The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC CAP: What the Assessment Process Means for Level 2

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.

Educational research, not legal, contractual, cybersecurity, or compliance advice. The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

CMMC CAP stands for the CMMC Assessment Process. CAP v2.0 is the Cyber AB’s procedural guide for how a C3PAO (Certified Third-Party Assessment Organization) conducts a CMMC Level 2 certification assessment. It applies only to Level 2 C3PAO assessments — not Level 1, not Level 2 self-assessments, and not the government-led Level 3. It is not the control list, not a credential, and not legal advice. It’s the rulebook your assessor follows so two different assessors reach the same verdict about the same company.

That last distinction is where the confusion — and most of the wasted money — lives. So before you read a procedural manual written for auditors, or worse, hire the wrong kind of help, let us translate the CAP into the decisions you actually have to make.

Which reason brought you here?

The word “CAP” pulls in five different readers. Find yourself first — the rest of this page assumes you know which one you are.

| You searched “cmmc cap” because… | Bottom line | Your next move |
|---|---|---|
| A C3PAO quote or assessment conversation referenced it | You’re almost certainly on the Level 2 (C3PAO) certification path | Lock down scope, SSP, and evidence before you schedule |
| You only handle FCI (Level 1) | The CAP is not your process | Use a Level 1 self-assessment checklist instead |
| You’re on the Level 2 self-assessment path | The CAP isn’t your formal process, but its evidence discipline still helps | Follow the DoD self-assessment + SPRS path |
| You’re on the Level 2 C3PAO path | The CAP is central to your next 6–18 months | Prepare for the four phases below |
| You’re at Level 3 | The CAP is not the Level 3 process (that’s DIBCAC) | Confirm your Level 2 prerequisite first |

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

Here’s our one honest warning up front: the CAP was not written for you. It’s the procedural guide C3PAOs must follow, written in assessor language, and it explicitly does not replace 32 CFR Part 170, NIST, DFARS, or DoD guidance. It tells your assessor how to grade you. It will not tell you how to get ready. That gap is exactly why this page exists — and why, for most contractors, the smartest first dollar goes to readiness, not to booking an assessment you’re not prepared to pass.

We read the CAP v2.0, and we read the regulation behind it line by line — 32 CFR Part 170, section by section — to confirm every rule below. Let’s get you oriented.

What is the CMMC CAP?

The CMMC CAP (CMMC Assessment Process) is the procedural playbook, published and maintained by the Cyber AB and approved by the CMMC Program Management Office, that governs how a C3PAO conducts a CMMC Level 2 certification assessment. Adherence is mandatory for C3PAOs and their CMMC Certified Assessors (CCAs) — it’s a built-in condition of C3PAO accreditation. It defines the activities, roles, and sequence of a Level 2 assessment so results stay consistent across different assessors.

The current version is CAP v2.0, published December 16, 2024 — the same day the CMMC program reached its major rulemaking milestone. The earlier v1.0 was a 2022 pre-decisional draft and is obsolete. If a guide still calls v1.0 “current,” it’s out of date — and several of the top results for this term still are.

A few quick clarifications, because the acronym gets tangled:

Where to find the official CMMC CAP PDF

The official CMMC Assessment Process v2.0 is published by the Cyber AB on its website. Use the Cyber AB as the source for the current document, then use this page to translate that assessor-facing procedure into contractor-side readiness decisions. Reading the CAP cover to cover won’t answer your real question — what do I need in hand before an assessor shows up? — which is what the rest of this guide is for.

Does the CMMC CAP apply to my company?

The CAP applies if your contract requires a CMMC Level 2 certification assessment performed by a C3PAO. It does not govern Level 1 self-assessments, it is not the process for Level 2 self-assessments, and it is not the process for Level 3, which is assessed by the government’s DCMA DIBCAC (Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center). Your required level is set by the contract clause and the type of information you handle — not by a checklist.

Here’s the level-by-level reality:

Federal Contract Information (FCI) is nonpublic information generated for or provided by the government under a contract. Controlled Unclassified Information (CUI) is information the government requires to be safeguarded under law, regulation, or government-wide policy. Which one flows through your systems is the single biggest factor in whether the CAP applies to you at all. See our FCI vs. CUI guide for a plain-English breakdown.

A 60-second self-check

If you answer “no” or “not sure” to any of these, you’re not yet at the “book a C3PAO” stage — you’re at the readiness stage:


CMMC CAP vs. 32 CFR Part 170 vs. NIST vs. DFARS: what actually controls what?

The CAP tells a C3PAO how to run a Level 2 certification assessment. It does not set the rules, define the controls, or put CMMC into your contract — three separate authorities do that. Treating the CAP as a substitute for the regulation, the control set, or the clause is the mistake that sends contractors down the wrong path.

This is the table we wish had existed when we started. Each row is a different document people constantly blur together.

| Document / system | What it actually does | Why it matters to you |
|---|---|---|
| CMMC CAP v2.0 | The Cyber AB’s procedure for Level 2 C3PAO certification assessments | Shows how your assessment will be run, phase by phase |
| 32 CFR Part 170 (CMMC Program Rule) | Establishes the program: levels, scoring, POA&M rules, affirmations, scoping | The binding rules — POA&M eligibility, conditional status, and the 180-day clock all live here. See our 32 CFR Part 170 guide. |
| NIST SP 800-171 Rev. 2 | The 110 Level 2 security requirements, across 14 control families | Your actual to-do list of controls under the current rule |
| NIST SP 800-171A | The assessment methodology (examine, interview, test) — 320 assessment objectives | How each requirement is judged MET / NOT MET |
| DFARS 252.204-7021 | The contract clause requiring current CMMC status | Ties your CMMC status and annual affirmation to contract eligibility |
| CMMC eMASS | The government system where a C3PAO uploads certification results | Where your assessment record officially lands |
| SPRS (Supplier Performance Risk System) | Reflects your status, score, and affirmation | What contracting officers check before award |

One accuracy point that trips up even good guides: for CMMC Level 2, the controlling control set is NIST SP 800-171 Rev. 2, not Rev. 3. NIST has published Rev. 3 as a general update, but 32 CFR Part 170 still incorporates Rev. 2 for CMMC Level 2 unless and until DoD amends the CMMC rule. Any page that treats Rev. 3 as your CMMC control set is handing you the wrong requirements — and that’s a mistake measured in real remediation dollars.

What are the four phases of the CMMC CAP?

A Level 2 C3PAO certification assessment runs through preliminary proceedings and then four phases: Phase 1, plan and prepare the pre-assessment; Phase 2, assess conformity to the security requirements; Phase 3, complete and report the results; and Phase 4, issue the certificate and close out any POA&M. Before Phase 1, the C3PAO and the Organization Seeking Certification (OSC) handle entity confirmation, scope framing, conflict-of-interest screening, and the contract. Most problems are cheapest to catch in those preliminary steps and in Phase 1.

Here’s the map we built — not just what happens, but what you need in hand at each stage, the governing source, and where companies most often stall.

| Stage | What the C3PAO does | What you must have ready | Source | Where it goes wrong |
|---|---|---|---|---|
| Preliminary proceedings | Confirm legal entity + CAGE code, frame scope, screen for conflicts of interest, sign the contract under the Code of Professional Conduct | Correct legal entity, CAGE code, a defensible proposed scope, a readiness provider that is not your assessor | CAP v2.0; § 170.9 | Engaging the firm that prepped you as your assessor without a conflict-of-interest review |
| Phase 1 — Plan & Prepare | Review your SSP, validate scope, check cloud/ESP documentation, complete the Pre-Assessment Form, determine readiness | A complete, accurate SSP; finalized scope + asset inventory; a Customer Responsibility Matrix for any cloud in scope; organized evidence | CAP v2.0; § 170.19 (scoping) | Missing or placeholder SSP; scope still unsettled |
| Phase 2 — Assess Conformity | Examine, interview, and test each requirement against the NIST SP 800-171A objectives; score MET / NOT MET using sampling | People available for interviews; live evidence for each objective; systems accessible | CAP v2.0; NIST SP 800-171A | Evidence that doesn’t match what the SSP claims |
| Phase 3 — Report Results | Compile scores, run an independent QA review (by a CCA not on the team), upload to CMMC eMASS, handle appeals | Nothing to submit — stay reachable for clarifications | CAP v2.0; § 170.17 | Assessor-side; you mostly wait |
| Phase 4 — Issue Certificate / Close-Out POA&M | Issue a Final or Conditional Certificate of CMMC Status; verify POA&M closeout | If Conditional: a credible plan to close every POA&M item and pass a closeout assessment within 180 days | § 170.21 | Missing the 180-day window → status expires |

Different providers paraphrase the phase names slightly, but the activities are what matter, and they’re consistent. The single biggest lever across all four? Get your SSP and scope right. Almost every stall we’ve seen traces back to one of those two. See our CMMC Level 2 assessment preparation guide for a deeper breakdown of the 88-point pass gate.

CMMC CAP checklist: what to have ready before Phase 1

Before Phase 1, an OSC should have its legal entity and CAGE code, its finalized CMMC Assessment Scope, a complete SSP, an asset inventory and network diagram, an evidence library mapped to the assessment objectives, documentation for any External Service Providers (ESPs) and Cloud Service Providers (CSPs), and interview-ready personnel. Phase 1 is not a friendly kickoff — it’s the gate where a C3PAO decides whether you’re prepared enough to proceed at all.

Treat this as your pre-assessment punch list:

That “template SSP” line isn’t hypothetical. Assessors read your SSP against your real environment, and a generic downloaded document with placeholders is an instant red flag. This is exactly the kind of gap a good readiness engagement closes long before an assessor opens your file.

Turn this into an internal checklist

Grab our CMMC Level 2 Readiness Checklist, mapped to the 14 control families, and assign owners for SSP, scope, evidence, and ESP/CSP tasks before you pay for an assessment date. It’s a free deliverable, not a sales call.

Get the Readiness Checklist →

What evidence will a C3PAO look for under the CAP?

A C3PAO is not looking for policies on a shelf. Under Phase 2 and the NIST SP 800-171A methodology, assessors evaluate implementation through three methods — examine, interview, and test — and score each requirement MET or NOT MET. The question is never “do we have a document?” It’s “can we prove this control is implemented, operating, and doing what it’s supposed to?”

What each method looks like in practice:

| Evidence type | Examples | The common mistake |
|---|---|---|
| Governance | SSP, policies, procedures, POA&M, risk assessments | Policy says one thing; the environment does another |
| Technical | MFA config, audit logs, vulnerability scans, encryption settings | Screenshots are stale or not tied to the assessed scope |
| Operational | Training records, incident response tests, access reviews | The process exists, but there’s no proof it happened |
| Physical | Visitor logs, badge controls, media storage | Cloud-first teams skip the physical-access discussion |
| ESP/CSP | Customer Responsibility Matrix, shared-responsibility docs, cloud authorization evidence | Assuming the provider’s compliance covers your responsibility |

Two specifics confirmed in the regulation that most contractors don’t budget for. First, under 32 CFR § 170.17(c)(4), the OSC must hash the artifacts used as evidence with a NIST-approved algorithm and retain them for six years from the CMMC Status Date — and hand the C3PAO the artifact names, hash values, and algorithm for upload into eMASS. Second, there’s a narrow safety valve: under § 170.17(c)(2), a NOT MET requirement can be re-evaluated during the active assessment and for up to 10 business days after — but only before the findings report is delivered, only if you have new evidence, and only if it doesn’t undercut something already scored MET.
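The artifact-hashing duty above is the one part of the evidence process a contractor can automate cleanly. The script below is an added example written for this page; it is not code from The Defense Compliance Report, the Cyber AB, or eMASS. It builds the name / algorithm / hash manifest the C3PAO needs, re-verifies retained artifacts later (so you can prove nothing changed during the six-year retention window), and computes the retention end date. The manifest field names, the helper functions, and the three sample artifacts are this example’s own assumptions; eMASS does not prescribe a manifest layout.

```python
"""Evidence-artifact hash manifest for a CMMC Level 2 assessment.

Added example, not code from The Defense Compliance Report or the Cyber AB.
32 CFR § 170.17(c)(4) requires the OSC to hash evidence artifacts with a
NIST-approved algorithm, retain them for six years from the CMMC Status Date,
and give the C3PAO the artifact names, hash values and algorithm. The manifest
layout, field names and helper functions here are this example's own
assumptions; eMASS does not prescribe them.
"""
import hashlib
import hmac
from datetime import date

# SHA-2 family members are NIST-approved (FIPS 180-4); MD5 and SHA-1 are not
# acceptable for this purpose, so the helper refuses anything else.
APPROVED_ALGORITHMS = {"sha256", "sha384", "sha512"}

# Constructed sample artifacts. In a real engagement these are files on disk,
# read in binary mode; the bytes below exist only so the example runs offline.
SAMPLE_ARTIFACTS = {
    "ssp-v3.2.pdf": b"%PDF-1.7 System Security Plan (constructed sample bytes)",
    "mfa-policy-export.json": b'{"mfa_required": true, "scope": "all CUI users"}',
    "audit-log-2026-06.txt": b"2026-06-01T08:00:00Z user=alice action=login result=ok\n",
}


def hash_artifact(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of one artifact using a NIST-approved algorithm."""
    if algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not an approved hash for evidence retention")
    return hashlib.new(algorithm, data).hexdigest()


def build_manifest(artifacts: dict, algorithm: str = "sha256") -> list:
    """Produce the name / algorithm / hash / size records handed to the C3PAO."""
    return [
        {"name": name, "algorithm": algorithm,
         "hash": hash_artifact(data, algorithm), "size": len(data)}
        for name, data in sorted(artifacts.items())
    ]


def verify_manifest(manifest: list, artifacts: dict) -> list:
    """Re-hash retained artifacts; return the names that are missing or altered."""
    mismatched = []
    for rec in manifest:
        data = artifacts.get(rec["name"])
        if data is None:
            mismatched.append(rec["name"])
            continue
        current = hash_artifact(data, rec["algorithm"])
        # Constant-time comparison, the same habit as for any other digest check.
        if not hmac.compare_digest(current, rec["hash"]):
            mismatched.append(rec["name"])
    return mismatched


def retention_end(status_date: date) -> date:
    """Six years from the CMMC Status Date (the § 170.17(c)(4) retention floor)."""
    try:
        return status_date.replace(year=status_date.year + 6)
    except ValueError:
        # Feb 29 has no counterpart six years on; fall back to Feb 28.
        return status_date.replace(year=status_date.year + 6, day=28)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS)
    for rec in manifest:
        print(f"{rec['name']:26} {rec['algorithm']} {rec['hash']}")
    print("retain through", retention_end(date(2026, 3, 15)))
    print("unchanged:", verify_manifest(manifest, SAMPLE_ARTIFACTS) == [])
```

Keep the manifest itself under version control or in write-once storage alongside the artifacts: a hash list that can be quietly edited proves nothing when the closeout or a later inquiry asks whether the evidence is still what the assessor saw.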

Here’s the pattern we keep seeing: teams walk in confident and get stopped by evidence, not controls. The rule is unforgiving on this — Phase 1 exists specifically to catch unready organizations, and § 170.21 tightly limits which gaps you can defer. Confidence is not evidence. The assessor cares about the file, not the folder.

How do scope, CUI assets, ESPs, and cloud providers change the CAP?

Scope is one of the biggest CAP risk points because the Level 2 assessment is performed against your defined CMMC Assessment Scope. How you categorize your assets — and your ESP and cloud responsibilities — changes what evidence you need and what the assessor evaluates. Late scope changes are where cost, timeline, and readiness quietly blow up.

The moving parts to settle before, not during, an assessment:

Get this wrong and you don’t just risk a finding; you can watch your cost and timeline change mid-stream because assets you treated as out-of-scope turn out to be in it.

What can a C3PAO not do for you under the CAP?

A C3PAO can assess you, but it cannot also be your readiness consultant for the same engagement. Under 32 CFR § 170.8(b)(17)(ii)(G), a CMMC ecosystem member is prohibited from participating in your Level 2 certification assessment if it served as a consultant to prepare your organization for any CMMC assessment within the prior three years. The firm that gets you ready and the firm that certifies you have to be different — and that’s federal rule, not a site opinion.

This is the point most buyers get backward, and it’s the most expensive misunderstanding on this page. We read the rule and the Cyber AB’s Code of Professional Conduct v2.0, and the prohibition is broad: it applies to the C3PAO as an organization and to every member of its assessment team, and it covers preparation for any level. The Cyber AB’s own example is blunt — a consultant who helped you prep for a Level 1 self-assessment is blocked from your Level 2 certification team until the three-year window closes.

So here’s the trap. You hire one firm expecting them to “prepare you and certify you.” You get to Phase 1. They determine you’re not ready — and because they can’t provide remediation advice inside that engagement, you’ve paid for an assessment and gotten a written “not ready” instead of a roadmap.

Questions worth asking any C3PAO before you sign:

The takeaway: a C3PAO may be exactly the right provider later and the wrong first hire today. If your SSP, scope, evidence, cloud responsibility, or remediation plan isn’t ready, readiness help comes first — and by rule, it has to be a separate provider. See our C3PAO directory for authorized assessors and our CMMC provider category guide for how to distinguish the different provider types.


What happens if you’re not ready, or you get NOT MET findings?

“Not ready” and “failed” are two different outcomes. If a C3PAO decides during Phase 1 that you’re not sufficiently prepared, the assessment is typically paused or rescheduled. If you proceed and receive NOT MET findings during Phase 2, what happens next depends on your score, which gaps you have, and whether you qualify for a POA&M. One is a gate before the real assessment; the other is a result inside it.

This is where you want a plan before the assessment, not a scramble after it. Which brings us to the rules that catch the most people off guard.

How do POA&Ms, conditional status, and the 180-day clock actually work?

A POA&M is not a free pass for unfinished work. Under 32 CFR § 170.21, you can only reach a Conditional Level 2 status if your assessment score is at least 0.8 (88 of 110), and only certain low-value gaps are eligible. Eligible items must be closed and verified through a closeout assessment within 180 days of the Conditional CMMC Status Date, or the status expires. Level 1 allows no POA&M at all.

We read the rule and the scoring methodology directly. Here’s what it says, in order:

Note the standout on that list: CA.L2-3.12.4, the System Security Plan. You cannot defer your SSP. Walk in without a current one and you don’t get a low score — you get an incomplete assessment.

Reality check on the POA&M myths

| What people assume | What the rule says |
|---|---|
| “We can POA&M anything.” | No — only eligible 1-point gaps, and only above an 88. |
| “Conditional means we’re certified enough.” | No — it has a hard 180-day expiration. |
| “The C3PAO will tell us how to fix it.” | Not in the same engagement, without conflict-of-interest problems. |
| “A POA&M is just paperwork.” | No — closeout requires real remediation and a verification assessment. |

Decide your POA&M posture before the assessment. Walking in assuming you’ll POA&M your way past a weak program is how conditional status turns into a lost certification 180 days later.


How do eMASS, SPRS, the CMMC UID, and affirmations connect?

For a Level 2 C3PAO assessment, the C3PAO submits results into the CMMC instantiation of eMASS, which electronically transfers your status to SPRS. (For Level 1 and Level 2 self-assessments, you upload directly into SPRS.) DFARS 252.204-7021 then ties your current CMMC status and an annual affirmation to your eligibility to hold the contract. The most common error here is confusing an old NIST self-assessment score in SPRS with a current CMMC status — they are not the same thing.

Treat that affirmation as the legal statement it is. If your status expires, or your environment no longer matches what you affirmed, 32 CFR Part 170 provides for standard contractual remedies and ineligibility for further awards at that level. And because a knowingly false affirmation or SPRS score can carry False Claims Act exposure — an area the Department of Justice has actively pursued through its Civil Cyber-Fraud Initiative — affirm only what you can defend, and confirm your specific exposure with qualified counsel. A cloud migration, a personnel departure, or a configuration change since your last assessment can quietly put your real posture out of step with what SPRS shows.

Why the CAP matters right now: the Phase 2 clock and the assessor bottleneck

CMMC is enforceable. Phase 1 has been live since November 10, 2025 (running through November 9, 2026), focused primarily on Level 1 and Level 2 self-assessments, with C3PAO Level 2 at DoD’s discretion. Phase 2 begins November 10, 2026. That timeline, combined with a thin assessor pool, is why “we’ll deal with it later” is a losing plan.

The DFARS final rule that made CMMC enforceable was published September 10, 2025, and took effect 60 days later, on November 10, 2025, launching the four-phase, three-year rollout described in 32 CFR § 170.3(e). The 32 CFR Part 170 program rule itself has been in effect since December 16, 2024. Under § 170.3(e), in Phase 2 DoD intends to include Level 2 (C3PAO) certification requirements in applicable solicitations and contracts as a condition of award — though it retains discretion, in some cases, to defer inclusion to an option period rather than at award. See our CMMC Phase 2 deadline guide for the contract-level details.

The scarcity that’s real, and verified against the primary source: the March 2026 GAO report on CMMC (GAO-26-107955) found that, as of December 2025, the Cyber AB had authorized just 92 C3PAOs — and warned that DoD hasn’t documented how it will handle the risk if that private-sector assessor capacity can’t meet demand. Ninety-two authorized assessors is a small pool against the tens of thousands of contractors DoD expects will ultimately need a Level 2 assessment.

Two things follow from this. First, verify a C3PAO’s authorization status yourself, directly in the Cyber AB Marketplace — the official registry of authorized and accredited C3PAOs — on the day you engage, because authorization can change between the engagement letter and the assessment date. Second, the constraint isn’t only your readiness; it’s queue availability. Preparation can’t wait for the requirement to land in your solicitation.

Who should you hire before a CMMC CAP assessment?

Hire based on the decision in front of you, not the acronym you searched. If your scope, SSP, and evidence are genuinely assessment-ready, you need an authorized C3PAO. If any of those are unsettled — which is the norm — you likely need an RPO/RP, an MSSP or CMMC-focused MSP, a GRC platform, a CUI enclave, or federal-contracts counsel first, and by rule, separately from your eventual assessor. The wrong first hire can cost you months.

The CMMC Path Framework maps your required level, FCI/CUI handling, assessment type, environment, and timeline to the provider category you need — routing to a category, never a specific named provider, and never a score, ranking, or compliance advice.

| Your situation | The signal that tells you this fits | Provider category to consider first |
|---|---|---|
| Level 2 (C3PAO) required, scope + evidence ready | You can produce evidence for every objective today | C3PAO |
| Unsure whether the CAP even applies | You can’t say for certain what your contract requires | RP/RPO or the neutral path tool |
| SSP incomplete or inconsistent | Your SSP is a template, or doesn’t match reality | RPO / documentation specialist / GRC platform |
| Evidence scattered across tickets, logs, screenshots | You have controls but can’t quickly prove them | GRC platform / readiness provider |
| CUI boundary is messy | You’re not sure which assets are in scope | RPO / CUI enclave / MSSP |
| Cloud/ESP responsibility unclear | No Customer Responsibility Matrix, unclear FedRAMP status | Cloud enclave implementer / MSSP |
| Security operations gaps | Controls exist on paper but don’t run day to day | MSSP / MSP |
| Contract or clause interpretation unclear | You can’t confidently read the DFARS requirement | Qualified federal-contracts attorney |

We route to categories, not named providers. When a provider claims certifications, market leadership, or customer outcomes, treat it as company-stated and confirm it independently — starting with the Cyber AB Marketplace for anything status-related.


What the CAP means for different kinds of contractors

The CAP is the same process for everyone, but the pain points differ sharply by contractor type. Find your failure point fast.

Small subcontractor or machine shop

Small contractors rarely fail because they’re careless. They fail because one person owns IT, compliance, evidence, contracts, and vendors at once. Your CAP risk is almost always scope definition, an SSP that matches reality, physical-access evidence (visitor logs, badge control, media storage), and who can credibly answer an assessor’s interview questions.

Software or SaaS company

Watch your CUI data flow, development-environment boundaries, and cloud responsibility. If your product or infrastructure touches CUI, the CSP must meet the FedRAMP Moderate (or equivalent) bar and your CRM must document who owns which controls. The CAP won’t decide your scope for you — it will expose a weak scoping assumption the moment an assessor tests it.

Prime contractor

Think past your own assessment. Under DFARS 252.204-7021, you must maintain current CMMC status and flow the correct CMMC level down to subcontractors that handle FCI or CUI — and a sub’s required level follows the information it handles, not automatically your level. Map your supply chain before it maps you. See our prime contractor CMMC guide.

MSP or MSSP serving DIB clients

If your services process, store, transmit, or protect a client’s CUI or security functions, you may sit inside their assessment scope. Under the CAP and 32 CFR scoping, provider responsibility is a buyer’s issue, not a vendor talking point — which is exactly why the Customer Responsibility Matrix matters.

What we actually verified for this guide

We build this page the way The Defense Compliance Report builds every page — primary sources first, dated, with the limits stated plainly.

What we verified (as of July 2026):

What we did not do: we did not scope your environment, read your specific contract, or verify any individual provider’s current status for you. Those require the Cyber AB Marketplace (for status), a CMMC Registered Practitioner (RP/RPO), or a qualified federal-contracts attorney.

Read our Editorial Standards, CMMC Source Methodology, and Corrections Policy.

This is educational research, not legal, contractual, cybersecurity, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

CMMC CAP FAQ

What does CMMC CAP stand for?

CMMC CAP stands for the CMMC Assessment Process. CAP v2.0 is the Cyber AB’s procedural guide for C3PAOs conducting CMMC Level 2 certification assessments. It was published December 16, 2024.

Is the CMMC CAP mandatory?

Yes, for assessors. Adherence to the CAP is required for C3PAOs and their CMMC Certified Assessors during Level 2 certification assessments. For contractors, the CAP governs how your assessment is run, but your security requirements and contract obligations come from 32 CFR Part 170, NIST SP 800-171 Rev. 2, and DFARS clauses.

Does the CMMC CAP apply to Level 1?

No. The CAP applies only to Level 2 C3PAO certification assessments. Level 1 (FCI only) uses an annual self-assessment and affirmation under the CMMC program rule.

Does the CMMC CAP apply to Level 2 self-assessments?

Not as a formal process. The CAP is written for Level 2 certification assessments conducted by C3PAOs. Contractors on the Level 2 self-assessment path follow the DoD Assessment Methodology and post to SPRS, though the CAP’s evidence discipline is still worth borrowing.

Does the CMMC CAP use NIST SP 800-171 Rev. 2 or Rev. 3?

Rev. 2. For CMMC Level 2 under 32 CFR Part 170, the 110 security requirements are identical to NIST SP 800-171 Rev. 2. NIST has published Rev. 3 generally, but the CMMC rule still incorporates Rev. 2 unless DoD amends the rule.

Can a C3PAO help us prepare and then assess us?

No, not for the same engagement. Under 32 CFR § 170.8(b)(17)(ii)(G), an ecosystem member cannot participate in your Level 2 certification assessment if it consulted to prepare your organization for any CMMC assessment within the prior three years. Keep readiness and formal assessment separate.

What happens if we’re not ready in CAP Phase 1?

If the C3PAO determines you’re not sufficiently prepared, the assessment is typically paused or rescheduled, and the assessor cannot provide remediation advice inside that engagement. That’s why readiness work should happen before the formal assessment.

Where do Level 2 C3PAO assessment results go — eMASS or SPRS?

Both. The C3PAO submits certification results into the CMMC instantiation of eMASS, which transfers your status to SPRS. For Level 1 and Level 2 self-assessments, you upload directly into SPRS. You must also maintain an annual affirmation there.

How long do we have to close a CMMC POA&M?

For a Conditional Level 2 status, 32 CFR § 170.21 requires remediation and a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. Miss that window and the conditional status expires.

Which requirements can’t go on a POA&M?

Only 1-point requirements are eligible, and six are barred by name under 32 CFR § 170.21(a)(2)(iii): AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. All 3-point and 5-point requirements must be fully met, with a narrow exception for CUI encryption (SC.L2-3.13.11) when encryption is used but not yet FIPS-validated.
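The POA&M rules spread across the “How do POA&Ms, conditional status, and the 180-day clock actually work?” section and this FAQ answer fit in a small decision routine, which is a useful way to pressure-test a set of expected NOT MET findings before you book a date. The script below is an added example written for this page, not code from The Defense Compliance Report, DoD, or the Cyber AB. It encodes only the rules stated here: a Conditional Level 2 status needs a score of at least 88 of 110, only 1-point NOT MET requirements may go on a POA&M, six are barred by name, SC.L2-3.13.11 is the one higher-value exception (encryption in use but not yet FIPS-validated), Level 1 allows no POA&M, and closeout is due within 180 days of the Conditional CMMC Status Date. Per-requirement point values come from the DoD scoring methodology, which this page does not reproduce, so the caller supplies them; the `Finding` and `Verdict` classes and the sample findings are this example’s own constructed assumptions.

```python
"""POA&M eligibility and the 180-day conditional-status clock (32 CFR § 170.21).

Added example, not code from The Defense Compliance Report, DoD or the
Cyber AB. Point values per requirement (1, 3 or 5) are taken from the DoD
scoring methodology and must be supplied by the caller; the sample findings
below are constructed and their point values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

TOTAL_POINTS = 110
MIN_CONDITIONAL_SCORE = 88          # 0.8 x 110, the conditional-status floor
CLOSEOUT_WINDOW_DAYS = 180

# Barred from any POA&M by name under § 170.21(a)(2)(iii), as listed above.
NEVER_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
# The one higher-value requirement that may be deferred, and only in the
# "encryption is used but not yet FIPS-validated" case.
FIPS_EXCEPTION = "SC.L2-3.13.11"


@dataclass
class Finding:
    requirement: str
    points: int                                 # from the DoD scoring methodology
    encryption_in_use_not_fips: bool = False    # only meaningful for SC.L2-3.13.11


@dataclass
class Verdict:
    score: int
    status: str                                 # "Final", "Conditional", "Not certified"
    poam_items: list = field(default_factory=list)
    blockers: list = field(default_factory=list)


def poam_eligible(f: Finding) -> bool:
    """May this single NOT MET requirement be carried on a POA&M?"""
    if f.requirement in NEVER_POAM:
        return False
    if f.requirement == FIPS_EXCEPTION:
        return f.encryption_in_use_not_fips
    return f.points == 1


def evaluate(findings: list, level: int = 2) -> Verdict:
    """Score the assessment and decide whether a POA&M can carry the gaps."""
    score = TOTAL_POINTS - sum(f.points for f in findings)
    if not findings:
        return Verdict(score, "Final")
    if level == 1:
        # Level 1 allows no POA&M at all: any NOT MET requirement is a fail.
        return Verdict(score, "Not certified",
                       blockers=[f.requirement for f in findings])
    blockers = [f.requirement for f in findings if not poam_eligible(f)]
    if score < MIN_CONDITIONAL_SCORE:
        blockers.append(f"score {score} below {MIN_CONDITIONAL_SCORE}")
    if blockers:
        return Verdict(score, "Not certified", blockers=blockers)
    return Verdict(score, "Conditional",
                   poam_items=[f.requirement for f in findings])


def closeout_deadline(conditional_status_date: date) -> date:
    """Last day to pass the POA&M closeout assessment before the status expires."""
    return conditional_status_date + timedelta(days=CLOSEOUT_WINDOW_DAYS)


if __name__ == "__main__":
    # Constructed scenario: two 1-point gaps (point values assumed) plus the
    # FIPS-validation exception, which the methodology scores at a reduced
    # deduction (3 assumed here).
    expected_gaps = [
        Finding("AU.L2-3.3.3", 1),
        Finding("CM.L2-3.4.4", 1),
        Finding("SC.L2-3.13.11", 3, encryption_in_use_not_fips=True),
    ]
    v = evaluate(expected_gaps)
    print(v.status, v.score, v.poam_items or v.blockers)
    if v.status == "Conditional":
        print("closeout due by", closeout_deadline(date(2026, 1, 15)))
```

Run it against your honest pre-assessment gap list, not the optimistic one: a single barred item or a single 3- or 5-point gap flips the verdict from Conditional to Not certified regardless of how high the score is.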

Does the Cyber AB or DoD recommend which C3PAO to use?

No. Cyber AB, CAICO, and DoD personnel do not recommend C3PAOs or facilitate introductions. Verify a C3PAO’s authorization status directly in the Cyber AB Marketplace.


The Defense Compliance Report — the independent CMMC decision layer for defense contractors. Choose the right CMMC path before you hire.