Understanding the CMMC Level 2 Assessment ProcessWhen anOrganization Seeking Certification (OSC)engages aCertified Third-Party Assessment Organization (C3PAO)to conduct aCMMC Level 2 Assessment, anAssessment Planis developed to outline the scope, methodology, and logistics of the assessment.
According to theCMMC Assessment Process (CAP) Guide, theAssessment Plan must be formally agreed upon and signed off by:
Lead Assessor– The individual responsible for overseeing the execution of the assessment.
C3PAO (Certified Third-Party Assessment Organization)– The entity conducting the assessment.
TheLead Assessorensures that theAssessment Plan aligns with CMMC-AB and DoD requirements, including methodology, objectives, and evidence collection.
TheC3PAOprovides organizational approval, confirming that the assessment is conducted according toCMMC-AB rules and contractual agreements.
A. OSC and Sponsor (Incorrect)
TheOSC (Organization Seeking Certification)is involved in planning but does not sign off on the plan.
Asponsoris not part of the sign-off process in CMMC assessments.
B. OSC and CMMC-AB (Incorrect)
TheOSCdoes not formally approve theAssessment Plan—this responsibility belongs to the assessment team.
TheCMMC-ABdoes not sign off on individualAssessment Plans.
D. C3PAO and Assessment Official (Incorrect)
"Assessment Official" isnot a defined rolein the CMMC assessment process.
TheC3PAOis involved, but it must be theLead Assessorwho signs off, not an unspecified official.
The correct answer isC. Lead Assessor and C3PAO.
TheLead Assessorensures assessment integrity, while theC3PAOprovides official authorization.
[References:, CMMC Assessment Process (CAP) Guide, CMMC 2.0 Level 2 Certification Procedures, The Cyber AB Assessment Guidelines, , , ]
