Managing Assessment Challenges
- Unexpected questions: Designate a "parking lot" for questions that need research. Assessors generally allow reasonable follow-up time.
- Discrepancies: If an assessor identifies a discrepancy between documentation and reality, acknowledge it immediately rather than defending the documentation.
- Scope creep: If assessors question systems or processes outside the defined scope, refer back to the agreed-upon scoping documentation from the pre-assessment call.
- Fatigue: Assessments are intense multi-day events. Rotate support personnel to keep the core team fresh.
---
Post-Assessment: Handling Findings, POA&Ms, and Remediation
The assessment does not end when assessors leave. Understanding the post-assessment process is critical, especially if you receive Conditional Status.
Assessment Outcomes
- Final CMMC Status (often called full certification; the rule's term is Final Level 2 (C3PAO) status): All 110 requirements scored MET. Certification is valid for 3 years with annual affirmation.
- Conditional CMMC Status: Weighted assessment score of at least 80% (88 of 110 points; each requirement is worth 1, 3, or 5 points under the CMMC scoring methodology) and every NOT MET requirement eligible for a POA&M. You have 180 days to remediate and pass a POA&M closeout assessment.
- Assessment failure: Score below 80%, or any NOT MET requirement that is not POA&M-eligible (for example, the 5-point multi-factor authentication requirement), regardless of score. You must remediate and schedule a new full assessment. There is no mandated waiting period, but you will need to address systemic issues before re-engagement.
Conditional Status: The 180-Day Clock
If you receive Conditional Status, the 180-day remediation clock starts immediately. During this period:
- Prioritize remediation based on the POA&M items identified during assessment
- Implement fixes and collect new evidence demonstrating compliance
- Update your SSP to reflect the remediated state of each control
- Schedule the closeout assessment with a C3PAO (can be the same or different C3PAO)
- Undergo closeout verification where assessors confirm all POA&M items are resolved
If you miss the 180-day deadline, your Conditional Status expires and you must start the full assessment process over. Factor this timeline into your contract planning.
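The outcome rules above are easy to misapply because the 80% threshold is a weighted score, not a count of MET requirements, and a single NOT MET 5-point requirement fails the assessment even at a 95% score. The following is an added example (not code from the original page or from Cabrillo Club) that encodes the decision logic from 32 CFR 170.21 and computes the closeout deadline. The point-value table is a constructed sample covering only a few requirements; a real calculation needs all 110 values from the CMMC scoring methodology. The status date used for the 180-day clock is an assumed input.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110
CONDITIONAL_THRESHOLD = 0.8   # score / 110 must be >= 0.8, i.e. >= 88 points
POAM_CLOSEOUT_DAYS = 180      # POA&M must be closed out within 180 days

# Constructed sample of point values (1, 3 or 5) from the CMMC scoring
# methodology. Only a handful of the 110 requirements are listed here.
POINT_VALUES = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "AT.L2-3.2.3": 1, "AU.L2-3.3.1": 5, "CM.L2-3.4.4": 1, "IA.L2-3.5.3": 5,
    "PE.L2-3.10.3": 1, "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1,
    "SC.L2-3.13.11": 5, "SC.L2-3.13.16": 1, "SI.L2-3.14.3": 1,
}

# One-point requirements that may never be deferred to a POA&M.
NEVER_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22",
              "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}

# CUI encryption: 3 points (not 5) when encryption is employed but not yet
# FIPS-validated, and that partial case is POA&M-eligible.
CUI_ENCRYPTION = "SC.L2-3.13.11"


@dataclass
class Finding:
    requirement: str
    partial: bool = False   # only meaningful for SC.L2-3.13.11


def deduction(finding: Finding) -> int:
    """Points subtracted for one NOT MET requirement."""
    if finding.requirement == CUI_ENCRYPTION and finding.partial:
        return 3
    return POINT_VALUES[finding.requirement]


def poam_eligible(finding: Finding) -> bool:
    """May this NOT MET requirement be carried on a POA&M?"""
    if finding.requirement in NEVER_POAM:
        return False
    if finding.requirement == CUI_ENCRYPTION:
        return deduction(finding) <= 3
    return deduction(finding) == 1


def score(findings: list) -> int:
    """Weighted score: 110 minus the deductions for every NOT MET item."""
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def outcome(findings: list) -> str:
    """'Final', 'Conditional' or 'Fail' per the Level 2 assessment rules."""
    if not findings:
        return "Final"
    meets_threshold = score(findings) / TOTAL_REQUIREMENTS >= CONDITIONAL_THRESHOLD
    if meets_threshold and all(poam_eligible(f) for f in findings):
        return "Conditional"
    return "Fail"


def closeout_deadline(status_date: date) -> date:
    """Last day to complete the POA&M closeout assessment."""
    return status_date + timedelta(days=POAM_CLOSEOUT_DAYS)


if __name__ == "__main__":
    # Three 1-point gaps plus non-FIPS encryption: 105/110, Conditional.
    conditional = [Finding("AT.L2-3.2.3"), Finding("CM.L2-3.4.4"),
                   Finding("SI.L2-3.14.3"), Finding(CUI_ENCRYPTION, partial=True)]
    # MFA alone is also 105/110, but it is a 5-point item: Fail.
    mfa_only = [Finding("IA.L2-3.5.3")]
    print(score(conditional), outcome(conditional))
    print(score(mfa_only), outcome(mfa_only))
    print(closeout_deadline(date(2026, 3, 2)))
```

The two sample inputs in the `__main__` block score identically (105 of 110) yet produce different outcomes, which is the point worth internalising before reading a findings report: eligibility of each NOT MET item matters as much as the total.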
Continuous Compliance After Certification
Earning CMMC certification is not the finish line — it is a checkpoint. To maintain your status:
- Annual affirmation: A senior official must affirm continued compliance annually in SPRS
- Continuous monitoring: Maintain the controls and evidence that earned your certification
- Change management: Any significant changes to your CUI environment should trigger an SSP update and risk assessment
- Triennial re-assessment: Full C3PAO assessment is required every 3 years
For small businesses managing these ongoing requirements, our guide on CMMC for small business covers strategies for sustaining compliance without dedicated security teams.
---
How Cabrillo Club Simplifies Assessment Preparation
Defense contractors using Cabrillo Club's platform consistently reduce their assessment preparation timeline from months to weeks. Here is how:
Continuous compliance monitoring tracks the status of all 110 NIST SP 800-171 controls in real time, alerting your team when a control drifts out of compliance rather than waiting for a manual review cycle to catch it.
Automated evidence collection captures configuration states, access logs, training records, and policy attestations on an ongoing basis — eliminating the frantic evidence-gathering sprint that derails so many organizations in the weeks before assessment.
SSP and POA&M management keeps your documentation current and version-controlled, with change tracking that shows assessors exactly when and how updates were made.
Assessment readiness scoring gives you a continuously updated view of your MET / NOT MET status across all 320 assessment objectives, so you always know exactly where you stand.
CUI workflow protection ensures that every interaction with controlled information — from proposal development to contract execution — happens within a platform purpose-built for the defense industrial base. Learn more about the full certification journey in our how to get CMMC certified guide.
---
Frequently Asked Questions
How long does a CMMC assessment take?
A CMMC Level 1 self-assessment can typically be completed in 1-2 days since it involves only 15 practices and no external assessors. A Level 2 C3PAO assessment generally takes 3-5 business days for the on-site portion, depending on the size and complexity of your organization's CUI environment. However, the total process — from the initial scoping call through final report delivery — spans approximately 4-8 weeks. Organizations with large or complex environments, multiple facilities, or extensive external service provider dependencies may require additional assessment days.
What documents do I need for a CMMC assessment?
The essential documents include your System Security Plan (SSP), Plan of Action & Milestones (POA&M), network topology diagrams, CUI data flow diagrams, asset inventory, all security policies (covering the 14 NIST 800-171 control families), standard operating procedures for each implemented control, incident response plan, configuration management plan, and Customer Responsibility Matrices (CRMs) for any external service providers. Additionally, you need evidence artifacts for each of the 320 assessment objectives, including configuration screenshots, log exports, training records, scan reports, and access control documentation. The C3PAO will request most of these documents during the pre-assessment scoping call.
What happens if you fail a CMMC assessment?
If your organization does not qualify for Conditional Status on a Level 2 assessment, either because your weighted score is below 80% or because a requirement that cannot be placed on a POA&M (such as multi-factor authentication) was scored NOT MET, you do not receive certification or Conditional Status. You will receive a findings report detailing which requirements were scored NOT MET. There is no mandated waiting period before re-assessment, but you should plan for sufficient remediation time, typically 2-6 months depending on the nature and quantity of findings. You must then schedule and pay for a new full assessment. Failing an assessment does not trigger any penalty from the DoD, but it does mean you cannot be awarded contracts that require CMMC certification until you pass. If your score is 80% or above, not every requirement is MET, and every NOT MET requirement is POA&M-eligible, you receive Conditional Status and have 180 days to remediate and pass a closeout assessment.
How far in advance should you schedule a C3PAO?
Schedule your C3PAO assessment at least 4-6 months in advance. As CMMC enforcement ramps up through 2026, the limited number of authorized C3PAOs means booking windows are extending. Some C3PAOs are already reporting 3-6 month backlogs. Browse authorized C3PAOs on the Cyber AB Marketplace and begin conversations early, even if your exact assessment date is not yet confirmed. When planning your timeline, also factor in the potential 180-day POA&M remediation window if you anticipate receiving Conditional Status.
Can you do a CMMC assessment remotely?
CMMC Level 1 self-assessments can be conducted entirely remotely since they are self-administered. For Level 2 C3PAO assessments, the DoD allows a hybrid approach: certain document reviews and interviews may be conducted remotely, but on-site activities are required for physical security verification, technical testing of systems that cannot be accessed remotely, and validation of physical access controls. Fully remote Level 2 assessments are not currently permitted under the CMMC Assessment Process (CAP). The scoping call conducted 2-4 weeks before the assessment is always remote.
What is a POA&M and when can you use one?
A Plan of Action & Milestones (POA&M) is a formal document that identifies security weaknesses, describes planned remediation actions, assigns responsible personnel, and sets milestone dates for completion. Under CMMC rules, POA&Ms are not permitted at Level 1, where all 15 practices must be fully implemented. At Level 2, a POA&M is allowed only if your assessment score is at least 80%, and only for requirements with a point value of 1 under the CMMC scoring methodology, with one exception: SC.L2-3.13.11 (CUI encryption) may be placed on a POA&M when encryption is employed but not yet FIPS-validated, which is scored at 3 points rather than 5. Higher-weighted requirements such as multi-factor authentication (IA.L2-3.5.3) and audit logging (AU.L2-3.3.1) cannot be deferred, and neither can five specific 1-point requirements: AC.L2-3.1.20 (external connections), AC.L2-3.1.22 (publicly accessible content), and PE.L2-3.10.3, 3.10.4 and 3.10.5 (visitor escort, physical access logs, and physical access device management). All POA&M items must be remediated within 180 days, and a C3PAO must verify closure through a formal closeout assessment. Think of a POA&M not as a workaround but as a structured, time-bound commitment to full compliance.
How much does a CMMC assessment cost?
Assessment costs vary significantly based on your organization's size, scope complexity, and the C3PAO you select. Level 1 self-assessments have minimal direct cost beyond internal personnel time. Level 2 C3PAO assessments typically range from $30,000 to $100,000+ depending on the number of assessment days required, assessor travel expenses, and the complexity of your environment. If you receive Conditional Status, budget an additional amount for the POA&M closeout assessment. For a detailed breakdown, see our CMMC certification cost guide.
---
Start Preparing Today
The defense contractors that pass their CMMC assessments on the first attempt share a common pattern: they started preparing early, followed a structured plan, and validated their readiness before the assessors arrived. Whether you are 12 months or 90 days from your assessment date, the frameworks in this guide give you a clear path forward.
Begin with an honest gap analysis against the 110 NIST SP 800-171 requirements. Build your evidence repository. Run a mock assessment. And schedule your C3PAO before the calendar fills up.
For organizations that want to compress this timeline and eliminate the manual burden of evidence collection and control monitoring, Cabrillo Club's platform was built specifically for defense contractors navigating CMMC certification. Continuous compliance monitoring, automated evidence gathering, and real-time readiness scoring mean you spend less time preparing spreadsheets and more time winning contracts.
Your next contract depends on your CMMC certification. Your CMMC certification depends on your preparation. Start now.