CMMC Level 2 Assessment Guide

A Checklist to Help You Prepare for Your CMMC Level 2 Certification Assessment

Our CMMC Level 2 Assessment Guide outlines all the key steps and tasks you, as the Organization Seeking Certification (OSC), are required to complete for your CMMC Level 2 Certification Assessment. KLC Consulting is an authorized C3PAO. We determine if companies meet CMMC Level 2 requirements and certify them when they do.

Before Your CMMC Assessment

Laying the Foundation

Several important steps must be taken before the formal assessment begins:

Provide Essential Information

• Furnish C3PAO with the Highest-Level Order (HLO) CAGE Code and all other applicable CAGE codes.
• If applicable, provide the assessment Unique Identifier (UID) from any prior self-assessment.
• Disclose all in-scope External Service Providers (ESPs) and identify any that are considered Cloud Service Providers (CSPs).

Define the Assessment Scope

Work with KLC Consulting to clearly define the CMMC Assessment Scope. This includes:

• Identify all assets that process, store, or transmit CUI.
• Clearly delineate the boundaries of the information system to be assessed.
• Address the applicability of physical and environmental controls, especially in cloud environments or where on-site assessment is impractical.

Ensure Resource Availability

• Make personnel available for interviews and information gathering during the assessment.
• Ensure all necessary evidence and artifacts are readily accessible to the assessment team.

Deliver Required Documentation

• Provide C3PAO with all required documentation, including a complete and accurate System Security Plan (SSP).

Address Conflicts of Interest

• Actively participate with the assigned Lead Certified CMMC Assessor (CCA) to identify and mitigate any conflicts of interest.

During Your CMMC Assessment

Navigating the CAP

The Official CMMC Assessment Process (CAP) involves three key phases during the assessment:

Conduct the Pre-Assessment: CAP Phase 1

• SSP Validation: Ensure your SSP is complete, accurate, and consistent with NIST SP 800-171 r2.
• Scope Resolution: Promptly resolve any discrepancies in the defined CMMC Assessment Scope.
• Evaluation Methods: Work with the assessment team to establish appropriate evaluation methods.
• ESP Considerations (If Applicable):
  • Confirm the availability of a Customer Responsibility Matrix (CRM).
  • Ensure ESP personnel will participate in the assessment.
  • Provide evidence of the ESP’s FedRAMP authorization or CMMC Level 2 certificate.
• Evidence Access: Grant the assessment team access to all necessary evidence and artifacts.
• Readiness Demonstration: Demonstrate your readiness for the assessment and familiarity with the assessment methods.

Assess Conformity to Security Requirements: CAP Phase 2

• In-Brief Meeting: Attend and actively participate in the in-brief meeting.
• Evidence Collection: Facilitate evidence collection, whether in-person or virtually.
• CUI Protection: Safeguard CUI during any virtual evidence sharing.
• ESP Considerations (If Applicable):
  • Ensure the CRM is current and comprehensive.
  • Verify that ESP personnel can demonstrate knowledge and ownership of their security responsibilities.
  • Provide documentation to verify FedRAMP authorization or equivalency for CSPs.
• The CAP Phase 2 daily assessment interview schedule is as follows:
  • Monday through Thursday – virtual sessions:
    • Morning session
    • Lunch break
    • Afternoon session
    • Mid-afternoon break
    • Daily Checkpoint Meetings: To summarize progress, identify any challenges, and discuss additional items for coordination.
    • Thursday/Friday: Meet onsite with C3PAO to facilitate assessment of applicable physical security practices when required.
  • NOTE: Assessors may re-evaluate the NOT MET security requirements identified during the assessment and for ten (10) business days following the active assessment period (i.e., the conclusion of CAP Phase 2 activities) in accordance with the requirements established in 32 CFR §170.17(c)(2). 

Complete and Report Assessment Results: CAP Phase 3

• Out-Brief Meeting: Attend and participate in the out-brief meeting.
• Artifact Retention: Retain all hashed artifacts used as assessment evidence for a minimum of six years.
• Hashing Information:
  • Use a NIST-approved hashing algorithm for this purpose.
  • Provide the assessment team with a list of artifact names, corresponding hash values, and the hashing algorithm used.
  • Guidance for hashing artifacts can be found in the supplemental guidance document, “CMMC Hashing Guide.”

