Your formal CMMC assessment: A step-by-step guide to certification
A formal Cybersecurity Maturity Model Certification (CMMC) assessment is the official, third-party evaluation that verifies the security controls your company uses to protect Controlled Unclassified Information (CUI). It is the required route to CMMC Level 2 (C3PAO) certification, which DoD contracts involving CUI specify, and it checks your implementation of the 110 security requirements of NIST SP 800-171. The outcome is decided by a C3PAO (CMMC Third-Party Assessment Organization): each requirement is scored Met, Not Met or Not Applicable, and the overall result is either certified or not. With our expert guidance as your Compliance Partner, you can go into the assessment confident that you are prepared to pass and become certified. We will be there with you from the initial preparations to the final certification decision, ensuring a smooth and successful assessment.
The formal CMMC assessment process
Your CMMC assessment is conducted by a C3PAO, an independent body accredited by the Cyber AB. Our role is to ensure you are fully prepared and to support you throughout the entire process.
Phase 1: Pre-assessment and readiness validation
The C3PAO's assessment team will first review your readiness, an essential step in securing your certification. We work with you to provide the C3PAO with all necessary documentation, including:
System Security Plan (SSP): We present your SSP, which defines your CMMC Assessment Scope (the assets that process, store or transmit CUI, plus the security protection assets that defend them) and describes how each NIST SP 800-171 requirement is implemented.
POA&M: Your Plan of Action and Milestones (POA&M) will be provided to show how you are addressing any remaining security gaps. For a Level 2 certification assessment a POA&M is permitted only within limits: your score must be at least 88 of 110 (80 percent), no 3- or 5-point requirement may be left open (the one exception is SC.L2-3.13.11, CUI Encryption, when FIPS-validated cryptography is partially in place), and a handful of 1-point requirements such as AC.L2-3.1.20, AC.L2-3.1.22 and PE.L2-3.10.1 through 3.10.5 cannot be deferred at all. Anything left on the POA&M must be closed within 180 days of the assessment.
Evidence: We organize and submit all supporting evidence, such as policies, procedures, and system configurations, to demonstrate your compliance.
Review and approval: A C3PAO quality assurance professional reviews the pre-assessment package and the assessment plan before the assessment can officially begin.
Phase 2: The formal on-site or remote assessment
With the pre-assessment complete, the C3PAO begins the formal evaluation, typically conducted over several days. We are with you during every step of this phase, providing real-time support.
Kick-off meeting: The assessment begins with an in-briefing where we, along with your team, meet with the C3PAO assessors to review the scope and schedule.
Interviews: The assessors will interview key personnel to confirm their awareness and understanding of security procedures. We help prepare your team for these interviews so they can confidently explain their roles and prove your security processes are sound.
Technical testing: Using the examine, interview and test methods of NIST SP 800-171A, the assessment team will inspect your systems and network, observe controls in operation and run tests to verify that your technical controls are implemented correctly and effectively.
Document review and evidence collection: The C3PAO will review and collect documented evidence, including system logs, training records, and incident reports, to prove that your security practices are operational.
Daily checkpoints: The assessors will hold daily check-ins to communicate progress, raise any open items or missing evidence, and keep the assessment on schedule.
Phase 3: Reporting and quality review
After the assessment, the C3PAO team compiles its findings.
Preliminary findings: The assessment team will present an out-briefing on its findings, showing how each requirement was scored (Met, Not Met or Not Applicable) and which Not Met items, if any, are eligible for the POA&M.
Quality assurance: A separate C3PAO quality assurance professional reviews the assessment report to ensure accuracy before it is finalized and presented to you.
Submission: The final report, affirming your compliance, is submitted by the C3PAO to the CMMC instantiation of eMASS, which transmits your assessment status to the Supplier Performance Risk System (SPRS), with a copy of the report provided to your organization.
Phase 4: Certification
After a successful assessment, you will receive your certification.
Final certification: If every requirement is Met or Not Applicable, the C3PAO issues your certificate and you receive Final CMMC Level 2 (C3PAO) status. If an acceptable POA&M remains, you receive Conditional status, and a POA&M closeout assessment completed within 180 days converts it to Final. Certification is valid for three years from the assessment date.
Post-assessment support: We remain your Compliance Partner throughout the entire lifecycle. This includes assisting your Affirming Official with the annual affirmations of continued compliance that must be entered in SPRS to maintain your certification, and ensuring your security posture remains robust.