Your CMMC Assessment: What Actually Happens
Master the essentials of cyber security audit and compliance in five actionable steps.
Most articles about CMMC assessments describe a process that sounds like a compliance checklist review. That's not what actually happens. A C3PAO assessment is an active investigation. Your assessors will review your documents, test your systems, and interview your people — sometimes separately, sometimes simultaneously — looking for gaps between what your SSP claims and what your environment actually does.
Understanding the assessment sequence before it happens is the best thing you can do to avoid being blindsided.
Who Conducts the Assessment
CMMC Level 2 certifications require assessment by a Certified Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB (formerly the CMMC Accreditation Body). The assessment team is led by a Certified CMMC Assessor (CCA) and typically includes one to three additional assessors depending on your organization's size.
The C3PAO is separate from any consulting firm you used to prepare. If a company helped you implement controls, they cannot also certify you — that's a conflict of interest under the CMMC program rules. Your assessors are neutral.
Find authorized C3PAOs in the Cyber AB marketplace at cyberab.org/Catalog. Book early. As of 2025, most C3PAOs are scheduling 3–6 months out.
The Assessment Phases
A CMMC Level 2 C3PAO assessment runs through five distinct phases. Each feeds into the next.
Phase 1: Pre-Assessment and Contract
Once you've selected a C3PAO, you'll sign an assessment agreement that specifies:
- Scope (what systems and organizational units are in scope)
- Assessment timeline
- Fees
- Confidentiality terms
The C3PAO will request your documentation package — SSP, POA&M, asset inventory, policies, network diagrams — before the on-site visit. Expect to provide this 2–4 weeks in advance. They'll review it ahead of time so they arrive with questions, not orientation. If your SSP is incomplete or the scope is undefined, the pre-assessment review surfaces that early.
Cost: Assessment fees for Level 2 typically range from $20,000 to $75,000. Larger organizations with more systems in scope pay more. This is the C3PAO's direct fee — it doesn't include your internal preparation costs or any consulting you did to get ready.
Phase 2: Kickoff Meeting
The assessment begins with a kickoff session, typically a half-day meeting with your security team, IT staff, and executive sponsor. The lead assessor will:
- Confirm the scope — every system, organizational unit, and location covered
- Review the assessment methodology (NIST SP 800-171A: examine, interview, test)
- Establish the schedule for the assessment days
- Identify which personnel will be available for interviews
This is also where scope disputes happen. If the assessor looks at your network diagram and sees systems that aren't in your SSP, they'll ask about them. If those systems touch CUI, they go into scope on the spot. You can't argue your way out of in-scope systems on assessment day — you can only be prepared for them.
Phase 3: On-Site Assessment Activities
The on-site phase typically runs 3–5 days for organizations with 50–200 employees. Larger organizations or those with multiple locations may require a longer engagement or multiple visits.
During this phase, the assessment team works through all 110 Level 2 controls and their approximately 320 assessment objectives from NIST SP 800-171A. For each objective, they use one or more of three evaluation methods:
Examine — Document review. Your SSP, policies, configuration files, audit logs, training records, incident response documentation, and the rest of your evidence package. Assessors review these systematically. If your policy document references a procedure that doesn't exist, that's a finding. If your SSP says you do quarterly access reviews but you have no access review records, that's a finding.
Interview — Personnel discussions. The assessors will talk to your ISSO or security officer, your system administrators, your IT manager, and likely several end users. They're not looking for rehearsed answers — they're checking whether your people understand the security program. Common interview questions include: "Walk me through how you provision a new user account," "What do you do when you receive a phishing email?", "How do you handle CUI on your laptop when you travel?", "Who would you notify if you thought there was a security incident?"
Test — Technical verification. Assessors will observe or attempt actions to verify controls work as documented. They may request a demonstration of your MFA enrollment process, check firewall rule configurations, review SIEM alert configurations, verify that audit logging captures the events your SSP claims, test session lock timeout behavior, or attempt to access systems from accounts that shouldn't have access. What they find during testing must match what your SSP describes.
The three methods are used in combination. An assessor who examines your access control list, interviews the admin who manages it, and then tries to access a CUI system with a deprovisioned account is checking the same control from three angles.
Phase 4: Preliminary Findings Review
Near the end of the on-site phase, the lead assessor will typically hold a preliminary findings briefing with your security team. This is your first look at what they found — controls marked as Met, Not Met, or subject to POA&M.
This briefing is informational, not a negotiation. You can ask clarifying questions about findings you believe are incorrect, and provide additional evidence you may have missed during the assessment. What you can't do is promise to fix something as evidence that it already exists. "We'll implement that by next week" doesn't close a finding — implementation and evidence do.
Document everything discussed in this meeting. If you disagree with a finding, note it clearly. There's a formal adjudication process through the Cyber AB for disputed findings.
Phase 5: Final Report and Certification Decision
After the on-site phase, your C3PAO prepares a formal assessment report. This typically takes 30–60 days. The report documents every control assessment, the methods used, the evidence reviewed, findings, and the overall determination.
For CMMC Level 2, the possible outcomes are:
Certified — all required controls are Met or have acceptable POA&M items within policy limits. The C3PAO submits the results to the Cyber AB, which issues your certificate. Your result is entered in SPRS, making it visible to government contracting officers.
Conditional — you have POA&M items that require closure before full certification, but no critical failures. You have a defined time period (typically 180 days) to close the POA&M items and provide evidence. The C3PAO reviews your closure evidence and, if satisfied, submits for certification.
Not Certified — you have unresolved findings that cannot be addressed through a POA&M. This typically means critical controls are missing, the scope was wrong, or the evidence for multiple core controls was inadequate. You address the findings and start a new assessment cycle.
What Happens with Your SPRS Score
After certification, your C3PAO submits the assessment results to SPRS (Supplier Performance Risk System). Your CMMC Level 2 certification status becomes visible to government contracting officers when they look up your organization. This is the visible output that matters for contract eligibility.
Until you have C3PAO certification, you may submit a self-assessment score to SPRS using the DoD Basic Assessment Methodology. That score — ranging from -203 to 110 — is a separate record from the C3PAO certification. Both are visible in SPRS.
Your certification is valid for three years. At the three-year mark, you need a new C3PAO assessment to maintain certification. Between assessments, you must submit an annual affirmation confirming you remain in compliance.
Common Mistakes That Derail Assessments
Personnel who can't answer basic questions. The most common assessment failure mode isn't bad security — it's people who can't explain the security program they're supposed to be implementing. When an assessor asks your sysadmin "how do you detect if someone's trying to brute-force your login portal" and the answer is "I don't know, IT handles that," that's a problem — especially if your SSP claims the sysadmin manages your intrusion detection system. Brief your people. Not to script answers, but to make sure everyone who might be interviewed understands their role in the security program.
SSP that contradicts observed configurations. Your SSP says session lock engages after 15 minutes of inactivity. Your test systems lock after 30. Not met. Your SSP says MFA is required for all remote access. Your VPN has an exception for a legacy system. Not met. These discrepancies come from writing your SSP before configurations are finalized, then not updating the SSP when the implementation changed. Do a final SSP-versus-reality check in the two weeks before your assessment.
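The "SSP-versus-reality check" described above is mechanical enough to script. The following is an added example (not code from the original article or from any C3PAO tool): it takes the settings the SSP declares for each requirement, compares them against a per-host configuration export, and reports every mismatch, including settings that were never collected. The host names, setting keys and values are constructed sample data; the requirement numbers (3.1.10 session lock, 3.5.3 MFA) follow NIST SP 800-171 numbering. Equality is deliberate: as the article notes later, a claim that does not match reality is a finding regardless of which direction the mismatch goes.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class Claim:
    """One statement the SSP makes about a configured setting."""
    control: str                 # NIST SP 800-171 requirement number the claim supports
    setting: str                 # configuration key as the collector exports it
    expected: Any                # value the SSP says is in place
    applies_to: Tuple[str, ...]  # in-scope hosts the claim covers


@dataclass(frozen=True)
class Finding:
    control: str
    host: str
    setting: str
    expected: Any
    observed: Any
    status: str                  # "Not Met" (value differs) or "No Evidence" (never collected)


# Constructed SSP claims mirroring the two examples in the text: session lock
# after 15 minutes of inactivity (3.1.10) and MFA on every remote-access path (3.5.3).
SSP_CLAIMS: Tuple[Claim, ...] = (
    Claim("3.1.10", "session_lock_minutes", 15, ("ws-01", "ws-02", "jump-01")),
    Claim("3.5.3", "mfa_required", True, ("vpn-main", "vpn-legacy")),
)

# Constructed observed configuration, keyed by host, as a collection script
# might export it in the two weeks before the assessment.
OBSERVED: Dict[str, Dict[str, Any]] = {
    "ws-01": {"session_lock_minutes": 15},
    "ws-02": {"session_lock_minutes": 30},   # drifted after the SSP was written
    "jump-01": {},                           # collector never gathered this setting
    "vpn-main": {"mfa_required": True},
    "vpn-legacy": {"mfa_required": False},   # the legacy-system exception
}


def check_drift(claims, observed) -> List[Finding]:
    """Return a Finding for every (claim, host) pair whose observed value is
    missing or differs from the SSP. A host locking at 10 minutes when the SSP
    says 15 is still reported: the claim does not describe the environment."""
    findings: List[Finding] = []
    for claim in claims:
        for host in claim.applies_to:
            host_cfg = observed.get(host, {})
            if claim.setting not in host_cfg:
                findings.append(Finding(claim.control, host, claim.setting,
                                        claim.expected, None, "No Evidence"))
            elif host_cfg[claim.setting] != claim.expected:
                findings.append(Finding(claim.control, host, claim.setting,
                                        claim.expected, host_cfg[claim.setting], "Not Met"))
    return findings


def controls_affected(findings) -> List[str]:
    """Distinct requirement numbers that have at least one finding, sorted."""
    return sorted({f.control for f in findings})


def report(findings) -> str:
    """Plain-text list an ISSO can work from before the assessor arrives."""
    return "\n".join(
        f"{f.control} {f.host}: {f.setting} SSP={f.expected!r} "
        f"observed={f.observed!r} -> {f.status}"
        for f in findings
    )


if __name__ == "__main__":
    print(report(check_drift(SSP_CLAIMS, OBSERVED)))
```

Run against the sample data it reports three items: ws-02 locking at 30 minutes, jump-01 with no collected value, and the VPN exception. The "No Evidence" status is worth keeping separate from "Not Met": the first means your collector is incomplete and the assessor will have nothing to examine, the second means the SSP needs either a configuration fix or a rewrite before assessment day.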
Scope surprise. Discovering on day one of the assessment that systems you excluded from scope are actually in scope. This happens when organizations draw the scope boundary around their "main CUI systems" without tracing all the paths CUI actually takes. Backup systems that replicate CUI shares, IT admin workstations with remote access to CUI servers, cloud sync services that mirror CUI folders — these are all in scope, and a network diagram review on day one will surface them.
Treating the assessment like a compliance checkbox. Assessors are experienced enough to tell the difference between a security program that's been running for 18 months and a program that was assembled in the 60 days before the assessment. Evidence age matters. Audit logs from before your remediation period, training records going back more than a year, change management records with realistic history — these all signal that your program is real, not staged.
What Your Assessor Expects
Your assessor isn't looking for perfection. They're looking for evidence of a functioning security program. That means:
- An SSP that accurately describes your environment and implementation
- Controls that work as documented
- Personnel who understand their security responsibilities
- Evidence that predates the assessment, not evidence collected to pass the assessment
- A POA&M that honestly reflects what isn't done yet
The assessment rewards honesty. A control marked as "partially implemented" with a realistic POA&M closure date is better than a control marked "implemented" with no supporting evidence. Assessors compare your SSP claims against reality; if the claims and reality don't match, the disparity is a finding regardless of which direction it goes.
Come organized. Have your evidence package indexed and accessible. Know who the assessor needs to talk to and make sure those people are available. Run a mock assessment — either internally against NIST 800-171A or with an RPO (Registered Provider Organization) — in the two to three months before your assessment date. Surprises during a mock assessment cost you nothing. Surprises during the real one cost you certification.
---
Building your evidence package? Start with NIST SP 800-171A — it lists every assessment objective your C3PAO will evaluate. For each objective, ask yourself: what document or artifact proves this? That's your evidence gap list.
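The evidence gap list above, together with the "evidence age matters" point from the Common Mistakes section, can be produced from a simple artifact index. This is an added example, not code from the original article: it maps each collected artifact to the 800-171A objectives it supports, lists objectives with nothing mapped to them, flags mappings that point at an objective ID not in your master list (usually a typo in the index), and separates artifacts dated inside the remediation window so you can pair them with older corroborating records. The objective IDs use the 800-171A identifier style (requirement number plus bracketed letter), but the objective glosses, artifact names and dates are constructed for the example and are not the official objective text.

```python
from datetime import date
from typing import Dict, List

# Constructed objective list in the NIST SP 800-171A identifier style. The
# glosses are paraphrased for the example, not the official objective wording.
OBJECTIVES: Dict[str, str] = {
    "3.1.1[a]": "authorized users are identified",
    "3.1.1[b]": "processes acting on behalf of authorized users are identified",
    "3.1.10[a]": "inactivity period before session lock is defined",
    "3.1.10[b]": "session lock engages after that period",
    "3.5.3[a]": "privileged accounts are identified",
    "3.5.3[b]": "MFA is in place for network access to privileged accounts",
}

# Constructed evidence index: artifact path, objectives it supports, date produced.
# The "3.1.1[x]" entry is a deliberate typo to show the dangling-mapping check.
EVIDENCE = [
    {"artifact": "policies/access-control-policy-v3.pdf",
     "objectives": ["3.1.1[a]", "3.1.1[b]"], "date": date(2024, 3, 12)},
    {"artifact": "tickets/access-review-2025Q1.csv",
     "objectives": ["3.1.1[a]", "3.1.1[x]"], "date": date(2025, 4, 3)},
    {"artifact": "gpo/screen-lock-export.xml",
     "objectives": ["3.1.10[a]"], "date": date(2025, 8, 30)},
    {"artifact": "screenshots/session-lock-demo.png",
     "objectives": ["3.1.10[b]"], "date": date(2025, 9, 2)},
]

REMEDIATION_START = date(2025, 7, 1)  # constructed: when the pre-assessment push began


def evidence_gaps(objectives, evidence) -> List[str]:
    """Objectives with no artifact mapped to them: the gap list to work from."""
    covered = {o for e in evidence for o in e["objectives"]}
    return sorted(o for o in objectives if o not in covered)


def dangling_mappings(objectives, evidence) -> List[str]:
    """Artifact -> objective mappings whose ID is not in the master list."""
    return sorted(f'{e["artifact"]} -> {o}'
                  for e in evidence for o in e["objectives"] if o not in objectives)


def recent_evidence(evidence, since) -> List[str]:
    """Artifacts dated on or after `since`. Records created during the remediation
    window read as assembled for the assessment; each should sit beside an older
    corroborating record (logs, tickets, earlier policy versions) where one exists."""
    return sorted(e["artifact"] for e in evidence if e["date"] >= since)


def coverage(objectives, evidence) -> float:
    """Fraction of objectives with at least one artifact, rounded to two places."""
    covered = {o for e in evidence for o in e["objectives"]} & set(objectives)
    return round(len(covered) / len(objectives), 2) if objectives else 0.0


def gap_report(objectives, evidence, since) -> str:
    lines = [f"coverage: {coverage(objectives, evidence):.0%}"]
    lines += [f"GAP     {o}: {objectives[o]}" for o in evidence_gaps(objectives, evidence)]
    lines += [f"TYPO    {m}" for m in dangling_mappings(objectives, evidence)]
    lines += [f"RECENT  {a} (dated after {since})" for a in recent_evidence(evidence, since)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(gap_report(OBJECTIVES, EVIDENCE, REMEDIATION_START))
```

The index itself can be a spreadsheet export; the point is that every objective has a row, not just the ones you already have evidence for. With the sample data the report shows the two 3.5.3 objectives uncovered, one mapping typo, and both session-lock artifacts dated inside the remediation window.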
Prefer email? Reach us at ix@isegrim-x.com