After Your CMMC Assessment

Issue Certificate / (Closeout POA&M if necessary): CAP Phase 4

• C3PAO issues Certificate of CMMC Status (Final or Conditional) within 30 days.
• If the C3PAO issues a Conditional Level 2 Status Certificate:
  • Close out your POA&M within 180 days.
  • Engage a C3PAO (which may be the same or different from the assessing C3PAO) for a POA&M closeout assessment.
  • Participate in any conflict-of-interest disclosures and mitigation efforts related to POA&M closeout.
  • Participate in a POA&M out-brief meeting if applicable

What if I Score less than 110?

It’s important to understand your ramifications and options if you don’t attain a perfect score of 110 during your CMMC Assessment. We discuss ALL the possibilities and your BEST NEXT STEPS to certification – HERE.

KLC’S CMMC Assessment Guide

CMMC Assessment Process Overview Table

Contract Signing	OSC contracts its CMMC Level 2 Certification Assessment with C3PAO KLC and submits the initial deposit to secure a place on our CMMC Level 2 Assessment calendar.
Initial Planning Call	OSC and C3PAO KLC plan assessment activities and establish a secure file-sharing repository. Note: We’ll utilize your platform if you use Teams or a GRC tool like Future Feed or Exostar. Otherwise, we use KLC’s secure file share.
Week(s) Relative to Assessment Week Interviews	Activity
7 weeks before	(1) OSC submits the 2nd contract Installment Payment, (2) C3PAO KLC sends the pre-assessment package request to the OSC, including the Artifact Request List and scoping artifact guidance, (3) OSC uploads the completed pre-assessment documents to the secure file-share location.
5 weeks before	C3PAO KLC sends the assessment schedule, and scoping call agenda to the OSC.
4 weeks before	(1) OSC returns the completed Artifact Request List to C3PAO KLC, (2) C3PAO KLC reviews the submitted documents to determine the OSC’s Assessment Readiness per CAP Phase 1: Conduct the Pre-Assessment.
3 weeks before	(1) C3PAO KLC issues a Decision regarding the OSC’s Assessment Readiness, Upon C3PAO KLC’s Determination of OSC’s Readiness: (2) C3PAO KLC holds the Assessment Kickoff Meeting. OSC presents its CUI scope, diagrams, SSP, and other essential artifacts.
2 weeks before	OSC completes final versions of assessment artifacts and uploads them to the secure file location.
1 week before	(1) C3PAO KLC’s Lead CCA confirms completeness of the assessment package and artifacts received or communicates the need for additional information, (2) OSC and C3PAO KLC formalize the Assessment Plan, (3) OSC submits 3rd and final contract Installment Payment.
3 DAYS before	C3PAO KLC Assessment Lead finalizes the Assessment Plan.
ASSESSMENT WEEK INTERVIEWS	(1) C3PAO KLC holds the Assessment In-Brief on Day 1, (2) C3PAO KLC virtually assesses OSC Conformance to Security Requirements per CAP Phase 2 – each day and visits the OSC facility as required, (3) C3PAO KLC holds Daily afternoon Checkpoint Meetings to summarize progress, identify challenges, and discuss additional items for coordination, (4) C3PAO KLC presents preliminary findings of OSC security practices MET vs. NOT MET on the last day of the Assessment Week Interview.
10 DAYS after	C3PAO KLC may re-evaluate OSC’s “NOT MET” security requirements during the assessment and for ten (10) business days following the active assessment period (i.e., the conclusion of CAP Phase 2 activities) in accordance with the requirements established in 32 CFR §170.17(c)(2)
2 weeks after	OSC receives the C3PAO KLC assessment deliverables and results summary.
30 DAYS after	(1) C3PAO KLC uploads the assessment results into eMASS and submits them to the CMMC Program Management Office (PMO), (2) C3PAO KLC issues the CMMC Certificate of Status (Conditional or Final).

This comprehensive CMMC Assessment Guide helps you understand your responsibilities and the information you’ll need to provide throughout the CMMC Level 2 certification assessment process.