CMMC Assessment Process (CAP)
The CMMC Assessment Process (CAP) is the official procedural guide that governs how CMMC Third-Party Assessment Organizations (C3PAOs) evaluate an Organization Seeking Certification (OSC). Published by the Cyber AB, the CAP defines the end-to-end assessment lifecycle — from pre-assessment planning through evidence evaluation to final certification recommendation — ensuring consistent and objective CMMC assessments across the Defense Industrial Base.
What Is the CMMC Assessment Process?
The CAP provides the overarching procedures and guidance that C3PAOs must follow when conducting official CMMC assessments. It establishes a standardized methodology so that every assessment, regardless of which C3PAO conducts it, follows the same rigor and produces comparable results. The CAP covers assessor qualifications, evidence requirements, scoring methodologies, and reporting procedures.
Phases of the CMMC Assessment
The CAP organizes the assessment into distinct phases:
- Pre-Assessment: The OSC and C3PAO establish the assessment scope, define the CMMC Assessment Boundary, review the System Security Plan (SSP), and agree on logistics, timelines, and evidence submission procedures.
- Assessment: The C3PAO assessment team evaluates the OSC’s implementation of CMMC practices through documentation review, technical testing, and personnel interviews. Each practice is scored as MET, NOT MET, or NOT APPLICABLE.
- Post-Assessment: The lead assessor compiles findings, determines whether the OSC meets the target CMMC level, and submits the assessment report to the Cyber AB for quality assurance review and final certification decision.
CAP Scoring and Evidence Requirements
For a CMMC Level 2 assessment, the C3PAO evaluates 110 security practices aligned to NIST SP 800-171. The OSC must demonstrate that each practice is not only documented in policy but is actively implemented and producing the intended security outcomes. Acceptable evidence types include system configurations, audit logs, policy documents, technical demonstrations, and staff interviews that confirm operational awareness.
CAP vs. DoD Assessment Methodology
The CAP governs third-party CMMC assessments conducted by C3PAOs, while the DoD Assessment Methodology (DoDAM) is used for DFARS-based self-assessments and DIBCAC evaluations. Both assess NIST 800-171 implementation, but the CAP is specifically designed for the CMMC certification process and includes additional procedures for assessor conduct, conflict of interest management, and Cyber AB quality oversight.
Preparing for a CAP-Governed Assessment
Organizations preparing for a CMMC assessment should familiarize themselves with the CAP’s evidence expectations and scoring criteria. Key preparation steps include conducting an internal readiness assessment against all 110 Level 2 practices, ensuring the SSP accurately reflects the current environment and security controls, organizing evidence artifacts mapped to each practice, training personnel who may be interviewed during the assessment, and addressing any items in the Plan of Action and Milestones (POA&M) that could affect scoring.