Before your Level 2 assessment, the MNS Group and all C3PAOs follow the standard and required process from the CAP. This makes sure the system is fair and predictable for everyone!
The assessment process is broken into phases.
During the first phase, you have an opportunity to get to know the expectations of your assessor. There are a few items you can expect requests for:
- Meetings with the C3PAO to plan, share an overview of the process, set a time to receive documents, determine who from your company will need to attend the Phase 2 meetings, and schedule Phase 2 details with your team.
- Details about your company, including points of contact, ownership, and CAGE codes, and an overview of the type of work you perform.
- The SSP (System Security Plan).
- Customer Responsibility Matrix (CRM) for any external service providers that delineates how responsibilities are shared between your organizations.
- Assessment environment boundaries diagrammed
- Policies and documentation “package” for the assessment team to review.
- The SPRS score from your self-assessment.
The second phase is where the CMMC Assessors meet with your team to review, objective by objective, whether your system meets the controls. Most meetings occur over a virtual meeting and will require a working camera, microphone, and the ability to share your screen.
Ahead of time, your company and the assessor will agree on a schedule for the assessment that reviews all objectives. For each section, the subject matter expert will need to be in attendance, ready to answer questions and demo or screen share if the assessor asks.
What the assessor wants to see is that your team can demonstrate the “muscle memory” to navigate to the appropriate places in your information system if asked to do so, and knows how to answer the questions with accuracy. Your team should take the time to prepare ahead of time by reviewing their section- and use your SSP! The assessor will ask for live demonstrations of processes and evidence that you are doing what your documentation says you are doing.
If you have CUI that is printed and or saved to physical external drives, an assessor will come to your location to verify the controlled manner in which the CUI is being secured according to the requirements of the framework. Your job is to allow them access to your space, making sure that if they need specific permissions, that is done in advance of the on-site assessment, so the schedule can be kept.
Pro tip: be certain to follow your own procedures for welcoming guests!
Have more questions on what you need to have ready during an assessment?
