What Your CMMC Assessor Is Really Looking For: An Insider’s Guide to Passing Your Level 2 Assessment

CMMC Certified Assessors (CCAs) have now sat across the table from hundreds of defense contractors during Level 2 certification assessments. Some organizations walk into assessment week confident and well-prepared. Others arrive with a filing cabinet full of policies they have never tested, an SSP that does not match their live environment, and staff who cannot explain how their own access controls work. The outcome in each case is predictable.

[Infographic: CMMC Level 2 assessor evaluation overview showing the examine, interview, and test methods across 10 assessment focus areas]

The truth is, CMMC assessors are not trying to catch contractors off guard. They are not looking for perfection. What assessors are looking for is evidence: consistent, verifiable proof that security controls are implemented, operational, and understood by the people who use them every day. This article pulls back the curtain on exactly what CCAs evaluate during a CMMC Level 2 C3PAO assessment, where organizations most commonly fail, and how contractors can present themselves as the kind of organization that sails through certification.

1. The Evidence Triad: How CMMC Assessors Actually Evaluate an Organization

Every finding in a CMMC Level 2 assessment comes down to what the CMMC Assessment Guide – Level 2 calls three assessment methods: Examine, Interview, and Test. Experienced CCAs refer to this as the Evidence Triad, and understanding it is the single best way for a contractor to prepare.

Examine means the assessment team reviews documentation and artifacts—the System Security Plan, policies, procedures, network diagrams, data flow diagrams, configuration screenshots, scan reports, audit logs, and training records. These form the paper trail that tells assessors what the organization intended to do and what it claims is in place.

Interview means assessors talk to personnel directly. CCAs will speak with system administrators, IT managers, security officers, HR personnel, and sometimes end users. They ask staff to describe, in their own words, how specific controls work in practice. 

Assessors are not looking for memorized policy language—they are looking for honest, confident explanations that match the documentation. When someone says, “I’m not sure, I think our IT guy handles that,” it signals to the assessment team that the control may not be operationally embedded.

Test means assessors validate controls on live systems. The assessment team may ask staff to demonstrate how access is revoked for a departing employee, pull up audit logs showing specific event data, display vulnerability scan results, or walk through incident response procedures on a real system. This is where documentation meets reality.

[Infographic: CMMC assessment evidence triad showing examine documentation, interview personnel, and test live systems, with the requirement that all three align]

Here is the critical point: all three must align. If the SSP says the organization enforces multi-factor authentication everywhere, administrators confirm it in interviews, but the assessment team tests the system and finds a service account bypassing MFA—that is a NOT MET finding. 

One broken leg of the triad collapses the whole requirement. Per the official assessment methodology defined in NIST SP 800-171A, a single NOT MET assessment objective results in a failure of the entire security requirement.

2. The SSP Is the First Thing Assessors Open—and the First Place They Find Problems

The System Security Plan is the primary assessment artifact. It is the document CCAs spend the most time with before they ever engage with the contractor’s environment or join the scoping call. A well-written SSP tells the assessment team that the organization understands its own systems. A poor one signals that the assessment week will be difficult.

Here is what assessors look for in the SSP, and what most commonly goes wrong:

Accuracy over polish. The SSP must describe the environment as it actually exists today—not as the organization intends it to exist after improvements. If the SSP references a specific SIEM product but the organization migrated to a different platform six months ago, that discrepancy becomes an immediate finding. CCAs routinely encounter beautifully formatted SSPs that are functionally fiction. The SSP should be treated as a living document, updated every time infrastructure, personnel, or service providers change, with a change log to demonstrate ongoing maintenance.

Specificity over generics. A control implementation statement that says “We use encryption to protect CUI” tells assessors almost nothing. CCAs need to know what encryption standard is used (FIPS 140-2 validated?), what products implement it, where in the data flow it is applied, and how key management is handled. Every control description in the SSP should answer the who, what, where, when, and how of implementation. The 110 requirements in NIST SP 800-171 Rev 2 demand this level of specificity.

[Infographic: System Security Plan quality checklist showing three assessor evaluation criteria with common failure examples]

Shared responsibilities must be explicit. If a managed service provider handles log monitoring, or a cloud service provider manages encryption at rest, the SSP must spell out exactly what they do and what remains the contractor’s responsibility. This requires a Customer Responsibility Matrix (CRM) from each external service provider. Per 32 CFR § 170.19, the use of an ESP, its relationship to the OSA, and the services it provides must be documented in both the SSP and the ESP’s CRM. An SSP entry that says “Handled by our MSSP” with no further detail will result in a finding every time.

3. Scoping Mistakes That Derail Assessments Before They Start

Assessment scoping under 32 CFR § 170.19 is not a formality—it is a make-or-break decision. One of the first actions CCAs take during the pre-assessment phase is to validate the contractor’s scope. If the scope is wrong, everything built on top of it is unreliable.

The most common scoping failure assessors encounter is under-scoping. Contractors attempt to minimize their assessment boundary by informally declaring parts of their network “out of CUI.” But if CUI can traverse those systems—even temporarily, even through email forwarding or file sharing—those systems are in scope. If segmentation is not technically enforced and documented, assessors will challenge that boundary. And if the assessment team discovers in-scope systems that the SSP does not cover, the assessment stalls.

The opposite problem, over-scoping, is less dangerous but far more expensive. Organizations that fail to establish a CUI enclave end up with their entire enterprise network in scope, which means every endpoint, server, and user must meet all 110 requirements. The CMMC Scoping Guidance – Level 2, published by the DoD CIO, provides detailed guidance on asset categorization. A well-defined CUI enclave dramatically reduces the assessment footprint and cost.

[Infographic: CMMC assessment scoping comparison showing under-scoped, over-scoped, and correctly bounded CUI assessment environments]

Assessors also verify that data flow diagrams match actual CUI movement. If a diagram shows CUI flowing from system A to system B, but the assessment team discovers through interviews or testing that it also transits through system C, system C enters scope immediately—and if it has not been secured and documented, that is a finding.

4. The Controls That Trip Up Even Prepared Organizations

After numerous Level 2 assessments, clear patterns have emerged. Certain NIST SP 800-171 control families consistently produce the most NOT MET findings. Here is where CCAs see contractors stumble most often.

Audit and Accountability (AU). Logging is where theory meets reality, and reality often falls short. Assessors will pull sample audit logs from systems within the CUI boundary and verify they contain the required data elements: user identity, timestamp, event type, success or failure, and the affected resource. Many organizations have logging enabled but are not capturing all required elements, are not retaining logs for the required period, or are not reviewing logs regularly. If logs exist but nobody is reviewing them, that is a finding.
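The data-element check described above, written out as an added example (not a tool from the article or from any vendor): it parses constructed key=value audit lines and reports which of the five required elements each record lacks. The field aliases are an assumption standing in for whatever schema a real SIEM export uses.

```python
"""Audit-record completeness check for the data elements an assessor samples
under AU: user identity, timestamp, event type, outcome, affected resource.

Added example for this article, not a tool from the article or from any
vendor. The log lines are constructed; the field aliases are an assumption
standing in for whatever schema a real SIEM export uses."""
import re
from datetime import datetime

# Required element -> field names a record might carry it under (assumed aliases).
REQUIRED_ELEMENTS = {
    "user identity": ("user", "subject", "account"),
    "timestamp": ("ts", "time", "timestamp"),
    "event type": ("event", "action", "event_type"),
    "outcome": ("outcome", "result", "status"),
    "affected resource": ("resource", "object", "target"),
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one key=value audit line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def missing_elements(record):
    """List the required elements this record lacks (empty list = complete)."""
    missing = []
    for element, aliases in REQUIRED_ELEMENTS.items():
        if not any(record.get(a) for a in aliases):
            missing.append(element)
    # A timestamp that is present but not parseable is as useless as none.
    if "timestamp" not in missing:
        ts = next(record[a] for a in REQUIRED_ELEMENTS["timestamp"] if record.get(a))
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            missing.append("timestamp")
    return missing


def check_log(lines):
    """Map each non-empty line to its missing elements, as an assessor would tally."""
    return {line: missing_elements(parse_record(line)) for line in lines if line.strip()}


# Constructed sample: one complete record and three with one gap each.
SAMPLE_LOG = [
    'ts=2025-03-04T13:22:07Z user=jdoe event=file_read outcome=success resource="/cui/contracts/sow.pdf"',
    "ts=2025-03-04T13:25:41Z user=svc-backup event=logon outcome=failure",
    "time=2025-03-04T13:30:00Z action=policy_change status=success object=gpo/CUI-Baseline",
    "ts=yesterday user=admin event=privilege_escalation outcome=success resource=srv-01",
]

if __name__ == "__main__":
    for line, gaps in check_log(SAMPLE_LOG).items():
        print("OK " if not gaps else "GAP", line[:60], gaps)
```

Running it over a real sample pulled from inside the CUI boundary shows, record by record, exactly the gap an assessor would write up.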

Access Control (AC). This is the largest domain with 22 requirements, and partial implementation fails. If even one user can access CUI without multi-factor authentication, AC.L2-3.5.3 is NOT MET—and that includes service accounts, API connections, VPN split tunnels, and remote desktop sessions. Assessors also verify that access follows the principle of least privilege. If a marketing intern has the same system permissions as the security administrator, access control is not compliant regardless of what the policy says.

System and Communications Protection (SC). Encryption is a frequent failure point. DFARS 252.204-7012 requires FIPS-validated cryptographic modules for CUI at rest and in transit. CCAs verify that encryption products are listed on the NIST CMVP Validated Modules page. If an organization uses a product that employs strong algorithms but has not completed FIPS 140-2 or 140-3 validation, the requirement is not met. This catches many organizations off guard.

[Infographic: bar chart of the CMMC Level 2 control families with the highest NOT MET finding rates: Audit and Accountability, Access Control, System and Communications Protection, Configuration Management]

Configuration Management (CM). Assessors look for documented configuration baselines for every system in the CUI boundary and evidence that the organization manages changes against those baselines. Patch management is a major component; CCAs expect to see evidence of timely patching, typically within 30 days of a critical vulnerability being identified. Organizations that can produce a patch management dashboard with historical data demonstrate operational maturity. Organizations that cannot locate their last scan report do not.

5. What Happens During Staff Interviews

Personnel interviews are not a test that staff can cram for the night before. When CCAs sit down with system administrators, ISSOs, or HR managers, they are looking for natural, confident descriptions of how personnel perform their duties. The CMMC Assessment Process (CAP) directs assessors to ensure confidentiality and non-attribution so interviewees can speak openly without fear of retribution.

What assessors are listening for is consistency with documentation. If the SSP says terminated employees have their access revoked within 24 hours, the CCA will ask the HR contact to walk through the offboarding process. If they describe something different, say a process that takes a week because IT has to be notified manually, that discrepancy becomes a finding against Personnel Security and Access Control requirements.

CCAs also gauge operational awareness. Can staff describe what CUI is? Do they know what they are allowed to do with it and what they are not allowed to do? Can the incident response lead walk through the steps the organization would take if a potential CUI data breach were discovered? If the answers to these questions are vague or uncertain, it tells assessors that the Awareness and Training (AT) and Incident Response (IR) controls are not truly implemented, even if the policies exist on paper.

[Infographic: CMMC Level 2 assessment staff interview preparation guide showing key questions by personnel role]

The best-prepared organizations conduct internal mock interviews and role-based training tied to specific CMMC requirements before assessment week. They do not script answers, but they ensure everyone understands their role in the organization’s cybersecurity posture. That preparation is immediately apparent to the assessment team.

6. Evidence Organization: Making It Easy for the Assessor to Pass You

This may sound simple, but it is one of the strongest signals of organizational maturity: can the contractor quickly find evidence? If the assessment team asks for proof that quarterly access reviews are conducted and it takes the organization 30 minutes to locate the right spreadsheet, assessors begin to question whether the review actually happened.

The best-prepared organizations maintain an evidence repository structured by NIST SP 800-171 control family, with each artifact clearly labeled with the control ID, description, and date. They map every piece of evidence to the corresponding assessment objective in NIST SP 800-171A using an evidence matrix. When an assessor requests an artifact, staff pull it up in seconds. That level of organization communicates that compliance is part of daily operations, not a scramble assembled for assessment week.

[Infographic: CMMC evidence repository folder structure organized by NIST SP 800-171 control family, with evidence mapped to assessment objectives]

Evidence must also be current. A firewall configuration screenshot from two years ago does not demonstrate today’s compliance. Assessors expect to see evidence from within the past 12 months for recurring activities: vulnerability scans, access reviews, training completions, incident response exercises, and log reviews. Timestamps matter. Annotated screenshots that explain what the assessor is looking at earn additional credibility.

7. POA&Ms: What Assessors Can Accept and What They Cannot

Under 32 CFR § 170.21, a Plan of Action and Milestones can allow an organization to achieve Conditional Level 2 (C3PAO) certification for requirements that are not yet fully met, but there are strict boundaries.

First, the organization must achieve at least an 80% score, meaning 88 of the 110 requirements scored as MET. If the score falls below that threshold, no conditional status is possible, and the assessment results in no CMMC status.

Second, certain requirements cannot appear on a POA&M. These are foundational requirements aligned with FAR 52.204-21 and DFARS 252.204-7012 that the DoD considers non-negotiable for basic CUI protection. If any of these are NOT MET at the time of assessment, CCAs cannot grant even conditional certification.

Third, every POA&M item must include specific remediation steps, responsible parties, milestones, and completion dates. Open-ended entries like “We plan to address this” are not acceptable. The organization has exactly 180 days from the Conditional CMMC Status date to close all POA&M items and pass a closeout assessment. If the closeout window expires, the conditional status is lost, and the organization must undergo a completely new assessment from scratch.
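The three rules above combined into one decision, as an added example (not a DoD or C3PAO tool): the 88-of-110 floor, requirements that may never sit on a POA&M, complete POA&M entries, and the 180-day closeout window. The NOT_POAM_ELIGIBLE set is a placeholder for this example only; the authoritative list is in 32 CFR § 170.21, and the requirement IDs and POA&M entry are constructed.

```python
"""Conditional Level 2 eligibility decision, encoding the three POA&M rules the
article lists: the 88-of-110 floor, requirements that may never sit on a POA&M,
and complete POA&M entries with a 180-day closeout.

Added example for this article, not a DoD or C3PAO tool. NOT_POAM_ELIGIBLE
below is a placeholder set for the example; the authoritative list is in
32 CFR § 170.21, and the requirement IDs are illustrative."""
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110
MIN_MET_FOR_CONDITIONAL = 88   # 80 percent of 110, per the article
CLOSEOUT_DAYS = 180

# Placeholder: stand-in for the requirements the rule bars from any POA&M.
NOT_POAM_ELIGIBLE = {"AC.L2-3.1.1", "AC.L2-3.1.2"}

# Constructed POA&M with one well-formed entry.
SAMPLE_POAM = {
    "CM.L2-3.4.2": {
        "steps": "Apply the approved baseline to the two unmanaged CUI file servers",
        "owner": "IT Operations Manager",
        "milestones": ["baseline approved", "servers rebuilt", "scan verified"],
        "completion_date": "2025-06-30",
    }
}


def poam_item_is_complete(item):
    """Steps, owner, milestones and a completion date are all mandatory."""
    return all(item.get(k) for k in ("steps", "owner", "milestones", "completion_date"))


def decide_status(not_met, poam, assessment_date, not_poam_eligible=NOT_POAM_ELIGIBLE):
    """not_met: IDs scored NOT MET (all others assumed MET); poam: {id: entry}.
    Returns (status, closeout deadline as ISO string or None, list of reasons)."""
    not_met = set(not_met)
    if not not_met:
        return "Final Level 2", None, []
    reasons = []
    met_count = TOTAL_REQUIREMENTS - len(not_met)
    if met_count < MIN_MET_FOR_CONDITIONAL:
        reasons.append(f"score {met_count}/{TOTAL_REQUIREMENTS} is below {MIN_MET_FOR_CONDITIONAL}")
    barred = sorted(not_met & set(not_poam_eligible))
    if barred:
        reasons.append("non-POA&M-eligible requirement NOT MET: " + ", ".join(barred))
    for req in sorted(not_met):
        if req not in poam:
            reasons.append(f"{req} NOT MET but absent from POA&M")
        elif not poam_item_is_complete(poam[req]):
            reasons.append(f"{req} POA&M entry incomplete")
    if reasons:
        return "No CMMC status", None, reasons
    deadline = date.fromisoformat(assessment_date) + timedelta(days=CLOSEOUT_DAYS)
    return "Conditional Level 2", deadline.isoformat(), []


def closeout_missed(deadline_iso, today_iso):
    """True once the 180-day window has passed; a completely new assessment is then required."""
    return date.fromisoformat(today_iso) > date.fromisoformat(deadline_iso)
```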

[Infographic: decision flowchart showing CMMC Level 2 POA&M eligibility rules, including the 88-requirement threshold and non-POA&M-eligible requirements]

The guidance from experienced CCAs is clear: do not plan to rely on POA&Ms as a certification strategy. Plan to meet all 110 requirements. Treat POA&Ms as a safety net for genuinely unforeseen gaps discovered during the assessment, not as a backdoor to certification with known deficiencies.

8. The Limited Practice Deficiency Correction: A Narrow Lifeline

One accommodation that many contractors are not aware of is the Limited Practice Deficiency Correction, defined in the CMMC Assessment Process (CAP). If an implemented practice is missing only a minor update (an unsigned policy, an expired review date on a document, or a slightly outdated reference), and the assessment team reaches consensus that the underlying practice has been in place and that the gap does not limit the effectiveness of another MET practice, the CCA may allow a brief correction window during the assessment itself.

This accommodation is intentionally narrow. It covers administrative oversights, not systemic control failures. If an encryption module is not FIPS-validated, that is not a minor update. If a policy was never signed because it was never approved by leadership, that suggests a governance gap rather than a clerical error. Contractors should treat this accommodation as a lifeline for minor documentation oversights and should not count on it to save fundamentally unimplemented controls.

9. What Separates Organizations That Pass from Those That Fail

After conducting numerous assessments across the Defense Industrial Base, experienced CCAs consistently observe clear patterns. Organizations that pass on the first attempt share several traits. They treat CMMC as an organizational initiative, not an IT project: leadership, HR, legal, contracts, and IT are all aligned.

They conduct a readiness assessment or a mock assessment before engaging the C3PAO. They maintain their SSP as a living document. They train their staff not just on policies, but on their specific roles in implementing controls. And they organize their evidence months before the assessment, not the week before.

Organizations that fail tend to exhibit common patterns as well. Their SSP does not match their live environment. Their policies exist but are not enforced or understood by personnel. Their evidence is scattered or outdated. They underestimated the depth of what a C3PAO assessment actually examines. And in many cases, they treated CMMC as a paperwork exercise when it is fundamentally an operational one.

[Infographic: side-by-side comparison of the characteristics of organizations that pass CMMC Level 2 on the first attempt versus those that fail]

Industry data supports this. Reports indicate that 30 to 50% of organizations entering the assessment process experience a false start, meaning they are not ready to proceed through the pre-assessment phase. Organizations that engage experienced readiness consultants or Registered Practitioner Organizations (RPOs) listed on the Cyber AB Marketplace before their C3PAO assessment consistently achieve higher first-attempt pass rates.

10. Final Word from the Assessor’s Perspective

Every CCA wants the organizations they assess to succeed. That is not a platitude: a successful assessment means the Defense Industrial Base is more secure, CUI is better protected, and contractors can continue contributing to national defense. The CMMC Program exists to verify that the security an organization claims is the security it actually practices.

The core message from experienced assessors to every contractor preparing for a CMMC Level 2 assessment is this: do not prepare for the assessor. Prepare for the adversary. If controls are genuinely implemented to protect CUI from real threats, the assessment will take care of itself. The documentation, the interviews, the technical testing: all of it is just verification of what should already be an operational reality.

Start early. Be honest about gaps. Fix them before engaging a C3PAO. And when assessment week arrives, the organization will be ready.

Key Authoritative Resources

•  DoD CIO – CMMC Program – Official program page, model overview, and assessment documentation

•  CMMC Assessment Guide – Level 2 (v2.13) – Official scoring criteria and requirement descriptions

•  CMMC Assessment Process (CAP) – The procedural guide C3PAOs follow during assessments

•  32 CFR Part 170 (eCFR) – The CMMC Program Final Rule

•  NIST SP 800-171 Rev 2 – The 110 security requirements for CUI protection

•  NIST SP 800-171A – Assessment objectives and methodology (320 objectives)

•  DFARS 252.204-7012 – Safeguarding Covered Defense Information clause

•  NIST CMVP Validated Modules – Verify FIPS 140-2/140-3 validation status of encryption products

•  Cyber AB Marketplace – Verify authorized C3PAOs, CCAs, and RPOs


CMMC Assessment Guide (cmmcassessmentguide.com) provides expert guidance on CMMC compliance, assessment preparation, and cybersecurity best practices for the Defense Industrial Base.
