Understanding the CMMC Assessment Phases: A Step-by-Step Timeline
As the Department of Defense (DoD) continues to roll out the Cybersecurity Maturity Model Certification (CMMC) program, defense contractors must prepare for a rigorous evaluation of their cybersecurity posture—especially those handling Controlled Unclassified Information (CUI). For organizations pursuing CMMC Level 2, understanding the assessment process and its timeline is critical for success.
This article breaks down the four formal phases of a CMMC Level 2 assessment, including the preliminary steps that occur before the official assessment begins. We also provide estimated durations for each phase based on guidance from the CMMC Assessment Process (CAP) v2.0, published by The Cyber AB.
What is CMMC?
CMMC Compliance for Small Business
The CMMC framework evaluates cybersecurity across three tiers, ranging from Foundational to Expert. Companies dealing solely with Federal Contract Information (FCI) must achieve Level 1.
Those managing Controlled Unclassified Information (CUI) are required to obtain Level 2 certification. Level 3 is designated for extremely sensitive CUI and will be necessary for a limited group of contractors. The introduction of the Cybersecurity Maturity Model Certification (CMMC) program marks a significant advancement that is particularly relevant to small enterprises.
Small businesses are vulnerable to cyber-attacks, and a company of any size doing business with the DoD must comply with CMMC. Implementing CMMC correctly, handling CUI safely, and being CMMC compliant helps protect our country, its people, military, and industry. The dangers to our nation’s information security are increasing daily, with adversaries becoming increasingly skilled. For companies working with the Department of Defense (DoD), these threats are intensifying. To secure government contracts, businesses must adopt a range of information security measures and develop policies that encourage proactive security practices within their organizations.
Following a significant security breach impacting contractors and subcontractors, the government introduced the CMMC program to protect associated agencies.
The CMMC certification program aims to improve the security of information shared between the Department of Defense and its contractors. The Department will gain more confidence in the Defense Industrial Base (DIB) as the DIB demonstrates that it protects Controlled Unclassified Information (CUI) well.
Once companies implement CMMC appropriately, they must complete the following CMMC Level 2 Assessment phases to achieve CMMC Certification.
4 Phases of CMMC Level 2 Assessments to Achieve CMMC Certification
Before the CMMC 2.0 Assessment: Preliminary Proceedings
Estimated Duration: 1–2 Weeks
Before Phase 1 begins, Organizations Seeking Certification (OSCs) must complete certain preliminary steps together with their selected C3PAO (CMMC Third-Party Assessment Organization). These include:
- Submitting a formal assessment request
- Confirming their legal entity and CAGE code(s)
- Discussing assessment scope, schedule, and readiness
- Identifying any conflicts of interest
- Executing the service contract and NDA
Phase 1: Conduct the Pre-Assessment
Estimated Duration: 1–2 Weeks
In this phase, the C3PAO determines whether the OSC is ready to move forward. Key activities include:
- Reviewing the System Security Plan (SSP) for completeness
- Validating the scope of the assessment
- Confirming availability of evidence and support personnel
- Assembling the Assessment Team
- Uploading the Pre-Assessment Form to CMMC eMASS
If the OSC is not sufficiently prepared, the assessment is suspended. Importantly, the assessor cannot provide remediation advice, as doing so would create a conflict of interest.
Phase 2: Assess Conformity to Security Requirements
Estimated Duration: 1 Week (Typically 3–5 Business Days)
This is the main part of the assessment. Here, the C3PAO checks how well the 110 CMMC Level 2 requirements are met. They use the Examine, Interview, and Test methods from NIST SP 800-171A. Key tasks include:
- Hosting an official in-brief with the OSC
- Conducting fieldwork or virtual inspections
- Validating inherited controls from ESPs and CSPs
- Scoring each requirement as MET, NOT MET, or N/A
- Holding daily checkpoint meetings
Phase 3: Complete and Report Assessment Results
Estimated Duration: 1–2 Weeks (Plus Optional 10 Business Days)
Following the assessment, the C3PAO prepares a complete report and delivers it to the OSC. The report includes a scorecard of results, an out-brief presentation, and all required uploads to CMMC eMASS. This phase ends with one of three outcomes:
- Final Certificate (all practices MET)
- Conditional Certificate (some items deferred via POA&M)
- No Certificate (significant gaps remain)
Phase 4: Issue Certificate and Close Out POA&M
Estimated Duration: Immediate to 180 Days
If a Conditional Certificate is issued, the OSC has up to 180 days to close out open POA&M items. A C3PAO—either the original or a different one—must verify the closeout and issue the Final Certificate.
To dive deeper into the official procedures, download the full CMMC Assessment Process (CAP) v2.0 document from The Cyber AB.
Need Help Preparing for Your CMMC Assessment?
At Core Business Solutions, we simplify your path to CMMC certification. Whether you’re just getting started or preparing for a third-party assessment, our team of experts can help you build a compliant environment, narrow your scope, and manage all the necessary documentation.
Contact us today for a free consultation or to learn more about our CORE Vault™ CUI enclave solution.