CMMC Assessment Guide: What to Expect and How to Prepare

CMMC Assessment Guide: What to Expect and How to Prepare

Not every Cybersecurity Maturity Model Certification (CMMC) assessment follows the same process. Some organizations complete a self-assessment, while others must undergo a formal review by a Certified Third-Party Assessment Organization (C3PAO).

The right assessment path depends on the required CMMC level, the information your organization handles, and the requirements defined in the contract. Preparing for the correct assessment from the start can save time, reduce rework, and improve CMMC assessment readiness.

This CMMC assessment guide explains the different assessment types, what assessors review, how scoring works, typical timelines and costs, and what to expect before, during, and after the process.

TL;DR

  • CMMC assessments vary by certification level and contract requirements. Organizations may complete a Level 1 self-assessment, a Level 2 self-assessment, or a Level 2 assessment performed by a C3PAO.
  • Preparing early with a gap analysis, a defined assessment scope, organized documentation, and supporting evidence helps reduce delays and improve assessment readiness.
  • Assessors review more than documentation. They verify that security controls are implemented, operating effectively, and supported by sufficient evidence.
  • Assessment timelines and costs increase significantly from Level 1 to Level 2, particularly when a C3PAO assessment and remediation activities are required.
  • Passing the assessment is only the beginning. Ongoing documentation, evidence management, continuous monitoring, and annual affirmations help maintain CMMC compliance.
  • MotherBear helps defense contractors centralize requirements, documentation, and assessment evidence to simplify CMMC assessments and stay audit-ready.

CMMC Assessment Process: The Three Assessment Types

The Cybersecurity Maturity Model Certification assessment process varies depending on the required CMMC level and the type of information your organization handles.

Most defense contractors will complete one of three assessment types, while Level 3 assessments apply only to a limited number of organizations and are conducted separately by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The main assessment types for most contractors are:

  • Level 1 self-assessment – Applies to organizations that handle only Federal Contract Information (FCI). Contractors complete an annual self-assessment and submit the required results through the Supplier Performance Risk System (SPRS).
  • Level 2 self-assessment – Applies to certain contracts involving Controlled Unclassified Information (CUI) where a self-assessment is permitted.
  • Level 2 C3PAO assessment – Applies to prioritized CUI contracts that require a formal assessment conducted by a C3PAO.

Choosing the correct assessment path is the first step toward achieving CMMC compliance.

Each assessment type has different security requirements, evidence expectations, assessment objectives, and certification outcomes, so organizations should confirm the required CMMC level before defining the assessment scope or beginning preparation.

CMMC Level 1 Self-Assessment

CMMC Level 1 self-assessment applies to organizations that handle only FCI. Although it is the simplest assessment path, contractors must still demonstrate that all required security controls are implemented before submitting their results.

Level 1 focuses on the 17 basic safeguarding requirements defined by federal regulations, including FAR 52.204-21. Organizations are responsible for completing the self-assessment process, maintaining supporting evidence, and submitting their results annually.

Who Conducts a Level 1 Self-Assessment?

The contractor performs the Level 1 self-assessment internally. Depending on the organization, the work may be led by an owner, an IT manager, an internal security team, or a managed service provider that supports the environment.

An authorized official must affirm the assessment results before submission. Although external consultants can assist with preparation, the contractor remains responsible for demonstrating compliance.

What Does the Level 1 Self-Assessment Cover?

The assessment evaluates all 17 safeguarding requirements in FAR 52.204-21. These security requirements focus on protecting FCI through practical security measures such as:

  • Access control for systems containing FCI.
  • Account management and authorized user access.
  • Media protection and disposal.
  • Basic physical and information system safeguards.

Organizations seeking assessment should map each requirement to supporting documentation or technical evidence before completing the assessment.

How Is Level 1 Scored?

Level 1 uses a pass/fail approach. Every required practice must be fully implemented before the assessment can be successfully completed.

Unlike higher CMMC levels, Level 1 does not permit a Plan of Action and Milestones (POA&M) for unmet requirements. Any missing control must be remediated before the assessment is finalized.

Submitting Assessment Results to SPRS

After completing the assessment, contractors submit their results through the SPRS. The submission includes the assessment date, affirmation by an authorized official, and the information required by the Department of Defense (DoD).

Because Level 1 requires an annual self-assessment, organizations should maintain current assessment documentation, evidence, and assessment records to support future submissions and ongoing CMMC compliance.

CMMC Level 2 Self-Assessment

CMMC Level 2 self-assessment applies to organizations that process CUI under contracts that permit self-assessments.

Level 2 evaluates all 110 security requirements published by the National Institute of Standards and Technology (NIST) in NIST 800-171 (often referred to as NIST 800) and requires significantly more documentation, evidence, and technical controls.

Organizations should first confirm whether the contract allows a self-assessment or requires a third-party assessment before beginning the assessment process.

