CMMC assessment guide: What to expect, how to prepare & pass successfully

By Stephan Miller, May 17, 2026

Achieving Cybersecurity Maturity Model Certification (CMMC) is no longer optional for defense contractors. With Phase 1 implementation underway as of November 10, 2025, DoD contracting officers are now including CMMC self-assessment requirements in applicable solicitations and contracts — meaning organizations handling FCI or CUI may need to complete and submit a Level 1 or Level 2 self-assessment, depending on the solicitation, to be eligible for contract award. 

Phase 1 focuses primarily on Level 1 and Level 2 self-assessments, but DoD may include Level 2 (C3PAO) requirements in some Phase 1 procurements. Level 2 (C3PAO) requirements expand in Phase 2, which begins November 10, 2026.

Whether you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), understanding the assessment process is your first step toward achieving the required CMMC status or certification assessment outcome.

Note: ISACA took over as the CMMC Assessor & Instructor Certification Organization (CAICO) in April 2026. Learn how this affects CMMC assessments in our webinar with ISACA.


Understanding CMMC assessment requirements by level

CMMC 2.0 simplified the original five-level model into three distinct levels. 

  • Level 1 applies to organizations that handle only FCI and requires 15 security requirements with an annual affirmation.
  • Level 2 covers most defense contractors handling CUI, requiring all 110 NIST SP 800-171 Rev. 2 security requirements with either a triennial self-assessment or C3PAO assessment, depending on the solicitation, plus annual affirmations.
  • Level 3 is reserved for the most sensitive CUI, adding 24 NIST SP 800-172 requirements with government-led assessment.

For Level 2 (C3PAO), assessors will review your documentation, interview your staff, test technical controls and verify consistent security practices. If you need preparation support, Infosec Institute offers CMMC Certified Professional (CCP) training covering the full assessment process.

For more details on assessment by level, see our comprehensive CMMC levels guide.


Prepare for the new era of CMMC

Join Infosec Institute and Todd Gagnon, ISACA CAICO Director, to learn how the CMMC is changing.

The critical role of proper CMMC scoping

Before you prepare for an assessment, you need to define exactly what systems and data are in scope. Scoping mistakes are one of the most common reasons organizations struggle during their CMMC evaluation. According to the Cyber AB, "CMMC only applies to Defense Industrial Base contractors' unclassified networks that process, store or transmit FCI or CUI."

Understanding what scoping means

Think of scoping as drawing a security perimeter around your sensitive information. Everything inside that perimeter must meet CMMC requirements. Everything outside can remain at your current security standards. You don't need to secure your entire IT infrastructure to CMMC standards if only certain systems handle regulated data.

Your System Security Plan (SSP) is the key scoping document. It describes which systems, networks and assets are included in your CMMC assessment and how you protect CUI that flows through them. Assessors will closely examine your SSP to understand your scope boundaries.

How to scope your assessment

Start by identifying where CUI lives in your organization. Map every place it's created, stored, processed or transmitted. This includes obvious locations like file servers and databases, but don't forget email systems, backup solutions, cloud storage and collaboration platforms.

Once you know where your CUI exists, trace its movement through your environment. Create a data flow diagram showing how CUI enters your organization (from DoD contracts, emails, collaboration platforms), who accesses it (employees, contractors, managed service providers), where it's stored (on-premises servers, cloud systems, backup locations), and how it eventually leaves your systems (delivery to DoD, secure deletion, archival).

This visual representation makes it much easier to identify all the systems that need to be in scope. It also helps assessors understand your environment during their evaluation.

Document your scoping decisions clearly. For each system, explain why it's included or excluded from scope. If a system can access CUI but isn't included, explain the technical or administrative controls preventing that access. Assessors will challenge unclear scoping decisions, so be thorough.

Don't forget that managed service providers or your internal IT department may need to be included if they can access in-scope systems. External service providers that process, store or transmit CUI, or that provide security protection for CUI assets, may affect your CMMC scope and must be documented appropriately in your SSP and related service documentation.

Common scoping strategies

Many organizations use network segmentation to simplify their CMMC scope. By isolating CUI on dedicated networks or systems, you can reduce the number of assets needing strict security requirements. This might involve VLANs, separate physical networks, or firewall rules preventing cross-contamination.

Some contractors create a CUI enclave — essentially a separate, secure environment specifically designed to handle sensitive information. This approach can significantly reduce your assessment scope and costs, though setting up an enclave requires upfront investment. Treat these as market estimates, but basic implementations typically cost $300 to $400 per user per month, while more complex environments run higher.

Cloud considerations add another layer of complexity. If you use cloud services, understand the shared responsibility model. Your cloud provider may handle certain controls, such as physical security, environmental protections and infrastructure management. You can inherit these controls, but you must document them in your SSP and confirm your provider meets the required standards.

Government-furnished equipment deserves special attention. Government systems may have their own security controls you can leverage, but document this arrangement clearly.

Scoping mistakes that derail assessments

Making your scope too broad is expensive. If you include systems that don't actually handle CUI, you're spending time and money securing assets that don't need CMMC-level protection. This drives up both preparation costs and ongoing maintenance expenses.

The opposite problem is nearly as bad. Making your scope too narrow creates audit risk. If an assessor discovers CUI on systems you claimed were out of scope, you'll face a "Not Met" finding that could jeopardize your certification. Even worse, you may need to pause, expand or repeat portions of the assessment process.

Undefined boundaries between in-scope and out-of-scope systems cause problems during assessments. Assessors need to clearly understand where your CMMC environment ends and your general IT environment begins. Vague boundaries raise questions about whether you're really protecting all your CUI.

Poor documentation of scoping decisions is another common pitfall. Even if your scope is technically correct, assessors need to understand your rationale. Without clear documentation, they may challenge your decisions and expand your scope during the assessment.

Finally, don't change your scope mid-assessment. If you discover during the evaluation that you missed systems handling CUI, you'll need to work with the assessor to determine the impact, which could delay the assessment or require reassessment of the affected scope. Lock down your scope before your C3PAO arrives.

Pre-assessment preparation: Your 3–12 month roadmap

Successful CMMC assessments don't happen by accident. They're the result of months of deliberate preparation. Here's what you need to do before your C3PAO shows up — if your contract requires a Level 2 (C3PAO) assessment.

Conduct a comprehensive gap assessment

Start with an honest evaluation of your current security posture against CMMC requirements. A gap assessment compares your existing controls against all 110 Level 2 security requirements and identifies where you fall short. This serves as your CMMC assessment checklist, showing exactly which controls you've implemented and which need work.

You can conduct this assessment internally if you have cybersecurity expertise on staff. Many organizations bring in a Registered Practitioner Organization (RPO) to ensure nothing gets missed. RPOs specialize in CMMC compliance and know exactly what C3PAOs will look for during the formal assessment.

For each of the 110 practices, determine whether you've fully implemented the control, partially implemented it or haven't addressed it at all. Document your findings and prioritize remediation based on the difficulty and importance of each control. To find providers who can help with gap assessments, visit our CMMC marketplace guide.

Remediate identified gaps

Once you know what's missing, it's time to fix it. Remediation is typically the longest and most expensive part of CMMC preparation. Budget both time and money accordingly.

Start with the critical controls that can't be deferred. Under CMMC Level 2, certain security requirements must be fully implemented at the time of assessment. For Level 2, POA&Ms cannot include the System Security Plan requirement, several physical-protection requirements, external connections involving CUI data or public-information control involving CUI data. In addition, requirements worth more than one point generally cannot be placed on a POA&M, except for the limited CUI encryption exception where encryption is implemented but not yet FIPS-validated. These are specified in 32 CFR 170.21 and cannot be included in a POA&M.

Implement missing technical controls. This might include endpoint protection software, log aggregation and monitoring systems, vulnerability scanning tools and access management solutions. Update your policies and procedures to reflect your actual security practices. If you don't have formal documentation for incident response, change management or access control, create it now.

Don't forget about training and awareness. Your staff needs to understand their security responsibilities. Conduct training sessions and document attendance. Assessors will interview your employees, and untrained staff who don't understand security procedures can sink your certification.

For some remaining gaps, you may be able to use a Plan of Action and Milestones (POA&M), but the restrictions are strict. More on that later.

Prepare your documentation package

Documentation proves to assessors that your security controls aren't just theoretical. You need evidence that they're actually implemented and working.

Your System Security Plan is the cornerstone document. It describes your CMMC environment, the controls you've implemented and how those controls protect CUI. The SSP must be complete and accurate before your assessment begins. Under CMMC regulations, you cannot include the SSP itself in a POA&M.

Develop or update your security policies and procedures covering access control, incident response, change management, configuration management, media protection, physical security, system maintenance, risk assessment, security awareness training and all other areas addressed by NIST SP 800-171.

Gather configuration documentation for your systems. Assessors will want to see firewall rules, security settings, patch management records and other technical artifacts that demonstrate your controls are properly configured. Collect training records showing that staff have completed the required security awareness training. Keep incident response logs, vulnerability scan results and audit logs as evidence that your monitoring and response processes are active.

Assemble your assessment team

Your C3PAO will need to speak with various people in your organization. Identify who will participate in the assessment and prepare them for their roles.

You'll need technical subject matter experts who can explain how your systems work and demonstrate security controls. System administrators who manage your infrastructure should be available to answer detailed questions about configurations and procedures. Your security personnel should be prepared to discuss your security program, policies and incident response capabilities. Management representatives need to address governance, resource allocation and organizational commitment to security.

Give your team time to review relevant documentation before the assessment. They should be familiar with the SSP, policies and procedures they'll be asked about. Consider conducting mock interviews to help them practice responding to assessor questions.


Select your C3PAO

For Level 2 (C3PAO) assessments, choosing the right C3PAO is crucial. Level 3 assessments are conducted by DCMA DIBCAC, not by C3PAOs. Start your search early, as demand for assessments is high and availability is limited.

The Cyber AB maintains a marketplace of authorized C3PAOs. Research several organizations and request proposals. Compare their experience with organizations similar to yours, their timeline availability and their cost structure. Treat these as market estimates, but C3PAO fees for Level 2 assessments typically range from $35,000 to $75,000 or more, depending on your organization's size and complexity.

Check references and talk to other companies that have used each C3PAO. You want an organization that's thorough but fair, communicative throughout the process and knowledgeable about your industry or technology stack.

Once you've selected a C3PAO, sign your engagement contract well before your target assessment date. Popular assessors book up months in advance, particularly as more contractors seek certification under the Phase 1 rollout. For detailed guidance on selecting C3PAO organizations, see our comprehensive guide.

The CMMC assessment process: 6 to 10 weeks from start to certification

For a Level 2 (C3PAO) assessment, the process may look like the following:

Phase 1: Planning and scoping (1–2 weeks)

The kickoff meeting confirms assessment scope, schedule and communication protocols. The C3PAO requests your documentation package (SSP, policies, procedures, evidence artifacts) and coordinates access to systems and staff. You'll receive a detailed schedule outlining the timing of each assessment activity.

Phase 2: Document review (1–2 weeks)

The C3PAO reviews your SSP, policies and procedures for completeness and NIST SP 800-171 alignment. They'll send preliminary questions or clarification requests. Respond promptly to prevent confusion during hands-on activities.

Phase 3: Assessment activities (1–2 weeks)

This is the intensive phase. Management interviews cover security program governance and resource allocation. Technical staff explain access control, patching, monitoring and backup procedures. End users verify they've completed training and understand CUI handling.

The C3PAO tests your controls by reviewing system configurations, validating access controls, verifying encryption is FIPS-validated, and checking logging and monitoring systems. Physical inspections verify that badge readers, visitor logs and secure areas work as documented.

Throughout, assessors collect evidence: log files, change records, training completion, incident records and maintenance documentation.

Phase 4: Findings and reporting (1–2 weeks)

The C3PAO compiles findings and determines each control as Met, Not Met, Not Applicable or Inherited. You'll receive a draft report for discussion before the final version. "Not Met" findings for eligible controls go into a POA&M if you score at least 88 out of 110 points.

Phase 5: Certification (1–2 weeks)

The C3PAO uploads the final report to CMMC eMASS for review. Once verified, your assessment results are transmitted to SPRS, and your organization achieves a Conditional or Final Level 2 (C3PAO) CMMC status, depending on the assessment outcome and any eligible POA&M.

What CMMC assessors look for

Assessors evaluate beyond checkbox compliance. They need complete, accurate, current documentation that aligns with actual practices. Technical controls must be properly configured, actively monitored, regularly updated and demonstrably effective.

Security processes should be consistently followed across your organization, documented and repeatable, understood by staff and overseen by management. Your organizational culture matters too. Assessors look for security awareness throughout the company, compliance commitment beyond audit theater, a continuous improvement mindset and clear accountability when issues arise.

Common assessment findings and how to avoid them

Documentation gaps are extremely common: incomplete SSPs, missing procedures for incident response and change management, outdated policies and insufficient evidence. Technical issues include weak access controls, missing MFA where required, inadequate logging, poor configuration management and unpatched systems.

Process deficiencies manifest as inconsistent implementation, lack of training, weak incident response and poor change management. Address these systematically during your preparation phase.

Understanding plans of action and milestones (POA&Ms)

CMMC Level 2 allows limited use of POA&Ms for organizations that are not yet fully compliant. To qualify for conditional certification, you must score at least 88 out of 110 points (80% compliance), and only certain one-point controls can be included. Controls worth three or five points must be fully implemented, with one exception: partially implemented encryption (encryption exists but isn't FIPS-validated yet) can be included.

Level 2 POA&Ms cannot include the System Security Plan requirement, external-connections and public-information requirements involving CUI data, or the three listed physical-protection requirements: escort visitors, physical access logs and manage physical access.

Your POA&M must detail each gap, provide a specific remediation plan with a timeline and milestones, identify required resources and responsible parties, and implement interim risk mitigation measures. You have exactly 180 days from conditional certification to remediate every POA&M item and pass a closeout assessment. Miss this deadline and your conditional CMMC Status expires, requiring you to restart the entire process.
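The scoring rules described above and in the remediation section, encoded as an added readiness check (example code, not from the article or any official tool). The NIST SP 800-171 Rev. 2 identifiers for the named requirements are assumed, and the point deductions in the sample data are constructed for illustration; take real weights from the DoD assessment methodology.

```python
from dataclasses import dataclass, field

TOTAL_POINTS = 110          # 110 NIST SP 800-171 Rev. 2 requirements, 110 points
CONDITIONAL_THRESHOLD = 88  # minimum score for conditional Level 2 status

# Requirements the article says can never sit on a Level 2 POA&M.
# Identifiers are assumed; the article names these requirements by description only.
NEVER_ON_POAM = {
    "3.12.4": "System Security Plan",
    "3.10.3": "escort visitors",
    "3.10.4": "physical access logs",
    "3.10.5": "manage physical access",
    "3.1.20": "external connections involving CUI",
    "3.1.22": "public information involving CUI",
}
FIPS_ENCRYPTION = "3.13.11"  # CUI encryption requirement; assumed identifier


@dataclass
class Finding:
    req_id: str
    deduction: int          # points deducted if Not Met (1, 3 or 5 under the methodology)
    status: str             # "MET", "NOT MET", "NA" or "INHERITED"
    encryption_in_use: bool = False  # 3.13.11 only: encrypted, but not yet FIPS-validated


@dataclass
class Result:
    score: int
    eligible: bool
    blockers: list = field(default_factory=list)
    poam_items: list = field(default_factory=list)


def evaluate(findings):
    """Compute the score and decide whether every Not Met item may go on a POA&M."""
    not_met = [f for f in findings if f.status == "NOT MET"]
    score = TOTAL_POINTS - sum(f.deduction for f in not_met)
    result = Result(score=score, eligible=True)
    for f in not_met:
        if f.req_id in NEVER_ON_POAM:
            result.blockers.append(f"{f.req_id} ({NEVER_ON_POAM[f.req_id]}) is prohibited from POA&Ms")
        elif f.deduction > 1 and not (f.req_id == FIPS_ENCRYPTION and f.encryption_in_use):
            result.blockers.append(f"{f.req_id} is worth {f.deduction} points and must be fully implemented")
        else:
            result.poam_items.append(f.req_id)
    if score < CONDITIONAL_THRESHOLD:
        result.blockers.append(f"score {score} is below the {CONDITIONAL_THRESHOLD}-point threshold")
    result.eligible = not result.blockers
    return result


# Constructed sample assessment results; deductions are illustrative only.
READY = [
    Finding("3.1.1", 5, "MET"),
    Finding("3.12.4", 3, "MET"),
    Finding("3.4.6", 1, "NOT MET"),
    Finding("3.8.4", 1, "NOT MET"),
    Finding("3.13.11", 5, "NOT MET", encryption_in_use=True),  # the one multi-point exception
]
NOT_READY = READY + [
    Finding("3.10.3", 1, "NOT MET"),   # prohibited from POA&Ms regardless of points
    Finding("3.5.3", 3, "NOT MET"),    # multi-point requirement, no exception applies
]

if __name__ == "__main__":
    for name, findings in (("ready", READY), ("not ready", NOT_READY)):
        r = evaluate(findings)
        print(f"{name}: score={r.score} eligible={r.eligible} poam={r.poam_items}")
        for b in r.blockers:
            print("  blocker:", b)
```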

Post-assessment: What happens next

If you pass, your Level 2 CMMC status is valid for three years, with annual affirmations required. Results are recorded through the required CMMC systems, including SPRS. Maintain continuous compliance through regular internal reviews, current evidence, updated documentation, ongoing training and early re-assessment preparation.

If you don't pass, review findings carefully with your C3PAO, develop a comprehensive remediation plan, implement corrections and request re-assessment. Re-assessments cost less than initial assessments but still require significant investment.

Assessment cost breakdown

Treat all costs in this section as market estimates. 

C3PAO assessment fees vary by organization size: 

  • Small organizations: $35,000–$50,000
  • Medium businesses: $50,000–$75,000
  • Large organizations: $75,000–$100,000+
  • Enterprises: $150,000+

DoD estimates Level 2 third-party assessments cost $105,000–$118,000 over three years, including triennial evaluation and two annual affirmations.

Internal preparation costs represent a significant expense. Staff time for gap assessment, remediation and documentation runs $25,000–$200,000+, depending on organization size and starting compliance level. External support adds expenses for RPO consultants ($150–$400/hour), new security tools ($10,000–$50,000+), and CUI enclave implementation if needed ($3,600–$4,800+/year for small deployments).

Total investment ranges: 

  • Small organizations: $50,000–$100,000
  • Medium organizations: $100,000–$250,000
  • Large enterprises: $250,000–$500,000+

Actual costs vary by scope, architecture, current maturity, assessor availability, remediation needs and staffing model.

Your path to CMMC assessment success

Start your assessment preparation three to twelve months before you need certification. For Level 2 organizations starting from a less mature security posture, preparation may take longer. Begin with a comprehensive gap assessment using NIST SP 800-171 Assessment Procedures as your guide. Select your C3PAO early, as assessment slots fill quickly.

Focus remediation on critical controls first: MFA, FIPS-validated encryption, continuous monitoring and other controls that can't be deferred. Prioritize requirements that are prohibited from POA&Ms or worth more than one point under the CMMC scoring methodology. Develop thorough documentation as you build your security program, not at the last minute. Prepare your team for their assessment roles so they can confidently discuss security responsibilities.

For implementation guidance, see our CMMC implementation guide. For the broader certification process, read our organizational certification guide.

If you're pursuing a CMMC assessment career, Infosec Institute offers comprehensive training. Our CMMC Certified Assessor (CCA) Boot Camp prepares you to conduct formal assessments. As an Approved Training Provider (ATP), Infosec Institute delivers programs aligned with current CMMC requirements.

As of April 2026, ISACA administers CCA and CCP certifications as the CMMC Assessor & Instructor Certification Organization (CAICO). These remain CMMC program credentials, but ISACA now handles training, exam development and credential issuance, bringing the program's infrastructure to scale as tens of thousands of certified professionals will be needed.

The path to CMMC certification is demanding but achievable with proper preparation. Your certification isn't just a contract checkbox. It demonstrates your commitment to protecting sensitive defense information.


Frequently asked questions

How long does a CMMC assessment take?

Formal assessment activities take one to two weeks, but the complete process spans six to ten weeks, including planning, document review and final reporting.

Can I fail my CMMC assessment?

Yes. Too many "Not Met" findings or missing requirements that are prohibited from POA&Ms will prevent certification.

What if I don't pass?

Review findings with your C3PAO, remediate gaps and request a reassessment.

Can I use a POA&M for any control?

No. POA&Ms work only for Level 2 and Level 3, only for eligible controls, and only if you score at least 88 out of 110 points for Level 2. Level 3 POA&M eligibility uses the Level 3 score threshold and excludes seven specific Level 3 requirements.

How often do I need assessment?

Level 1: annual self-assessment. Level 2: triennial self-assessment or triennial C3PAO assessment, depending on the solicitation, with annual affirmations. Level 3: triennial government assessment with annual affirmations.

Can I be present during assessment?

Yes. Your team participates in interviews, demonstrates controls and provides evidence throughout.

How do I know if I'm ready?

Conduct an internal gap assessment or engage an RPO for readiness evaluation. If you can demonstrate all critical controls and score 88+ points with eligible POA&Ms for remaining gaps, you're likely ready.

Stephan Miller

Stephan Miller is a senior software engineer. He currently works as a full-stack web and mobile developer for Shamrock Trading Corporation. Stephan has worked as a developer for over 20 years and as a freelance writer for over a decade. In his spare time, he spends time with his family and reads and attempts to write science fiction.