Phase 2 of the CMMC Assessment Process evaluates how the Organization Seeking Certification (OSC) has implemented the CMMC Level 2 security requirements, which are the 110 requirements of NIST SP 800-171 Rev 2. The C3PAO conducts the assessment under 32 CFR 170.17, applies the assessment procedures in NIST SP 800-171A, and operates as an inspection body that meets ISO/IEC 17020:2012.
Conducting the In-Brief Meeting
The Lead CCA schedules an in-person, virtual, or hybrid In-Brief Meeting before assessing security requirements. Key purposes include:
- Establishing shared understanding of assessment objectives
- Introducing assessment team and OSC personnel
- Confirming CMMC Assessment Scope
- Explaining Level 2 assessment methodology
- Reviewing assessment schedule
- Reconfirming absence of conflicts of interest
- Informing OSC of appeal rights
- Answering OSC questions about the assessment
Official minutes or detailed meeting summaries must be documented and retained.
Assessing Implementation of Security Requirements
Assessment teams evaluate the OSC's implementation of each security requirement using the three assessment methods defined in NIST SP 800-171A. Each assessment objective is scored MET or NOT MET based on the evidence gathered through these methods:
- Examine — Reviewing, inspecting, observing, studying, or analyzing assessment objects (specifications such as the SSP and policies, mechanisms such as system configurations, and activities such as operational processes) to facilitate understanding, achieve clarification, or obtain evidence
- Interview — Holding discussions with individuals or groups (system administrators, security staff, users) to facilitate understanding, achieve clarification, or obtain evidence
- Test — Exercising assessment objects (mechanisms or activities) under specified conditions to compare actual behavior with expected behavior, for example attempting an action that a control should block
Addressing External Service Providers
Assessment teams determine whether the OSC uses External Service Providers (ESPs) and, where it does, how each ESP contributes to meeting the security requirements. The Customer Responsibility Matrix (CRM) is the evidence for this: it identifies, for each requirement performed wholly, partially, or jointly by an ESP, which party is responsible for which part. Requirements that the CRM leaves to the OSC, and the OSC's share of jointly performed requirements, are still assessed against the OSC's own implementation.
Handling Cloud Service Providers
Teams determine whether the cloud environment the OSC uses to process, store, or transmit CUI is authorized at the FedRAMP Moderate baseline or higher. If the CSP is not FedRAMP authorized, the team verifies that it meets FedRAMP Moderate equivalency as defined in DoD CIO policy (the FedRAMP Moderate Equivalency memorandum), rather than accepting the CSP's self-attestation.
Quality Assurance in Phase 2
C3PAOs conduct periodic quality assurance reviews throughout the assessment. These are separate from the reviews of the Pre-Assessment Form and the Final Assessment Report.
Daily Checkpoint Meetings
Assessment teams host a daily meeting with the OSC point of contact and relevant personnel to summarize progress, identify challenges, and discuss coordination items such as evidence still outstanding and interviews yet to be scheduled.
Challenges and Best Practices in Phase 2
Challenges
- Assessment Readiness — Difficulties compiling required documentation and evidentiary materials
- Scope Validation — Difficulty defining the CMMC Assessment Scope accurately, which can cause discrepancies between the scope agreed before the assessment and what the team finds during Phase 2
- External and Cloud Service Provider Management — Complexities addressing security posture and responsibilities
- Conflict of Interest Mitigation — Proper identification and management of potential conflicts
Best Practices
- Thorough Pre-Assessment — Comprehensive SSP review and CMMC Assessment Scope validation before Phase 2
- Clear Communication — Open channels between OSC and C3PAO with daily checkpoint meetings
- Quality Assurance Reviews — Ongoing reviews enabling proactive identification and remediation
- Structured Assessment Methodology — Adhering to examine, interview, and test methodology
Preparing for Phase 3: Reporting and Results
- Compiling Assessment Findings and Evidence — Documenting all Phase 2 findings and the evidence that supports them, including implementation records and any non-conformities
- Organizing Data for the Assessment Report — The Lead CCA prepares the report in the format required by the CMMC PMO
- Preparing for Quality Assurance Review — A certified CCA who did not take part in the assessment reviews the report to validate its accuracy and completeness
- Planning the Out-brief Meeting — The Assessment Team presents and discusses the results with the OSC
- Uploading Results into CMMC eMASS — The QA individual uploads the finalized assessment information
- Familiarizing with Assessment Appeals Procedures — The QA individual manages any appeal the OSC raises
This approach ensures a thorough and transparent conclusion to the CMMC Level 2 certification assessment and prepares both parties for certificate issuance and for closure of any Plan of Action and Milestones items.