Who Does What in a CMMC Assessment: Roles and Responsibilities Through the Entire Lifecycle
Successfully navigating a Cybersecurity Maturity Model Certification (CMMC) assessment requires a clear understanding of the personnel involved and their responsibilities across all phases of the process. This post breaks down the lifecycle phases of a CMMC Level 2 assessment and clarifies who is responsible for what during each stage.
Understanding the CMMC Assessment Lifecycle
The CMMC Assessment Process defines four phases:
- Phase 1: Plan and Prepare the Assessment
- Phase 2: Conduct the Assessment
- Phase 3: Report Recommended Assessment Results
- Phase 4: Close-Out POA&Ms and Assessment
Each phase requires the active engagement of several key roles to ensure fairness, accuracy, and thoroughness.
Phase 1 — Plan and Prepare the Assessment
Primary Roles:
Organization Seeking Certification (OSC): The company or entity pursuing CMMC certification, responsible for implementing required cybersecurity practices and responding cooperatively during the assessment.
OSC Assessment Official: The most senior OSC employee responsible for managing the assessment engagement with decision-making authority. This individual signs contracts and ensures organizational support.
OSC Point of Contact (POC): Coordinates daily communication between the OSC and the C3PAO assessment team; may be an employee or an external consultant such as a Registered Practitioner (RP).
C3PAO (Third-Party Assessment Organization): Authorized independent body contracted to conduct and certify the assessment.
Lead Assessor: Certified CMMC Assessor (CCA) appointed by the C3PAO to manage the assessment engagement and team.
Assessment Team Members: Certified individuals conducting evidence collection, interviews, and testing.
CMMC Quality Assurance Professional (CQAP): Ensures completeness and procedural integrity of assessment documentation for quality assurance before submission.
Key Activities
The OSC submits a formal request and organizes supporting documentation, including the System Security Plan (SSP), evidence lists, and inventory of assets within assessment scope.
The C3PAO and OSC collaborate to frame the assessment, define scope boundaries (including Host Units and Supporting Organizations), and agree on schedules.
The Lead Assessor is assigned and assembles qualified assessment team members, verifying no conflicts of interest exist.
The OSC Assessment Official approves the assessment framing and signs the contractual agreement with the C3PAO.
The Lead Assessor performs a readiness review confirming evidence adequacy and sufficiency, establishes evidence collection approaches, and ensures logistical preparations.
Phase 2 — Conduct the Assessment
Primary Roles:
Lead Assessor: Facilitates kickoff meeting, plans and coordinates assessment activities, oversees evidence collection and scoring, and leads daily checkpoint meetings.
Assessment Team Members: Execute interviews, exams, observations, and tests to gather evidence supporting the presence or absence of implemented practices.
OSC POC and Relevant OSC Staff: Provide evidence, participate in interviews and demonstrations, offer access to assets, and clarify procedures as requested.
Key Activities
The Lead Assessor convenes an in-brief meeting to outline scope, methodology, and schedule, including participation expectations for OSC personnel.
Evidence is collected by examining artifacts, conducting interviews with knowledgeable staff, and observing operational tests or demonstrations.
The Assessment Team documents any evidence gaps and engages in daily checkpoints with the OSC to review findings and clarify further evidence needs.
Practices are scored as MET, NOT MET, or NOT APPLICABLE according to the official scoring methodology, with limited deficiency corrections allowed for minor issues.
Phase 3 — Report Recommended Assessment Results
Primary Roles:
Lead Assessor: Presents final assessment findings to the OSC Assessment Official and key OSC participants.
CMMC Quality Assurance Professional (CQAP): Conducts detailed quality assurance on the assessment documentation package to verify accuracy and completeness before official submission.
OSC Assessment Official: Receives final findings, discusses results, and coordinates follow-up actions including corrective plans if needed.
Key Activities
The Lead Assessor delivers a formal brief of assessment results with detailed justification of scores.
The CQAP reviews the documentation and submits the official results package to the CMMC eMASS system for record keeping and DoD tracking.
The OSC receives either full certification, conditional certification with a plan of action and milestones (POA&M), or requirements for reassessment, depending on results.
Phase 4 — Close-Out POA&Ms and Finalize Certification
Primary Roles:
OSC: Implements remediation actions for deficiencies documented in POA&Ms within specified deadlines, typically 180 days.
Lead Assessor and Assessment Team: Validate remediation efforts and evidence during the POA&M close-out assessment.
C3PAO: Manages scheduling and conducts POA&M closeout assessments to award final certification status.
Key Activities
The OSC performs remediation and submits evidence to the C3PAO for validation.
Upon successful remediation validation, the Lead Assessor recommends final certification issuance; otherwise, the OSC must reapply for certification.
Maintaining a clear understanding of these roles and the assessment lifecycle phases helps organizations prepare adequately, facilitates a smooth assessment experience, and positions the OSC for timely certification.