The Assessment Process
A CMMC Level 2 certification assessment follows four phases. Understanding each one prevents surprises — and surprises during an assessment always go badly.
Phase 1 — Pre-Assessment
What happens: You and the C3PAO agree on scope, timeline, logistics, and cost. You provide the documentation the assessment team needs to review before arriving: SSP, asset inventory, network diagrams, operational plan of action, and any supporting policies and procedures.
Why it matters: The assessment team reads your SSP before they arrive. It’s their roadmap. If the SSP is incomplete, inaccurate, or contradicts your actual environment, the assessment starts with the team already questioning your compliance posture. A strong SSP sets the tone for the entire engagement.
What to get right: Your SSP must be current (updated within 30 days of any recent changes), your asset inventory must match the SSP, your network diagram must match the inventory, and your operational plan of action must be actively managed — not hastily assembled the week before. The C3PAO may ask clarifying questions during this phase. Answer them promptly and thoroughly.
Duration: Typically 2-4 weeks before the on-site assessment, though the C3PAO sets the specific timeline.
Phase 2 — Assessment
What happens: The assessment team executes the assessment plan using three methods: Examine (review documents and configurations), Interview (talk to responsible personnel), and Test (verify mechanisms work as described). They work through the 110 requirements systematically, evaluating the 320 determination statements from NIST SP 800-171A.
What this looks like in practice: The lead assessor works through requirements family by family. For each one, they may ask to see a policy, interview the responsible person, and then test the control. For access control, they’ll review your account list, ask the admin how offboarding works, and then check whether a recently terminated employee’s account is actually disabled. For logging, they’ll ask to see your SIEM, run a query, and verify logs from three months ago exist.
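The two Test-method spot checks described above (a terminated employee's account still enabled, and log history reaching back three months) can be rehearsed before the assessor arrives. The script below is an added example, not part of the original page or any C3PAO's tooling: it runs over a constructed account export, a constructed HR termination list, and a handful of constructed log lines, and reports exactly what an assessor would flag. Field names, the log line format, and the 90-day retention window are assumptions chosen for illustration.

```python
from datetime import date, datetime, timedelta

# Constructed sample directory export (not real accounts).
ACCOUNTS = [
    {"user": "alice", "enabled": True},
    {"user": "bob", "enabled": False},   # offboarded correctly
    {"user": "carol", "enabled": True},  # offboarding missed
]

# Constructed sample HR termination list: user -> termination date.
TERMINATED = {"bob": date(2024, 3, 1), "carol": date(2024, 3, 15)}

# Constructed sample SIEM export: ISO timestamp followed by key=value pairs.
SAMPLE_LOG_LINES = [
    "2024-01-02T08:00:00Z host=fw01 event=deny src=10.0.0.5",
    "2024-03-20T09:15:00Z host=dc01 event=logon user=alice",
    "2024-03-28T11:00:00Z host=dc01 event=logoff user=alice",
    "2024-04-01T00:00:00Z host=web01 event=start",
]


def stale_accounts(accounts, terminated):
    """Users on the termination list whose account is still enabled.

    This is the access-control test the assessor performs: pick a recently
    terminated employee and confirm the account is actually disabled.
    """
    return sorted(
        a["user"] for a in accounts if a["enabled"] and a["user"] in terminated
    )


def earliest_event_by_host(lines):
    """Parse log lines and return the earliest event date seen per host."""
    earliest = {}
    for line in lines:
        ts_str, rest = line.split(" ", 1)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").date()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        host = fields["host"]
        if host not in earliest or ts < earliest[host]:
            earliest[host] = ts
    return earliest


def log_retention_gaps(lines, required_days, today):
    """Hosts whose oldest retained event is newer than the retention cutoff.

    Mirrors the logging test: the assessor asks for events from three months
    ago, so every in-scope host must have history at least that old.
    """
    cutoff = today - timedelta(days=required_days)
    earliest = earliest_event_by_host(lines)
    return sorted(host for host, first in earliest.items() if first > cutoff)


def readiness_report(accounts, terminated, lines, required_days, today):
    """Combine both spot checks into one result an internal reviewer can act on."""
    return {
        "enabled_terminated_users": stale_accounts(accounts, terminated),
        "hosts_missing_log_history": log_retention_gaps(lines, required_days, today),
    }


if __name__ == "__main__":
    # Assumed assessment date for the constructed data.
    report = readiness_report(ACCOUNTS, TERMINATED, SAMPLE_LOG_LINES, 90, date(2024, 4, 10))
    for check, offenders in report.items():
        print(f"{check}: {offenders or 'none'}")
```

Run it against a real directory export and SIEM search before pre-assessment; anything it lists is a finding waiting to happen, and fixing it (disabling the account, confirming the retention setting) is far cheaper than arguing it at the out-brief.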
How long it takes: Typically 3-5 days on-site for a small to mid-size DIB contractor, depending on scope complexity. Larger or more complex environments take longer. The C3PAO estimates this during pre-assessment.
Your role: Have the right people available (see Assessment Day). Respond to questions directly and honestly. If you don’t know an answer, say so and get the right person — don’t guess. Demonstrate controls when asked. Provide evidence promptly.
Phase 3 — Post-Assessment
What happens: The assessment team compiles their findings. For each of the 110 requirements, they determine MET, NOT MET, or NOT APPLICABLE. They calculate the SPRS score. They identify which NOT MET items (if any) are POA&M-eligible.
The out-brief: Before finalizing, the assessment team typically conducts an out-brief with the OSC leadership — a summary of preliminary findings. This is your opportunity to provide additional evidence for any preliminary NOT MET findings. If the assessor missed something or you can produce additional evidence that addresses a gap, this is the time. But don’t expect to change findings based on promises of future work — evidence must exist at the time of assessment.
Quality assurance: The C3PAO’s quality assurance process reviews the assessment results before they’re finalized. This ensures consistency and accuracy across assessors.
Phase 4 — Reporting
What happens: Final results are uploaded to eMASS and reported to the CMMC PMO. The CMMC PMO reviews and issues the CMMC Status. The OSC receives the assessment report detailing findings for each requirement.
The outcomes:
- All requirements MET/N/A → Final Level 2 (C3PAO). Certification valid for three years with annual affirmations.
- Some requirements NOT MET, all POA&M-eligible → Conditional Level 2 (C3PAO). 180-day clock starts to close all POA&M items and pass a closeout assessment.
- NOT MET requirements include non-POA&M-eligible items → No certification. You must remediate and schedule a new assessment.
SPRS update: Your score is recorded in SPRS. Contracting officers can see it. This is the number that determines contract eligibility.