The government requires federal contractors to protect controlled unclassified information (CUI) in accordance with requirements defined in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

The Cybersecurity Maturity Model Certification (CMMC) program is designed to ensure contractors fully meet their requirements under NIST SP 800-171 by having third-party assessments certify compliance. The CAP is the official procedural guide for CMMC C3PAOs and is intended to ensure the consistency and integrity of CMMC Level 2 certification assessments.

Join NDIA’s Subject Matter Experts for a discussion on Version 2.0 of the CAP, which became effective in December 2024.