The practice pages on this site tell you what to prepare. This page tells you how to present it.

Most assessment failures aren’t because the evidence doesn’t exist. They’re because nobody in the room could find it, explain it, or connect it back to the SSP when the assessor asked.

Prepare your evidence package early

The C3PAO will ask for documentation before the assessment. How they want it varies. Some will share a general folder and let you upload whatever you want. Others will give you a very specific folder structure, exact naming conventions, and a detailed list of what evidence they want for each practice. Follow their instructions to the letter.

Either way, organize well, even if they don’t require it. Practice-by-practice folders, then sub-folders by evidence type (screenshots, policies, logs, etc.). Label everything clearly. If the assessor can open a folder for AC.L2-3.1.5 and immediately find the user-admin matrix, the access review records, and the role change tickets without asking you where anything is, you’re ahead.

The quality of this package has a massive impact on how the assessment goes. A well-organized, clearly labeled evidence package means the assessor walks in having already reviewed most of your documentation. The live assessment becomes “let me confirm a few things” instead of “show me everything from scratch.” It affects how much they scrutinize, how many follow-ups they need, and how long the whole thing takes.
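One way to keep that discipline honest before you hand the package over is to run a checker over the folder tree. The script below is an added example, not something from the original page or any C3PAO: it walks a practice-by-practice tree, flags loose files, mis-named folders and practices with no evidence at all, and writes a plain-text manifest the assessor can navigate. The practice-ID pattern is inferred from the AC.L2-3.1.5 example above, the evidence-type folder names are assumptions you should align with your C3PAO's instructions, and the sample tree it builds is constructed for the demo.

```python
"""Evidence package checker: verifies a practice-by-practice folder tree
and produces a manifest the assessor can navigate. Added example; the
folder conventions here are assumptions, not any C3PAO's requirements."""
import re
import tempfile
from pathlib import Path

# Practice IDs in the CMMC style, e.g. AC.L2-3.1.5 (pattern assumed from that example).
PRACTICE_RE = re.compile(r"^[A-Z]{2}\.L2-3\.\d{1,2}\.\d{1,2}$")

# Evidence-type sub-folders; assumed names, adjust to what your C3PAO asks for.
EVIDENCE_TYPES = ("policies", "screenshots", "logs", "tickets")


def check_package(root):
    """Walk root and return (manifest, problems).

    manifest: practice id -> {evidence type -> [file names]}
    problems: human-readable strings describing anything the assessor would
    have to ask you about instead of simply finding it."""
    root = Path(root)
    manifest = {}
    problems = []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            problems.append(f"loose file at top level: {entry.name}")
            continue
        if not PRACTICE_RE.match(entry.name):
            problems.append(f"folder name is not a practice id: {entry.name}")
            continue
        manifest[entry.name] = {}
        total = 0
        for sub in sorted(entry.iterdir()):
            if not sub.is_dir():
                problems.append(f"{entry.name}: file not filed by evidence type: {sub.name}")
                continue
            if sub.name not in EVIDENCE_TYPES:
                problems.append(f"{entry.name}: unknown evidence type folder: {sub.name}")
                continue
            files = sorted(p.name for p in sub.iterdir() if p.is_file())
            manifest[entry.name][sub.name] = files
            total += len(files)
        if total == 0:
            problems.append(f"{entry.name}: no evidence files at all")
    return manifest, problems


def write_manifest(manifest, path):
    """Write a plain-text index, one line per file as practice/type/file.
    Returns the number of files indexed."""
    lines = [f"{p}/{t}/{f}" for p in manifest for t in manifest[p] for f in manifest[p][t]]
    Path(path).write_text("\n".join(lines) + "\n")
    return len(lines)


def build_sample_package(root):
    """Constructed sample tree (placeholder files, not real evidence)."""
    root = Path(root)
    (root / "AC.L2-3.1.5" / "screenshots").mkdir(parents=True)
    (root / "AC.L2-3.1.5" / "screenshots" / "user-admin-matrix.png").write_bytes(b"png")
    (root / "AC.L2-3.1.5" / "tickets").mkdir()
    (root / "AC.L2-3.1.5" / "tickets" / "role-change-2024-Q1.pdf").write_bytes(b"pdf")
    (root / "AC.L2-3.1.1" / "logs").mkdir(parents=True)  # empty practice: flagged
    (root / "misc").mkdir()                               # bad folder name: flagged
    (root / "notes.txt").write_text("loose file")         # loose top-level file: flagged
    return root


def run_demo():
    """Build the sample tree in a temp dir, check it, and write its manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        manifest, problems = check_package(tmp)
        count = write_manifest(manifest, Path(tmp) / "MANIFEST.txt")
        return manifest, problems, count


if __name__ == "__main__":
    m, probs, n = run_demo()
    print(f"{n} evidence files indexed")
    for p in probs:
        print("PROBLEM:", p)
```

Run it against the real package root instead of the temp directory and treat every line it prints as a question the assessor would otherwise have to ask. The manifest file doubles as the "where is everything" answer you can hand over with the package.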

Have the right people in the room

You’ll typically have at least two assessors. At least one of them is usually technical. At least one of them is going to be very detail-oriented. Sometimes that’s the same person.

On your side, you need the people who actually do the work. If your MSSP runs your SIEM, your MSSP needs to be in the room. If your IT director manages access control, your IT director needs to be there. If your FSO handles reporting, your FSO needs to be available. Your MSSP should be present for every practice they’re involved in. They should be able to explain what they do, show the evidence from their systems, and answer technical follow-ups without needing coaching from you.

If your MSSP also provides compliance program management, they’ll already know what the assessor is going to ask and how to demonstrate it. That’s the model that works.

Don’t put someone in the room who has to read from the SSP to answer questions. The assessor can read the SSP themselves. They want to talk to the person who lives it.

The pregame

At least a week before the assessment, get everyone who will be in the room on a call. Go through what to expect. Cover the rules. This is the coaching session, and it matters.

The rules are simple:

Only answer what is asked. Don’t volunteer extra information. Don’t give a five-minute speech about your security program. Don’t provide helpful context the assessor didn’t request. It’s natural to want to be thorough. Resist it. If they want more, they’ll ask. This can feel rude. It is not.

Precision of language. Be precise in the vocabulary you use. Words matter. If your SSP says “quarterly review,” don’t say “we check it every once in a while.” If the assessor asks about incidents, don’t accidentally describe alerts as incidents. If you say “we always do X,” you’d better always do X. Sloppy language creates follow-up questions that you don’t want.

Don’t say “yeah, usually, BUT…” The worst thing someone can do in an assessment is volunteer an exception. “Yeah we do that most of the time, but there was this one case where…” just opened a door the assessor is now required to walk through. If the assessor asks whether you do something and the answer is yes, the answer is yes. Stop there.

Know how to hand off. If someone gets a question they’re not confident about, they should have a smooth way to pass it. “I think [name] can speak to that better than I can” is fine. Work this out beforehand. Know who covers what. The pregame call is where you figure out the handoff choreography so it doesn’t look like confusion in the assessment.

If you don’t know, say so. “I’d need to check on that, let me pull it up” is fine. “I think so” followed by something wrong is not. The assessor is evaluating your program, not testing your memory. Looking something up to give an accurate answer is professional. Guessing is how you get findings.

Run a back channel

During the assessment, have a group chat running with your entire team. MSSP staff, contractor key people, whoever is participating. Not the assessors. Your side only.

This is where you coordinate in real time. If someone gets a question and isn’t sure of the answer, someone else in the chat might know exactly where to find it. If the assessor asks for something and the person presenting needs a minute, the back channel is where someone else is already pulling it up.

This is standard practice. Use it.

Screen sharing discipline

Only share the specific window or screen the assessor is asking about. Don’t share your entire desktop. Don’t pull up your whole Azure portal and start clicking around looking for the right page.

Use your browser’s zoom feature to narrow down exactly what you’re showing. Go directly to the relevant screen, show it, briefly explain what’s there, and wait for the next question.

And make absolutely sure your notifications are off. If your boss sends you a Teams message saying something… candid… about the assessor while your screen is shared, that’s a problem you can’t undo. Turn off all notifications on whatever device you’re presenting from. All of them.

When you can’t answer right away

If you can’t find something, if a system is down, if you can’t log in, if you need time to track down the right query, that’s fine. Ask the assessor if you can demonstrate it later. They’ll almost always agree to move on and circle back. It’s better than having ten people sitting in silence for fifteen minutes while someone hunts through the SIEM for a specific log entry.

The assessor keeps a list of open items. There usually isn’t a hard deadline other than the overall assessment timeline. As long as the evidence actually exists and you can show it before the assessment closes out, you’re fine.

What you can’t do is use that time to create evidence that doesn’t exist or change configurations mid-assessment. That’s not “finding the answer.” That’s cheating.

Know your SSP

Every answer should connect back to the SSP. The assessor is checking whether what you say matches what’s written, and whether both match what’s actually configured.

If your SSP says logs are reviewed weekly by the SOC team, and the assessor asks about log review, the answer should confirm that and show the evidence. If the answer doesn’t match the SSP, that’s a gap.

Read your SSP before the assessment. Make sure everyone in the room knows what it commits to. If something has changed since the SSP was last updated, update the SSP before the assessment.

If you have a gap, be upfront

If you’re missing something, don’t try to talk around it. The assessor will see through it.

“We don’t have that in place yet. Here’s our POA&M entry with the timeline and milestones” is a real answer. Pretending you have something you don’t is always worse than being honest about a gap.

If the assessors visit your office

If your physical security procedures include a visitor sign-in process and visitor badges, make sure the assessors follow that process when they arrive. Before anything else happens. Before they sit down, before they open a laptop, before you start the assessment. Sign them in. Give them a badge.

The assessor is literally there to evaluate whether your security controls work. If they walk past your visitor sign-in sheet without signing it, you just demonstrated that your physical access control procedure isn’t being followed. And they noticed.

This page covers general assessment room advice for CMMC Level 2. The guidance here is based on experience in real assessments and is intended to help you prepare. It is not legal or compliance advice.