When Is a Level 2 Self-Assessment Allowed?

Level 2 self-assessments are permitted only for certain non-prioritized acquisitions involving CUI. Contracts requiring independent certification must instead undergo a C3PAO assessment.

The required assessment type is defined by the contract, so organizations should review the solicitation, applicable DFARS clauses, and any flow-down requirements before determining the assessment scope.

What Does the Level 2 Self-Assessment Cover?

The assessment evaluates all 110 security requirements in NIST 800-171 across 14 control families. In addition to implementing the required security controls, organizations should maintain implementation evidence that demonstrates compliance.

Key areas commonly reviewed include:

  • Access control and system access.
  • Configuration management.
  • Risk management.
  • Continuous monitoring.
  • Security policies and technical controls.
  • System Security Plan (SSP) and supporting documentation.

How Is Level 2 Scored?

Level 2 follows the DoD Assessment Methodology, which starts with a score of 110 and deducts points for unmet security requirements. Higher-impact controls carry larger point deductions, making remediation priorities especially important before the formal assessment.

Organizations should complete a gap analysis before the assessment to identify missing controls, improve their compliance posture, and reduce the likelihood of unexpected assessment findings.

Submitting Assessment Results to SPRS

Organizations that complete a Level 2 self-assessment submit their assessment results through the SPRS. The submission includes the assessment score, assessment date, scope information, and executive affirmation.

Because systems, users, and CUI environments change over time, organizations should periodically review their assessment scope, update supporting evidence, and maintain ongoing compliance between assessment cycles.

CMMC Level 2 C3PAO Assessment

A CMMC Level 2 C3PAO assessment is a formal evaluation conducted by a C3PAO. Unlike during self-assessment, an independent assessor reviews your organization's security controls, documentation, and operational practices before CMMC can be awarded.

Organizations should first confirm that a C3PAO assessment is required before scheduling the engagement and verify that the selected assessor is authorized by the CMMC Accreditation Body (The Cyber AB).

Before the Assessment

Preparation begins well before the formal assessment. The contractor and C3PAO confirm the assessment scope, identify in-scope systems, review logistics, and determine which documentation and personnel will be required during the assessment.

Organizations should also prepare core assessment artifacts, including:

  • SSPs
  • POA&Ms (where permitted)
  • Security policies and procedures
  • Asset inventories
  • Evidence supporting each security requirement

Well-organized documentation and evidence help reduce delays and allow assessors to focus on validating implementation rather than locating information.

During the Assessment

The C3PAO uses the examine, interview, and test methodology defined by the CMMC assessment process to evaluate whether each assessment objective has been met.

Assessment activities typically include:

  • Reviewing documentation and security policies.
  • Validating technical controls such as access control, multi-factor authentication, and data encryption.
  • Interviewing personnel responsible for in-scope systems.
  • Sampling evidence to verify that documented controls operate in practice.

The goal is to verify that implemented security controls operate as documented and satisfy the applicable assessment objectives.

Assessment Findings and Reporting

Throughout the assessment, the C3PAO communicates requests for additional evidence, clarifies observations, and documents assessment findings.

Minor requests for clarification during the assessment are common and do not necessarily indicate that the assessment will be unsuccessful.

After the review is complete, the organization receives the assessment results, including any identified deficiencies and the next steps toward certification.

Clear documentation, current evidence, and defined ownership of security controls help reduce assessment findings and support a smoother certification process.

Preparing for a CMMC Assessment

Preparation should begin by reviewing existing security measures, confirming the assessment scope, and identifying compliance gaps early to mitigate risks before an assessor begins reviewing evidence.

Before the assessment begins:

  • Perform a gap analysis to compare your current security controls with the applicable CMMC requirements.
  • Define the assessment scope by identifying the systems, users, and assets that store, process, or transmit FCI or CUI.
  • Review the SSP, security policies, and supporting documentation to make sure they reflect the current environment.
  • Organize assessment artifacts and supporting evidence so they are easy to locate during the assessment.
  • Assign clear owners for each security control and assessment objective.
  • Confirm that technical controls such as access control, multi-factor authentication, and data encryption are operating as intended.
  • Schedule interviews with personnel responsible for implementing and maintaining security controls.

Organizations managing assessment documentation for multiple systems may also benefit from using dedicated CMMC compliance software to centralize requirements, evidence, and assessment artifacts before the review begins.

What CMMC Assessors Review

Once the assessment begins, the focus shifts from preparation to verification. Assessors determine whether required security controls are implemented, operating effectively, and supported by sufficient evidence.

During the assessment, a C3PAO or internal assessor typically:

  • Reviews the SSP, security policies, and other assessment artifacts.
  • Samples supporting evidence to verify that documented controls operate in practice.
  • Tests technical controls such as access control, multi-factor authentication, data encryption, and intrusion detection systems to help protect sensitive data.
  • Interviews personnel responsible for security functions to confirm that documented processes match day-to-day operations.
  • Compares documentation, technical configurations, and operational practices to verify that assessment objectives have been met and that the organization can consistently manage CUI within its own information system.

