You’ve spent months preparing. Your SSP is written. Your evidence is organized. Your MSSP is briefed. And now the assessment is tomorrow morning and you have no idea what to expect.
This page walks through what actually happens during a CMMC Level 2 C3PAO assessment, from the opening meeting to the final handshake. The specifics vary by C3PAO and environment, but the general flow is consistent. Knowing the structure takes the surprise out of it, and surprise is the enemy of good performance.
Before the assessment
Your C3PAO will ask for documentation before they ever show up. Expect to submit your SSP, your POA&M (if you have one), your network diagram, your system inventory, and any supporting artifacts that map evidence to practices. Some C3PAOs ask for all of this 30 days in advance. Others want it two weeks out.
The quality of what you submit here directly affects how the assessment day goes. If your SSP is specific and your evidence is clearly labeled, the assessors arrive with context and spend less time asking basic questions. If your SSP is vague or the evidence package is disorganized, they’ll spend the first hour just trying to figure out what they’re looking at.
Label your evidence by practice ID. If you're providing a screenshot of your MFA policy for IA.L2-3.5.2, name the file IA-L2-3.5.2-MFA-ConditionalAccess.png and reference it in your SSP. Assessors review dozens of organizations. Making their job easier makes your assessment go smoother.
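A quick way to catch labeling problems before the package goes out, as an added example rather than anything from this page or from a C3PAO: the script below walks an evidence folder, flags files that don't follow the FAMILY-L2-x.y.z-Description.ext convention, lists evidence files the SSP never references by name, and lists practices the SSP claims that have no file behind them. The folder, the file names and the SSP snippet in demo() are constructed for the illustration; point audit_evidence() at your real folder and SSP text.

```python
"""Cross-check an evidence folder against the SSP before the assessors do.

Convention assumed here (not mandated by CMMC): each evidence file is named
<FAMILY>-L2-<requirement>-<description>.<ext>, e.g.
IA-L2-3.5.2-MFA-ConditionalAccess.png, the SSP names practices as IA.L2-3.5.2,
and the SSP cites evidence by file name.
"""
import re
import tempfile
from pathlib import Path

# File names: family, level, requirement number, free-text description, extension
FILE_ID = re.compile(r"^([A-Z]{2})-L2-(3\.\d{1,2}\.\d{1,2})-[\w.-]+\.[A-Za-z0-9]+$")
# Practice IDs as written in the SSP body text
SSP_ID = re.compile(r"\b([A-Z]{2})\.L2-(3\.\d{1,2}\.\d{1,2})\b")


def practice_id(family: str, requirement: str) -> str:
    return f"{family}.L2-{requirement}"


def audit_evidence(evidence_dir: Path, ssp_text: str) -> dict:
    """Return the three gaps an assessor would otherwise find for you."""
    mislabeled, by_practice = [], {}
    for path in sorted(evidence_dir.iterdir()):
        match = FILE_ID.match(path.name)
        if not match:
            mislabeled.append(path.name)          # assessor can't map this to a practice
            continue
        by_practice.setdefault(practice_id(*match.groups()), []).append(path.name)

    ssp_practices = {practice_id(*m.groups()) for m in SSP_ID.finditer(ssp_text)}
    # Evidence the SSP never points at: the assessor won't know why it exists
    unreferenced = sorted(
        name for files in by_practice.values() for name in files if name not in ssp_text
    )
    # Practices the SSP describes with nothing in the folder to back them up
    no_evidence = sorted(ssp_practices - by_practice.keys())
    return {"mislabeled": mislabeled, "unreferenced": unreferenced, "no_evidence": no_evidence}


def demo() -> dict:
    """Constructed sample package; names and SSP text are illustrative only."""
    root = Path(tempfile.mkdtemp())
    for name in (
        "IA-L2-3.5.2-MFA-ConditionalAccess.png",
        "AC-L2-3.1.1-Q3-AccessReview-Signed.pdf",
        "AC-L2-3.1.1-Q4-AccessReview-Signed.pdf",   # real file, but the SSP never cites it
        "AU-L2-3.3.1-SIEM-AuditPolicy.png",         # practice not mentioned in the SSP at all
        "screenshot (3).png",                       # not labeled by practice ID
    ):
        (root / name).write_bytes(b"placeholder")
    ssp = (
        "AC.L2-3.1.1: Access is reviewed quarterly by the IT Director; see "
        "AC-L2-3.1.1-Q3-AccessReview-Signed.pdf.\n"
        "IA.L2-3.5.2: MFA is enforced through Conditional Access; see "
        "IA-L2-3.5.2-MFA-ConditionalAccess.png.\n"
        "SC.L2-3.13.11: FIPS-validated cryptography protects CUI in transit.\n"
    )
    return audit_evidence(root, ssp)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

Run it against the real folder in the week before submission, then again after the last edits to the SSP; the unreferenced and no_evidence lists are the ones that turn into first-hour questions from the assessors.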
Who should be in the room
From your side: The person who knows your security program best (often the IT Director, security lead, or whoever wrote the SSP). If you use an MSP or MSSP, they belong in the room too: not on standby, not reachable by phone, but present for every practice they are involved in. The MSSP operates your tools, reviews your logs, and runs your SOC, so they need to explain that to the assessor directly.
From the C3PAO: Typically a lead assessor and one or two supporting assessors. For a small contractor, it might be just two people.
Who should NOT be in the room: Your CEO (unless they’re also the technical lead), your lawyer, or anyone who might try to argue with the assessor. The assessment is a conversation, not a negotiation.
The opening meeting (30-60 minutes)
The assessment starts with introductions. The C3PAO lead assessor explains the process: what they’ll evaluate, how the scoring works, what MET/NOT MET/NOT APPLICABLE means, and how findings get documented. They’ll confirm the scope (your CUI boundary, which systems are in play, which locations are assessed).
This is also when they confirm logistics: how long they expect the assessment to take, break schedules, what access they’ll need to your systems, whether anything will be demonstrated live vs. reviewed from documentation.
For a small contractor with 10-50 people and a straightforward environment, expect the full assessment to take 2-4 days. Complex environments or multiple locations take longer.
Don’t try to impress anyone during the opening meeting. Listen, confirm scope, answer questions directly. The real work starts next.
Document review (varies, sometimes done before the on-site)
The assessors work through your SSP practice by practice. For each one, they’re checking: does the SSP describe how this practice is implemented in your specific environment? Is it specific enough to verify? Does it match the evidence you’ve provided?
If your SSP says “access is reviewed quarterly by the IT Director” (a typical way to evidence AC.L2-3.1.1), the assessor is going to look for quarterly access reviews signed by your IT Director. If the SSP says one thing and the evidence says another, that’s a finding.
Some C3PAOs do the full document review before the on-site visit and arrive with a list of questions and clarification requests. Others do it on-site during the first day. Either way, the document review drives everything that follows.
Practice-by-practice evaluation (the bulk of the assessment)
This is where most of the time goes. The assessors work through the 110 practices, usually grouped by family (all the Access Control practices together, then Audit, then IR, etc.). For each practice, the pattern is:
1. The assessor references your SSP. “Your SSP says you do X. Walk me through how that works.”
2. You explain it. Two sentences. Maybe three. Not a speech. Connect what you’re about to show to what the SSP says.
3. You show evidence. Pull up the specific thing. Conditional Access policy. Audit log configuration. Signed access review. Patch report. Whatever the practice requires. If you’re sharing your screen, narrate briefly: “Here’s our Conditional Access policy. You can see MFA is required for all users, no exceptions.”
4. The assessor asks follow-up questions. These range from “who reviews this?” to “what happens if [edge case]?” to “show me the last time this actually triggered.” Answer directly. If you don’t know, say “I don’t know, but I can find out” rather than guessing.
5. The assessor scores it. MET, NOT MET, or NOT APPLICABLE. They may not tell you the score in the moment for every practice. Some assessors share as they go. Others compile everything and share at the end.
The most common failure pattern isn't getting a practice wrong. It's giving a vague answer that triggers deeper questions, which reveals a gap you didn't prepare for. If your first answer is specific and matches your SSP, assessors typically move on. If your first answer is wishy-washy, they dig. And once they're digging, they're looking for problems.
Live demonstrations
For many practices, the assessor will want to see the actual system, not just a screenshot. Expect to share your screen and show:
- Your identity provider (Entra ID, Active Directory) with user roles and group assignments
- Conditional Access policies configured and active
- Your EDR console showing all endpoints enrolled
- Audit log configurations in your SIEM or log management tool
- Patch management reports showing recent deployments
- Firewall rules and FIPS mode configuration
- Your MDM (Intune) showing device compliance status
Have all of these ready to pull up within 30 seconds. Don’t fumble around looking for the right admin portal while the assessor watches. Open the tabs before the session starts. If your MSSP runs these tools, they should be the ones sharing their screen and walking through it.
Breaks and pacing
Assessments aren’t a single marathon session. There are breaks. There’s lunch. The assessors need time to confer and document findings. Don’t read anything into how long they spend on a particular practice or whether they take an extra break after a tough section.
If you need a minute to pull up evidence for a practice that wasn’t pre-staged, ask for it. “Can we come back to that one in five minutes? I need to pull the report.” That’s fine. What’s not fine is guessing or describing evidence you can’t actually produce.
How scoring works
Each practice gets scored as:
MET means you’ve demonstrated that the practice is implemented as described in your SSP and you have evidence to support it.
NOT MET means there’s a gap. Either the practice isn’t implemented, the evidence doesn’t support the SSP, or you couldn’t demonstrate it.
NOT APPLICABLE is uncommon at Level 2 but possible for a few practices, depending on your environment (if there are no wireless networks inside your CUI boundary, the wireless practices can be N/A). An N/A practice is scored as MET, so it costs you nothing, but the SSP has to justify it and the assessor has to agree.
To get a Final Level 2 certification, every practice must be MET (or N/A). You can still come out with a Conditional certification if your score is at least 88 out of 110 and every NOT MET practice is eligible for a POA&M. Eligibility is narrow: only 1-point practices qualify, with one exception, SC.L2-3.13.11 (FIPS-validated cryptography), which can sit on the POA&M at 3 points if you are encrypting CUI but with modules that aren’t FIPS-validated. Five 1-point practices (AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5) can never go on a POA&M. A NOT MET on any other 3- or 5-point practice means no certification until it is fixed and reassessed. POA&M items must be closed within 180 days. The cleanest outcome is meeting everything; a POA&M isn’t a free pass to skip hard practices and deal with them later.
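To make the pass/conditional arithmetic concrete, here is an added example (not from this page, the rule text, or any official scoring tool) that scores a set of verdicts under those rules: N/A counts as MET, the Conditional floor is 88/110, only 1-point practices go on a POA&M, FIPS encryption can be on it at 3 points, and five 1-point practices are barred. The point values in SAMPLE_WEIGHTS are an illustrative subset; the authoritative per-practice values are in the DoD Assessment Methodology, and a real run loads all 110 from it.

```python
"""Work out Final / Conditional / not certified from a set of practice verdicts."""
from dataclasses import dataclass

TOTAL_POINTS = 110
CONDITIONAL_MINIMUM = 88            # 80% of 110
FIPS_CRYPTO = "SC.L2-3.13.11"
NEVER_ON_POAM = {                   # 1-point practices the rule bars from a POA&M
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}

# Illustrative subset of point values. The authoritative table is the DoD
# Assessment Methodology; load all 110 entries from it for a real run.
SAMPLE_WEIGHTS = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.16": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "AU.L2-3.3.1": 5, "CM.L2-3.4.9": 1, "IA.L2-3.5.3": 5, "PE.L2-3.10.3": 1,
    "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1, "RA.L2-3.11.3": 1, "SC.L2-3.13.11": 5,
}


@dataclass
class Outcome:
    score: int
    status: str            # "final", "conditional" or "not certified"
    poam: list             # NOT MET practices that may go on a POA&M
    blockers: list         # NOT MET practices that may not, so no certification


def score_assessment(verdicts: dict, weights: dict, fips_partial: bool = False) -> Outcome:
    """verdicts maps practice ID -> 'MET', 'NOT MET' or 'N/A'.

    Practices absent from `verdicts` are treated as MET to keep the sample
    short; a real run passes all 110. `fips_partial` is the one partial-credit
    case the rule names: encryption is in place but not FIPS-validated.
    """
    deductions, poam, blockers = 0, [], []
    for practice, verdict in verdicts.items():
        if verdict != "NOT MET":            # MET and N/A both cost nothing
            continue
        weight = weights[practice]
        if practice == FIPS_CRYPTO and fips_partial:
            weight = 3
        deductions += weight
        poam_allowed = (weight == 1 and practice not in NEVER_ON_POAM) or (
            practice == FIPS_CRYPTO and fips_partial
        )
        (poam if poam_allowed else blockers).append(practice)

    score = TOTAL_POINTS - deductions
    if deductions == 0:
        status = "final"
    elif score >= CONDITIONAL_MINIMUM and not blockers:
        status = "conditional"
    else:
        status = "not certified"
    return Outcome(score, status, sorted(poam), sorted(blockers))


if __name__ == "__main__":
    # Two 1-point gaps plus non-validated crypto: 105/110, Conditional with a POA&M
    print(score_assessment(
        {"CM.L2-3.4.9": "NOT MET", "RA.L2-3.11.3": "NOT MET",
         FIPS_CRYPTO: "NOT MET", "AC.L2-3.1.16": "N/A"},
        SAMPLE_WEIGHTS, fips_partial=True))
    # One 1-point gap on a practice barred from the POA&M: 109/110 and still no certification
    print(score_assessment({"AC.L2-3.1.20": "NOT MET"}, SAMPLE_WEIGHTS))
```

The second case in the usage block is the one that surprises people: the score is almost perfect, but the gap is on a practice the rule refuses to let you defer, so the outcome is the same as missing a 5-point practice.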
The closing meeting (30-60 minutes)
At the end of the assessment, the lead assessor presents preliminary findings. This isn’t the final report (that comes later in writing), but they’ll tell you which practices were MET and which were NOT MET, and they’ll explain what the gaps are.
This is NOT the time to argue. If you disagree with a finding, you can ask clarifying questions: “Can you walk me through what you were looking for on that practice?” But the closing meeting is informational, not a negotiation. The formal report follows, and there’s a process for addressing findings.
If you passed cleanly, the assessors will tell you. If you have conditional findings, they’ll explain the POA&M path.
After the assessment
If you passed: The C3PAO records the results in CMMC eMASS, which feeds SPRS, and a senior official at your company affirms compliance there. Final Level 2 certification is valid for three years, with an affirmation required every year.
If you have conditional findings: You have 180 days from the conditional certification date to close every item on your POA&M. A C3PAO then performs a POA&M closeout assessment and needs evidence that each gap is actually remediated. Once that is verified, your status becomes Final. If the POA&M isn’t closed within 180 days, the conditional status expires and you need a new assessment.
If you did not pass: You can remediate and schedule a reassessment. There’s no penalty beyond the cost of another assessment and the time it takes to fix the issues.
Regardless of the outcome, do a debrief with your team and your MSSP within a week while everything is fresh. What went well? Where did you stumble? What evidence was harder to produce than expected? Use it to improve, whether for your next annual affirmation or to help someone else on your team handle the next one.
Timeline summary
| Phase | What happens | Duration |
|---|---|---|
| Pre-assessment | Submit SSP, evidence, documentation | 2-4 weeks before |
| Opening meeting | Introductions, scope confirmation, logistics | 30-60 min |
| Document review | Assessors review SSP against evidence | Hours to 1 day |
| Practice evaluation | Walk-through of 110 practices with evidence | 1-3 days |
| Live demonstrations | Screen sharing, system walkthroughs | Integrated throughout |
| Closing meeting | Preliminary findings, MET/NOT MET summary | 30-60 min |
| Final report | Written report from C3PAO | 1-2 weeks after |
| POA&M closure (if needed) | Remediate gaps, C3PAO closeout assessment of the POA&M items | Up to 180 days |
Ready to prepare for specific practices? The practice pages cover the hardest controls with what to show, what to say, and what trips people up. If you’re earlier in your prep, the Start Here guide walks through the first steps.