Updates Coming to the CMMC Level 2 Procedural Guide in December: What Contractors and C3PAOs Should Know
Thursday, September 25, 2025

Last week, we covered the Cybersecurity Maturity Model Certification (CMMC) Procurement Rule (the Rule), which formalizes cybersecurity as a condition of doing business with the U.S. Department of Defense (DoD). The Rule requires federal contractors and subcontractors to demonstrate they meet the specified security standards before accessing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Rule’s requirements will be phased in over the next three years, but the defense industrial base should begin preparing for CMMC compliance now.

The CMMC framework sets forth three levels of security compliance depending on the type of information a contractor handles. Each level requires a certain type of assessment to evaluate CMMC compliance. Level 2 is for contractors who handle CUI and, depending on the solicitation, may require contractors to complete an independent third-party assessment via a Certified Third-Party Assessment Organization (C3PAO).

The Cyber AB is the official accreditation body of the CMMC and the sole authorized non-governmental partner of DoD in implementing and overseeing contractor and C3PAO CMMC compliance. In December 2024 – when the DoD finalized the first part of the CMMC framework – the Cyber AB published the CMMC Assessment Process, known as the CAP.

The CAP is the official procedural guide for CMMC C3PAOs conducting a CMMC Level 2 certification assessment. According to Cyber AB, the purpose of the CAP is to ensure the consistency and integrity of CMMC Level 2 certification assessments. C3PAOs and their CMMC Certified Assessors are required to adhere to the CAP.

The CAP addresses several pre-assessment “preliminary proceedings” that are to be completed prior to the assessment process. These preliminary proceedings include:

  • Confirming the entity to be assessed;
  • Framing the assessment;
  • Identifying and handling conflicts of interest; and
  • Executing a contractual agreement between the C3PAO and the Organization Seeking Certification (OSC).

Upon completion of the preliminary steps, the CAP organizes the actual assessment process across four phases. Each phase describes the required activities, roles, and responsibilities of CMMC assessment participants.

  • Phase 1: “Conduct the Pre-Assessment” – This phase requires C3PAO personnel to review an OSC’s System Security Plan and validate the scope of the CMMC assessment. Phase 1 also mandates that the assessment team evaluate the OSC’s readiness for assessment and complete a pre-assessment form.
  • Phase 2: “Assess Conformity to Security Requirements” – Phase 2 involves an in-brief meeting that includes the OSC to establish a common understanding of the plan for the assessment. In this stage, the assessment team should also evaluate the OSC’s implementation of mandatory security requirements. This phase also entails addressing external service providers and cloud providers. During this stage, assessment teams are expected to conduct daily checkpoint meetings with the OSC to review progress and discuss how to overcome challenges in the process.
  • Phase 3: “Complete and Report Assessment Results” – In this phase, the assessment team should compile and compose assessment results and conduct quality assurance review of the assessment. The assessment team should also hold an out-brief meeting to present assessment findings to the OSC.
  • Phase 4: “Issue Certificate and Closeout Plan of Action and Milestones (POA&M)” – The final phase is to issue the certificate of CMMC status to the OSC.

After the finalization of the Procurement Rule in September 2025, the CEO of Cyber AB recently shared that the CAP will be updated in December 2025 to align with some of the interpretations of the program in the Rule. The Cyber AB also established a C3PAO Council on August 12 as a body that can “speak with authority from C3PAOs” on issues in the assessment process, according to the organization’s CEO. The Council is composed of owners, executives, and CMMC business area leaders among the C3PAOs. The group serves as a recognized entity to provide feedback and recommendations for Cyber AB’s consideration in improving assessment processes and clarifying guidance.

We will continue to monitor for Cyber AB guidance that further clarifies the CMMC compliance process. For contractors and C3PAOs navigating CMMC, the Cyber AB plays a central role in defining how CMMC compliance is assessed. Its guidance and procedural updates directly shape what steps contractors and C3PAOs must take to demonstrate eligibility for DoD contracts going forward. Any organization that is planning to pursue CMMC certification should treat the Cyber AB’s directives as essential indicators of where the CMMC program is heading and how to stay ahead of its requirements.
