A contractor must exhibit both the required maturity processes as well as the implementation of practices specific to a CMMC level, and the prior lower levels, to achieve that level. For instance, a level 4 certification requires a contractor to obtain all the necessary practices and processes at Levels 1, 2, 3, and 4. As in the case where a contractor exhibits different levels concerning practice implementation and maturity processes, the contractor receives certification for the lower of the two.
The assessment process includes an assessment objective and potential assessment methods. Each goal is related to a CMMC process or practice. Determination statements are the CMMC's objective to trace and assess the results. The assessment process produces assessment findings. These findings subsequently determine whether the procedure met certification standards.
The process also assesses objects that include specific specifications, mechanisms, individuals, or activities. Specifications are document-based artifacts, such as procedures, policies, security plans, security requirements, etc. Mechanisms are the software, hardware, and firmware that protect the system. Activities are protection-related supporting systems that involve people. These include backup operations, having a contingency plan, and watching network traffic. And lastly, individuals are the people applying the parameters listed above.
The methods for assessment include examining, interviewing, and testing. The examination process includes reviewing, observing, inspecting, analyzing, or studying assessment objects. The examination process is to facilitate a better understanding, obtain evidence, and achieve clarification. The interview process holds discussions with groups or individuals for the same three reasons. And lasting, the testing process puts assessment objects under specific conditions to measure its response versus its expected behavior. In all three methods, the results decide the specific determination established in the determination statement, which achieves the assessment procedure objectives.