CMMC assessments are no longer a distant requirement — they’re happening now. If you’re a defense contractor handling Controlled Unclassified Information (CUI), you’ll likely need to pass a CMMC assessment to win or keep government contracts.
This blog is designed to help you navigate the CMMC assessment process. Whether you’re just starting out or preparing for an upcoming assessment, you’ll learn what assessors are looking for, how to prepare your documentation and systems, and how to avoid the most common mistakes that can delay certification.

What is a CMMC Assessment and Why It Matters
Before diving into the assessment process, it’s important to understand what Cybersecurity Maturity Model Certification (CMMC) is and how it applies to your organization. CMMC is a cybersecurity framework developed by the U.S. Department of Defense (DoD) to ensure that contractors handling sensitive federal information — like Controlled Unclassified Information (CUI) — meet specific security requirements spelled out in NIST 800-171. NIST 800-171 has been a contractual obligation since 2017 and CMMC was designed to add an assessment component to the NIST standard to ensure compliance requirements are met.
CMMC consists of three compliance levels:
- Level 1 (Foundational): Requires an annual self-assessment against the 17 NIST 800-171 controls that apply to Level 1. Level 1 applies only to organizations handling Federal Contract Information (FCI), which is information not deemed critical to national security. For Level 1 self-assessments, a senior company official must affirm that the company meets all requirements for compliance. The company must also register these self-assessments and affirmations in the DoD’s Supplier Performance Risk System (SPRS).
- Level 2 (Advanced): Level 2 is based on the 110 NIST 800-171 controls and applies to contractors handling CUI. A small fraction of Level 2 companies will be allowed to perform a self-assessment, but over 95% will require a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO).
- Level 3 (Expert): Companies handling the most sensitive information will need to meet Level 3 (Expert). Level 3 is based on the 110 controls of NIST SP 800-171 plus a subset of requirements from NIST SP 800-172. To achieve Level 3, an organization must first pass a Level 2 assessment by a C3PAO. The organization is then assessed for Level 3 directly by the government.
Organizations handling CUI need to know that assessments have already begun. If you are a contractor or subcontractor that processes, stores, or transmits CUI as part of DoD contracts, CMMC compliance is not optional. You’ll either be required to submit a self-assessment score to SPRS or, more likely, undergo a formal third-party review by a C3PAO — depending on the nature of the contract.
The Importance of a CMMC Assessment
A CMMC assessment is not just a checkbox exercise — it’s a critical step toward securing your eligibility for DoD contracts and proving your organization can protect sensitive government data. The CMMC Final Rule was passed in December 2024, and assessments have been taking place since January 2025. As the CMMC program rolls out, more contractors and subcontractors will require proof of compliance, making assessments essential for staying competitive in the defense industrial base.
A CMMC assessment verifies that your organization has implemented the necessary cybersecurity practices and controls outlined in NIST SP 800-171 for Level 2. Assessors will review documentation, interview personnel, and evaluate your technical environment to confirm that your security posture aligns with the CMMC framework.
Achieving certification signals to prime contractors and the DoD that your organization takes cybersecurity seriously. It can help:
- Increase your eligibility for contract awards
- Build trust with government and industry partners
- Avoid the reputational and financial risks tied to security breaches or noncompliance
How to Prepare for a CMMC Assessment
Achieving CMMC compliance takes 9-12 months. Start your compliance journey now so you don’t become ineligible for government contracts.
Here are some of the important first steps you need to take to get ready for CMMC:
- Determine your CMMC level: Your defense contract will specify which CMMC level your organization must achieve. CMMC levels are based on the type of information your organization works with; any organization that handles CUI will need to achieve at least Level 2.
- Familiarize yourself with CMMC: Learn the CMMC framework, its levels, and the NIST 800-171 controls behind them before you begin planning.
- Scope your compliance boundary: The more you can limit your boundary, the easier it will be to maintain. A tight scope also lets you achieve compliance more quickly and economically.
- Adopt a platform to protect CUI: Most organizations will need to deploy new technology solutions to protect CUI. Remember that file sharing and email are how CUI is most often transmitted, both inside and outside an organization. If you’re using Microsoft 365 Commercial, know that it does not support CMMC-compliant communications. You’ll need to make a switch.
- Develop robust documentation: It’s not enough to simply protect CUI; you must also be able to prove that you’re compliant. That is accomplished with detailed documentation such as your System Security Plan (SSP). An SSP is required by NIST 800-171 and explains how your organization meets each of the 110 NIST 800-171 controls.
