CMMC Assessment: What to Expect

C3PAO Assessment (Level 2)

A C3PAO (CMMC Third-Party Assessment Organization) assessment is performed by an accredited assessor from the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). This is required for organizations handling Controlled Unclassified Information (CUI) on contracts designated as requiring certified assessment.

• Who needs it: organizations handling CUI on critical DoD contracts
• Duration: 2-4 weeks for assessment execution (on-site or remote)
• Cost: $35,000-$55,000 depending on scope and complexity
• Outcome: certification uploaded to DoD systems (SPRS)

Self-Assessment (Level 1, some Level 2)

Self-assessment means your organization evaluates itself against CMMC requirements. This applies to Level 1 (Federal Contract Information, not CUI) and some Level 2 contracts where the contracting officer permits self-attestation.

• Who uses it: Level 1 organizations, some Level 2 with contract allowance
• Requirement: annual affirmation of compliance
• Cost: lower direct cost, but still requires evidence and documentation
• Tradeoff: less credibility with primes and contracting officers than third-party certification

Self-assessment does not mean less work. You still need policies, implementation, and evidence. The difference is who verifies it.

Phase 1: Readiness Review

Before formal assessment, a readiness review checks if you are prepared to succeed. This is often done by a consultant or your internal team, not the certifying C3PAO.

• SSP completeness: is your System Security Plan accurate and current?
• Evidence spot-check: can you produce proof for sampled controls?
• Gap identification: what is not ready and needs remediation?
• POA&M review: if you have open items, are they defensible?

Skipping or rushing readiness review is the most common cause of assessment failure. Treat it as a dress rehearsal.

Phase 2: Assessment Planning

Once you engage a C3PAO, they work with you to plan the assessment.

• Scope confirmation: which systems, which controls, which boundaries
• Schedule and logistics: on-site vs remote, interview schedules, document access
• Evidence requests: what to prepare and how to organize it

Clear scope prevents surprises. If the assessor discovers systems you did not disclose, the scope expands and the assessment may need to restart.

Phase 3: On-Site or Remote Assessment

The actual assessment typically follows this structure:

• Opening meeting: introductions, scope confirmation, logistics
• Control testing: interviews with staff, observation of processes, evidence review
• Daily briefings: assessor shares preliminary findings each day
• Closing meeting: summary of findings and next steps

Assessors test controls by examining documentation, interviewing personnel, and observing technical implementation. They want to see that controls exist, are implemented, and are operating as intended.

Phase 4: Reporting

After the assessment:

• Draft report: assessor documents findings for each control
• Organization response: you may provide clarifications or additional evidence
• Final report: certification decision and any POA&M requirements

If you meet the threshold (including conditional), the certification is recorded. If not, you remediate and schedule a follow-up assessment.

For each control, assessors verify four things:

• Policy exists: a documented requirement that defines what should happen
• Implemented: the technical or procedural control is deployed
• Operating: the control is actively functioning, not just configured
• Evidence: proof that it works (logs, screenshots, configs, test results)

A policy without implementation is a finding. An implementation without evidence is also a finding. All four elements must align.

Top assessment focus areas

Based on DIBCAC assessment data, these control areas receive the most scrutiny and produce the most findings:

1. Access controls (3.1.x): who can access CUI, how access is granted and revoked, how privileges are managed
2. Encryption (3.13.11): FIPS-validated cryptography for CUI at rest and in transit
3. Logging and monitoring (3.3.x): what events are logged, how long logs are retained, who reviews them
4. Incident response (3.6.x): capability to detect, respond, and recover from security events
5. Configuration management (3.4.x): how systems are hardened and how changes are controlled

See our CMMC Guide for the complete list of top failed controls and remediation guidance.

Conditional certification allows you to achieve CMMC status even with some open findings, provided you meet the threshold and commit to remediation.

• Threshold: at least 80% of controls must be fully met
• POA&M required: all open items documented with remediation plans
• 180-day timeline: most findings must be resolved within 180 days
• Not all findings eligible: some deficiencies cannot be conditionally certified

Conditional certification is not a loophole. It is a structured path for organizations that are mostly ready but have a few items requiring more time. The key is that the POA&M must be realistic and the timeline must be met.

If you cannot close a POA&M item within 180 days, your conditional status is at risk. This is why accurate self-assessment before engaging a C3PAO matters.

If you receive conditional certification, your Plan of Action and Milestones (POA&M) becomes a binding commitment.

• Format: structured document, not ad-hoc notes
• Content: finding description, remediation plan, milestones, owner, evidence location
• Timeline: 180 days for most items (non-negotiable)
• Validation: assessor verifies closure before final certification

Run your POA&M like an operational plan, not a paperwork exercise. Each item needs a named owner with authority to complete the work, and evidence must be ready for validation.

Typical path (full certification)

• Months -6: gap assessment and remediation planning
• Months -3: evidence preparation and SSP finalization
• Month 0: readiness review
• Month 0-1: assessment scheduling and planning
• Month 1-2: assessment execution
• Month 2-3: report and certification decision

Conditional certification path

• Month 3: conditional certification with open POA&M
• Months 3-9: POA&M execution and evidence collection
• Month 9: validation assessment
• Month 10: final certification

The conditional path adds roughly 6 months. Organizations that prepare thoroughly and aim for full certification on the first attempt save time and cost.

Evidence is how you prove controls are implemented and operating. Start collecting and organizing early.

• System Security Plan (SSP): describes your environment, boundaries, and control implementation
• Policies and procedures: must match how you actually operate
• Configuration exports and screenshots: technical proof of settings
• Logs and monitoring evidence: retained events, review records, alert history
• Access review records: who has access, when it was reviewed, what changed
• Training records: security awareness and role-specific training completion
• Incident response test results: tabletop exercises, actual incidents handled
• Backup and restore test results: proof that recovery works

Organize evidence by control family. Make it easy for assessors to find what they need. If evidence is scattered or stale, assessors will sample more deeply.

• Policy exists but not implemented ("document theater"): you wrote the policy but the control is not technically or procedurally deployed.
• Implementation exists but no evidence: the control works but you cannot prove it. No logs, no screenshots, no test records.
• Evidence exists but not reviewed or monitored: you collect logs but no one reviews them. The assessor will note this as a gap.
• Scope underestimation: you missed systems, SaaS tools, or vendor access paths that touch CUI. The scope expands mid-assessment.
• Vendor and subcontractor blind spots: third parties have CUI access but are not documented or assessed as part of your environment.

These failures are preventable with honest self-assessment, complete scope documentation, and evidence that reflects actual operations.

Related: vendor risk management and enclave implementation.