
Assessment Day Playbook

An honest walkthrough of what actually happens during a CMMC Level 2 C3PAO assessment — what assessors do hour by hour, who needs to be available, what they ask, how findings emerge, and what you can do in the moment to handle them well.

Assessment Structure

A Level 2 C3PAO assessment for a small to mid-size contractor typically runs 1–3 weeks of fieldwork preceded by 2–4 weeks of document submission and assessor preparation, and followed by 4–8 weeks of report drafting and certification decision. The fieldwork itself is the most operationally intense phase — when most of your team's time is engaged with the assessors.

The fieldwork follows a predictable structure: opening conference, document walkthroughs, interviews organized by control family, technical observations of your actual environment, daily status meetings, findings discussions, and a closing conference. Within that structure, every C3PAO has their own rhythm; the patterns below are typical but not universal.

The assessment is governed by the CMMC Assessment Process (CAP), the Cyber AB's documented methodology that C3PAOs are expected to follow. Familiarity with the CAP helps you anticipate what assessors will do and why.

Pre-Assessment Phase

The pre-assessment phase begins after SOW signing and ends at the opening conference. The assessor team uses this time to develop a scoping confirmation, prepare their interview question sets, and identify the evidence they want to walk through. The contractor uses it to finalize document submissions and prepare personnel.

Pre-Assessment · 2–4 weeks before fieldwork

What the assessor team is doing

  • Reviewing your SSP, POA&M, and supporting documentation submitted via secure transfer
  • Confirming the in-scope environment matches the SOW scope
  • Mapping each of the 110 requirements to evidence sources you've identified
  • Identifying gaps where the SSP statement and the supporting evidence do not align
  • Drafting interview question sets for each control family
  • Coordinating logistics: site visit dates, conference room, network access, escort procedures
  • Identifying the personnel they need to interview

Pre-Assessment · contractor preparation

What you should be doing

  • Completing any final document or evidence submissions
  • Briefing personnel who will be interviewed about the assessment process and their specific control family
  • Confirming logistics: room reservations, network access for assessors, badge/escort arrangements, secure storage for assessor laptops if on-site
  • Designating an internal Assessment Coordinator — a single point of contact responsible for fielding assessor requests, coordinating evidence retrieval, and ensuring interviewees are available on time
  • Conducting a final internal walkthrough of high-weight controls (5-point and 3-point requirements in the DoD Assessment Methodology) to confirm evidence is current and accessible
  • Confirming that all referenced policies actually exist and are accessible — assessors will ask for any policy your SSP cites

Pre-assessment surprises are normal. The assessor team almost always identifies gaps during document review — a referenced policy that isn't producible, an SSP statement that contradicts the evidence package, an asset inventory that's stale. Treat these as opportunities to remediate before the formal fieldwork begins; assessors will tell you what they've found and you can usually address it before findings are formally recorded.

Day Zero: Opening Conference

The first day of fieldwork begins with an opening conference — typically 60–90 minutes — that establishes the working agreement for the rest of the assessment.

Time  | Activity | Participants
09:00 | Introductions, assessor team and contractor team | Lead assessor, all C3PAO assessors, contractor System Owner, ISSO, key SMEs, Assessment Coordinator
09:15 | Confirmation of scope as documented in SSP and SOW | Lead assessor, System Owner
09:30 | Walkthrough of assessment schedule, interview times, evidence approach | Lead assessor, Assessment Coordinator
10:00 | Logistics: working space, network access, escort procedures, daily status meeting timing | Assessment Coordinator, lead assessor
10:30 | Q&A; confirmation of any pre-assessment open items | All

The opening conference is rarely contentious — it's an alignment session. The most useful contributions from the contractor side are confirming who handles what topic, agreeing on a daily status meeting time, and surfacing any logistical concerns before fieldwork begins. Discussion of specific controls or findings is deferred to the topical sessions.

The Daily Rhythm

After the opening, each day follows a predictable structure. A typical day during a 5-day fieldwork engagement:

Time  | Activity | Notes
08:30 | Daily kickoff (15 min) | Assessment Coordinator and lead assessor confirm the day's interviews, evidence requests, and any blocking issues
09:00 | First interview block (90 min) | Typically focused on one control family, with the family owner and SMEs
10:30 | Evidence walkthrough (60 min) | Assessor reviews specific evidence with the SME: opening configurations, looking at logs, reading policies
11:30 | Buffer / open evidence requests (30 min) | Coordinator collects items the assessor needs but doesn't have yet
12:00 | Lunch | Assessors typically work through lunch on their own; do not "host" them
13:00 | Second interview block (90 min) | Different control family, different SMEs
14:30 | Technical observation (60–90 min) | Assessor watches a sysadmin perform an operational task: review audit logs, run a vulnerability scan report, demonstrate access provisioning
16:00 | Daily status meeting (30 min) | Lead assessor walks through what was covered, what's open, what's needed for tomorrow. Findings are NOT typically presented here as final; they emerge through discussion
16:30 | Coordinator wrap (30 min) | Internal: review evidence requests for tomorrow, brief tomorrow's interviewees, address any concerns

The pattern repeats for each day of fieldwork, with different control families each day. A 14-control-family assessment running 5 days will typically cover 2–3 families per day, with the high-weight families (Access Control, Identification & Authentication, System & Communications Protection) consuming more time.

Interviews by Control Family

Interviews are the primary mechanism by which assessors test your SSP statements against operational reality. Each interview pairs an assessor with the contractor SME for a control family. The format is conversational, structured around the requirements in that family, and typically lasts 60–120 minutes per family.

What assessors ask in interviews — illustrative for several high-weight families:

Access Control (AC) — typical assessor questions

  • "Walk me through how a new user gets access to a CUI system. Who initiates the request? Who approves it? Who provisions the account?"
  • "Show me your most recent quarterly access review. How were terminated employees identified?"
  • "How do privileged users access in-scope systems? What additional controls apply to those accounts?"
  • "What happens when someone changes roles within the company — do their access permissions automatically update, or is there a manual step?"
  • "Show me how a user with mobile access connects to the in-scope environment. Walk me through the conditional access policy."

Identification & Authentication (IA) — typical assessor questions

  • "Walk me through your MFA enrollment process. How do you confirm a user is who they claim to be before issuing a token?"
  • "Show me MFA being enforced. What happens if a user attempts to authenticate without a second factor?"
  • "How are service accounts authenticated? What protections apply to credentials stored in scripts or applications?"
  • "What's your password policy? Show me where it's enforced technically — not just in the policy document."
  • "How are device certificates managed for systems that authenticate without a user — printers, IoT devices, automation systems?"

Audit & Accountability (AU) — typical assessor questions

  • "What audit events are logged across in-scope systems? Show me a sample of recent log records."
  • "How long are audit logs retained? Show me logs from the oldest date your SSP and retention policy say you still hold." (NIST SP 800-171 sets no fixed retention period; the assessor tests the period you committed to.)
  • "How do you protect audit logs from unauthorized modification? Who can delete or alter them?"
  • "How frequently do you review audit logs for anomalies? Show me records of the most recent review."
  • "How do you correlate events across systems? Walk me through a scenario where you traced an incident across multiple systems."

System & Communications Protection (SC) — typical assessor questions

  • "Show me your network architecture diagram. Walk me through how CUI flows from external entry to internal storage."
  • "How is CUI encrypted in transit between in-scope systems? Show me the cryptographic configuration."
  • "Show me how CUI is encrypted at rest. What FIPS-validated cryptographic modules are in use?"
  • "How is your network segmented between CUI systems and general-use systems? Show me the firewall rules."
  • "Walk me through what happens when an in-scope user accesses a publicly-accessible site. What controls protect against malicious downloads?"

How to prepare an SME for interview

  • Review the relevant SSP sections. The SME should be able to discuss what the SSP says about their control family, in their own words, without reading from the document.
  • Identify the evidence in advance. For each requirement in the family, know where the supporting evidence lives and have it accessible during the interview.
  • Practice "show me" responses. Most assessor questions follow a "describe it, then show me" pattern. The SME should be ready to demonstrate live in the system, not just describe.
  • Don't volunteer beyond the question. Answer what's asked, accurately and completely. Volunteering additional context occasionally helps; volunteering speculation or unrelated topics expands the scope of inquiry unhelpfully.
  • If you don't know, say so. "I'm not sure — let me check and get back to you within an hour" is a perfectly acceptable answer. Guessing or fabricating is the worst possible response.
  • Have a back-up. If the primary SME is out sick or otherwise unavailable, who can step in? Identify and brief the back-up before fieldwork begins.

Technical Observations

Beyond interviews, assessors will conduct technical observations — sessions where they watch a sysadmin or SME perform an operational task in the live environment. Common observations:

  • Access provisioning workflow: Assessor watches the new-user onboarding from request to account creation
  • Audit log review: Assessor watches a sysadmin pull and review the most recent audit logs
  • Vulnerability scan execution: Assessor watches a vulnerability scan run, the results processed, and the remediation tracking
  • Configuration baseline verification: Assessor watches a system configuration compared against the documented baseline
  • Backup restoration: Assessor watches a file restored from backup to demonstrate the backup is functional
  • Incident response tabletop: Assessor walks through a hypothetical incident with the IR team to test the documented procedure

Observations let the assessor confirm that what's documented is what actually happens. The risk of an observation is that a process the team thinks works smoothly turns out to fail in practice — a vulnerability scan that errors out, a backup that won't restore, a sysadmin who can't find the audit log review documentation. Run the observation activities yourself before the assessment to surface these issues.

How Findings Emerge

Findings rarely arrive as surprises in the closing conference. They emerge through the daily rhythm — usually first as a question or concern raised in an interview or evidence walkthrough, then as an explicit "this looks like a finding" comment in the daily status meeting, then as a documented finding in the closing conference and the ROC.

When a potential finding emerges, you have several options:

  • Provide additional evidence. If the assessor's concern stems from incomplete documentation, providing the missing artifact may resolve the finding before it's documented. Move quickly — within the same day.
  • Clarify a misinterpretation. If the assessor has misread a control or its evidence, walk them through your understanding. The lead assessor can adjust the interpretation if your clarification is supported by the evidence.
  • Acknowledge the gap. If the finding is real, acknowledge it cleanly. Do not argue or push back when the gap genuinely exists. Acknowledged findings are usually treated more favorably than disputed ones.
  • Record it as a POA&M item. A finding that can be placed on your POA&M with a credible remediation plan does not necessarily prevent certification, but eligibility is narrow. Under 32 CFR 170.21, only requirements weighted 1 point in the DoD Assessment Methodology may be on the POA&M, and five 1-point requirements are excluded outright: AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4 and PE.L2-3.10.5. The single higher-weight exception is SC.L2-3.13.11 (CUI Encryption), which may be on the POA&M when encryption is employed but is not FIPS-validated. Every other 5-point and 3-point requirement must be fully implemented at certification; it cannot be deferred. Even when every open item is eligible, the assessment score must be 88 or higher (80% of 110) to qualify for conditional certification.

What does not work: arguing with the lead assessor about whether something is a finding once they have made the determination, going over their head to C3PAO leadership during fieldwork, or trying to renegotiate the scope mid-engagement. The assessor team has process autonomy; findings stand unless changed by the C3PAO's internal QA review or through the formal appeal path (the C3PAO's own dispute process, with escalation to the Cyber AB), and that path runs after the results are delivered, not during fieldwork.
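The eligibility rule above is easy to state and easy to get wrong in the moment, so here is a small model of it as an added example (not code from the page, the CAP, or any C3PAO). It scores a set of NOT MET requirements, decides which may sit on the POA&M, and derives the outcome. The requirement weights and the sample gaps are constructed for illustration and are assumptions: confirm each weight against the DoD Assessment Methodology before relying on it. Requirements not listed are treated as MET.

```python
# Added example: model of the Level 2 POA&M eligibility / conditional status rule.
# Weights and sample requirements below are assumed for illustration.
from __future__ import annotations
from dataclasses import dataclass

TOTAL_POINTS = 110
CONDITIONAL_MIN_SCORE = 88          # 0.8 x 110; score floor for a conditional status

# 1-point requirements that are never POA&M-eligible (32 CFR 170.21).
NEVER_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
CUI_ENCRYPTION = "SC.L2-3.13.11"   # the single higher-weight exception


@dataclass(frozen=True)
class Unmet:
    """A requirement assessed NOT MET. Anything not listed is treated as MET."""
    req_id: str
    weight: int                        # 5, 3 or 1 in the DoD Assessment Methodology (assumed here)
    non_fips_encryption: bool = False  # SC.L2-3.13.11 only: encryption in use, but not FIPS-validated


def deduction(u: Unmet) -> int:
    """Points subtracted from 110 for one unmet requirement."""
    if u.req_id == CUI_ENCRYPTION and u.non_fips_encryption:
        return 3                       # partial deduction instead of the full weight
    return u.weight


def poam_eligible(u: Unmet) -> bool:
    """May this unmet requirement sit on the POA&M at certification?"""
    if u.req_id in NEVER_POAM:
        return False
    if u.req_id == CUI_ENCRYPTION:
        return u.non_fips_encryption   # no encryption at all is not eligible
    return u.weight == 1


def evaluate(unmet: list[Unmet]) -> dict:
    """Score the assessment and derive the outcome: 'final', 'conditional' or 'none'."""
    score = TOTAL_POINTS - sum(deduction(u) for u in unmet)
    blockers = sorted(u.req_id for u in unmet if not poam_eligible(u))
    poam = sorted(u.req_id for u in unmet if poam_eligible(u))
    if not unmet:
        outcome = "final"              # all 110 requirements MET
    elif blockers:
        outcome = "none"               # an ineligible gap must be fixed before certification
    elif score < CONDITIONAL_MIN_SCORE:
        outcome = "none"               # every gap is eligible, but too many of them
    else:
        outcome = "conditional"        # POA&M items must close within 180 days
    return {"score": score, "outcome": outcome, "poam": poam, "blockers": blockers}


# Constructed scenarios (requirement weights assumed for the example).
CLEAN: list[Unmet] = []
ELIGIBLE_GAPS = [
    Unmet(CUI_ENCRYPTION, 5, non_fips_encryption=True),  # scores as -3 and is eligible
    Unmet("AT.L2-3.2.3", 1),                             # 1-point, eligible
    Unmet("MP.L2-3.8.4", 1),                             # 1-point, eligible
]
BLOCKED = ELIGIBLE_GAPS + [
    Unmet("IA.L2-3.5.3", 5),          # 5-point: must be MET at certification
    Unmet("AC.L2-3.1.22", 1),         # 1-point but explicitly excluded
]
TOO_MANY = [Unmet(f"SAMPLE-1PT-{i:02d}", 1) for i in range(23)]  # 110 - 23 = 87 < 88

if __name__ == "__main__":
    for name, scenario in [("clean", CLEAN), ("eligible", ELIGIBLE_GAPS),
                           ("blocked", BLOCKED), ("too_many", TOO_MANY)]:
        print(f"{name:9s} {evaluate(scenario)}")
```

The `TOO_MANY` scenario is the one teams forget: twenty-three open 1-point items are each individually POA&M-eligible, yet the score of 87 falls below the floor, so the outcome is no certification. Run `evaluate` against your own NOT MET list during the daily status meetings to know where you stand before the closing conference.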

Closing Conference

The closing conference is the final session of fieldwork — typically 60–90 minutes on the last day. The lead assessor walks through:

  • A summary of what was assessed and how
  • The findings identified during the fieldwork, with brief justifications
  • Recommendations and next steps
  • The timeline for ROC drafting and delivery
  • The process for the contractor's factual review of the draft ROC

The closing conference is not a forum for negotiating findings. The findings presented have already been discussed in the daily meetings; the closing is the formal record. Listen carefully, take notes, and reserve substantive responses for the factual review of the draft ROC.

Post-Assessment

After fieldwork ends, the lead assessor drafts the Report on Conformity over 2–4 weeks. The contractor receives a draft for factual review, an opportunity to identify factual errors (a system name misspelled, an evidence reference mis-cited) but not to dispute findings. The C3PAO's internal QA reviews the draft, the final ROC is delivered to the contractor, and the C3PAO uploads the assessment results into CMMC eMASS, which records the contractor's CMMC Status and feeds it to SPRS. Under the 32 CFR part 170 final rule, the C3PAO issues the Level 2 status; there is no separate PMO certification decision.

Three possible outcomes:

  • Final Level 2 (C3PAO): all 110 requirements MET. Valid for three years, subject to annual affirmations.
  • Conditional Level 2 (C3PAO): a score of at least 88 and every NOT MET requirement POA&M-eligible under the rules above. The POA&M must be closed within 180 days and verified by a C3PAO POA&M closeout assessment; if it is not, the conditional status expires.
  • No CMMC Status: at least one NOT MET requirement that is not POA&M-eligible, or a score below 88. The contractor must remediate and re-engage for a new assessment.

For the operational picture after certification — annual affirmations, change management, the three-year recertification — see the Maintaining Your Certification guide.

Preparing Your Team

The assessment is as much a test of your organization's ability to articulate and demonstrate its security posture as it is a test of the controls themselves. A well-implemented control that the responsible SME cannot describe or demonstrate often produces a finding anyway. Preparation focuses on the people as much as the systems.

  • Identify each control family owner. One named person per family who can speak to the implementation. They do not have to be the implementer — they have to be able to describe and demonstrate.
  • Conduct a mock interview cycle. Two to four weeks before fieldwork, run mock interviews with each family owner. Either internally (your ISSO or SSP author plays the assessor) or with a third-party readiness reviewer. Document the gaps surfaced.
  • Pre-stage evidence. For each requirement, confirm the evidence is current, accessible from the assessment work area, and producible within minutes — not hours.
  • Designate an Assessment Coordinator. One person who sits with the assessors throughout fieldwork, fields requests, escalates as needed, and keeps the contractor side organized. This role is typically the ISSO or a senior IT/compliance lead.
  • Brief executive leadership. The System Owner and Authorizing Official may be interviewed. They should be prepared to speak to their security responsibilities, the SSP they signed, and the program they are accountable for. Executive interviews in which the executive cannot articulate the program's basic commitments are a common source of findings.
  • Schedule conservatively. Interviews and observations take longer than planned. Build buffer time into the schedule. Plan for the assessment week to be a full work week for the assessment team — postpone non-critical organizational activity.
  • Maintain composure. The assessment is intense but not adversarial. The lead assessor's job is to evaluate fairly and document accurately. Treat the team professionally; emotional or defensive reactions to questions tend to expand inquiry rather than resolve it.

Authoritative References

Related resources: Before the assessment, audit your evidence library and confirm your policy library is complete. After the assessment, see Maintaining Your Certification.