Preparing for Your C3PAO Assessment: A 90-Day Playbook

Scheduling your CMMC Level 2 assessment with a C3PAO is a major milestone, but the real work happens in the months leading up to it. This 90-day playbook provides a structured approach to assessment preparation, assuming you have already implemented your security controls and have an SSP in place.

Days 1-30: Document Review and Gap Closure

Week 1-2: SSP completeness check. Review every one of the 110 security requirement descriptions in your SSP. For each one, ask: does this accurately describe what we do today? Is the evidence referenced still current? Are the responsible parties still in their roles? Update anything that has drifted since your last review.

Week 2-3: Evidence inventory. For each requirement, verify that your evidence artifacts exist, are current, and actually demonstrate implementation. An assessor will ask to see proof — configuration screenshots, policy documents, training records, scan reports, and access reviews. Organize evidence by control family for quick retrieval.

Week 3-4: POA&M review. If you have open POA&M items, determine which ones can be closed before the assessment. Under CMMC, a limited number of requirements can remain on POA&M at assessment time, but the fewer open items, the better. Close everything you can and update completion dates for items that will remain open.

Days 31-60: Internal Assessment

Week 5-6: Conduct a mock assessment. Walk through every requirement as if you were the assessor. Interview the people responsible for each control area. Ask them to demonstrate the control, show the evidence, and explain the process. Document any gaps or weaknesses you find.

Week 7-8: Remediate findings. Address every gap identified in the mock assessment. This might mean updating configurations, conducting additional training, generating missing evidence, or updating documentation. Do not leave remediation to the last 30 days.

Days 61-90: Final Preparation

Week 9-10: Evidence packaging. Organize your assessment package: the SSP, the POA&M, network diagrams, data flow diagrams, hardware and software inventory, and all supporting evidence. Create an evidence index that maps each requirement to its supporting artifacts. Make it easy for the assessor to find what they need.

Week 11-12: Logistics and personnel. Confirm the assessment schedule with your C3PAO. Identify the personnel who will participate in assessor interviews — these should be the people who actually perform the work, not managers reading from scripts. Brief all participants on what to expect: be honest, be specific, and if you do not know the answer, say so.

Assessment Day Tips

Be transparent. Assessors are not adversaries — they are evaluating whether your controls are implemented and effective. If a control is partially implemented, explain what works and what you are still developing. Trying to hide gaps will damage your credibility and potentially result in a worse outcome than honest disclosure.
