Before your Level 2 assessment, the MNS Group and all C3PAOs follow the standard and required process from the CAP. This makes sure the system is fair and predictable for everyone!
The assessment process is broken into phases.
During the first phase, you have an opportunity to get to know the expectations of your assessor. There are a few items you can expect requests for:
The second phase is where the CMMC Assessors meet with your team to review, objective by objective, whether your system meets the controls. Most meetings are held virtually and will require a working camera, microphone, and the ability to share your screen.
Ahead of time, your company and the assessor will agree on a schedule for the assessment that reviews all objectives. For each section, the subject matter expert will need to be in attendance, ready to answer questions and demo or screen share if the assessor asks.
What the assessor wants to see is that your team can demonstrate the “muscle memory” to navigate to the appropriate places in your information system if asked to do so, and knows how to answer the questions with accuracy. Your team should prepare ahead of time by reviewing their section, and use your SSP! The assessor will ask for live demonstrations of processes and evidence that you are doing what your documentation says you are doing.
If you have CUI that is printed and/or saved to physical external drives, an assessor will come to your location to verify that the CUI is being secured in the controlled manner the framework requires. Your job is to allow them access to your space. If they need specific permissions, arrange those in advance of the on-site assessment so the schedule can be kept.
Pro tip: be certain to follow your own procedures for welcoming guests!