CMMC Assessment Process
Also known as: CAP
The CMMC Assessment Process (CAP) is the official methodology a C3PAO follows to conduct a CMMC Level 2 certification assessment. It defines how assessors plan the assessment, examine evidence, interview personnel, test controls, score the results, and report findings, so that assessments are consistent across the ecosystem.
Related terms
- CMMC Third-Party Assessment Organization
A CMMC Third-Party Assessment Organization (C3PAO) is an entity accredited by the Cyber AB to perform CMMC Level 2 assessments on behalf of DoD contractors. C3PAOs are not used at Level 1, which is exclusively self-assessed, nor at Level 3, which is assessed by DIBCAC.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.
- Assessment Objective
An assessment objective is a discrete, atomic statement an assessor uses to determine whether a security requirement has been satisfied. NIST SP 800-171A breaks each of the 110 NIST SP 800-171 controls into multiple assessment objectives (approximately 320 in total), while the CMMC Level 1 Assessment Guide breaks each of the 15 Level 1 requirements into a smaller set of objectives.
- Defense Industrial Base Cybersecurity Assessment Center
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the Defense Contract Management Agency (DCMA) component that conducts NIST SP 800-171 assessments and CMMC Level 3 assessments on DoD contractors. DIBCAC assessments are the highest assurance level in the program.