CMMC Assessment: Types, Process & How to Prepare (2026)
You’ve spent months — maybe a year — getting ready for CMMC. New security tools, stacks of documentation, policies your employees may or may not have read. Now comes the part that keeps program managers up at night: the actual assessment.
The problem is that most companies going through this for the first time have no idea what to expect. The official CMMC documentation reads like it was written for assessors, not the people being assessed. So you’re left guessing. How long does it take? What do they actually look at? What happens if you fail?
We’ve guided dozens of defense contractors through this process. Here’s what actually happens, step by step.
Types of CMMC Assessments
Not every assessment works the same way. Which type you need depends on your CMMC level and what your contract requires. Getting this wrong means either overspending on an assessment you don’t need or being unprepared for one you do.
Level 1 Self-Assessment
If your contracts involve only FCI (Federal Contract Information) and no CUI, you need Level 1. The “assessment” is something you do yourself. Your company checks its own security against the 15 Level 1 requirements (the same 15 basic safeguards in FAR 52.204-21), confirms that every one of them is met, and records the result in DoD’s SPRS portal. There is no weighted score and no POA&M at Level 1: all 15 must be met for a Met result.
No assessor visits. No third party is involved. You do this annually, and a senior company official signs an affirmation stating that the result is accurate. A false affirmation exposes the company to False Claims Act liability, so take it seriously even though nobody is checking your work.
Cost: Essentially your team’s time. See our full cost breakdown for details.
Level 2 Self-Assessment
If your contracts involve CUI but are categorized by DoD as “non-prioritized acquisitions,” you perform a Level 2 self-assessment. Same concept as Level 1 — you assess yourself — but now you’re measuring against all 110 requirements from NIST SP 800-171.
This is significantly more involved than Level 1. You evaluate each of the 110 requirements as met or not met and score the result under the DoD Assessment Methodology: start at 110 and subtract each unmet requirement’s weight of 1, 3, or 5 points, which is why the possible range runs from -203 to 110. Only two requirements earn partial credit (MFA, 3.5.3, and FIPS-validated encryption, 3.13.11, each cost 3 points instead of 5 when partially implemented). You submit the score to SPRS every three years, with annual affirmations in between.
The key difference from the C3PAO path: you’re grading your own exam. That sounds easier, but it cuts both ways. If you overstate your score and a DoD audit reveals the truth, you’re looking at False Claims Act liability. If you’re too conservative, your low score might disqualify you from contracts.
Level 2 C3PAO Assessment
This is the one that matters most to most readers of this article. If your contracts involve CUI and are “prioritized acquisitions” (weapons systems data, technical drawings with export restrictions, anything DoD considers sensitive enough to verify), a CMMC Third-Party Assessment Organization (C3PAO) conducts your assessment.
The C3PAO is independent. It is authorized by the Cyber AB (the accreditation body for CMMC) and has no stake in whether you pass or fail. The company that helped you prepare (your RPO) cannot be your assessor. We explain the difference between RPOs and C3PAOs in a separate article.
A C3PAO assessment results in one of three outcomes:
| Outcome | What It Means | What Happens Next |
|---|---|---|
| Met | You met all 110 requirements | You receive a CMMC certificate valid for 3 years |
| Conditional | You scored at least 88 of 110 and every open item is POA&M-eligible | You have 180 days to close the gaps (via a POA&M), then the C3PAO verifies the fixes |
| Not Met | You have significant gaps | No certificate. You fix the issues and schedule a new assessment |
Conditional is more common than you’d think. It doesn’t mean you failed — it means you have work to do on a defined timeline. We’ll cover this in more detail below.
Level 3 Government-Led Assessment
Level 3 applies to contractors handling the most sensitive DoD information. After achieving a Final Level 2 certification from a C3PAO, the government conducts an additional assessment against 24 selected enhanced requirements from NIST SP 800-172.
DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center) handles these directly. If you’re at this level, you likely already have a dedicated security team and government program managers guiding you through the process. We won’t go deep on Level 3 here — the audience for that guidance is narrow and typically isn’t finding it through blog posts.
The CMMC Assessment Process Step by Step
Here’s what a Level 2 C3PAO assessment actually looks like from start to finish. This is the path most defense contractors are on, and it’s the one with the most unknowns for first-timers.
Step 1: Pre-Assessment Readiness Review
Before the formal assessment begins, most companies (and we’d argue all companies should) go through a readiness review. This is separate from the C3PAO assessment — it’s work you do on your own or with a consultant to make sure you’re actually ready.
A readiness review is essentially a practice run. Someone who understands the 110 NIST 800-171 requirements reviews your environment, your documentation, and your evidence to identify gaps before the real assessors find them.
This is where a gap assessment pays for itself. The $10,000–$30,000 you spend here can save you from a failed assessment that costs you a contract.
What you should have in place before engaging a C3PAO:
- A complete System Security Plan (SSP) that describes your environment and how you meet each requirement
- A Plan of Actions and Milestones (POA&M) for any requirements not yet fully met — but keep this list short; assessors want to see most controls implemented, not planned
- Policies and procedures that cover all 14 NIST 800-171 control families
- Evidence that your controls actually work (logs, screenshots, configuration exports — not just a document that says “we do this”)
- Staff who can explain your security setup during interviews
Step 2: Scoping and Boundary Definition
Before anyone looks at a single control, you need to define what’s being assessed. This is scoping, and it’s one of the most consequential decisions in the entire process.
Your CMMC assessment scope includes every system, network, and person that processes, stores, or transmits CUI — plus anything that provides security protections to those assets. In CMMC language, these fall into categories:
- CUI Assets — systems that directly handle CUI (your email server with CUI, the file share with technical drawings, the laptops your engineers use)
- Security Protection Assets — systems that protect CUI assets but don’t handle CUI themselves (your firewall, your SIEM, your antivirus management server)
- Contractor Risk Managed Assets — assets that can, but are not intended to, process, store, or transmit CUI because your policies, procedures, and practices keep CUI off them (a workstation on the same network segment with no business need for CUI, for example); they don’t have to be physically or logically separated from CUI assets, but they must be documented
- Specialized Assets — things like IoT devices, operational technology, government-furnished equipment, restricted information systems, or test equipment that might interact with CUI systems but can’t run traditional security software
- Out-of-Scope Assets — everything else: assets that cannot process, store, or transmit CUI and are physically or logically separated from the CUI assets
Why this matters financially: Every asset in scope has to meet the requirements. A company that scopes correctly and limits CUI to a small enclave environment might have 20 assets in scope. A company that lets CUI flow everywhere might have 200. That’s the difference between a focused, affordable assessment and one that drags on for weeks and costs six figures.
We see companies make scoping mistakes in both directions. Some define the scope too narrowly and get caught during the assessment when the C3PAO discovers CUI in places that weren’t included. Others throw everything in scope “just to be safe” and massively increase their cost and timeline.
Get help with scoping. It’s not intuitive, and the consequences of getting it wrong are expensive either way.
Step 3: Evidence Collection
This is the grind. Before the assessors arrive, you need to assemble evidence that each of the 110 controls is implemented and working.
Assessors evaluate each requirement using the three assessment methods defined in NIST SP 800-171A, and each method needs matching evidence:
| Evidence Type | What It Means | Example |
|---|---|---|
| Examine | Review documents, configurations, and artifacts | Your SSP, access control policy, screenshots of MFA settings, firewall rules |
| Interview | Talk to staff responsible for implementing controls | Your IT admin explains how accounts are provisioned and deprovisioned |
| Test | Observe or verify that a control works in practice | Assessor watches as a terminated employee’s account is disabled, or reviews logs showing failed login attempts are captured |
Not every control requires all three — the CMMC Assessment Guide specifies which assessment methods apply to each requirement. But many do. Having a document that says “we require MFA” isn’t enough if the assessor tests it and finds half your accounts don’t have it enabled.
Practical tips for evidence collection:
- Organize by control family. Create a folder structure that mirrors the 14 NIST 800-171 domains (Access Control, Audit and Accountability, etc.). When the assessor asks for evidence on AC.L2-3.1.1, you should be able to pull it in seconds, not hours.
- Timestamp everything. Evidence needs to show your controls are current, not that they existed six months ago. Export fresh configurations, pull recent logs, update screenshots.
- Prepare your people. Your IT staff, HR, and management will be interviewed. They need to know what the company’s security policies say and how they actually work — not just that they exist.
Step 4: Assessment Execution
The assessment itself typically runs 1-2 weeks for a mid-size company, though complex environments with multiple locations can take longer. Here’s what the day-to-day looks like.
Day 1: Opening briefing. The C3PAO assessment team (typically 2-3 assessors, led by a Certified CMMC Assessor or CCA) meets with your leadership. They review the scope, confirm the assessment timeline, and explain the process. You’ll present your SSP and walk them through your environment at a high level.
Days 2 through ~8: Control-by-control review. The assessors work through the 110 requirements systematically, usually organized by domain. For each control, they:
- Review your documentation and evidence
- Interview relevant staff
- Test or observe the control in action (where applicable)
They’ll move between conference rooms, server rooms, and individual workstations. Your key people need to be available — the assessors will have questions, and “I’ll have to get back to you” too many times starts to become a finding.
Note: Assessors are professionals, not adversaries. Their job is to verify compliance, not trick you. If something is unclear, they’ll ask follow-up questions. If evidence is missing for a control, they’ll tell you what they need and give you a reasonable window to produce it. This isn’t a gotcha exercise.
Final days: Preliminary findings. Before wrapping up, the assessment team shares preliminary results. You’ll know whether you’re looking at Met, Conditional, or Not Met before they leave your building.
Step 5: Findings and Remediation
If the preliminary results show anything other than a clean “Met” on all 110 controls, you have work to do.
For a Conditional result: You’ll receive a list of controls that weren’t fully met, documented as findings. You get 180 days to remediate these findings: fix the issue, gather evidence that it’s fixed, and have the C3PAO verify the fix in a POA&M close-out assessment. What can sit on a POA&M is tightly limited. Your score must already be at least 88 of 110, only 1-point requirements may be deferred (3.13.11, CUI encryption, is the one exception and may be deferred at its 3-point partial value), and 3.1.20, 3.1.22, 3.10.3, 3.10.4, and 3.10.5 can never be deferred. Miss the 180-day window and the Conditional certification expires.
This is where having a consultant already engaged helps. If your RPO or compliance partner has been involved in your preparation, they can hit the ground running on remediation. If you’re doing it alone, 180 days sounds generous until you realize procurement cycles for new security tools take 60-90 days on their own.
For a Not Met result: You don’t get a 180-day fix window. The assessment determined that your security posture has fundamental gaps. You go back to preparation, fix the issues, and schedule a new assessment — and pay for it again. This is why the readiness review in Step 1 matters so much.
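As an added example (not code from the original article), here is a small Python calculator that ties the score described in the Level 2 self-assessment section to the POA&M gate that separates Conditional from Not Met. It encodes the DoD Assessment Methodology scoring rule (start at 110, subtract each unmet requirement’s 1-, 3-, or 5-point weight; 3.5.3 and 3.13.11 cost 3 rather than 5 when partially implemented) and the 32 CFR 170 conditions for deferring an item to a POA&M. The WEIGHTS table is an assumed six-row subset for the sample, not the authoritative annex, and the sample findings are constructed.

```python
"""SPRS score and POA&M-eligibility calculator for NIST SP 800-171 findings.

Added example for this article, not code from the original page. It encodes
the DoD Assessment Methodology scoring rule and the 32 CFR 170 POA&M gate.
The WEIGHTS table below is an illustrative subset assumed for the example;
pull the authoritative 1/3/5 values for all 110 requirements from the
methodology annex before using this against a real SSP.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203        # floor when every requirement is unmet
POAM_MIN_SCORE = 88     # 80% of 110; below this a POA&M is not permitted

# Assumed subset of requirement weights for the constructed sample below.
WEIGHTS = {
    "3.1.1": 5,     # limit system access to authorized users
    "3.1.5": 3,     # least privilege
    "3.1.8": 1,     # limit unsuccessful logon attempts
    "3.1.20": 5,    # control connections to external systems
    "3.5.3": 5,     # multifactor authentication
    "3.13.11": 5,   # FIPS-validated cryptography for CUI
}

# Partial credit: MFA deployed for remote and privileged users but not general
# users, or encryption in place but not FIPS-validated, costs 3 instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Requirements that may never be deferred to a POA&M, whatever their weight.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    requirement: str
    status: str  # "met", "partial" or "not_met"


def deduction(finding, weights=WEIGHTS):
    """Points subtracted for one finding under the scoring methodology."""
    if finding.status == "met":
        return 0
    if finding.requirement not in weights:
        raise KeyError(f"no weight known for {finding.requirement}")
    if finding.status == "not_met":
        return weights[finding.requirement]
    if finding.status == "partial":
        if finding.requirement not in PARTIAL_DEDUCTION:
            # Only 3.5.3 and 3.13.11 have a partial state; everything else is met or not.
            raise ValueError(f"{finding.requirement} cannot be scored as partial")
        return PARTIAL_DEDUCTION[finding.requirement]
    raise ValueError(f"unknown status {finding.status!r}")


def sprs_score(findings, weights=WEIGHTS):
    """Assessment score: 110 minus all deductions, never below -203."""
    return max(MIN_SCORE, MAX_SCORE - sum(deduction(f, weights) for f in findings))


def poam_blockers(findings, weights=WEIGHTS):
    """Reasons the open findings cannot be deferred to a POA&M.

    An empty list means a Conditional result is possible; otherwise the
    assessment is Not Met until the listed items are fixed.
    """
    blockers = []
    total = sprs_score(findings, weights)
    if total < POAM_MIN_SCORE:
        blockers.append(f"score {total} is below the {POAM_MIN_SCORE} minimum")
    for f in findings:
        points = deduction(f, weights)
        if points == 0:
            continue
        if f.requirement in NEVER_ON_POAM:
            blockers.append(f"{f.requirement} may never be on a POA&M")
        elif points > 1 and not (f.requirement == "3.13.11" and points == 3):
            blockers.append(
                f"{f.requirement} is worth {points} points; only 1-point items may be deferred"
            )
    return blockers


# Constructed sample: two snapshots of the same hypothetical contractor.
BEFORE = [
    Finding("3.1.1", "met"),
    Finding("3.1.5", "met"),
    Finding("3.1.8", "not_met"),    # lockout not enforced on one domain
    Finding("3.1.20", "met"),
    Finding("3.5.3", "partial"),    # MFA on VPN and admin accounts, not general users
    Finding("3.13.11", "partial"),  # TLS everywhere, but the modules are not FIPS-validated
]
# Same contractor after finishing the MFA rollout to general users.
AFTER = [Finding("3.5.3", "met") if f.requirement == "3.5.3" else f for f in BEFORE]

if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after MFA rollout", AFTER)):
        print(label, sprs_score(snapshot), poam_blockers(snapshot) or "POA&M allowed")
```

The interesting edge case is the BEFORE snapshot: a score of 103 looks comfortable, yet the partially implemented MFA requirement alone blocks a POA&M, so that run would be Not Met rather than Conditional. Finishing the MFA rollout (AFTER) leaves only a 1-point item and the FIPS exception open, which the rule allows to be deferred.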
Step 6: Final Determination and Certification
Once all findings are closed (or if you were Met from the start), the C3PAO uploads the assessment results to DoD’s CMMC instance of eMASS, the Cyber AB performs a quality review of the assessment, and your CMMC certification is issued. Your certification status then flows to SPRS, where contracting officers check it.
Your certificate is valid for 3 years. During those three years, you’re expected to maintain compliance — not just on paper, but in practice. A senior company official must sign an annual affirmation confirming that your security posture hasn’t degraded. If significant changes happen to your environment (new offices, major system changes, acquisitions), you may need to notify your assessor or undergo a reassessment.
What CMMC Assessors Actually Look For
After years of working with companies going through assessments, we can tell you what separates companies that pass clean from companies that scramble.
Documentation that matches reality. Your SSP says you review access quarterly. The assessor asks when the last review happened. If you can’t show evidence of a review in the last 90 days, that’s a finding. The most common failure mode isn’t missing technology — it’s documentation that describes a process nobody actually follows.
Staff who understand the security program. When the assessor interviews your system administrator, they need to articulate how accounts are managed, how logs are reviewed, and what happens when someone reports a security incident. “I think our MSP handles that” is not a passing answer.
Evidence of ongoing practice, not one-time setup. Configuring a SIEM is one thing. Showing that someone actually reviews the alerts it generates is another. Assessors want to see logs, records, and evidence that your security controls are active and monitored — not just installed.
Scope that makes sense. If your SSP says CUI only exists in a small enclave, but the assessor finds CUI in email inboxes, personal drives, or shared folders outside the boundary, your scope is wrong. That undermines your entire assessment. Know where your CUI is — all of it — before the assessors start looking.
How Long Does a CMMC Assessment Take?
Here’s a realistic timeline from “we’re ready to engage a C3PAO” to “certificate in hand.”
| Phase | Duration | What’s Happening |
|---|---|---|
| C3PAO selection and contracting | 2-4 weeks | Finding an assessor, agreeing on scope, signing contracts |
| Pre-assessment planning | 2-4 weeks | Scheduling, logistics, final evidence prep |
| On-site assessment | 1-2 weeks | The actual assessment at your facility |
| Preliminary results | Same week | C3PAO shares initial findings before leaving |
| Remediation (if Conditional) | Up to 180 days | Fixing any open findings |
| C3PAO verification of fixes | 2-4 weeks | Assessors confirm remediation is complete |
| Cyber AB quality review | 2-6 weeks | Final review before certificate issuance |
| Total (clean pass) | 2-3 months | |
| Total (with remediation) | 4-9 months | |
Note: These timelines start after you’re already prepared. The preparation phase — gap assessment, technology implementation, documentation, and readiness review — typically takes 6-12 months on its own. Plan accordingly. If you need to migrate to GCC High or make significant infrastructure changes, the preparation phase is the one that stretches.
The C3PAO market is also a factor. As CMMC requirements ramp up through 2026-2028, assessor availability will tighten. Companies that wait until a contract deadline to schedule their assessment may find themselves in a queue, which is why starting the preparation phase now — even if your contract doesn’t require CMMC for another year — is the pragmatic move.
CMMC Assessment vs Gap Analysis: When to Do Each
These two things get confused constantly, and they serve completely different purposes.
| | Gap Analysis | CMMC Assessment |
|---|---|---|
| When | Before you’re ready — during preparation | After you’ve implemented all controls |
| Who does it | Your internal team, an RPO, or a consultant | A C3PAO (for Level 2 third-party) or you (for self-assessment) |
| Purpose | Find out where you stand and what needs to be fixed | Officially determine whether you pass |
| Output | A report with identified gaps and remediation priorities | A score and (if applicable) a CMMC certificate |
| Stakes | None — this is a planning tool | High — this determines contract eligibility |
| Cost | $10,000-$30,000 | $30,000-$120,000 (C3PAO fee alone) |
The gap analysis comes first. Always. Walking into a CMMC assessment without a gap analysis is like taking the bar exam without studying. You might be fine. You probably aren’t.
A proper gap assessment tells you exactly which of the 110 controls you meet, which you partially meet, and which you’re missing entirely. It gives you a roadmap and lets you prioritize spending. Fix the critical gaps first, document what you’re already doing, and build a realistic POA&M for anything that won’t be done by assessment day.
How to Find a C3PAO
The Cyber AB maintains the official CMMC Marketplace, which lists all authorized C3PAOs. As of early 2026, the list is still growing as more assessment organizations complete their own authorization process.
When evaluating C3PAOs, consider:
- Experience with your industry. A C3PAO that has assessed machine shops will understand your environment better than one that’s only worked with software companies. The requirements are the same, but the practical implementation looks different.
- Assessment team size. Larger teams can complete assessments faster, which means less disruption to your operations.
- Availability. Book early. As CMMC rolls into more contracts, the backlog will grow. Some C3PAOs are already scheduling 3-6 months out.
- Communication style. You’ll be spending a lot of time with these people. A C3PAO that communicates clearly and sets expectations upfront will make the entire process less painful.
Get quotes from 2-3 C3PAOs. Assessment fees vary significantly based on scope, company size, and the C3PAO’s own pricing model. Don’t automatically choose the cheapest — a thorough assessor who catches issues and lets you fix them is more valuable than a fast one who misses something that comes up in a DoD audit later.
Frequently Asked Questions
What is a CMMC assessment?
A CMMC assessment is a formal evaluation of your company’s cybersecurity practices against the requirements of the Cybersecurity Maturity Model Certification framework. Depending on your required level, it’s either a self-assessment you perform internally or an independent evaluation conducted by a CMMC Third-Party Assessment Organization (C3PAO). The assessment determines whether you meet the security requirements needed to hold or pursue DoD contracts.
How much does a CMMC assessment cost?
The C3PAO assessment fee alone typically runs $30,000-$120,000, depending on the size of your environment and number of locations. Total cost including preparation (gap assessment, technology, documentation, consulting) ranges from $100,000 to $300,000+. Self-assessments don’t have an assessment fee but still require significant investment in implementation. See our complete cost breakdown for detailed numbers.
How long does a CMMC assessment take?
The on-site assessment itself takes 1-2 weeks. From engaging a C3PAO to receiving your certificate, expect 2-3 months for a clean pass or 4-9 months if remediation is needed. This doesn’t include the 6-12 month preparation phase most companies need before they’re ready to schedule the assessment.
What happens if you fail a CMMC assessment?
If you receive a “Not Met” determination, you don’t get a certificate and you’ll need to fix the identified gaps before scheduling a new assessment — at additional cost. A “Conditional” result is more common: you have 180 days to fix specific findings through a POA&M, after which the C3PAO verifies the fixes and your certificate can be issued.
What’s the difference between a CMMC auditor and a CMMC assessor?
In CMMC, they’re called assessors, not auditors, though people use both terms interchangeably. Certified CMMC Assessors (CCAs) are individuals certified through the CAICO, the Cyber AB’s certification arm, to conduct assessments. They work for C3PAOs (CMMC Third-Party Assessment Organizations). If someone calls themselves a “CMMC auditor,” they probably mean they’re a CCA working for a C3PAO.
Can my CMMC consultant also assess me?
No. The organization that helps you prepare (an RPO or consultant) cannot be the same organization that assesses you. This is an intentional conflict-of-interest safeguard in the CMMC ecosystem. If a company offers to both prepare and assess you, that’s a red flag. We explain the full distinction in our guide on RPOs vs C3PAOs.