CMMC Level 2 Assessment Guide

A Checklist to Help You Prepare for Your CMMC Level 2 Certification Assessment


Our CMMC Level 2 Assessment Guide outlines the key steps and tasks you will be required to complete during your CMMC Level 2 Certification Assessment. KLC Consulting is an authorized C3PAO: we assess whether an Organization Seeking Certification (OSC) meets the CMMC Level 2 requirements and issue the certificate when it does.

Before the CMMC Assessment

Laying the Foundation

Several important steps must be taken before the formal assessment begins:

Provide Essential Information

  • Furnish the C3PAO with the Highest Level Owner (HLO) CAGE Code and all other applicable CAGE codes.
  • If available, provide the assessment Unique Identifier (UID) from any prior self-assessment.
  • Disclose all in-scope External Service Providers (ESPs) and identify any that are considered Cloud Service Providers (CSPs).

Define the Assessment Scope

Work with KLC Consulting to clearly define the CMMC Assessment Scope. This includes:

  • Identify all assets that process, store, or transmit CUI, and categorize the remaining assets in the environment (Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets) as described in the CMMC Level 2 Scoping Guide.
  • Clearly delineate the boundaries of the information system to be assessed.
  • Address the applicability of physical and environmental controls, especially in cloud environments or where on-site assessment is impractical.

Ensure Resource Availability

  • Make personnel available for interviews and information gathering during the assessment.
  • Ensure all necessary evidence and artifacts are readily accessible to the assessment team.

Deliver Required Documentation

  • Provide C3PAO with all required documentation, including a complete and accurate System Security Plan (SSP).

Address Conflicts of Interest

  • Actively participate with the assigned lead CMMC Certified Assessor (CCA) in identifying and mitigating any conflicts of interest.

During the C3PAO Assessment

Navigating the CAP

The CMMC Assessment Process (CAP) involves three key phases during the assessment itself:

Conduct the Pre-Assessment: CAP Phase 1

  • SSP Validation: Ensure your SSP is complete, accurate, and consistent with NIST SP 800-171 r2.
  • Scope Resolution: Promptly resolve any discrepancies in the defined CMMC Assessment Scope.
  • Evaluation Methods: Work with the assessment team to establish appropriate evaluation methods.
  • ESP Considerations (If Applicable):
    • Confirm the availability of a Customer Responsibility Matrix (CRM).
    • Ensure ESP personnel will participate in the assessment.
    • Provide evidence of the ESP’s FedRAMP authorization or CMMC Level 2 certificate.
  • Evidence Access: Grant the assessment team access to all necessary evidence and artifacts.
  • Readiness Demonstration: Demonstrate your readiness for the assessment and familiarity with the assessment methods.

Assess Conformity to Security Requirements: CAP Phase 2

  • In-Brief Meeting: Attend and actively participate in the in-brief meeting.
  • Evidence Collection: Facilitate evidence collection, whether in-person or virtually.
  • CUI Protection: Safeguard CUI during any virtual evidence sharing.
  • ESP Considerations (If Applicable):
    • Ensure the CRM is current and comprehensive.
    • Verify that ESP personnel can demonstrate knowledge and ownership of their security responsibilities.
    • Provide documentation verifying FedRAMP Moderate authorization (or equivalency) for any CSP that processes, stores, or transmits CUI.
  • The CAP Phase 2 daily assessment schedule is as follows:
    • Monday through Thursday (virtual sessions):
      • Morning session
      • Lunch break
      • Afternoon session
      • Mid-afternoon break
      • Daily Checkpoint Meeting to summarize progress, identify any challenges, and coordinate outstanding items.
    • Thursday/Friday: Meet onsite with the C3PAO to facilitate assessment of applicable physical security practices when necessary.
    • NOTE: Assessors may re-evaluate NOT MET security requirements during the assessment and for ten (10) business days following the active assessment period (i.e., the conclusion of Phase 2 activities), in accordance with 32 CFR §170.17(c)(2).

Complete and Report Assessment Results: CAP Phase 3

Post-Assessment:

Issue Certificate / Close Out POA&M if Necessary: CAP Phase 4

  • If a Conditional Level 2 Status Certificate is issued:
    • Close out the POA&M within 180 days.
    • Engage a C3PAO (which may be the same or different from the assessing C3PAO) for POA&M closeout activities.
    • Participate in any conflict-of-interest disclosures and mitigation efforts related to POA&M closeout.
    • If requested, participate in a POA&M out-brief meeting.
    • C3PAO issues Certificate of CMMC Status (Final or Conditional) within 30 days.

KLC’s CMMC Level 2 Assessment Guide

C3PAO Assessment Process Overview Table

Timing is given as week(s) relative to the assessment week, followed by the activity for that period.

Contract Signing
  • OSC contracts its CMMC Level 2 Certification Assessment with C3PAO KLC and submits the initial deposit to secure a place on our CMMC Level 2 Assessment calendar.

Initial Planning Call
  • OSC and C3PAO KLC establish a secure file-sharing repository. Note: We will use your platform if you already use Teams or a GRC tool such as Future Feed or Exostar. Otherwise, we use KLC’s secure file share.

7 weeks before
  • (1) OSC submits the 2nd contract installment payment.
  • (2) C3PAO KLC sends the pre-assessment package request to the OSC, including the Artifact Request List and scoping artifact guidance.
  • (3) OSC uploads completed pre-assessment documents to the secure file-sharing location.

5 weeks before
  • C3PAO KLC sends the assessment schedule and scoping call agenda to the OSC.

4 weeks before
  • (1) OSC returns the Artifact Request List to C3PAO KLC.
  • (2) C3PAO KLC reviews the submitted documents to determine the OSC’s assessment readiness.
  • (3) C3PAO KLC provides a decision regarding the OSC’s assessment readiness.

2 weeks before
  • OSC completes final versions of the assessment artifacts and uploads them to the secure file location.

1 week before
  • (1) OSC submits the 3rd and final contract installment payment.
  • (2) The C3PAO KLC Assessment Lead confirms the completeness of the assessment package/artifacts received, or continues communication to obtain any additional information needed.
  • (3) OSC and C3PAO KLC negotiate the Assessment Plan.

3 days before
  • The C3PAO KLC Assessment Lead finalizes the Assessment Plan.

Assessment week
  • (1) C3PAO KLC holds the assessment kickoff meeting, where the OSC presents its scope, diagrams, SSP, and other essential artifacts.
  • (2) C3PAO KLC conducts the assessment of conformance to the security requirements virtually each day and visits the OSC facility if required.
  • (3) C3PAO KLC holds Daily Checkpoint Meetings to summarize progress, identify any challenges, and coordinate outstanding items.
  • (4) C3PAO KLC presents preliminary findings of OSC security practices as MET or NOT MET.

10 business days after
  • Assessors may re-evaluate NOT MET security requirements during the assessment and for ten (10) business days following the active assessment period (i.e., the conclusion of Phase 2 activities), in accordance with 32 CFR §170.17(c)(2).

2 weeks after
  • OSC receives the C3PAO KLC assessment deliverables and results summary.

30 days after
  • (1) C3PAO KLC uploads the assessment results into eMASS and submits them to the CMMC Program Management Office (PMO).
  • (2) C3PAO KLC issues the Certificate of CMMC Status (Conditional or Final).

This comprehensive CMMC Assessment Guide helps you understand your responsibilities and the information you’ll need to provide throughout the CMMC Level 2 certification assessment process.
