The Assessment Process
A CMMC Level 2 certification assessment follows four phases. Understanding each one prevents surprises — and surprises during an assessment always go badly.
Phase 1 — Pre-Assessment
What happens: You and the C3PAO agree on scope, timeline, logistics, and cost. You provide the documentation the assessment team needs to review before arriving: SSP, asset inventory, network diagrams, operational plan of action, and any supporting policies and procedures.
Why it matters: The assessment team reads your SSP before they arrive. It’s their roadmap. If the SSP is incomplete, inaccurate, or contradicts your actual environment, the assessment starts with the team already questioning your compliance posture. A strong SSP sets the tone for the entire engagement.
What to get right: Your SSP must be current (updated within 30 days of any recent changes), your asset inventory must match the SSP, your network diagram must match the inventory, and your operational plan of action must be actively managed — not hastily assembled the week before. The C3PAO may ask clarifying questions during this phase. Answer them promptly and thoroughly.
Duration: Typically 2-4 weeks before the on-site assessment, though the C3PAO sets the specific timeline.
Phase 2 — Assessment
What happens: The assessment team executes the assessment plan using three methods: Examine (review documents and configurations), Interview (talk to responsible personnel), and Test (verify mechanisms work as described). They work through the 110 requirements systematically, evaluating the 320 determination statements from NIST SP 800-171A.
What this looks like in practice: The lead assessor works through requirements family by family. For each one, they may ask to see a policy, interview the responsible person, and then test the control. For access control, they’ll review your account list, ask the admin how offboarding works, and then check whether a recently terminated employee’s account is actually disabled. For logging, they’ll ask to see your SIEM, run a query, and verify logs from three months ago exist.
How long it takes: Typically 3-5 days on-site for a small to mid-size DIB contractor, depending on scope complexity. Larger or more complex environments take longer. The C3PAO estimates this during pre-assessment.
Your role: Have the right people available (see Assessment Day). Respond to questions directly and honestly. If you don’t know an answer, say so and get the right person — don’t guess. Demonstrate controls when asked. Provide evidence promptly.
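The two Test steps described above (is a recently terminated employee's account actually disabled, and do logs from three months ago exist) are the kind of checks worth running yourself before the assessor does. The following is an added example, not code from the original page; the HR termination export, the directory account export and the column names are constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data (not from any real environment): an HR termination
# export and an identity-directory account export, both as CSV text.
HR_TERMINATIONS = """employee_id,username,termination_date
1001,jdoe,2024-05-10
1002,asmith,2024-06-02
1003,bkim,2024-06-20
"""

ACCOUNT_EXPORT = """username,enabled,last_logon
jdoe,false,2024-05-09
asmith,true,2024-06-15
bkim,true,2024-06-19
cwong,true,2024-06-28
"""


def find_offboarding_gaps(terminations_csv, accounts_csv, as_of_iso):
    """Reconcile terminations against directory accounts, as an assessor would.

    Returns {"still_enabled": [...], "logon_after_termination": [...]}, each a
    list of usernames, for employees terminated on or before as_of_iso.
    """
    as_of = date.fromisoformat(as_of_iso)
    accounts = {r["username"]: r for r in csv.DictReader(io.StringIO(accounts_csv))}
    gaps = {"still_enabled": [], "logon_after_termination": []}
    for row in csv.DictReader(io.StringIO(terminations_csv)):
        term_date = date.fromisoformat(row["termination_date"])
        acct = accounts.get(row["username"])
        if term_date > as_of or acct is None:
            continue  # not yet terminated, or no directory account to disable
        if acct["enabled"].strip().lower() == "true":
            gaps["still_enabled"].append(row["username"])
        if date.fromisoformat(acct["last_logon"]) > term_date:
            gaps["logon_after_termination"].append(row["username"])
    return gaps


def log_retention_covers(earliest_event_iso, as_of_iso, required_days=90):
    """True if the oldest retained log event reaches back required_days or more.

    90 days is an assumed threshold standing in for "three months ago".
    """
    earliest = date.fromisoformat(earliest_event_iso)
    return earliest <= date.fromisoformat(as_of_iso) - timedelta(days=required_days)
```

Feed the functions a real HR export and a real directory export and any name returned is a finding you would rather discover in pre-assessment than on site.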
Phase 3 — Post-Assessment
What happens: The assessment team compiles their findings. For each of the 110 requirements, they determine MET, NOT MET, or NOT APPLICABLE. They calculate the SPRS score. They identify which NOT MET items (if any) are POA&M-eligible.
The out-brief: Before finalizing, the assessment team conducts an out-brief with OSC leadership — a summary of preliminary findings. The out-brief and the 10-business-day re-evaluation window from Phase 2 together form your opportunity to provide additional evidence for any preliminary NOT MET findings. If the assessor missed something or you can produce evidence that addresses a gap, this is the time. But: evidence must have existed at the time of assessment — the window does not allow new work to be submitted as if it were already in place.
Quality assurance: The C3PAO’s quality assurance process reviews the assessment results before they’re finalized. This ensures consistency and accuracy across assessors.
Phase 4 — Issue Certificate and Close Out POA&M
What happens: The C3PAO’s Authorized Certifying Official issues the Certificate of CMMC Status based on the assessment results uploaded to CMMC eMASS in Phase 3. For OSCs that earned Conditional certification, Phase 4 also covers the 180-day POA&M closeout — including the closeout assessment by an authorized C3PAO that converts Conditional status to Final status (or lets it lapse if the work isn’t done in time).
The initial outcomes (at Certificate issuance):
- All requirements MET/N/A → Final Level 2 (C3PAO). Certificate valid for three years with annual affirmations submitted to SPRS by the Affirming Official.
- Some requirements NOT MET, all POA&M-eligible, score ≥ 88 → Conditional Level 2 (C3PAO). A 180-day clock starts on the CMMC Status Date.
- NOT MET requirements include non-POA&M-eligible items, or score below 88 → No certification. You must remediate and schedule a new assessment.
The POA&M closeout (only for Conditional): Within 180 days of the CMMC Status Date, every POA&M item must be closed and verified through a closeout certification assessment by an authorized or accredited C3PAO. If closeout is successful, the Conditional status converts to Final and the standard three-year certification cycle begins. If 180 days elapse without successful closeout, the Conditional status expires — the OSC must begin again with a new initial assessment.
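The three outcomes above and the 180-day closeout clock are easy to get wrong when a leadership team is reasoning about a mixed set of findings, so here they are as decision logic. This is an added example, not code from the original page or from CMMC eMASS; the requirement identifiers are constructed placeholders, and counting the deadline as exactly 180 calendar days after the CMMC Status Date is an assumption.

```python
from datetime import date, timedelta

POAM_CLOSEOUT_DAYS = 180      # page: 180-day clock from the CMMC Status Date
MIN_CONDITIONAL_SCORE = 88    # page: Conditional requires score >= 88
FINDINGS = {"MET", "NOT MET", "N/A"}


def certification_outcome(determinations, sprs_score):
    """Apply the Phase 4 outcome rules.

    determinations: {requirement_id: (finding, poam_eligible)}; poam_eligible
    only matters for NOT MET entries. Returns "FINAL", "CONDITIONAL" or "NONE".
    """
    not_met = {}
    for rid, (finding, eligible) in determinations.items():
        if finding not in FINDINGS:
            raise ValueError(f"{rid}: unknown finding {finding!r}")
        if finding == "NOT MET":
            not_met[rid] = bool(eligible)
    if not not_met:
        return "FINAL"               # all MET or N/A
    if all(not_met.values()) and sprs_score >= MIN_CONDITIONAL_SCORE:
        return "CONDITIONAL"         # every gap is POA&M-eligible and score holds
    return "NONE"                    # an ineligible gap, or score too low


def poam_closeout_deadline(status_date_iso):
    """Last day of the POA&M closeout window, as an ISO date string."""
    status = date.fromisoformat(status_date_iso)
    return (status + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


def conditional_status(status_date_iso, closeout_date_iso=None, today_iso=None):
    """Where a Conditional certificate stands on a given day.

    closeout_date_iso is the date a C3PAO verified every POA&M item closed
    (None if not yet). Returns "FINAL", "EXPIRED" or "CONDITIONAL".
    ISO dates compare correctly as strings, so no parsing is needed here.
    """
    deadline = poam_closeout_deadline(status_date_iso)
    if closeout_date_iso is not None and closeout_date_iso <= deadline:
        return "FINAL"
    if today_iso is not None and today_iso > deadline:
        return "EXPIRED"             # must start over with a new initial assessment
    return "CONDITIONAL"
```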
SPRS and CMMC eMASS: Your score is recorded in CMMC eMASS (the CMMC instantiation of eMASS — a separate system from generic DoD eMASS) and reflected in SPRS for contracting officer visibility. The CMMC PMO oversees the program and reviews assessment quality through the Cyber AB; certificates themselves are issued by C3PAOs.