CMMC CAP: What the Assessment Process Means for Level 2
CMMC CAP stands for the CMMC Assessment Process. CAP v2.0 is the Cyber AB’s procedural guide for how a C3PAO (Certified Third-Party Assessment Organization) conducts a CMMC Level 2 certification assessment. It applies only to Level 2 C3PAO assessments — not Level 1, not Level 2 self-assessments, and not the government-led Level 3. It is not the control list, not a credential, and not legal advice. It’s the rulebook your assessor follows so two different assessors reach the same verdict about the same company.
That last distinction is where the confusion — and most of the wasted money — lives. So before you read a procedural manual written for auditors, or worse, hire the wrong kind of help, let us translate the CAP into the decisions you actually have to make.
Which reason brought you here?
The word “CAP” pulls in five different readers. Find yourself first — the rest of this page assumes you know which one you are.
| You searched “cmmc cap” because… | Bottom line | Your next move |
|---|---|---|
| A C3PAO quote or assessment conversation referenced it | You’re almost certainly on the Level 2 (C3PAO) certification path | Lock down scope, SSP, and evidence before you schedule |
| You only handle FCI (Level 1) | The CAP is not your process | Use a Level 1 self-assessment checklist instead |
| You’re on the Level 2 self-assessment path | The CAP isn’t your formal process, but its evidence discipline still helps | Follow the DoD self-assessment + SPRS path |
| You’re on the Level 2 C3PAO path | The CAP is central to your next 6–18 months | Prepare for the four phases below |
| You’re at Level 3 | The CAP is not the Level 3 process (that’s DIBCAC) | Confirm your Level 2 prerequisite first |
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Here’s our one honest warning up front: the CAP was not written for you. It’s the procedural guide C3PAOs must follow, written in assessor language, and it explicitly does not replace 32 CFR Part 170, NIST, DFARS, or DoD guidance. It tells your assessor how to grade you. It will not tell you how to get ready. That gap is exactly why this page exists — and why, for most contractors, the smartest first dollar goes to readiness, not to booking an assessment you’re not prepared to pass.
We read the CAP v2.0, and we read the regulation behind it line by line — 32 CFR Part 170, section by section — to confirm every rule below. Let’s get you oriented.
What is the CMMC CAP?
The CMMC CAP (CMMC Assessment Process) is the procedural playbook, published and maintained by the Cyber AB and approved by the CMMC Program Management Office, that governs how a C3PAO conducts a CMMC Level 2 certification assessment. Adherence is mandatory for C3PAOs and their CMMC Certified Assessors (CCAs) — it’s a built-in condition of C3PAO accreditation. It defines the activities, roles, and sequence of a Level 2 assessment so results stay consistent across different assessors.
The current version is CAP v2.0, published December 16, 2024 — the same day the CMMC program reached its major rulemaking milestone. The earlier v1.0 was a 2022 pre-decisional draft and is obsolete. If a guide still calls v1.0 “current,” it’s out of date — and several of the top results for this term still are.
A few quick clarifications, because the acronym gets tangled:
- CAP is not a certification you earn. You earn a Certificate of CMMC Status through an assessment. The CAP is the process behind it.
- CAP is not a credential. The people-level credentials are the CCP (CMMC Certified Professional) and CCA (CMMC Certified Assessor), now administered by ISACA, which took over as the CAICO (CMMC Assessor & Instructor Certification Organization) in April 2026.
- CAP is not a “corrective action plan.” In CMMC, the plan for fixing gaps is a POA&M (Plan of Action and Milestones) — a different thing with strict rules we cover below.
- CAP is not the control set. The security requirements come from NIST. The CAP is only how an assessor checks them.
Where to find the official CMMC CAP PDF
The official CMMC Assessment Process v2.0 is published by the Cyber AB on its website. Use the Cyber AB as the source for the current document, then use this page to translate that assessor-facing procedure into contractor-side readiness decisions. Reading the CAP cover to cover won’t answer your real question — what do I need in hand before an assessor shows up? — which is what the rest of this guide is for.
Does the CMMC CAP apply to my company?
The CAP applies if your contract requires a CMMC Level 2 certification assessment performed by a C3PAO. It does not govern Level 1 self-assessments, it is not the process for Level 2 self-assessments, and it is not the process for Level 3, which is assessed by the government’s DCMA DIBCAC (Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center). Your required level is set by the contract clause and the type of information you handle — not by a checklist.
Here’s the level-by-level reality:
- Level 1 (FCI only): the 15 basic safeguarding requirements at FAR 52.204-21, with annual self-assessment and affirmation. The CAP does not apply.
- Level 2 self-assessment: the Level 2 path when the solicitation requires CMMC Level 2 (Self). Allowed only for a limited subset of Level 2 contracts; you self-score the 110 requirements of NIST SP 800-171 Rev. 2 and post to SPRS. The CAP is not your formal process, though its evidence expectations are worth borrowing.
- Level 2 C3PAO certification: the Level 2 path when the solicitation requires CMMC Level 2 (C3PAO). A third party assesses the same 110 requirements. This is the CAP’s job.
- Level 3: Level 2 requirements plus 24 enhanced requirements from NIST SP 800-172, assessed by DIBCAC. A Final Level 2 (C3PAO) status for the same scope is a prerequisite. The CAP does not govern the Level 3 assessment.
Federal Contract Information (FCI) is nonpublic information generated for or provided by the government under a contract. Controlled Unclassified Information (CUI) is information the government requires to be safeguarded under law, regulation, or government-wide policy. Which one flows through your systems is the single biggest factor in whether the CAP applies to you at all. See our FCI vs. CUI guide for a plain-English breakdown.
A 60-second self-check
If you answer “no” or “not sure” to any of these, you’re not yet at the “book a C3PAO” stage — you’re at the readiness stage:
- Does your contract clause actually require Level 2 (C3PAO), not Level 1 or Level 2 (Self)?
- Is your CUI boundary defined, with an asset inventory and a current SSP that matches your real environment?
- Is every 5-point and 3-point control fully implemented today — not planned?
- Is your evidence organized and mapped to the requirements?
- Is the firm helping you get ready different from the firm you’d hire to assess you?
Not sure whether the CAP even applies to you — or which of those five you’d fail?
Find My CMMC Path maps your level, CUI scope, assessment type, environment, and timeline to the right provider category — C3PAO, RPO, MSSP, GRC platform, or CUI enclave — before you spend a dollar on quotes.
Find My CMMC Path →
CMMC CAP vs. 32 CFR Part 170 vs. NIST vs. DFARS: what actually controls what?
The CAP tells a C3PAO how to run a Level 2 certification assessment. It does not set the rules, define the controls, or put CMMC into your contract — three separate authorities do that. Treating the CAP as a substitute for the regulation, the control set, or the clause is the mistake that sends contractors down the wrong path.
This is the table we wish had existed when we started. Each row is a different document people constantly blur together.
| Document / system | What it actually does | Why it matters to you |
|---|---|---|
| CMMC CAP v2.0 | The Cyber AB’s procedure for Level 2 C3PAO certification assessments | Shows how your assessment will be run, phase by phase |
| 32 CFR Part 170 (CMMC Program Rule) | Establishes the program: levels, scoring, POA&M rules, affirmations, scoping | The binding rules — POA&M eligibility, conditional status, and the 180-day clock all live here. See our 32 CFR Part 170 guide. |
| NIST SP 800-171 Rev. 2 | The 110 Level 2 security requirements, across 14 control families | Your actual to-do list of controls under the current rule |
| NIST SP 800-171A | The assessment methodology (examine, interview, test) — 320 assessment objectives | How each requirement is judged MET / NOT MET |
| DFARS 252.204-7021 | The contract clause requiring current CMMC status | Ties your CMMC status and annual affirmation to contract eligibility |
| CMMC eMASS | The government system where a C3PAO uploads certification results | Where your assessment record officially lands |
| SPRS (Supplier Performance Risk System) | Reflects your status, score, and affirmation | What contracting officers check before award |
One accuracy point that trips up even good guides: for CMMC Level 2, the controlling control set is NIST SP 800-171 Rev. 2, not Rev. 3. NIST has published Rev. 3 as a general update, but 32 CFR Part 170 still incorporates Rev. 2 for CMMC Level 2 unless and until DoD amends the CMMC rule. Any page that treats Rev. 3 as your CMMC control set is handing you the wrong requirements — and that’s a mistake measured in real remediation dollars.
What are the four phases of the CMMC CAP?
A Level 2 C3PAO certification assessment runs through preliminary proceedings and then four phases: Phase 1, plan and prepare the pre-assessment; Phase 2, assess conformity to the security requirements; Phase 3, complete and report the results; and Phase 4, issue the certificate and close out any POA&M. Before Phase 1, the C3PAO and the Organization Seeking Certification (OSC) handle entity confirmation, scope framing, conflict-of-interest screening, and the contract. Most problems are cheapest to catch in those preliminary steps and in Phase 1.
Here’s the map we built — not just what happens, but what you need in hand at each stage, the governing source, and where companies most often stall.
| Stage | What the C3PAO does | What you must have ready | Source | Where it goes wrong |
|---|---|---|---|---|
| Preliminary proceedings | Confirm legal entity + CAGE code, frame scope, screen for conflicts of interest, sign the contract under the Code of Professional Conduct | Correct legal entity, CAGE code, a defensible proposed scope, a readiness provider that is not your assessor | CAP v2.0; § 170.9 | Engaging the firm that prepped you as your assessor without a conflict-of-interest review |
| Phase 1 — Plan & Prepare | Review your SSP, validate scope, check cloud/ESP documentation, complete the Pre-Assessment Form, determine readiness | A complete, accurate SSP; finalized scope + asset inventory; a Customer Responsibility Matrix for any cloud in scope; organized evidence | CAP v2.0; § 170.19 (scoping) | Missing or placeholder SSP; scope still unsettled |
| Phase 2 — Assess Conformity | Examine, interview, and test each requirement against the NIST SP 800-171A objectives; score MET / NOT MET using sampling | People available for interviews; live evidence for each objective; systems accessible | CAP v2.0; NIST SP 800-171A | Evidence that doesn’t match what the SSP claims |
| Phase 3 — Report Results | Compile scores, run an independent QA review (by a CCA not on the team), upload to CMMC eMASS, handle appeals | Nothing to submit — stay reachable for clarifications | CAP v2.0; § 170.17 | Assessor-side; you mostly wait |
| Phase 4 — Issue Certificate / Close-Out POA&M | Issue a Final or Conditional Certificate of CMMC Status; verify POA&M closeout | If Conditional: a credible plan to close every POA&M item and pass a closeout assessment within 180 days | § 170.21 | Missing the 180-day window → status expires |
Different providers paraphrase the phase names slightly, but the activities are what matter, and they’re consistent. The single biggest lever across all four? Get your SSP and scope right. Almost every stall we’ve seen traces back to one of those two. See our CMMC Level 2 assessment preparation guide for a deeper breakdown of the 88-point pass gate.
CMMC CAP checklist: what to have ready before Phase 1
Before Phase 1, an OSC should have its legal entity and CAGE code, its finalized CMMC Assessment Scope, a complete SSP, an asset inventory and network diagram, an evidence library mapped to the assessment objectives, documentation for any External Service Providers (ESPs) and Cloud Service Providers (CSPs), and interview-ready personnel. Phase 1 is not a friendly kickoff — it’s the gate where a C3PAO decides whether you’re prepared enough to proceed at all.
Treat this as your pre-assessment punch list:
- Legal entity, CAGE code, UEI/SAM status — plus your CMMC UID if you’ve done a prior self-assessment.
- System Security Plan — with a real name, version, and date, and implementation statements that describe your actual environment, not a template’s placeholders.
- Asset inventory and network diagram — every asset that stores, processes, or transmits CUI, plus your security protection assets, with the scope boundary marked.
- CUI data flow — where CUI enters, lives, and leaves.
- ESP/CSP documentation — provider list, cloud authorization status, and a Customer Responsibility Matrix (CRM) where applicable.
- Evidence library — artifacts mapped to each requirement’s objectives, with owners assigned.
- Interview-ready people — control owners who can speak to how things actually work.
- A secure way to share evidence — one that never puts CUI in the wrong system.
That “template SSP” line isn’t hypothetical. Assessors read your SSP against your real environment, and a generic downloaded document with placeholders is an instant red flag. This is exactly the kind of gap a good readiness engagement closes long before an assessor opens your file.
Turn this into an internal checklist
Grab our CMMC Level 2 Readiness Checklist, mapped to the 14 control families, and assign owners for SSP, scope, evidence, and ESP/CSP tasks before you pay for an assessment date. It’s a free deliverable, not a sales call.
Get the Readiness Checklist →
What evidence will a C3PAO look for under the CAP?
A C3PAO is not looking for policies on a shelf. Under Phase 2 and the NIST SP 800-171A methodology, assessors evaluate implementation through three methods — examine, interview, and test — and score each requirement MET or NOT MET. The question is never “do we have a document?” It’s “can we prove this control is implemented, operating, and doing what it’s supposed to?”
What each method looks like in practice:
- Examine — documents, configurations, logs, tickets, screenshots, policies, and procedures.
- Interview — control owners, admins, HR, facilities, program managers, and relevant ESP personnel.
- Test — technical demonstrations: multifactor authentication in action, audit logging, access controls, incident response, media protection.
| Evidence type | Examples | The common mistake |
|---|---|---|
| Governance | SSP, policies, procedures, POA&M, risk assessments | Policy says one thing; the environment does another |
| Technical | MFA config, audit logs, vulnerability scans, encryption settings | Screenshots are stale or not tied to the assessed scope |
| Operational | Training records, incident response tests, access reviews | The process exists, but there’s no proof it happened |
| Physical | Visitor logs, badge controls, media storage | Cloud-first teams skip the physical-access discussion |
| ESP/CSP | Customer Responsibility Matrix, shared-responsibility docs, cloud authorization evidence | Assuming the provider’s compliance covers your responsibility |
Two specifics confirmed in the regulation that most contractors don’t budget for. First, under 32 CFR § 170.17(c)(4), the OSC must hash the artifacts used as evidence with a NIST-approved algorithm and retain them for six years from the CMMC Status Date — and hand the C3PAO the artifact names, hash values, and algorithm for upload into eMASS. Second, there’s a narrow safety valve: under § 170.17(c)(2), a NOT MET requirement can be re-evaluated during the active assessment and for up to 10 business days after — but only before the findings report is delivered, only if you have new evidence, and only if it doesn’t undercut something already scored MET.
Here’s the pattern we keep seeing: teams walk in confident and get stopped by evidence, not controls. The rule is unforgiving on this — Phase 1 exists specifically to catch unready organizations, and § 170.21 tightly limits which gaps you can defer. Confidence is not evidence. The assessor cares about the file, not the folder.
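One way to produce the artifact-name / hash / algorithm record that § 170.17(c)(4) calls for, and to re-check it during the retention period. This is an added illustration, not code from the CAP, the Cyber AB, or eMASS; SHA-256 (FIPS 180-4) is used as the NIST-approved algorithm, and the CSV layout, directory names and sample artifacts are assumptions constructed for the example.

```python
"""Evidence-artifact manifest for the 32 CFR § 170.17(c)(4) hashing and retention
requirement: hash each artifact with a NIST-approved algorithm (SHA-256, FIPS 180-4)
and record artifact name, hash value and algorithm. The CSV layout is an assumption
for illustration, not an eMASS-specified format."""
import csv
import hashlib
import tempfile
from pathlib import Path

ALGORITHM = "SHA-256"
CHUNK_SIZE = 1024 * 1024


def sha256_hex(data: bytes) -> str:
    """Hash an in-memory artifact (used for small items and for self-checks)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: Path) -> str:
    """Stream the file so large artifacts (log exports, scan results) never load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path) -> list[dict]:
    """One row per artifact: the three fields the OSC hands the C3PAO."""
    rows = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rows.append({"artifact": p.relative_to(evidence_dir).as_posix(),
                         "algorithm": ALGORITHM,
                         "hash": hash_file(p)})
    return rows


def write_manifest(rows: list[dict], out_path: Path) -> None:
    with out_path.open("w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["artifact", "algorithm", "hash"])
        writer.writeheader()
        writer.writerows(rows)


def read_manifest(path: Path) -> list[dict]:
    with path.open(newline="") as fh:
        return list(csv.DictReader(fh))


def verify_manifest(evidence_dir: Path, rows: list[dict]) -> dict:
    """Re-hash retained artifacts and report which still match the recorded values.
    Worth running on a schedule during the six-year retention window, not just at upload."""
    result = {"ok": [], "modified": [], "missing": []}
    for row in rows:
        p = evidence_dir / row["artifact"]
        if not p.is_file():
            result["missing"].append(row["artifact"])
        elif hash_file(p) != row["hash"]:
            result["modified"].append(row["artifact"])
        else:
            result["ok"].append(row["artifact"])
    return result


def demo() -> dict:
    """Constructed sample: two artifacts, manifest built and reloaded, one artifact
    altered afterwards, then verified before and after the change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "AC").mkdir()
        (root / "AC" / "mfa-policy-export.json").write_bytes(b'{"mfa_required": true}')
        (root / "AU").mkdir()
        (root / "AU" / "audit-log-sample.txt").write_bytes(b"2026-07-01T00:00:00Z login ok\n")
        rows = build_manifest(root)          # manifest file does not exist yet, so it is not listed
        manifest_path = root / "evidence-manifest.csv"
        write_manifest(rows, manifest_path)
        reloaded = read_manifest(manifest_path)
        before = verify_manifest(root, reloaded)
        # Simulate an artifact being edited after the assessment record was built
        (root / "AU" / "audit-log-sample.txt").write_bytes(b"edited later\n")
        after = verify_manifest(root, reloaded)
        return {"artifacts": [r["artifact"] for r in rows], "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```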
How do scope, CUI assets, ESPs, and cloud providers change the CAP?
Scope is one of the biggest CAP risk points because the Level 2 assessment is performed against your defined CMMC Assessment Scope. How you categorize your assets — and your ESP and cloud responsibilities — changes what evidence you need and what the assessor evaluates. Late scope changes are where cost, timeline, and readiness quietly blow up.
The moving parts to settle before, not during, an assessment:
- Asset categories. CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets each carry different documentation expectations under 32 CFR Part 170 scoping.
- ESPs. Any external provider that processes, stores, transmits, or protects your CUI or security functions may pull responsibility into your assessment.
- Cloud and FedRAMP. Under 32 CFR § 170.17, a cloud service used to process, store, or transmit CUI must be FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline, or meet the FedRAMP Moderate equivalency requirement under DoD policy — with your responsibilities documented in the SSP and CRM. Don’t assume a commercial collaboration tenant clears it without a contract-specific review. See our managed enclave guide for how contractors approach this boundary.
- Customer Responsibility Matrix. This document splits which controls the cloud provider covers and which are yours. Assessors will ask for it.
- Enclave vs. whole-enterprise. Pulling CUI into a defined enclave can dramatically shrink your assessment scope — a decision worth making before you build.
Get this wrong and you don’t just risk a finding; you can watch your cost and timeline change mid-stream because assets you treated as out-of-scope turn out to be in it.
What can a C3PAO not do for you under the CAP?
A C3PAO can assess you, but it cannot also be your readiness consultant for the same engagement. Under 32 CFR § 170.8(b)(17)(ii)(G), a CMMC ecosystem member is prohibited from participating in your Level 2 certification assessment if it served as a consultant to prepare your organization for any CMMC assessment within the prior three years. The firm that gets you ready and the firm that certifies you have to be different — and that’s federal rule, not a site opinion.
This is the point most buyers get backward, and it’s the most expensive misunderstanding on this page. We read the rule and the Cyber AB’s Code of Professional Conduct v2.0, and the prohibition is broad: it applies to the C3PAO as an organization and to every member of its assessment team, and it covers preparation for any level. The Cyber AB’s own example is blunt — a consultant who helped you prep for a Level 1 self-assessment is blocked from your Level 2 certification team until the three-year window closes.
So here’s the trap. You hire one firm expecting them to “prepare you and certify you.” You get to Phase 1. They determine you’re not ready — and because they can’t provide remediation advice inside that engagement, you’ve paid for an assessment and gotten a written “not ready” instead of a roadmap.
Questions worth asking any C3PAO before you sign:
- Are you authorized in the Cyber AB Marketplace today — and can I see it?
- Do you provide readiness help, or assessment only?
- How do you handle the three-year consultant conflict?
- Who is the Lead CCA, and will they staff the engagement start to finish?
- What happens, specifically, if Phase 1 says we’re not ready?
The takeaway: a C3PAO may be exactly the right provider later and the wrong first hire today. If your SSP, scope, evidence, cloud responsibility, or remediation plan isn’t ready, readiness help comes first — and by rule, it has to be a separate provider. See our C3PAO directory for authorized assessors and our CMMC provider category guide for how to distinguish the different provider types.
Need readiness help, not an assessor yet?
Tell us your level, scope, environment, and timeline, and Find My CMMC Path will match you with source-checked provider options — keeping readiness and formal C3PAO assessment cleanly separated, the way the rule requires.
Find My CMMC Path →
What happens if you’re not ready, or you get NOT MET findings?
“Not ready” and “failed” are two different outcomes. If a C3PAO decides during Phase 1 that you’re not sufficiently prepared, the assessment is typically paused or rescheduled. If you proceed and receive NOT MET findings during Phase 2, what happens next depends on your score, which gaps you have, and whether you qualify for a POA&M. One is a gate before the real assessment; the other is a result inside it.
- Not ready (Phase 1): you’re not out, but you’re not proceeding yet. Fix the gaps with a readiness provider, then reschedule.
- NOT MET findings (Phase 2): each unmet requirement costs points. Whether you can still certify comes down to your total score and whether your remaining gaps are eligible for a POA&M — which is a narrow door, not a wide one.
This is where you want a plan before the assessment, not a scramble after it. Which brings us to the rules that catch the most people off guard.
How do POA&Ms, conditional status, and the 180-day clock actually work?
A POA&M is not a free pass for unfinished work. Under 32 CFR § 170.21, you can only reach a Conditional Level 2 status if your assessment score is at least 0.8 (88 of 110), and only certain low-value gaps are eligible. Eligible items must be closed and verified through a closeout assessment within 180 days of the Conditional CMMC Status Date, or the status expires. Level 1 allows no POA&M at all.
We read the rule and the scoring methodology directly. Here’s what it says, in order:
- The 88-point floor. Your score ÷ total Level 2 requirements must be ≥ 0.8 — a minimum of 88 out of 110 — before POA&M items are factored in. Below 88, no amount of POA&M paperwork changes your status. (§ 170.21(a)(2)(i).)
- Only 1-point gaps are eligible. Every requirement worth 3 or 5 points must be fully met at assessment. Only 1-point requirements can go on a POA&M. (§ 170.21(a)(2)(ii).)
- One narrow encryption exception. SC.L2-3.13.11 (CUI encryption) can go on a POA&M only if encryption is in place but not yet FIPS-validated (scored at 3 points instead of 5). If there’s no encryption at all, it’s a 5-point gap and it’s not deferrable. (§ 170.21(a)(2)(ii).)
- Six requirements are barred by name — even at 1 point. Under § 170.21(a)(2)(iii), these Level 2 requirements can never be placed on a POA&M:
  - AC.L2-3.1.20 — External Connections (CUI Data)
  - AC.L2-3.1.22 — Control Public Information (CUI Data)
  - CA.L2-3.12.4 — System Security Plan
  - PE.L2-3.10.3 — Escort Visitors (CUI Data)
  - PE.L2-3.10.4 — Physical Access Logs (CUI Data)
  - PE.L2-3.10.5 — Manage Physical Access (CUI Data)
- The 180-day wall. Close every POA&M item and pass a closeout assessment within 180 days of your Conditional Status Date, or the conditional status expires — and you start over. For a Level 2 certification assessment, the closeout must be performed by an authorized or accredited C3PAO. (§ 170.21(b).)
Note the standout on that list: CA.L2-3.12.4, the System Security Plan. You cannot defer your SSP. Walk in without a current one and you don’t get a low score — you get an incomplete assessment.
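The § 170.21 rules above, applied in order to a list of assessment findings so a readiness team can pressure-test its POA&M assumption before booking a date. This is an added example, not code from the rule, the CAP, or any scoring tool; the point values attached to the sample findings and the placeholder requirement IDs (`XX.L2-…`) are constructed for illustration, since the page lists point values only for SC.L2-3.13.11.

```python
"""Conditional-status and POA&M eligibility check under 32 CFR § 170.21 as described
on this page. Point values for requirements other than SC.L2-3.13.11 come from the
DoD scoring methodology and must be supplied by the caller; none are hard-coded here."""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_LEVEL2_REQUIREMENTS = 110
CONDITIONAL_FLOOR = 88          # 0.8 x 110: "a minimum of 88 out of 110"
CLOSEOUT_WINDOW_DAYS = 180      # § 170.21(b)

# § 170.21(a)(2)(iii): never POA&M-eligible, regardless of point value.
NEVER_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
CUI_ENCRYPTION = "SC.L2-3.13.11"   # the single partial-credit exception


@dataclass(frozen=True)
class Finding:
    req_id: str
    points: int                      # 1, 3 or 5 per the scoring methodology (caller-supplied)
    met: bool
    # Only meaningful for SC.L2-3.13.11: encryption deployed but not FIPS-validated.
    encryption_not_fips_validated: bool = False


def deduction(f: Finding) -> int:
    """Points lost for one finding. MET costs nothing; the encryption exception costs 3, not 5."""
    if f.met:
        return 0
    if f.req_id == CUI_ENCRYPTION and f.encryption_not_fips_validated:
        return 3
    return f.points


def poam_eligibility(f: Finding) -> tuple[bool, str]:
    """Apply the § 170.21(a)(2) eligibility rules in the order the page lists them."""
    if f.met:
        return False, "MET: nothing to defer"
    if f.req_id in NEVER_POAM:
        return False, "barred by name under § 170.21(a)(2)(iii)"
    if f.req_id == CUI_ENCRYPTION:
        if f.encryption_not_fips_validated:
            return True, "encryption in place but not FIPS-validated (3-point deduction)"
        return False, "no CUI encryption: 5-point gap, not deferrable"
    if f.points == 1:
        return True, "1-point requirement"
    return False, f"{f.points}-point requirement must be fully met at assessment"


def evaluate(findings: list[Finding]) -> dict:
    """Score the assessment and decide Final / Conditional / no status.
    MET requirements may be omitted from `findings`; they deduct nothing."""
    score = TOTAL_LEVEL2_REQUIREMENTS - sum(deduction(f) for f in findings)
    not_met = [f for f in findings if not f.met]
    deferrable, blocking = [], []
    for f in not_met:
        ok, why = poam_eligibility(f)
        (deferrable if ok else blocking).append((f.req_id, why))
    if not not_met:
        outcome = "Final Level 2 (C3PAO)"
    elif score >= CONDITIONAL_FLOOR and not blocking:
        outcome = "Conditional Level 2 (C3PAO)"   # every gap must close within 180 days
    else:
        outcome = "No Level 2 status"
    return {"score": score, "outcome": outcome,
            "deferrable": deferrable, "blocking": blocking}


def closeout_deadline(conditional_status_date_iso: str) -> str:
    """Last day to pass the closeout assessment, given the Conditional Status Date (ISO 8601)."""
    start = date.fromisoformat(conditional_status_date_iso)
    return (start + timedelta(days=CLOSEOUT_WINDOW_DAYS)).isoformat()


if __name__ == "__main__":
    # Constructed sample: one 1-point gap, plus encryption in place but not FIPS-validated.
    sample = [
        Finding("XX.L2-example-1pt", 1, met=False),
        Finding(CUI_ENCRYPTION, 5, met=False, encryption_not_fips_validated=True),
    ]
    print(evaluate(sample))
    print("closeout by", closeout_deadline("2026-01-01"))
```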
Reality check on the POA&M myths
| What people assume | What the rule says |
|---|---|
| “We can POA&M anything.” | No — only eligible 1-point gaps, and only above an 88. |
| “Conditional means we’re certified enough.” | No — it has a hard 180-day expiration. |
| “The C3PAO will tell us how to fix it.” | Not in the same engagement, without conflict-of-interest problems. |
| “A POA&M is just paperwork.” | No — closeout requires real remediation and a verification assessment. |
Decide your POA&M posture before the assessment. Walking in assuming you’ll POA&M your way past a weak program is how conditional status turns into a lost certification 180 days later.
Counting on a POA&M?
Pressure-test that assumption first. Find My CMMC Path helps you map your gaps to the right readiness category before you commit to an assessment date.
Find My CMMC Path →
How do eMASS, SPRS, the CMMC UID, and affirmations connect?
For a Level 2 C3PAO assessment, the C3PAO submits results into the CMMC instantiation of eMASS, which electronically transfers your status to SPRS. (For Level 1 and Level 2 self-assessments, you upload directly into SPRS.) DFARS 252.204-7021 then ties your current CMMC status and an annual affirmation to your eligibility to hold the contract. The most common error here is confusing an old NIST self-assessment score in SPRS with a current CMMC status — they are not the same thing.
- CMMC eMASS is where the C3PAO uploads your certification assessment results.
- SPRS reflects your status, score, and affirmation for contracting officers to check.
- CMMC UID is the 10-character identifier assigned to each CMMC assessment. Under DFARS 252.204-7025, offerors provide the applicable CMMC UID(s) in the proposal.
- Annual affirmation is a senior official’s yearly attestation, in SPRS, that you remain in compliance.
Treat that affirmation as the legal statement it is. If your status expires, or your environment no longer matches what you affirmed, 32 CFR Part 170 provides for standard contractual remedies and ineligibility for further awards at that level. And because a knowingly false affirmation or SPRS score can carry False Claims Act exposure — an area the Department of Justice has actively pursued through its Civil Cyber-Fraud Initiative — affirm only what you can defend, and confirm your specific exposure with qualified counsel. A cloud migration, a personnel departure, or a configuration change since your last assessment can quietly put your real posture out of step with what SPRS shows.
Why the CAP matters right now: the Phase 2 clock and the assessor bottleneck
CMMC is enforceable. Phase 1 has been live since November 10, 2025 (running through November 9, 2026), focused primarily on Level 1 and Level 2 self-assessments, with C3PAO Level 2 at DoD’s discretion. Phase 2 begins November 10, 2026. That timeline, combined with a thin assessor pool, is why “we’ll deal with it later” is a losing plan.
The DFARS final rule that made CMMC enforceable was published September 10, 2025, and took effect 60 days later, on November 10, 2025, launching the four-phase, three-year rollout described in 32 CFR § 170.3(e). The 32 CFR Part 170 program rule itself has been in effect since December 16, 2024. Under § 170.3(e), in Phase 2 DoD intends to include Level 2 (C3PAO) certification requirements in applicable solicitations and contracts as a condition of award — though it retains discretion, in some cases, to defer inclusion to an option period rather than at award. See our CMMC Phase 2 deadline guide for the contract-level details.
The scarcity that’s real, and verified against the primary source: the March 2026 GAO report on CMMC (GAO-26-107955) found that, as of December 2025, the Cyber AB had authorized just 92 C3PAOs— and warned that DoD hasn’t documented how it will handle the risk if that private-sector assessor capacity can’t meet demand. Ninety-two authorized assessors is a small pool against the tens of thousands of contractors DoD expects will ultimately need a Level 2 assessment.
Two things follow from this. First, verify a C3PAO’s authorization status yourself, directly in the Cyber AB Marketplace — the official registry of authorized and accredited C3PAOs — on the day you engage, because authorization can change between the engagement letter and the assessment date. Second, the constraint isn’t only your readiness; it’s queue availability. Preparation can’t wait for the requirement to land in your solicitation.
Who should you hire before a CMMC CAP assessment?
Hire based on the decision in front of you, not the acronym you searched. If your scope, SSP, and evidence are genuinely assessment-ready, you need an authorized C3PAO. If any of those are unsettled — which is the norm — you likely need an RPO/RP, an MSSP or CMMC-focused MSP, a GRC platform, a CUI enclave, or federal-contracts counsel first, and by rule, separately from your eventual assessor. The wrong first hire can cost you months.
The CMMC Path Framework maps your required level, FCI/CUI handling, assessment type, environment, and timeline to the provider category you need — routing to a category, never a specific named provider, and never a score, ranking, or compliance advice.
| Your situation | The signal that tells you this fits | Provider category to consider first |
|---|---|---|
| Level 2 (C3PAO) required, scope + evidence ready | You can produce evidence for every objective today | C3PAO |
| Unsure whether the CAP even applies | You can’t say for certain what your contract requires | RP/RPO or the neutral path tool |
| SSP incomplete or inconsistent | Your SSP is a template, or doesn’t match reality | RPO / documentation specialist / GRC platform |
| Evidence scattered across tickets, logs, screenshots | You have controls but can’t quickly prove them | GRC platform / readiness provider |
| CUI boundary is messy | You’re not sure which assets are in scope | RPO / CUI enclave / MSSP |
| Cloud/ESP responsibility unclear | No Customer Responsibility Matrix, unclear FedRAMP status | Cloud enclave implementer / MSSP |
| Security operations gaps | Controls exist on paper but don’t run day to day | MSSP / MSP |
| Contract or clause interpretation unclear | You can’t confidently read the DFARS requirement | Qualified federal-contracts attorney |
Choose the right path before you hire
Tell us your required level, CUI scope, assessment type, environment, and timeline, and Find My CMMC Path will map your situation to the right provider category — and, when it helps, source-checked provider options.
Find My CMMC Path →
What the CAP means for different kinds of contractors
The CAP is the same process for everyone, but the pain points differ sharply by contractor type. Find your failure point fast.
Small subcontractor or machine shop
Small contractors rarely fail because they’re careless. They fail because one person owns IT, compliance, evidence, contracts, and vendors at once. Your CAP risk is almost always scope definition, an SSP that matches reality, physical-access evidence (visitor logs, badge control, media storage), and who can credibly answer an assessor’s interview questions.
Software or SaaS company
Watch your CUI data flow, development-environment boundaries, and cloud responsibility. If your product or infrastructure touches CUI, the CSP must meet the FedRAMP Moderate (or equivalent) bar and your CRM must document who owns which controls. The CAP won’t decide your scope for you — it will expose a weak scoping assumption the moment an assessor tests it.
Prime contractor
Think past your own assessment. Under DFARS 252.204-7021, you must maintain current CMMC status and flow the correct CMMC level down to subcontractors that handle FCI or CUI — and a sub’s required level follows the information it handles, not automatically your level. Map your supply chain before it maps you. See our prime contractor CMMC guide.
MSP or MSSP serving DIB clients
If your services process, store, transmit, or protect a client’s CUI or security functions, you may sit inside their assessment scope. Under the CAP and 32 CFR scoping, provider responsibility is a buyer’s issue, not a vendor talking point — which is exactly why the Customer Responsibility Matrix matters.
What we actually verified for this guide
We build this page the way The Defense Compliance Report builds every page — primary sources first, dated, with the limits stated plainly.
What we verified (as of July 2026):
- CAP version and scope — CAP v2.0, published December 16, 2024, applies to Level 2 C3PAO certification assessments (Cyber AB).
- The four-phase structure and roles — CAP v2.0, cross-referenced against 32 CFR Part 170.
- POA&M eligibility, the six named exclusions, scoring, conditional status, and the 180-day rule — read directly in 32 CFR § 170.21.
- Six-year artifact retention and hashing — 32 CFR § 170.17(c)(4).
- The three-year consultant conflict-of-interest rule — 32 CFR § 170.8(b)(17)(ii)(G) and the Cyber AB Code of Professional Conduct v2.0.
- Level 2 control set — NIST SP 800-171 Rev. 2 (110 requirements, 14 families), assessed via NIST SP 800-171A.
- Enforcement timeline — DFARS final rule effective November 10, 2025; Phase 2 begins November 10, 2026 (32 CFR § 170.3(e)).
- Assessor capacity — 92 authorized C3PAOs as of December 2025 (GAO-26-107955).
What we did not do: we did not scope your environment, read your specific contract, or verify any individual provider’s current status for you. Those require the Cyber AB Marketplace (for status), a CMMC Registered Practitioner (RP/RPO), or a qualified federal-contracts attorney.
Read our Editorial Standards, CMMC Source Methodology, and Corrections Policy.
CMMC CAP FAQ
What does CMMC CAP stand for?
CMMC CAP stands for the CMMC Assessment Process. CAP v2.0 is the Cyber AB’s procedural guide for C3PAOs conducting CMMC Level 2 certification assessments. It was published December 16, 2024.
Is the CMMC CAP mandatory?
Yes, for assessors. Adherence to the CAP is required for C3PAOs and their CMMC Certified Assessors during Level 2 certification assessments. For contractors, the CAP governs how your assessment is run, but your security requirements and contract obligations come from 32 CFR Part 170, NIST SP 800-171 Rev. 2, and DFARS clauses.
Does the CMMC CAP apply to Level 1?
No. The CAP applies only to Level 2 C3PAO certification assessments. Level 1 (FCI only) uses an annual self-assessment and affirmation under the CMMC program rule.
Does the CMMC CAP apply to Level 2 self-assessments?
Not as a formal process. The CAP is written for Level 2 certification assessments conducted by C3PAOs. Contractors on the Level 2 self-assessment path follow the DoD Assessment Methodology and post to SPRS, though the CAP’s evidence discipline is still worth borrowing.
Does the CMMC CAP use NIST SP 800-171 Rev. 2 or Rev. 3?
Rev. 2. For CMMC Level 2 under 32 CFR Part 170, the 110 security requirements are identical to NIST SP 800-171 Rev. 2. NIST has published Rev. 3 generally, but the CMMC rule still incorporates Rev. 2 unless DoD amends the rule.
Can a C3PAO help us prepare and then assess us?
No, not for the same engagement. Under 32 CFR § 170.8(b)(17)(ii)(G), an ecosystem member cannot participate in your Level 2 certification assessment if it consulted to prepare your organization for any CMMC assessment within the prior three years. Keep readiness and formal assessment separate.
What happens if we’re not ready in CAP Phase 1?
If the C3PAO determines you’re not sufficiently prepared, the assessment is typically paused or rescheduled, and the assessor cannot provide remediation advice inside that engagement. That’s why readiness work should happen before the formal assessment.
Where do Level 2 C3PAO assessment results go — eMASS or SPRS?
Both. The C3PAO submits certification results into the CMMC instantiation of eMASS, which transfers your status to SPRS. For Level 1 and Level 2 self-assessments, you upload directly into SPRS. You must also maintain an annual affirmation there.
How long do we have to close a CMMC POA&M?
For a Conditional Level 2 status, 32 CFR § 170.21 requires remediation and a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. Miss that window and the conditional status expires.
Which requirements can’t go on a POA&M?
Only 1-point requirements are eligible, and six are barred by name under 32 CFR § 170.21(a)(2)(iii): AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. All 3-point and 5-point requirements must be fully met, with a narrow exception for CUI encryption (SC.L2-3.13.11) when encryption is used but not yet FIPS-validated.
Does the Cyber AB or DoD recommend which C3PAO to use?
No. Cyber AB, CAICO, and DoD personnel do not recommend C3PAOs or facilitate introductions. Verify a C3PAO’s authorization status directly in the Cyber AB Marketplace.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →