CMMC Assessment Timeline – How Long Does the Certification Process Take?

With the 48 CFR CMMC rule published in the Federal Register and now effective on November 10th, 2025, many defense contractors are seeking CMMC L2 C3PAO assessments to be ready to receive new contract awards with the requirements. When these organizations seeking certification (OSCs) meet with their chosen CMMC Third-Party Assessment Organization (C3PAO) and start the assessment preparation phase, they are often pushed back in what is called a “false start”.

False starts most often occur due to a lack of compliance documentation; OSCs often implement the security requirements sufficiently, yet the System Security Plan (SSP) doesn’t describe that implementation. Or the OSC has cloud services or managed service providers that meet the security requirements, but doesn’t have the right customer responsibility matrix (CRM) to demonstrate their implementation.

Now that the clock is ticking, let’s talk about the assessment process and how to be prepared ahead of time so your assessment kicks off as scheduled, without delays or false starts.

CMMC Assessment Process Overview

Graphic showing the major steps of the CMMC assessment process, which are described below.

A CMMC assessment is often a week-long crunch period prefaced with approximately 3 months of preparations. A lot of moving parts all need to align for your assessment week. Being unprepared ahead of time hurts the chances that those parts will line up.

Scoping Call – 60-90 Days Before Assessment

One of the first meetings you will have with your C3PAO, after the sales and introductory calls, will be to determine and validate the scope of the CMMC assessment. In this meeting, the C3PAO is determining whether you appropriately described the asset categorization and scoping of the system components that make up your information system.

Shortly before the scoping call you will be asked to upload current versions of your System Security Plan (SSP), networking diagrams, data flow diagrams, policies, procedures, and CRMs. These documents will be reviewed for completeness and consistency prior to the scoping call, so as to best utilize the time in the scoping call.

Scoping calls often last about ninety minutes. During this meeting you will describe your information system at a high level, talk about how data flows through the organization, and answer questions to ensure the assessment scope is fully understood by the assessors. During this meeting the CMMC assessors will also determine if the assessment scope is eligible for a virtual-only assessment, or if an assessor will need to visit on-site as well.

Assessment Plan Development Meetings – Weekly Leading up to the Assessment

After the scoping call, weekly meetings will be scheduled to begin development of the Assessment Plan. This document describes the logistics of the assessment, including who the assessors are, where any on-site assessments will take place (if necessary), and the schedule of the assessment week. These weekly meetings also ensure lines of communication are open between the C3PAO and the OSC, allowing questions to be asked and answered from either side.

Confirm Travel Arrangements – 30 Days Before Assessment

If on-site travel is deemed necessary, the C3PAO will prepare travel arrangements about a month before the assessment. Scheduling travel so far in advance helps the C3PAO keep the cost of the assessment down by taking advantage of discounted fares. Once travel arrangements are booked, they are often non-refundable and thus charged to the OSC if the assessment gets delayed at this point.

Final Evidence Submission – 21 Days Before Assessment

Documentation often changes as you lead up to an assessment. The documentation received during the scoping call will be set aside/archived or deleted from the C3PAO system, allowing the OSC to upload new, final versions of the documentation that will be used for the assessment. This evidence is accepted up to 7 days before the assessment, to ensure that all the relevant documents are uploaded and available prior to starting the assessment on Monday. Requiring the evidence to be uploaded a week before the assessment gives the C3PAO time to check that they have access to the evidence and ensure it’s not locked behind special accounts, GRC tools, or Sensitivity Labels.

This is a good time to implement a change freeze in your environment that will last until the assessment starts, and potentially throughout the whole assessment. A change freeze helps ensure your environment matches the documentation you provided to the C3PAO. Any changes made during the active assessment period to correct deficiencies must follow your change management procedures; the assessors will be watching to ensure you do what your documentation says.

Finalize Assessment Plan – 14 Days Before Assessment

Two weeks before the assessment the Assessment Plan will be finalized. The weekly meetings will have helped develop the Assessment Plan, but additional meetings dedicated to finalizing it may be scheduled. At this point the Assessment Plan should have all the correct details, clearly identify dates and times, and identify and mitigate scheduling conflicts. After the Assessment Plan is final, the virtual assessment meetings will be scheduled. Be sure to check the links to ensure you can join the meeting before the assessment in-brief.

What Happens During the CMMC Assessment Week?

During the assessment week the C3PAO will evaluate your documentation for adequacy and sufficiency, conduct interviews with members of your team to answer questions, and ask for demonstrations to validate implementations of the requirements. Each day the C3PAO will inform you of any requirements lacking evidence and request you provide that evidence the following day. These requests will be for additional evidence, instead of changes to already presented evidence.

Supplemental Evidence Post Assessment – 10 Business Days Post Assessment

Following the active assessment period, if a score of 110 was not achieved, then the OSC is granted 10 business days to provide additional evidence to demonstrate that a security requirement is MET (https://www.ecfr.gov/current/title-32/part-170/section-170.17#p-170.17(c)(2)(i)). After those 10 business days are up, or earlier if you determine you have no more evidence to present, then the C3PAO will prepare the CMMC Assessment Findings Report and deliver the out-brief presentation.

At the end of the 10 business days, one of three things will happen:

  1. The OSC passes all the requirements and gets awarded a full CMMC Level 2 certification.
  2. The OSC passes at least 80% of the requirements and the remaining 20% (or less) are all POA&M-able, resulting in a conditional CMMC Level 2 certification and requiring close out within 180 days.
  3. The OSC fails more than 20% of requirements or has at least one requirement NOT MET that is not POA&M-able, and fails the assessment. No POA&M is created, and the OSC will need a new certification assessment that assesses all 110 requirements again from scratch.

Understanding the 180 Day Close-Out Period

An OSC that has a POA&M after their assessment has 180 days to turn their Conditional Level 2 (C3PAO) certificate into a Final Level 2 (C3PAO) certificate. Otherwise they will lose their certificate status entirely and need a new assessment conducted from scratch. OSCs should be mindful of how the 180 days are counted and what steps need to happen to ensure they achieve that Final Level 2 (C3PAO) certificate.

What is a POA&M?

The POA&M term has been changed by the publication of the 32 CFR 170 rule. POA&M now refers to the list of open items after a CMMC Level 2 Self-Assessment or CMMC Level 2 C3PAO-Assessment has occurred: https://www.federalregister.gov/d/2024-22905/p-2019

The old use of this term in NIST SP 800-171 has been “re-branded” to Operation Plan of Action (OPA) and still documents the ongoing deficiencies that may arise with running a CMMC Level 2-compliant information system: https://www.federalregister.gov/d/2024-22905/p-2009

What is the CMMC Status Date?

The 180 Day Close-out period rests on a specific date: the CMMC Status Date. 32 CFR 170 defines the CMMC Status Date:

“CMMC Status Date means the date that the CMMC Status results are submitted to SPRS or the CMMC instantiation of eMASS, as appropriate. The date of the Conditional CMMC Status will remain as the CMMC Status Date after a successful POA&M closeout. A new date is not set for a Final that follows a Conditional.”

https://www.federalregister.gov/d/2024-22905/p-1986

When the OSC conducts a Level 1 or 2 Self-Assessment or commissions a Level 2 C3PAO assessment, the date following the assessment that the results are posted to SPRS/eMASS is the “CMMC Status Date”.

The CMMC Status Date is referenced in 32 CFR 170 as the date from which:

  1. re-assessments must be conducted [https://www.federalregister.gov/d/2024-22905/p-2252]
  2. artifacts must be retained [https://www.federalregister.gov/d/2024-22905/p-2279]
  3. a POA&M must be closed out and have a POA&M closeout assessment [https://www.federalregister.gov/d/2024-22905/p-2266]

The CMMC Status Date remains the same even when the POA&M is closed out. That means if an OSC takes 180 days to close out their POA&M and have a POA&M close-out assessment, then they only have 2.5 years of full CMMC Level 2 Certification status before needing a re-assessment.

POA&M Close-out Steps

Simplified linear schedule shows QA reviews and uploads assessment results up to 10 business days after the assessment week, then 180 days counter starts to remediate open POA&M items, be re-assessed, and have the results QA'd and uploaded.

After the Assessment Week, 10 business days for closing out requirements, and C3PAO Quality Assurance review and upload to eMASS, the OSC must:

  • Remediate/resolve all POA&M items identified during the assessment
  • Schedule a close-out assessment with the C3PAO
  • Have the C3PAO Quality Assurance perform a quality review and upload the updated result to eMASS.

In the above figure we’ve illustrated this timeline using conservative estimates. The close-out assessment will likely take less than a week. QA Review will likely take another week, or longer, depending on the backlog at the C3PAO. A buffer isn’t required but it is highly recommended to ensure there is still time to have the close-out assessment results uploaded to eMASS before the 180 day window closes.

OSCs should keep in mind that it is their responsibility to reach out to the C3PAO and schedule a close-out assessment. The OSC is responsible for scheduling the assessment early enough to ensure that the close-out assessment results are submitted to eMASS before the 180 day window closes.

What Happens if Your CMMC Assessment Gets Delayed?

Schedule in Excel shows the months of October and November with assessments filling the schedules of two assessment teams.

Given that active assessment periods are often about a week long, assessments are scheduled back-to-back with multiple teams. This scheduling ensures a steady flow of assessments for the C3PAO. But as we’ve seen earlier, assessment teams are engaged with the OSC several months before the assessment week. When an assessment is delayed, it is often delayed for several weeks due to availability.

Some example scenarios based on the timeline in the image above:

  • If Gap Analysis 25 in the image above is delayed, the next open slot would be the following week. Easy.
  • If Assessment 48 is delayed, it would be delayed by more than a month, despite the next open slot at the C3PAO being just two weeks later. That’s because Assessment 48 is assigned to Assessment Team A. Assessment Team B hasn’t done any of the prep work to scope the environment that Assessment Team A has. So, Assessment 48 would be delayed more than a month until the next opening for Assessment Team A after the holiday.
  • If Pre-Assessment 31 is delayed, it could be delayed a month, or maybe only three weeks if Gap Analysis 25 is delayed a week.

These scenarios show the ways in which C3PAOs can be both flexible and rigid.
