CMMC Assessment Process

How CMMC assessments work — self-assessments, C3PAO third-party assessments, and DIBCAC government-led assessments including scoring, POA&Ms, and conditional certification.
CMMC assessment types

CMMC 2.0 uses three assessment types that correspond to the certification levels. The assessment type for your organization is determined by the CMMC level specified in your contract.

Self-assessment (Level 1 and Level 2)

Self-assessments are conducted internally by the organization. They are required for all Level 1 certifications and for Level 2 certifications on contracts involving less sensitive CUI.

How it works:

  1. Scope your environment — identify the systems, people, and processes that handle FCI (Level 1) or CUI (Level 2) within the assessment boundary.
  2. Evaluate each practice — assess whether your organization meets each required practice using the DoD Assessment Methodology.
  3. Calculate your score — Level 1 is pass/fail across 17 practices. Level 2 uses a scoring methodology based on 110 objectives, starting at 110 and subtracting points for unmet requirements.
  4. Submit to SPRS — enter your assessment score into the Supplier Performance Risk System.
  5. Affirm annually — a senior official must sign an annual affirmation confirming continued compliance.

Self-assessments must be conducted with the same rigor as third-party assessments. The DoD reserves the right to audit self-assessment scores, and material misrepresentation can result in False Claims Act liability.

C3PAO assessment (Level 2)

Third-party assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs) accredited by the Cyber AB (formerly the CMMC Accreditation Body). They are required for Level 2 certifications on contracts involving more sensitive CUI or critical programs.

How it works:

  1. Select a C3PAO — choose from the list of accredited C3PAOs published by the Cyber AB. The C3PAO assigns certified CMMC assessors to your engagement.
  2. Pre-assessment readiness review (optional but recommended) — many C3PAOs offer a readiness review to identify gaps before the formal assessment begins.
  3. Assessment planning — the C3PAO works with your organization to define scope, schedule, and logistics. This includes identifying assessment boundaries, CUI data flows, and inherited controls.
  4. Evidence collection and review — assessors review your System Security Plan (SSP), policies, procedures, and evidence artifacts. This typically takes two to four weeks depending on scope.
  5. On-site or virtual assessment — assessors interview personnel, observe processes, and test controls. Most assessments include both documentation review and interactive sessions.
  6. Scoring and findings — the C3PAO scores each of the 110 objectives and documents any deficiencies. You receive one of three results:
    • Met — all 110 objectives satisfied. Full certification issued.
    • Conditional — score of 88 or above with documented POA&M items. Conditional certification issued with a 180-day remediation window.
    • Not met — score below 88. No certification issued. You must remediate and re-engage the C3PAO.
  7. Certification validity — a full or conditional certification is valid for three years with annual affirmation of continued compliance.

DIBCAC assessment (Level 3)

Government-led assessments are conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). They are required for Level 3 certifications.

Prerequisites:

  • A valid Level 2 C3PAO certification must be in place before a Level 3 assessment can begin
  • The organization must demonstrate compliance with all 110 NIST SP 800-171 requirements plus the 24 selected NIST SP 800-172 enhanced requirements

How it works:

DIBCAC assessments follow a similar structure to C3PAO assessments but are conducted by government assessors with additional focus on advanced threat scenarios, penetration-resistant architecture, and operational resilience. The assessment scope, timeline, and logistics are coordinated directly with DIBCAC.

Scoring methodology

Level 1 scoring

Level 1 uses a simple pass/fail model. All 17 practices must be met. There is no partial scoring or POA&M allowance for Level 1.

Level 2 scoring

The DoD Assessment Methodology for Level 2 evaluates 110 objectives (one per NIST SP 800-171 requirement). Scoring starts at 110 and subtracts points for each unmet objective:

  • Most objectives subtract 1 point if not met
  • Some higher-impact objectives subtract 3 points or 5 points
  • The specific point values are defined in the NIST SP 800-171A assessment objectives

A score of 110 means all requirements are met. A score of 88 or above (with POA&M) qualifies for conditional certification. A score below 88 does not qualify for any certification.

Level 3 scoring

Level 3 scoring evaluates the 24 enhanced requirements from NIST SP 800-172 in addition to the Level 2 baseline. The scoring methodology is determined by DIBCAC and follows government assessment procedures.

Plan of Action and Milestones (POA&M)

A POA&M documents security requirements that are not yet fully met and the organization's plan to remediate them. Under CMMC 2.0:

  • Level 1 does not allow POA&Ms — all 17 practices must be met
  • Level 2 allows POA&Ms for conditional certification if the score is 88 or above
  • Level 3 allows limited POA&Ms under DIBCAC discretion

POA&M rules for Level 2

  • Maximum of 22 unmet objectives (score of 88+)
  • Certain critical requirements cannot be placed on a POA&M regardless of score
  • All POA&M items must be closed within 180 days of the conditional certification date
  • A C3PAO must verify POA&M closure through a close-out assessment
  • Failure to close POA&M items within 180 days revokes the conditional certification
  • The organization must then undergo a new full assessment

What cannot go on a POA&M

The DoD has identified specific high-impact requirements that cannot be deferred via POA&M. These typically include:

  • Multifactor authentication requirements
  • FIPS-validated encryption requirements
  • Requirements related to incident reporting to the DoD
  • Other requirements designated by the DoD as non-deferrable
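The Level 2 scoring and POA&M rules above (start at 110, subtract 1, 3 or 5 points per unmet objective, conditional certification at 88 or above, no non-deferrable items on the POA&M, 180-day close-out window) worked through as an added Python example. This is not code from the page or from episki; the objective ids, point weights and which items are non-deferrable are constructed stand-ins, not the DoD's official table.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110              # every Level 2 objective met
CONDITIONAL_THRESHOLD = 88   # minimum score for conditional certification with a POA&M
REMEDIATION_DAYS = 180       # POA&M close-out window after conditional certification

@dataclass(frozen=True)
class Objective:
    req_id: str          # requirement identifier (constructed sample values below)
    points: int          # 1, 3 or 5 points subtracted if the objective is not met
    met: bool
    deferrable: bool     # False for items the DoD does not allow on a POA&M

def sprs_score(objectives):
    """Start at 110 and subtract each unmet objective's point value."""
    return MAX_SCORE - sum(o.points for o in objectives if not o.met)

def level2_result(objectives):
    """Return (result, score, ids): ids are POA&M items for Conditional, blockers for Not met."""
    score = sprs_score(objectives)
    unmet = [o.req_id for o in objectives if not o.met]
    if not unmet:
        return "Met", score, []
    blockers = [o.req_id for o in objectives if not o.met and not o.deferrable]
    if score >= CONDITIONAL_THRESHOLD and not blockers:
        return "Conditional", score, unmet
    return "Not met", score, blockers

def level1_result(practices):
    """Level 1 is pass/fail: every practice must be met, no POA&M allowance."""
    return "Met" if all(practices.values()) else "Not met"

def poam_deadline(conditional_cert_date):
    """ISO date by which every POA&M item must be closed and verified by the C3PAO."""
    start = date.fromisoformat(conditional_cert_date)
    return (start + timedelta(days=REMEDIATION_DAYS)).isoformat()

def sample_objectives(unmet_ids=()):
    """Constructed 110-objective set; ids, point weights and deferrability are illustrative only."""
    five_point = {"OBJ-001", "OBJ-017", "OBJ-042"}
    three_point = {"OBJ-050", "OBJ-077"}
    non_deferrable = {"OBJ-017", "OBJ-042", "OBJ-077"}  # stand-ins for MFA, FIPS crypto, incident reporting
    objs = []
    for n in range(1, 111):
        rid = f"OBJ-{n:03d}"
        pts = 5 if rid in five_point else 3 if rid in three_point else 1
        objs.append(Objective(rid, pts, rid not in unmet_ids, rid not in non_deferrable))
    return objs
```

Note that 22 one-point gaps is the most that can be left open at the 88 threshold; a single 5-point gap consumes the budget of five one-point gaps, and a non-deferrable gap blocks conditional certification regardless of score.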

Preparing for your assessment

Regardless of assessment type, preparation follows a similar pattern:

  1. Define your CUI boundary — identify where CUI enters, flows through, and is stored in your environment. This defines your assessment scope.
  2. Complete your SSP — document every NIST SP 800-171 requirement with your implementation status, responsible parties, and evidence.
  3. Conduct a gap analysis — compare your current controls against all required practices and identify shortfalls.
  4. Remediate or document — close gaps where possible. For remaining gaps, create POA&M items with realistic remediation timelines.
  5. Organize evidence — collect and catalog evidence artifacts (screenshots, configs, policies, logs) mapped to each requirement.
  6. Perform a mock assessment — walk through the assessment process internally or with a consultant to identify weaknesses.

How episki helps

episki automates the heaviest parts of assessment preparation. The platform generates a pre-mapped SSP template aligned to NIST SP 800-171, tracks your SPRS score in real time as you close gaps, and organizes evidence by control family. POA&M items are tracked with 180-day countdown timers and assigned owners. When your C3PAO arrives, they get a scoped portal with everything organized by assessment objective — reducing assessment time and back-and-forth. Start a free trial to see your current assessment readiness.
