The rulemaking process for CMMC continues, with no updated timeline. This leads us to believe we can still expect CMMC requirements to start appearing in DoD contracts around May of 2023.

Draft CMMC Assessment Process (CAP)

The Cyber-AB has published a draft version of the CMMC Assessment Process (CAP). The CAP includes guidance to C3PAO’s (CMMC Third-Party Assessment Organizations) for areas such as:

  • Roles and responsibilities;
  • Assessment documents and templates;
  • CMMC Assessment scope;
  • Pre-Assessment planning;
  • Assessment kick-off meeting, interviews, tests and results, and final findings;
  • Results reporting;
  • POA&M close-out (if applicable)

The Cyber-AB continues to receive feedback on the 47-page document, which is available via this link:

The CAP will not be finalized until after Rulemaking is completed, and the final version will be endorsed by the DoD.

Joint Surveillance Voluntary Assessments are underway!

DIBCAC/C3PAO joint voluntary assessments began in late August. Organizations that receive passing assessment results will achieve “DIBCAC-High” approval status, which will convert to CMMC when rulemaking is finalized. The joint assessments are being conducted under DIBCAC authority, and DIBCAC has directed third-party assessors to use the Cyber-AB CAP as guidance during the assessments.

There are currently 22 authorized C3PAOs in the CMMC ecosystem. Visit the Cyber-AB Marketplace for more information!

Check out our Blog Series – Technical Implementation of CMMC

Download FoxGuard’s latest blogs on top-level technical implementation options of CMMC Levels 1 and 2 at

Need Help?

FoxGuard Solutions is a Registered Provider Organization (RPO) with Registered Practitioners ready to help with your cybersecurity readiness needs, including planning and preparation for CMMC.  You can find us on CMMC Accreditation Body Marketplace/FoxGuard Solutions.

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider our professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DOD work.

FoxGuard’s services will help you save time and money in your journey towards FAR, NIST, and CMMC compliance by helping to accurately evaluate the type of protected information your organization handles, identify where the information resides, and create a customized and streamlined solution for effective and thorough protection of that information.

FoxGuard partners with Boston Government Services, LLC (BGS) Boston Government Services, LLC (BGS), one of only 12 currently authorized CMMC Third-Party Assessment Organizations (C3PAOs). 

Please visit for more information.