CMMC Assessment Preparation: What You Need and Where to Get It (Free)
Discover essential resources to effectively navigate CMMC assessments and enhance compliance readiness.
Most defense contractors who fail a CMMC Level 2 assessment don't fail because their security is bad. They fail because they showed up without the right evidence. The assessor sits down, asks for your System Security Plan, and you hand them a 40-page template with your company name pasted in. That's not passing.
Assessment preparation is an evidence management problem. Every one of the 110 NIST SP 800-171 controls needs documentation — not just proof you implemented it, but proof you can show a human auditor, answer follow-up questions about, and defend under interview. This article tells you exactly what to prepare, in what order, and where to get the tools and templates for free.
What a C3PAO Actually Evaluates
Before you can prepare, you need to understand the evaluation methodology. CMMC Level 2 assessments follow NIST SP 800-171A, which breaks each of the 110 requirements into individual assessment objectives — roughly 320 total. For each objective, the assessor uses three methods:
- Examine — reviewing documentation
- Interview — talking to your people
- Test — verifying controls actually work
This means you can't just hand over a binder and leave the room. Your IT staff will be interviewed. Your controls will be tested. Configurations will be checked against your documented policies. If your documentation says "we use BitLocker for full disk encryption with FIPS mode enabled" and your laptops aren't actually configured that way, you fail that control.
That's the preparation challenge. Everything has to be real, consistent, and defensible.
The Six Documents You Must Have Ready
These are the documents every C3PAO will request on day one. If any of these are missing or inadequate, the assessment stalls or you accumulate findings.
1. System Security Plan (SSP)
The SSP is the foundational document. It describes your organization, the scope of your CUI environment, the systems in that environment, and — most importantly — how you implement each of the 110 controls. It's not a policy document. It's an implementation description.
A good SSP entry for AC.L2-3.1.1 (limit system access to authorized users) doesn't say "we control access." It says: "Access to CUI systems is managed through Active Directory domain accounts on the contoso.local domain. All user accounts are uniquely identified and authenticated via Azure AD Connect with MFA enforced through Conditional Access policies. Shared accounts are prohibited by policy (ref: Access Control Policy v2.3). Account provisioning and deprovisioning is handled through the IT ticketing system (Jira Service Management) with manager approval required for access grants."
That's the level of specificity your assessor needs. If your SSP is 20 pages covering 110 controls, it's too thin. A well-written SSP for a 50-person organization typically runs 150–250 pages.
Free resource: NIST provides an SSP template in Appendix E of SP 800-171 Rev 2. It's a starting framework, not a finished document.
2. Plan of Action and Milestones (POA&M)
If you have controls that aren't fully implemented on assessment day, they go in the POA&M with a specific remediation timeline. Listing them is mandatory, not optional — CMMC explicitly allows POA&M items at Level 2 for certain controls, provided they don't involve critical gaps and have clear closure dates (typically 180 days post-assessment).
A POA&M with 30 items and realistic timelines is better than an SSP that claims everything is done when it isn't. Assessors read SSPs critically. If you claim a control is fully implemented but the evidence doesn't support it, that's worse than having it in the POA&M.
3. Asset Inventory
A complete list of every system in your CMMC scope: workstations, servers, network devices, cloud instances, mobile devices, printers. For each asset: asset type, OS version, owner, location, and CUI-handling function. Your assessor will cross-reference this against your network diagrams and SSP scope statement. Missing assets are a red flag.
4. Network Diagrams and Data Flow Diagrams
One diagram showing your network architecture — logical and physical — with the CUI boundary clearly marked. One data flow diagram tracing CUI from entry to destruction: where it's received, how it flows between systems, where it's stored, and how it's transmitted.
These diagrams must match your SSP scope. If your SSP scopes 12 systems and your network diagram shows 15, your assessor will ask about the three extras.
5. Policies and Procedures
Written policies for each CMMC domain: Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity, Awareness and Training. Each policy should reference the specific controls it supports.
You need both policies and procedures. A policy says what you do. A procedure says how you do it. "We require multi-factor authentication for all remote access" is a policy. The step-by-step instructions your IT admin follows to configure MFA in Azure AD are a procedure.
6. Evidence Package
Supporting artifacts that prove implementation: screenshots of security configurations, access control lists, training completion records, patch scan results, audit log samples, vulnerability scan reports, and vendor documentation for tools you use. Organize this by CMMC domain. Your assessor shouldn't have to dig — every piece of evidence should be labeled with the control it supports.
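As an added example (not code from the article), a small Python checker for two of the consistency points above: the systems named in the SSP scope, the asset inventory and the network diagram must agree, and every artifact in the evidence package must be labeled with the control it supports. Hostnames, artifact names and the evidence index are constructed sample data; control identifiers follow the CMMC format the article uses (e.g. AC.L2-3.1.1).

```python
import re
from collections import defaultdict

# Constructed sample inputs (hypothetical hostnames and artifact names).
SSP_SCOPE = {"dc01", "fs01", "backup01", "ws-eng-01", "ws-eng-02"}
ASSET_INVENTORY = {"dc01", "fs01", "backup01", "ws-eng-01", "ws-eng-02", "print01"}
NETWORK_DIAGRAM = {"dc01", "fs01", "backup01", "ws-eng-01", "ws-eng-02", "print01", "vpn01"}

# Evidence index: artifact -> control it supports. Two entries are deliberately bad.
EVIDENCE_INDEX = {
    "ad-account-provisioning-jira.png": "AC.L2-3.1.1",
    "mfa-conditional-access-policy.png": "IA.L2-3.5.3",
    "bitlocker-status-ws-eng-01.png": "SC.L2-3.13.11",
    "media-sanitization-log.xlsx": "MP.L2-3.8.1",
    "vuln-scan-report-q3.pdf": "RA.L2-3.11.2",
    "training-completion-records.csv": "AT-3.2.1",  # malformed identifier
    "misc-screenshot.png": "",                       # no control reference
}

# The 14 CMMC Level 2 domain abbreviations, then the 800-171 requirement number.
CONTROL_ID = re.compile(r"^(AC|AT|AU|CM|IA|IR|MA|MP|PE|PS|RA|CA|SC|SI)\.L2-3\.\d{1,2}\.\d{1,2}$")


def scope_discrepancies(ssp, inventory, diagram):
    """Assets that appear in at least one artifact but are absent from another.
    Every in-scope asset should be in all three; anything else is a day-one question."""
    every_asset = ssp | inventory | diagram
    return {
        "missing_from_ssp": sorted(every_asset - ssp),
        "missing_from_inventory": sorted(every_asset - inventory),
        "missing_from_diagram": sorted(every_asset - diagram),
    }


def evidence_problems(index):
    """Artifacts not labeled with a well-formed control identifier."""
    problems = []
    for artifact, control in index.items():
        if not control:
            problems.append((artifact, "no control reference"))
        elif not CONTROL_ID.match(control):
            problems.append((artifact, f"malformed control id {control!r}"))
    return problems


def evidence_by_domain(index):
    """Group well-labeled artifacts by CMMC domain, the layout an assessor expects."""
    grouped = defaultdict(list)
    for artifact, control in index.items():
        if CONTROL_ID.match(control):
            grouped[control.split(".", 1)[0]].append(artifact)
    return {domain: sorted(files) for domain, files in sorted(grouped.items())}
```

Run `scope_discrepancies(SSP_SCOPE, ASSET_INVENTORY, NETWORK_DIAGRAM)` and `evidence_problems(EVIDENCE_INDEX)` against your real exports; with the sample data the print server and VPN appliance are flagged as missing from the SSP and the two mislabeled artifacts are reported.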
Free Tools That Actually Help
NIST Cybersecurity and Privacy Resource Center
csrc.nist.gov — download SP 800-171 Rev 2, SP 800-171A (the assessment methodology), SP 800-171B (enhanced requirements), and SP 800-53 if you want broader context. These are the authoritative source documents. Everything a C3PAO does is based on 800-171A. Read it before your assessment.
DoD CMMC Assessment Scope Documentation
The DoD publishes scope guides for Level 1 and Level 2 at dodcio.defense.gov/CMMC. The scoping guidance defines the asset categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets) and how to determine what's in scope. Free, authoritative, essential.
Cybersecurity Evaluation Tool (CSET)
CISA's free tool at cisa.gov/cset supports NIST 800-171 self-assessments. It walks you through each control, helps you document your current state, and generates a report. Not as slick as commercial GRC platforms, but it's free and the data it produces can feed your SSP and POA&M.
SPRS and PIEE
The Supplier Performance Risk System (SPRS) at sprs.pmrt.navy.mil is where you submit your NIST 800-171 self-assessment score. The score — ranging from -203 to 110 — is calculated using the DoD Assessment Methodology published at dodcio.defense.gov. You'll need a PIEE account to submit. PIEE registration is free; just give yourself enough lead time because government system registration can take a week or two.
DIBCAC Knowledge Service
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) runs the CMMC assessment program. Their knowledge base at dibnet.dod.mil publishes program guidance, FAQs, and assessment resources. If you have a question about the assessment process, check here before paying a consultant to answer it.
When to Start and What the Timeline Looks Like
Starting 12–18 months before your first contract requirement is realistic for most organizations. Here's how that timeline typically breaks down:
Months 1–3: Gap assessment and scoping. Determine what's in scope, run a gap analysis against all 110 controls, calculate your current SPRS score. Document what you have. Identify what's missing.
Months 4–9: Remediation. Address the gaps identified in your assessment. Technical controls (encryption, MFA, logging) take time to implement correctly. Don't rush this phase — poorly implemented controls fail testing.
Months 10–12: Documentation. Write your SSP, formalize your policies, build your evidence package. Your SSP needs to accurately reflect the implemented controls, not be written in parallel with implementation.
Months 12–15: Pre-assessment readiness check. Conduct an internal mock assessment against NIST 800-171A, or hire an RPO to run one. Fix anything you find. Recheck your SSP against your actual configurations.
Months 15–18: Schedule and complete C3PAO assessment. C3PAOs book out 3–6 months in advance. Factor that into your timeline.
Assessment cost: C3PAO assessments for CMMC Level 2 typically run $20,000–$75,000 depending on organization size, number of systems in scope, and C3PAO rates. This does not include remediation costs or consulting fees to prepare. Budget these separately.
The Decision Point: Self-Assessment vs. C3PAO
CMMC Level 2 has two paths depending on the criticality of the CUI you handle:
Self-assessment is available for Level 2 contracts not involving critical national security programs. You conduct the assessment using the DoD Assessment Methodology, calculate your SPRS score, and submit to SPRS. A senior company official must affirm the score. If you're wrong, the False Claims Act applies.
C3PAO assessment is required for Level 2 contracts involving prioritized acquisitions and all programs that DoD designates as requiring third-party certification. If your contract solicitation specifies CMMC Level 2 certification (as opposed to self-assessment), you need a C3PAO.
When in doubt, ask your contracting officer. If the solicitation says "CMMC Level 2 Certification" — not just "CMMC Level 2" — a C3PAO assessment is required.
Common Mistakes That Sink Assessments
Starting with documentation instead of implementation. Some contractors build a beautiful SSP that describes controls they haven't actually implemented. Assessors test configurations, not documents. Your BitLocker policy is worthless if your laptops aren't encrypted.
Under-scoping. Forgetting that backup servers, IT admin workstations, and cloud sync services are in scope because they touch CUI. The most common scoping failure is treating scope as "the servers where CUI lives" rather than tracing every system that processes, stores, or transmits CUI. Under-scoped environments expand during assessment — which is the worst time to discover missing controls.
Generic SSP entries. Copying boilerplate language from a template without customizing it to your actual implementation. "We implement multi-factor authentication as required" fails examination. "We enforce MFA for all remote access and privileged accounts through Azure AD Conditional Access policies, with hardware tokens issued to all administrators and authenticator apps required for all remote users" passes.
Waiting too long to submit your SPRS score. Some DoD contracts require a current SPRS score on the date of proposal submission. If you haven't submitted a score, you may be ineligible to bid. Establish your initial score, submit it, and update it as your posture improves.
What Your Assessor Expects
Your C3PAO assessor arrives expecting a prepared organization, not a perfect one. They've seen contractors with 40 POA&M items pass assessments because the items were documented honestly with realistic timelines, the implemented controls worked, and the personnel could coherently explain the security program.
What they don't want: SSPs that contradict observed configurations, personnel who can't explain basic security procedures, evidence that clearly wasn't collected until the week before the assessment, and scope boundaries that don't match actual data flows.
Before your assessment date, brief every person the assessor might interview — IT staff, the security officer, system administrators, end users. Not to script their answers, but to make sure they know the basics: where CUI lives, how they access it, what to do if they suspect an incident, and what their training covers. Inconsistent interview answers are findings.
---
Ready to calculate your current SPRS score? Download the DoD Basic Assessment methodology from dodcio.defense.gov and work through each control. That score is your baseline — and it tells you exactly where to focus your preparation time.