How to Prepare for Your CMMC Assessment: A Step-by-Step Guide

Preparing for a CMMC assessment takes 6-18 months. This step-by-step guide covers scoping, documentation, evidence collection, C3PAO selection, and what to expect during your Level 2 certification assessment.

Deep Fathom

A CMMC assessment is not something you pass by studying the night before. Organizations that treat it as a last-minute exercise fail. The ones that succeed treat preparation as a structured project with clear phases, defined milestones, and enough runway to fix what’s broken before an assessor walks through the door.

Most organizations need 6 to 18 months of active preparation before they’re ready for a C3PAO Level 2 certification assessment. The assessment itself takes roughly a week. Everything that determines the outcome happens in the months before that week begins.

This guide walks through the full preparation process, from initial scoping through assessment day, based on what C3PAOs actually evaluate and where organizations most commonly fall short.

Step 1: Determine Your CMMC Level and Assessment Type

Before you prepare, confirm what you’re preparing for.

Check your contracts. Review current contracts and active solicitations for DFARS clauses that reference CUI handling. DFARS 252.204-7012 mandates NIST 800-171 compliance for CUI. DFARS 252.204-7021 specifies the CMMC level required.

Identify your data types. If your contracts involve only Federal Contract Information (FCI), Level 1 self-assessment applies. If Controlled Unclassified Information (CUI) is present in your environment, plan for Level 2. Many contractors underestimate what qualifies as CUI. Technical drawings, test data, export-controlled specifications, and certain personnel records all fall under CUI categories. When in doubt, consult the CUI Registry maintained by the National Archives.

Confirm your assessment path. Most CUI contracts will require a C3PAO certification assessment, especially those the DoD designates as prioritized acquisitions. Some non-prioritized contracts may allow Level 2 self-assessment. Your contracting officer or the solicitation language will specify the requirement. Don’t assume self-assessment is sufficient without confirming.

Step 2: Define Your CUI Boundary and Assessment Scope

Scoping errors are the leading cause of CMMC assessment failures. Over-scoping wastes money on controls for systems that don’t need them. Under-scoping is worse. When an assessor discovers CUI in systems you excluded from scope, that’s an automatic finding, and it calls the integrity of your entire submission into question.

Map your CUI data flows. Document where CUI enters your environment, how it moves through your systems, where it’s stored, how it’s processed, and where it exits. Include email systems, file shares, collaboration tools, cloud storage, backup systems, and any endpoint that touches CUI.

Identify your in-scope assets. Every system, application, network segment, and device that stores, processes, or transmits CUI falls within your CMMC assessment boundary. This includes:

  • CUI Assets: Systems that directly handle CUI
  • Security Protection Assets: Tools that protect CUI assets (firewalls, SIEM, endpoint protection, identity providers)
  • Contractor Risk Managed Assets: Assets that are not intended to, but are capable of, processing, storing, or transmitting CUI because of the security policy, procedures, and practices in place
  • Specialized Assets: IoT devices, OT systems, government-furnished equipment, and test equipment that may interact with CUI

Consider network segmentation. Reducing your CUI boundary through network segmentation is one of the most effective ways to control assessment scope and cost. If you can isolate CUI processing into a defined enclave, only that enclave and its supporting infrastructure need to meet CMMC requirements. Every system you keep out of scope is a system you don’t need to document, monitor, and defend during assessment.

Account for external service providers. If your MSP, cloud provider, or any other external service provider processes, stores, or transmits CUI or Security Protection Data on your behalf, their environment becomes part of your assessment scope. You need a customer responsibility matrix (CRM) that clearly defines which controls each party owns. Assessors will ask for it.

Step 3: Run an Honest Gap Assessment

The gap assessment is where you find out what’s real and what’s wishful thinking. This is not the time for optimism.

Evaluate all 110 controls at the assessment-objective level. NIST 800-171A defines 320 assessment objectives across the 110 controls. Assessors evaluate at this granular level. A control with four objectives where three are satisfied and one is not will score as NOT MET. Working at the control level instead of the objective level is how organizations convince themselves they’re ready when they’re not.

For each control, answer three questions:

  1. Is the control implemented? Not planned, not in progress. Running in production.
  2. Is the implementation documented? Can you point an assessor to a policy, procedure, or configuration that describes how it works?
  3. Do you have evidence? Can you produce a current artifact that proves the control is functioning as documented?

If the answer to any of these is no, the control has a gap.

In gap assessments we’ve conducted, the most frequently unmet control families are Audit and Accountability and System and Communications Protection — areas where implementation exists but evidence is incomplete or outdated.

Score yourself using the DoD Assessment Methodology. The methodology assigns point values of 1, 3, or 5 to each security requirement based on its NIST classification as a Basic or Derived Security Requirement. An unimplemented requirement subtracts its assigned weight from the 110-point maximum. Two requirements (MFA and FIPS-validated encryption) allow partial credit for partial implementation. This gives you your current SPRS score and a quantified measure of the remediation work ahead.

Don’t hide from the number. The average SPRS score across the defense industrial base is negative. If your honest self-assessment produces a score of 40 or 60, that’s not unusual. It’s a starting point. What matters is having a clear, prioritized remediation plan to close the gap.

Need help scoping your gap assessment? Start with a free readiness check to identify your highest-priority control gaps.

Step 4: Build Your Remediation Plan

Your gap assessment produces a list of unmet controls. Your remediation plan turns that list into a sequenced, resourced project with accountable owners and realistic timelines.

Most organizations look at this list and want to start fixing things immediately. Resist that impulse. The sequencing matters as much as the fixes themselves.

Prioritize by assessment impact. Not all control gaps are equal. Some controls are not eligible for POA&M under CMMC, meaning they must be fully implemented at assessment time. Start with those. The DoD has designated specific controls that cannot be deferred through a Plan of Action and Milestones. If any of these are NOT MET during your assessment, you fail regardless of your other scores.

Group by implementation dependency. Some controls depend on others. You need baseline configurations and inventories (CM.L2-3.4.1) before you can enforce security configuration settings (CM.L2-3.4.2). You need identification and authentication controls before access control policies become meaningful. Sequence your remediation to follow these logical dependencies.

One thing that catches organizations off guard: remediation timelines compress faster than expected in the final 90 days. Procurement delays, staff turnover, and change management bottlenecks compound in ways that linear planning doesn’t account for. If your plan has you finishing controls in the last month before assessment, you’re already behind.

Assign ownership. Every remediation task needs a named owner: not a department, not a team, a person. Compliance programs stall when tasks are assigned to groups because no individual feels accountable for completion.

Set realistic timelines. Technical controls like MFA deployment or SIEM implementation take weeks to months. Policy development and training take additional time. Factor in procurement cycles for new tools, change management for new processes, and testing to verify controls work as intended. Organizations that underestimate timelines end up rushing, and rushed implementations produce the kind of evidence that assessors immediately question.

Budget accordingly. Remediation costs vary. A small organization with a limited CUI boundary might spend $50,000 on tools and configuration. A mid-size contractor with distributed systems could spend $150,000 to $300,000. The cost depends on how far your current security posture is from the 110-control baseline and how complex your environment is.

Step 5: Build Your Documentation Package

Documentation is where most CMMC assessments are won or lost. Assessors spend more time reviewing documentation than testing technical controls. Incomplete, inconsistent, or stale documentation produces findings faster than misconfigured firewalls.

System Security Plan (SSP)

Your SSP is the single most important document in your CMMC assessment. It describes your information system, your CUI boundary, your network architecture, your implemented controls, and how each control operates in your specific environment.

A good SSP includes:

  • System boundary description with network diagrams
  • CUI categorization and data flow documentation
  • Roles and responsibilities for security management
  • Implementation details for each of the 110 controls, specific to your environment
  • Interconnections with external systems and service providers
  • Authorization boundary that defines what’s in scope

The most common SSP failure: writing it once and never updating it. If your SSP describes an environment from six months ago, and your current environment has changed, the assessor will find the inconsistencies. Your SSP must reflect reality at the time of assessment.

Among the SSPs we’ve reviewed during readiness assessments, the most common failure is a network diagram that doesn’t match the current environment. Contractors add systems, change providers, and update configurations without updating the SSP.

Plan of Action and Milestones (POA&M)

If your gap assessment shows controls that aren’t fully implemented by assessment time, they go into your POA&M. This document identifies each gap, the specific remediation actions planned, responsible parties, and target completion dates.

Under CMMC, POA&Ms have constraints. Your assessment score must reach at least 80% of the maximum (88 out of 110 points) to achieve even Conditional status, and certain controls are excluded from POA&M eligibility entirely — meaning they must be fully MET at assessment time regardless of your score. All POA&M items must be closed within 180 days of the Conditional CMMC Status date. Your POA&M should be a living, actively managed document, not a parking lot for controls you haven’t gotten to.
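The objective-level roll-up from Step 3 and the scoring rules in this section, worked through in code. This is an added example, not code from the article or from Deep Fathom: the rules (a control is MET only when every assessment objective is satisfied, an unmet requirement subtracts its 1/3/5 weight from 110, MFA and FIPS-validated encryption carry partial credit, Conditional status needs at least 88 and no POA&M-ineligible control NOT MET) come from the text, while the control weights, partial-credit deductions, objective lists and which controls are POA&M-ineligible are constructed sample data rather than the official DoD tables.

```python
"""Objective-level status roll-up and DoD Assessment Methodology scoring (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_SCORE = 110            # one point per NIST 800-171 requirement
CONDITIONAL_THRESHOLD = 88  # 80% of 110, per the article


@dataclass
class Control:
    ident: str                  # NIST 800-171 / CMMC practice identifier
    weight: int                 # 1, 3 or 5 (constructed here, not the official value)
    objectives: Dict[str, bool]  # 800-171A objective id -> satisfied?
    partial_credit: Optional[int] = None  # reduced deduction when partially implemented
    poam_eligible: bool = True  # False = must be MET at assessment time (constructed)

    def status(self) -> str:
        # One unmet objective is enough to make the whole control NOT MET.
        if all(self.objectives.values()):
            return "MET"
        # Simplified partial-credit rule: some, but not all, objectives satisfied.
        if self.partial_credit is not None and any(self.objectives.values()):
            return "PARTIAL"
        return "NOT MET"

    def deduction(self) -> int:
        s = self.status()
        if s == "MET":
            return 0
        return self.partial_credit if s == "PARTIAL" else self.weight


def score(controls: List[Control]) -> int:
    """Current SPRS-style score: 110 minus the deduction for each unmet requirement."""
    return MAX_SCORE - sum(c.deduction() for c in controls)


def assess(controls: List[Control]) -> dict:
    """Apply the thresholds: blocking controls fail outright, then 88/110 decides Conditional."""
    not_met = [c.ident for c in controls if c.status() != "MET"]
    blocking = [c.ident for c in controls if c.status() != "MET" and not c.poam_eligible]
    total = score(controls)
    if blocking:
        outcome = "FAIL (POA&M-ineligible control NOT MET)"
    elif not not_met:
        outcome = "Final"
    elif total >= CONDITIONAL_THRESHOLD:
        outcome = "Conditional"
    else:
        outcome = "FAIL (below 88)"
    return {"score": total, "not_met": not_met, "blocking": blocking, "outcome": outcome}


def sample_controls() -> List[Control]:
    """Constructed gap-assessment extract; every control not listed is assumed MET."""
    return [
        Control("AC.L2-3.1.1", 5, {"a": True, "b": True, "c": True}, poam_eligible=False),
        # Three of four objectives satisfied: still NOT MET, full 5-point deduction.
        Control("CM.L2-3.4.1", 5, {"a": True, "b": True, "c": True, "d": False}),
        # MFA in place for privileged and remote users but not general users: partial credit.
        Control("IA.L2-3.5.3", 5, {"privileged": True, "remote": True, "general": False}, partial_credit=3),
        # Encryption deployed but modules are not FIPS-validated: partial credit.
        Control("SC.L2-3.13.11", 5, {"encrypted": True, "fips_validated": False}, partial_credit=3),
    ]


if __name__ == "__main__":
    print(assess(sample_controls()))  # score 99, Conditional
```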

Policies and Procedures

Each control family requires supporting policies. Access Control needs an access control policy. Incident Response needs an incident response plan. Audit and Accountability needs an audit policy that defines what’s logged, how long logs are retained, and who reviews them.

Generic policies downloaded from the internet fail under assessment. Assessors compare your policies against your actual environment. If your access control policy describes procedures that don’t match how access is actually managed in your systems, that’s a finding. Policies must reflect actual practice in your specific environment.

Evidence Artifacts

Every control needs evidence. Configuration exports, screenshots, audit logs, training records, vulnerability scan results, access control lists, network diagrams, incident response test results. Each artifact should tie to a specific assessment objective, be timestamped, and reflect current-state compliance.

Organize evidence by control family. Use a consistent naming convention. Store everything in a centralized, accessible location. When the assessor asks for evidence of AC.L2-3.1.1, you should be able to produce it in minutes, not hours.

Step 6: Conduct a Pre-Assessment Readiness Review

Before engaging a C3PAO, run a rehearsal. This is the step that separates organizations that pass from those that don’t.

Conduct an internal readiness review. Walk through every control as if you were the assessor. Examine the documentation. Interview your staff. Test the technical controls. Can you produce evidence for every assessment objective? Does your SSP match your actual environment? Can your employees describe CUI handling procedures without referencing a script?

If your internal review surfaces persistent gaps or your team lacks the bandwidth to evaluate objectively, consider engaging an RPO (Registered Practitioner Organization) or experienced consultant to conduct an independent readiness review before the formal C3PAO assessment. The readiness partner identifies gaps and helps you fix them. The C3PAO identifies gaps and scores them. Know the difference. Your C3PAO cannot help you prepare. That’s a conflict of interest under the CMMC ecosystem rules.

Test your staff. Assessors conduct personnel interviews as a core part of the assessment methodology. They ask employees about security awareness, CUI handling, incident reporting, and their specific responsibilities under your security program. If your IT administrator can’t explain your audit log retention policy, or your project manager doesn’t know the procedure for reporting a suspected data breach, those become findings. Train your people and test them before the assessor does.

Verify evidence currency. Evidence goes stale. A configuration screenshot from three months ago doesn’t prove current compliance if the configuration has changed. Refresh all time-sensitive evidence shortly before your scheduled assessment. The closer the evidence is to current state, the fewer questions the assessor will have. Establish a process for continuous evidence capture if possible, so currency is maintained automatically rather than through periodic scrambles.

Step 7: Select and Engage Your C3PAO

C3PAO selection matters. Not all assessment organizations deliver the same experience or operate with the same level of rigor and professionalism.

Start early. Assessor availability can become a scheduling constraint, especially as more contractors seek certification. Scheduling lead times are increasing and will grow as enforcement phases expand the number of contractors who need certification. Begin your C3PAO search 3 to 6 months before your target assessment date.

Verify authorization. Confirm the C3PAO is listed as an Authorized C3PAO on The Cyber AB Marketplace. Check that their authorization is current and their assessors hold valid Certified CMMC Assessor (CCA) credentials.

Understand the pre-assessment process. Most C3PAOs run a scoping and logistics process before the formal assessment. This typically includes a scoping call to review your network architecture, CUI data flows, assessment boundary, in-scope systems, and external service provider relationships. The exact timing, evidence deadlines, and on-site duration vary by provider and scope. Come to the scoping call prepared. Have your SSP, network diagrams, and asset inventory ready. The scoping process sets the assessment parameters and determines what the team will evaluate.

Clarify logistics. Confirm assessment duration, on-site vs. remote components, team composition, evidence submission requirements, and pre-assessment documentation deadlines. Know what the C3PAO needs from you and when they need it.

Step 8: What to Expect During the Assessment

The C3PAO assessment for Level 2 commonly runs over several days, though duration varies based on scope and complexity. Here’s a general pattern for what to expect.

The assessment typically opens with a scope review and orientation: the team confirms the assessment boundary and aligns on logistics, and you walk them through your environment, introduce key personnel, and confirm access to systems and documentation.

The core assessment days that follow are where the team works through all 110 controls across the 320 assessment objectives, using three methods: examining documentation (SSP, policies, evidence artifacts), interviewing personnel (staff responsible for implementing and operating controls), and testing technical controls (verifying configurations, reviewing logs, testing access controls).

On the final day, the team presents preliminary findings, identifies any controls scored as NOT MET, and discusses POA&M items if applicable. You’ll have the opportunity to present additional evidence if the team has questions about specific controls.

After the assessment wraps, the C3PAO completes quality assurance review and records the assessment results through the CMMC program’s required reporting path, with Level 2 C3PAO results entered into CMMC eMASS and current status reflected in SPRS. If the organization achieves the minimum passing threshold and meets the requirements for Conditional or Final status, the assessment results in Conditional or Final Level 2 certification depending on whether permissible POA&M items remain.

Common Reasons Organizations Fail CMMC Assessments

Understanding failure patterns helps you avoid them.

Scoping errors. CUI discovered in systems excluded from the assessment boundary. This is the most damaging finding because it calls the accuracy of your entire scope into question. It also triggers a cascade: the assessor has to determine whether additional systems contain CUI, whether controls were evaluated against the right boundary, and whether the SSP accurately describes the environment. A single scoping miss can unravel an otherwise strong submission.

Stale documentation. SSP describes an environment that no longer exists. Evidence reflects configurations from months ago. Policies reference procedures that have changed.

Personnel gaps and evidence gaps often compound each other. The IT team can’t explain how audit logs are managed, and when the assessor asks for evidence of the audit process, nobody can produce it because nobody was clearly responsible for capturing it. In our experience supporting contractors through C3PAO preparation, evidence gaps account for more assessment findings than technical control failures. The control is often implemented — the proof just isn’t captured.

POA&M-ineligible controls not implemented. Certain controls must be fully operational at assessment time. Missing any of these is an automatic failure regardless of your score on everything else. Organizations frequently underestimate the lead time for these controls, particularly those involving encryption, multifactor authentication, or system monitoring — areas where procurement, configuration, and testing cycles can stretch well beyond initial estimates.

Shared responsibility confusion. The contractor thinks the MSP handles a control. The MSP thinks the contractor owns it. Nobody implemented it. The assessor finds the gap.

Building a Compliance System That Lasts

CMMC certification is valid for three years, with annual affirmation required. The organizations that maintain certification with minimal disruption are the ones who build systems, not projects.

A one-time compliance push that gets you through assessment will start degrading the moment your environment changes. New employees, new systems, updated configurations, revised policies. Without a system that keeps documentation, evidence, and control status synchronized continuously, you’ll spend the 12 months before your triennial reassessment doing the same scramble again.

The shift from project-based to continuous compliance is where most organizations struggle, and where the right platform makes the difference.

Deep Fathom was built for this. Our AI-native compliance platform guides defense contractors through every phase of assessment preparation, from gap assessment and remediation planning through evidence collection and pre-assessment readiness review. Documentation stays synchronized as your environment changes. Evidence is captured in flow, not assembled before an audit. When your C3PAO arrives, the work is already organized and traceable.

Check your readiness or talk to our team.
