CMMC Assessment Guidelines: What to Expect When It’s Time for Your Audit
A contractor has to show both that they have the required maturity processes and that they have implemented the practices specific to the CMMC level they must achieve. Because the CMMC levels build on each other, achieving Level 3, for example, means the contractor must also have every process and practice required for Levels 1 and 2 in place. If the contractor needs to be at Level 3 but some of their practice implementation or maturity process areas only meet the Level 2 specifications, the contractor receives certification for the lower of the two levels.
The assessment process consists of assessment objectives and potential assessment methods. Each objective maps to a CMMC process or practice. Determination statements are the CMMC's means of tracing and assessing the results against each objective. The assessment process produces assessment findings, and those findings determine whether the process or practice meets the certification standard.
The process also assesses objects, which fall into four categories: specifications, mechanisms, activities, and individuals. Specifications are document-based artifacts such as procedures, policies, security plans, and security requirements. Mechanisms are the software, hardware, and firmware that protect the system. Activities are protection-related supporting operations that involve people, such as running backups, maintaining a contingency plan, and monitoring network traffic. Lastly, individuals are the people who apply the specifications, operate the mechanisms, and carry out the activities listed above.