Skip to content

CMMC Assessment Process

What is a CMMC Level 2 Assessment?

A CMMC Level 2 assessment is an assessment of your cybersecurity controls to confirm you can protect Controlled Unclassified Information (CUI) at the level your contract requires. Only an authorized C3PAO can perform this assessment.

What is the CMMC Level 2 Assessment Process?

Preparation typically starts with scoping, documentation, and a readiness review. Completing a CMMC mock Level 2 assessment is highly recommended. The organization should not start a mock until they have a complete assessment package and are ready for the certification assessment. During the mock assessment, you will gain a better understanding of what the C3PAO requires in order to assess an objective as met. There is time to make changes and submit evidence for re-evaluation during the mock assessment and there is no limit on the types of changes allowed.

A mock assessment generally includes:

  • Gathering documentation, artifacts, and evidence to evaluate your readiness.
  • Assessing your security posture across all 110 Level 2 controls and their 320 security objectives.
  • Your team understanding the interview process and what types of questions the assessor will ask.
  • The mock assessment does not provide a guarantee of a successful certification assessment.

Once remediation is complete, the formal Level 2 assessment begins. The C3PAO team collects evidence, validates your implementation, scores your practices, and prepares the assessment package for submission. Upon attaining a CMMC Status of Final Level 2 (C3PAO) the certification is valid for three years unless there are any significant changes to the CMMC environment.

What Happens After Certification?

Once certified, your controls must stay in place for the full three years to maintain your certification. Significant changes to the environment may result in the need for a new CMMC Level 2 Certification Assessment. Annually you are required to perform a self-assessment, load the score into SPRS and the Affirming Official must attest that you are still in compliance with all 320 CMMC Level 2 assessment objectives.

Annual compliance assurance helps you verify ongoing compliance, reduce risk, and stay ready for recertification. It also provides peace of mind for your Affirming Official as they attest to compliance each year. False attestation, even if you believe the attestation is accurate, can result in prosecution under the false claims act.

The Right C3PAO Makes the Difference

Your CMMC Level 2 experience is defined by the C3PAO guiding you through it. A C3PAO with high standards and clear communication makes the process easier to follow, easier to prepare for, and easier to manage from beginning to end.

McKonly & Asbury brings open and frequent communication to the table for every engagement. We are an authorized C3PAO for CMMC Level 2 certification and were among the first 34 authorized in the Cyber AB Marketplace. Our team brings more than 15 years of experience in NIST 800-53 and NIST 800-171, giving you a knowledgeable partner from planning through certification.

  • CMMC Level 2 Mock Assessment: Follows the same process as the CMMC Level 2 Certification Assessment without the DoW reporting components. The final result is a status of all 320 assessment objectives with a clear explanation of why any objective is listed as not met. This does not provide any guarantees of a successful certification assessment but does provide valuable insight into the process and any areas that may need remediation.
  • CMMC Level 2 Certification Assessment: As a C3PAO, we are required to follow the steps defined in the CMMC Level 2 Assessment Process (CAP) from the Cyber AB. The stages of Planning, Pre-Assessment, Assess Objectives and Reporting must be followed in order for a C3PAO to maintain authorization/accreditation as a C3PAO.
  • CMMC Level 2 Annual Compliance: M&A offers this service to provide assurance that the CMMC environment is still in compliance with the current CMMC Level 2 Assessment Objectives. Having an annual compliance review conducted on interim years supports the CMMC score entered into SPRS and also reduces the risk of surprises during the CMMC Level 2 Certification Assessment.

CMMC Level 2 Assessment Process

Our process for the CMMC Level 2 Assessments follows the same steps with the exception that the CMMC Level 2 Certification Assessment includes the mandatory eMASS reporting.

  1. Planning and Scoping: Define scope, timelines, schedules, and key documentation readiness. Information will be provided so you are aware of the scheduled events and what you need to do.
  2. Pre-assessment: Assess the CMMC Level 2 package, verify the scope, and determine that sufficient documentation and evidence is available to begin the assessment.
  3. Assess the Objectives: Assess all 320 security requirement objectives and verify sufficient evidence is provided to support a determination that the objective is Met, Not Met or N/A. This process includes frequent checkpoints where the status of the objectives is communicated. We communicate clearly why any objective is not met and what is missing. M&A will not provide any guidance or consultation on how to remediate a not met objective.

Industry Involvement

CMMC Assessment Process Frequently Asked Questions

Any contractor or subcontractor who wants to bid on a DoW contract that has CMMC Level 2 Certification (C3PAO) requirements. The required level is contract-specific and should be reflected in contract language.

Your required level depends on the contract and the type of information you handle. In general, Level 1 aligns to FCI, Level 2 aligns to CUI, and Level 3 is for the highest-priority programs with government oversight.

A mock assessment is a preliminary assessment that follows all but the DoW reporting steps of the certification assessment. There are many gray areas in the CMMC rules and C3PAOs use auditor’s judgement when conducting the assessments. This results in somewhat varied interpretations of the assessment objective. The mock assessment makes sure your interpretation of requirements aligns with the C3PAO’s interpretation prior to conducting the certification assessment when results are reported to DoW.

A C3PAO cannot assist with CMMC implementation and perform the official CMMC assessment for the same organization. To avoid conflicts of interest, C3PAOs are prohibited from consulting on implementation if they will also conduct the certification assessment. Organizations seeking implementation support should engage a Registered Practitioner Organization (RPO) or a C3PAO that provides readiness support. If a C3PAO helps you prepare, you must use a different C3PAO for the CMMC Level 2 Certification Assessment. A mock assessment does not provide a gap analysis or assist in preparing for a CMMC Level 2 Certification Assessment. The C3POA will follow all of the independence and impartiality rules that apply to a CMMC Level 2 Certification assessment when conducting the mock and therefore maintain the independence to conduct the CMMC Level 2 Certification assessment.

If your organization does not pass the CMMC Level 2 Certification assessment, you will receive a detailed results report showing each of the 320 security requirements as Met, Not Met, or Not Applicable (N/A). For any requirement marked Not Met, the report will explain why the assessment objective was Not Met. To pursue certification, you must remediate the Not Met assessment objectives and then re-engage a C3PAO to complete the full CMMC Level 2 certification assessment again. To reduce the risk of rework and delays, McKonly & Asbury recommends a CMMC Level 2 full mock assessment with your selected C3PAO as part of your preparation for the CMMC Level 2 Certification Assessment.

Phased implementation of CMMC requirements is underway with November 10, 2026 as the date contracts are required to include CMMC Status of Final Level 2 (C3PAO) requirements when CUI is involved. Contracting Officers are already adding the CMMC Status of Final Level 2 (C3PAO) to contracts and are not waiting since they can add this language at their discretion. Because compliance often takes months of preparation, starting early helps avoid delays.

CMMC Certification Solutions

How Can We Help?

By leveraging our tiered cybersecurity services, you can prepare your organization to meet DoW and industry-related cybersecurity standards. Explore our suite of security audit and assessment solutions:

  • CMMC Level 2 Mock Assessment (Non Certified)
  • CMMC Level 2 Certification Assessment (C3PAO)
  • CMMC Annual Level 2 Assessment (Non Certified)

View all CMMC Insights

Read More

Thought Leadership

Featured Team Members

David Hammarberg

David Hammarberg

Partner
Elaine Nissley

Elaine Nissley

Director
Michael Murray

Michael Murray

Manager
  Contact Us