Assessors also review security protection data, technical configurations, operational records, and supporting evidence to verify that cybersecurity practices remain effective over time.

Consistent documentation and operational processes help demonstrate compliance, strengthen the organization's security posture, protect intellectual property, and reflect cybersecurity best practices, reducing the likelihood of assessment findings.

CMMC Assessment Timeline and Cost Expectations

The time and cost required for a CMMC assessment depend on the assessment type, the required CMMC level, your current cybersecurity posture, and the amount of preparation completed before the initial assessment.

Typical Assessment Timeline

Assessment timelines vary by CMMC level and assessment type.

  • Level 1 self-assessment: Often completed within a few weeks, depending on the size of the FCI environment.
  • Level 2 self-assessment: Typically takes three to six months, including gap analysis, documentation, evidence collection, and internal review.
  • Level 2 C3PAO assessment: The active assessment typically lasts one to three weeks, although scheduling, pre-assessment activities, reporting, and closeout can extend the full engagement to two to four months.

Typical Cost Ranges

Level 1 self-assessments often have minimal external costs when organizations manage compliance internally.

Level 2 self-assessments could cost several thousand dollars or as much as $50,000 if you utilize outside consultants.

For organizations requiring a C3PAO assessment, assessment fees commonly range from $30,000 to more than $100,000, with additional costs for remediation, documentation management, employee training, and ongoing compliance activities.

For many organizations, the largest investment is not the formal assessment itself but the work required to implement security controls, collect evidence, and maintain CMMC compliance over time.

CMMC Assessment Results

After a CMMC assessment is complete, the assessor documents the assessment results and determines whether the organization has met the applicable assessment objectives. The outcome depends on the assessment type, the implementation of required security controls, and any remaining assessment findings.

Organizations that successfully meet the applicable CMMC requirements can proceed with certification or affirmation, depending on the required assessment type. If deficiencies are identified, remediation may be required before the assessment can be closed.

For Level 2 C3PAO assessments, eligible organizations may receive conditional status when only approved POA&M items remain. In these cases, a documented remediation plan must be completed within the permitted timeframe before certification can be finalized.

Organizations that do not achieve the required result should address the root cause of each finding rather than simply updating documentation.

Completing remediation activities, validating security controls, and gathering updated evidence before a follow-up or closeout self-assessment can improve the outcome of the next formal assessment.

Maintaining CMMC Compliance Between Assessments

Completing a successful CMMC assessment is only the beginning. Maintaining compliance requires ongoing attention to security controls, documentation, and operational security practices as systems, personnel, and contract requirements change.

To maintain CMMC compliance between assessments, you should:

  • Review security controls through continuous monitoring.
  • Update the SSP, security policies, and supporting documentation when the environment changes.
  • Refresh assessment artifacts and evidence after remediation activities or system changes.
  • Record annual affirmations and assessment results where required.
  • Provide regular security awareness training so authorized personnel understand their responsibilities.
  • Review cybersecurity measures to help protect controlled unclassified information, reduce the risk of data breaches, and respond to evolving cyber threats.

These ongoing compliance efforts help organizations maintain a strong security posture, support future assessments, strengthen ongoing cybersecurity compliance, and maintain DoD contracts without rebuilding documentation before every assessment.

Simplify CMMC Assessments With MotherBear

MotherBear helps defense contractors stay organized throughout the CMMC assessment process by bringing requirements, documentation, and evidence together in one place.

Instead of managing spreadsheets, shared drives, and disconnected documents, teams can track requirements, organize assessment artifacts, manage SSPs and POA&Ms, and keep evidence mapped to the appropriate assessment objectives.

Book a demo to see how MotherBear helps teams stay assessment-ready and maintain compliance as contracts and requirements evolve.

FAQs About CMMC Assessment Guide

Who conducts a CMMC assessment?

The assessment type determines who performs it. Level 1 and some Level 2 assessments are completed internally, while Level 2 contracts requiring independent certification are assessed by a C3PAO.

How long does a CMMC assessment take?

The timeline depends on the assessment type and your level of preparation. A Level 1 self-assessment may take only a few weeks, while preparing for and completing a Level 2 C3PAO assessment can take several months.

What documents are needed for a CMMC assessment?

Most organizations should prepare an SSP, applicable security policies, evidence supporting implemented security controls, asset inventories, and, where permitted, a POA&M.

What happens if you fail a CMMC assessment?

Organizations that do not meet the required assessment objectives must remediate identified deficiencies before completing another assessment. Some Level 2 C3PAO assessments may qualify for conditional status when only approved POA&M items remain.

Need to Prepare for a CMMC Assessment?

Schedule a demo of MotherBear to see how we simplify assessment preparation