What is the purpose of the CMMC Assessment Process (CAP)?
To ensure all assessments are accurate, consistent, and improve cybersecurity across the Defense Industrial Base (DIB).
Who conducts CMMC Level 2 certification assessments?
A Certified Third-Party Assessment Organization (C3PAO) and a Certified CMMC Assessor.
What organization initiates the CMMC assessment?
The Organization Seeking Certification (OSC).
What are the four phases of the CMMC Assessment Process?
1. Plan and Prepare the Assessment
2. Conduct the Assessment
3. Report and Recommend Findings
4. Perform POA&M Close-Out Assessment
What roles exist within the OSC during an assessment?
OSC Assessment Official: decision authority for the assessment
OSC POC: main contact coordinating between OSC and assessment team
Who leads the assessment team?
The Lead Assessor, assigned by the C3PAO.
What is the purpose of the Readiness Review in CAP?
To confirm both parties (OSC and C3PAO) are ready to conduct the assessment.
What document must exist before the assessment starts?
A formal Assessment Plan based on the CAP template (or C3PAO equivalent).
What are the three primary assessment methods used in CAP?
Examine, Interview, and Test.
What are artifacts in a CMMC assessment?
Tangible evidence (e.g., policies, screenshots, logs) showing practices are performed.
What does “Inherited Practice” mean in CAP?
A practice objective performed by another entity (e.g., cloud or managed service provider) with sufficient evidence provided to the assessor.
What is the Limited Practice Deficiency Correction (LPDC) program?
Allows OSCs to fix documentation errors or minor gaps in a short timeframe before final scoring.
Which practices cannot use Limited Practice Deficiency Correction?
Practices not implemented before assessment or those critical to CUI protection.
What is the POA&M Close-Out Assessment?
A follow-up review within 180 days for OSCs to demonstrate that previously “NOT MET” practices are now complete.
What is the CAP scoring method aligned with?
The DoD Assessment Scoring Methodology (based on NIST SP 800-171).
How are results finalized and reported?
The Lead Assessor submits the assessment report and all evidence to The Cyber AB via eMASS.
What system is used to upload assessment results?
CMMC eMASS (Enterprise Mission Assurance Support Service).
What document is used for quality review of assessments?
The CQAP (Certified Quality Auditor) Checklist.
Who can participate as a team member in an assessment?
A Certified CMMC Professional (CCP) may assist the Lead Assessor but cannot lead the assessment.
What are the three main types of evidence collection approaches in Appendix S?
Document review, technical testing, and personnel interviews.
What document outlines the scope, timeline, and participants of the assessment?
The Assessment Plan (created jointly by the OSC and Lead Assessor).
What does the Organization Seeking Certification (OSC) provide the Lead Assessor to help understand the CMMC Assessment Scope?
Supporting Documentation