Assessment Process Flashcards
Four Phases
Phase 1: Plan and Prepare the Assessment
Phase 2: Conduct the Assessment
Phase 3: Report Assessment Results
Phase 4: Close-Out POA&Ms and Assessment
The 4-Phase objective:
- Achieve the highest possible accuracy, fidelity, and quality
- Maximize consistency and continuity across C3PAO assessment outcomes
- Improve defensive posture and resiliency of the DIB by providing effective and efficient, well-planned and executed assessments.
CMMC Assessment Process (CAP)
the CMMC doctrine providing the overarching procedures and guidance for C3PAOs.
Roles and Responsibilities
OSC – Organization Seeking Certification - responsible for implementing CMMC practices for the target CMMC level.
OSC Assessment Official – Most senior representative of an OSC who is directly and actively responsible for leading and managing the OSC's engagement in the Assessment, and who possesses decision-making authority for the OSC with respect to the CMMC Assessment.
C3PAO – authorized and independent conformity-assessment body that contracts with the OSC and CMMC Assessment Team (CAT).
C3PAO Assessment Team – representative body of the C3PAO composed of certified personnel who conduct the assessment.
Lead Assessor – CCA who oversees and manages a dedicated CAT for the assessment. Holds the formal designation from the CMMC AB.
Assessment Team Members - individuals in the CAT.
CMMC Quality Assurance Professional (CQAP) – Formally trained individual who is responsible for ensuring Assessment documentation completeness and accuracy. Each C3PAO must have at least one (1) CQAP.
CMMC Templates
CMMC Pre-Assessment Form Template – central record and information for the Assessment, to include documentation of assets, scope, evidence, and other OSC data. MANDATORY.
Virtual Assessment Evidence Preparation Template – Excel file to support the organization and presentation of Evidence to be validated virtually. MANDATORY.
CMMC Assessment Readiness Review (CA-RR) Checklist – preliminary but formal review conducted by the Lead Assessor and, as applicable, the CAT, to verify OSC and CAT readiness for Phase 2.
COI Attestation - Short statement which the C3PAO & CAT confirm they have not provided consulting, advisory, or implementation support to the OSC. MANDATORY.
CMMC Assessment In-brief – PowerPoint file available to build formal kickoff briefing.
Daily Checkpoint – PowerPoint file that supports the coordination and tracking of daily activities.
Limited Practice Deficiency Correction Worksheet – document to record any OSC discrepancies that need to be corrected.
CMMC Assessment Results – Spreadsheet that contains the official Assessment results. MANDATORY.
CMMC Assessment Findings Briefing – PowerPoint file used to construct the findings brief.
CMMC Assessment Quality Review Checklist – Checklist of items to be verified during the CQAP review process. MANDATORY.
Confirmation of Destruction of OSC Data – MS Word template used to document the surrender/destruction of OSC proprietary information post-assessment. This template is not mandatory, but a formal notification is.
Mandatory Templates
5 total:
(1) Pre-Assessment Form Template
(2) Assessment Evidence Preparation Template
(3) COI Attestation
(4) Assessment Results
(5) CQAP Review Checklist
Specialized Asset Contractor Requirements
- Document in SSP
- Document in Inventory
- Include in the Network Diagram
CAP Objectives
- Achieve the highest possible accuracy, fidelity, and quality for CMMC Assessments conducted by C3PAOs;
- Maximize consistency to ensure that different Assessments conducted by different C3PAOs and Assessors yield the same verifiable results and outcomes each time;
- Improve the cybersecurity defensive posture and the cyber resiliency of the DIB by providing effective and efficient Assessments that are well-planned, executed in a consistent fashion, and accurately reported.
Limited Practice Deficiencies Ineligibility
- Could lead to significant exploitation of the network or exfiltration of CUI.
- Practices listed in the OSC’s Self-Assessment Practice Deficiency Tracker
- Not implemented prior to the current CMMC Assessment.
- Practices that prevent others from being ‘Met’
Purpose of a POA&M
Identify, assess, prioritize, and MONITOR the progress of corrective efforts for security weaknesses found in an organization's programs and systems.
SSP Review (3.12.4)
- Description of Scope
- Environment of Operation Description
- Identified and Approved Security Requirements
- Implementation Method for Security Requirements
- Connections and Relationships to Other Systems
- Defined Frequency of Updates
- General information system description
- Design philosophies
- Roles and Responsibilities
Mandatory CMMC Templates
- CMMC Pre-Assessment Form Template
- Virtual Assessment Evidence Preparation Template
- COI Attestation
- CMMC Assessment Results
- CMMC Assessment Quality Review Checklist