The Cyber Accrediting Body (formerly the CMMC-AB) has released a pre-decisional DRAFT of the CMMC Assessment Process (CAP) guide. The CAP is the doctrine providing overarching procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC assessments of organizations seeking CMMC Certification. The current version of the CAP applies to Level Two (L2) of the CMMC Model only.


The CAP is organized across 4 phases and describes the required activities to ensure that CMMC Assessments are conducted consistently across the DIB. The 4 phases are:

  • Phase 1: “Plan and Prepare the Assessment”
  • Phase 2: “Conduct the Assessment”
  • Phase 3: “Report assessment results”
  • Phase 4: “Close out POA&Ms and Assessment” (if necessary)


These 4 phases have been designed to ensure that every CMMC Assessment meets the following objectives:

  • Objective 1- Achieve the highest possible accuracy, fidelity, and quality for CMMC Assessments conducted by C3PAOs.
  • Objective 2- Maximize consistency to ensure that different Assessments conducted by different C3PAOs and Assessors yield the same verifiable results and outcomes each time.
  • Objective 3- Improve the cybersecurity defensive posture and the cyber resiliency of the DIB by providing effective and efficient Assessments that are well-planned, executed in consistent fashion, and accurately reported.

Industry Concerns about CMMC

I spoke with Matt Hodson, CIO of Valeo Networks, who raised concerns about the latest version of CMMC and feels strongly enough to speak out. Hodson expressed serious concern with v2.0 and the potential supply chain issue relating to the government’s timeline for CMMC to be implemented on contracts. Hodson shared, “There so many companies and vendors in the supply chain. I see a lot of gaps; it’s by no means a silver bullet. They need to figure out who is going to do the auditing and what the timeline will be for that.”

In addition to supply chain, Hodson shared his concern about the adversary catching on with how slow the government is known to move. “Hackers work quickly; if you’re going to push CMMC out another two years, I believe that is very risky. The biggest risk of all is going to be whether companies are taking CMMC seriously. This needs to be a higher priority. If they are going to keep pushing the goal post, we put ourselves in severe risk.”

An Insider’s Perspective on CMMC

My experience in the Defense Industrial Base (DIB) and listening to regular engagement from government leaders leads me to confidently say, the government isn’t out to make CMMC a disaster. It’s actually the opposite, and its okay for us to recognize raising cybersecurity within the DIB is not only a good idea, but it is actually DESPERATELY NEEDED. The government sees mistakes happen over and over that have easy remedies to help safeguard our technology. If this is what it takes for companies to set a standard of best practices for cybersecurity, it’s a step in the right direction.

If you’ve ever been through a Commanding General’s Readiness Inspection (CGRI) you are well aware of what is to come in the comforts of your own environment. Binders will be assembled, check-lists will be made, and someone will ask invasive questions despite the answers being easily laid out before their eyes. Thankful for our military experiences to fall back on in times like these, but well aware that this invasion – I mean, assessment –  is going to be uncharted territory for many, and for others will bring on fun-time flashbacks to our days in the Corps.

Related News

NJ has over 10 years inside the DoD working for various organizations and cleared defense contractors. With an ear to the ground on all things OPSEC, cyber, machine learning & mental health, she is an untapped keg of open source information.