There are many further steps you’ll want to take to ensure you are ready for an assessment, ranging from conducting a self-assessment to (potentially) working with an outside consultant. Get started with our step-by-step overview of how to prepare – see our CMMC Compliance Checklist.
The CMMC Assessment Process
The CMMC Accreditation Board (CyberAB) has authored the CMMC Assessment Process (CAP) handbook to explain the assessment roles, responsibilities, requirements, and timeline. The CAP describes the four phases of an assessment.
Phase 1: Plan and prepare the assessment
In this step, the C3PAO will confirm that the Organization Seeking Compliance (OSC) has evidence to meet a substantial number of assessment objectives. The OSC will need to provide the results of a self-assessment along with a list of evidence, a robust SSP, a list of all the personnel involved in the procedures evaluated, and any other relevant documentation.
Phase 2: Conduct the assessment
In the assessment, the C3PAO checks the OSC’s fulfillment of every assessment objective and control in NIST 800-171A. The C3PAO then determines the final CMMC results on a binary scale of met / not met.
If the OSC scores at least 88/110 (80% of the CMMC Level 2 practices), the C3PAO has the discretion to allow the organization to use a Plan of Action and Milestones (POA&M) as a temporary stopgap for eligible controls that are not yet fully satisfied. Note that only a limited number of NIST controls are eligible for POA&M status. In addition, the organization must close out all POA&M items within 180 days.
Phase 3: Report assessment results
The C3PAO shares the assessment results with the OSC and decides whether any unsatisfied controls can be addressed through a POA&M. If a POA&M is allowed, the Lead Assessor identifies those controls, and the organization moves to Phase 4. If there is no POA&M, Phase 4 isn’t needed and the assessment wraps up.
Phase 4: Close out POA&Ms and assessment
If the OSC received a conditional CMMC Level 2 certification in Phase 3, the final step is to close every open POA&M item within 180 days and have a C3PAO verify that they are closed out. Only then does the OSC receive final CMMC Level 2 certification.
3 CMMC Assessment Pitfalls and How to Avoid Them
The C3PAO assessments that have taken place since January 2025 have revealed several compliance shortfalls. Some of the most common ones include:
- System Security Plan (SSP) does not match what is done in practice: The first thing a C3PAO will review in your assessment is your SSP, which details how your organization implements every control and practice. Assessors want to confirm that what is written in your SSP is how the control is actually met. Unfortunately, many organizations describe one procedure in their SSP but meet the control in a different way in practice.
- Addressing 110 requirements versus 320 objectives: Assessors evaluate the 320 NIST 800-171 assessment objectives to determine whether a requirement is met. Unfortunately, OSCs have focused on meeting the top-level control rather than the underlying objectives.
- Organizations don’t realize that they need to maintain assessment readiness: Organizations have focused on getting ready to pass their C3PAO-led assessment without planning how they will maintain their compliant status afterward.
Check out our webinar, From the Frontlines: The First 60 Days of CMMC Compliance, to learn from leading C3PAOs about the challenges they see OSCs running into as they go through CMMC assessments.
How PreVeil Can Help Achieve CMMC Compliance
If your organization handles CUI and wishes to stay in the Defense Industrial Base, then you will need to become CMMC compliant. PreVeil can help.
PreVeil is the leading solution for CMMC compliance. Trusted by over 1,600 small and midsize defense contractors, PreVeil’s solution has proven successful in getting 15+ contractors and C3PAOs perfect 110 scores in tough DoD audits.
- Technology Platform: Our Email and Drive platform protects CUI with end-to-end encryption and meets FedRAMP Moderate Equivalent, FIPS 140-2, and DFARS 7012 (c)-(g).
- Compliance Accelerator: We provide pre-filled CMMC documentation, assessor-validated videos, and one-on-one support from our compliance experts.
- Partner Network: We support your organization through the entire compliance journey – from prep to assessment – with our network of CMMC consultants and auditors.
PreVeil’s proven solution has been used by over a dozen defense contractors and C3PAOs to achieve perfect 110 scores in CMMC and DoD assessments.
Read PreVeil’s Guide to CMMC, used by 5,000 defense contractors
Take Action:
- Schedule a demo
- Schedule a free 15-minute consultation with PreVeil’s compliance team.
- Download our CMMC Guide, which has been downloaded by over 5,000 defense contractors.