After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP).  The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification.  The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.

Aimed at increasing the accuracy and consistency of assessments conducted by C3PAOs, the CAP is segmented into four distinct phases:

Phase 1:  Plan and Prepare the Assessment;
Phase 2:  Conduct the Assessment;
Phase 3:  Report Assessment Results; and
Phase 4:  Close-Out Plan of Action and Milestones (POAMs) and Assessment.

While the assessment process is still in draft form, DoD contractors should familiarize themselves with the proposed structure and conduct of CMMC assessments, as these parameters will be critical to companies attaining CMMC certification at the level requisite for future government contract awards.

The Cyber AB is currently accepting comments on the draft CAP. 

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is an associate in Crowell & Moring’s Washington, D.C. office where he is a member of the firm’s Government Contracts and Privacy & Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is an associate in Crowell & Moring’s Washington, D.C. office where he is a member of the firm’s Government Contracts and Privacy & Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Photo of Evan D. Wolff Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical…

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Photo of Alexander Urbelis Alexander Urbelis

Alex Urbelis is a senior counsel in the New York office and a member of the Privacy & Cybersecurity Group. Alex has more than 20 years of experience in the information security community and has varied experience as a Chief Information Security Officer…

Alex Urbelis is a senior counsel in the New York office and a member of the Privacy & Cybersecurity Group. Alex has more than 20 years of experience in the information security community and has varied experience as a Chief Information Security Officer (CISO), Chief Compliance Officer, in-house counsel, and private practice litigator.

Alex has a unique skill set that has allowed him to create a bridge between the technical and legal side of cybersecurity. As a result, he is the primary architect of an exclusive DNS (Domain Name Search) monitoring and intelligence platform. Through this intel platform, Alex advises his clients on identified and early-stage indicators of cybersecurity threats and provides counsel on legal actions and technical defensive remedies to neutralize those threats. Alex tracks sophisticated cyber adversaries and advanced persistent threats (APTs) through his intel platform and, notably, detected a state-sponsored cyber intrusion attempt targeting the World Health Organization in March 2020. For combining legal and technical skill sets with public service, the Financial Times selected Alex as a finalist for its Innovative Lawyers awards for pandemic response in 2020.

Photo of Maida Oringher Lerner Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber…

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.