What a C3PAO actually does
A C3PAO — Certified Third-Party Assessor Organisation — is an independent firm accredited by the CMMC Accreditation Body (Cyber-AB) to conduct CMMC Level 2 assessments. They're not your consultant. They don't help you remediate. Their job is to verify, with documented evidence, that you meet each of the 320+ assessment objectives in NIST SP 800-171A.
A typical assessment has three phases: planning (scoping calls, evidence package review, schedule), fieldwork (interviews, walk-throughs, evidence verification, sometimes on-site), and reporting (findings, scoring, certification decision).
The five evidence buckets
For every one of the 110 controls, the assessor expects to see five types of evidence:
- Policy — a documented organisational statement that this control is required.
- Procedure — a documented step-by-step of how the control is operated.
- Operational evidence — proof that the procedure is followed in practice (configuration screenshots, log samples, training records, ticket history).
- Control owner — a named person who can speak to the control in an interview.
- Continuous evidence — proof that the control is operating now, not just at one point in time (last 30/60/90 days of activity).
A control with the technology in place but no documented policy is a finding. A documented procedure that nobody follows is a finding. A control owner who doesn't know what they own is a finding. The assessor isn't hostile — they're measuring against the NIST 800-171A criteria, which require all five.
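A practical way to catch the three findings above before the assessor does is to pre-flight your own evidence inventory against the five buckets. The script below is an added example, not the page's or any C3PAO's tool: it reads a constructed inventory (one artifact per line, with the NIST SP 800-171 control id, the bucket it satisfies, and the date it was produced) and reports, per control, which buckets are missing and whether the newest operational or continuous evidence falls outside the 90-day window the page mentions. The inventory contents, the CSV layout and the assessment date are assumptions for the example.

```python
"""Evidence-bucket pre-flight (added example, not the page's or a C3PAO's tool)."""
import csv
from datetime import date, timedelta
from io import StringIO

# The five buckets the assessor expects for every control.
BUCKETS = {"policy", "procedure", "operational", "owner", "continuous"}
FRESHNESS_DAYS = 90  # evidence older than this counts as point-in-time, not continuous

# Constructed inventory (assumption): control ids use NIST SP 800-171 numbering,
# "dated" is blank for a named owner because a person has no production date.
INVENTORY_CSV = """control,bucket,artifact,dated
3.1.1,policy,Access Control Policy v4,2026-01-15
3.1.1,procedure,Account provisioning SOP,2026-01-20
3.1.1,operational,AD group membership export,2026-05-20
3.1.1,owner,IT Lead,
3.1.1,continuous,Quarterly access review ticket,2026-05-28
3.3.3,policy,Audit & Accountability Policy v2,2025-11-02
3.3.3,operational,SIEM dashboard screenshot,2026-02-10
3.3.3,continuous,Log review sign-off,2026-02-10
3.4.1,procedure,Server hardening checklist,2026-03-01
3.4.1,operational,CIS-CAT scan report,2026-05-30
3.4.1,owner,Platform Engineer,
"""


def load_inventory(text):
    """Parse the CSV into dicts, converting ISO dates (blank stays None)."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["dated"] = date.fromisoformat(r["dated"]) if r["dated"] else None
        rows.append(r)
    return rows


def preflight(rows, assessment_date):
    """Return {control_id: [issues]} for every control that is not audit-ready."""
    cutoff = assessment_date - timedelta(days=FRESHNESS_DAYS)
    by_control = {}
    for r in rows:
        c = by_control.setdefault(r["control"], {"buckets": set(), "latest": None})
        c["buckets"].add(r["bucket"])
        # Only operational and continuous artifacts carry a freshness requirement.
        if r["bucket"] in ("operational", "continuous") and r["dated"]:
            if c["latest"] is None or r["dated"] > c["latest"]:
                c["latest"] = r["dated"]

    findings = {}
    for cid, c in sorted(by_control.items()):
        issues = [f"missing {b}" for b in sorted(BUCKETS - c["buckets"])]
        if c["latest"] is not None and c["latest"] < cutoff:
            issues.append(f"stale: newest evidence {c['latest']} is before {cutoff}")
        if issues:
            findings[cid] = issues
    return findings


def preflight_sample(assessment_date=date(2026, 6, 1)):
    """Run the check over the constructed inventory for a given assessment date."""
    return preflight(load_inventory(INVENTORY_CSV), assessment_date)


if __name__ == "__main__":
    for cid, issues in preflight_sample().items():
        print(cid, "->", "; ".join(issues))
```

Run against the sample, 3.1.1 comes back clean, 3.3.3 is missing a procedure and an owner and its newest log-review evidence is older than 90 days, and 3.4.1 has the hardening checklist and scan report but no policy and no continuous evidence. Those are exactly the "technology in place but no policy" and "procedure nobody follows" findings the text describes, surfaced before fieldwork.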
The package you assemble before the assessor arrives
- System Security Plan (SSP) — the master document describing how every control is implemented in your environment. Typically 100–300 pages for a small-to-mid shop.
- Plan of Action & Milestones (POAM) — documents residual gaps and the remediation plan, including target dates and assigned owners.
- Network and data-flow diagrams — showing the CUI boundary, the enclave, every interface in and out.
- Asset inventory — every system that processes, stores, or transmits CUI.
- Policies and procedures — the documentation backing each control family.
- Training records — awareness training completion for every CUI-cleared user, with dates.
- Evidence samples — log excerpts, configuration screenshots, vulnerability scan reports, ticket samples, change-management records. The last 90 days' worth.
- Incident response plan — documented, with tabletop exercise results.
- Risk assessment — written, dated within the last 12 months.
- Vendor inventory and assessments — every third party with access to CUI, with security attestations.
The five things that fail most often
- Shared logins on legacy systems. An old CAM workstation the shop floor shares, an ERP module everyone has the same credential for. Always cited under Access Control (3.1).
- Logs that nobody reviews. The technology is generating logs, but there's no documented review cadence and no named reviewer. Audit & Accountability (3.3) finding.
- Undocumented baseline configuration. Systems are hardened, but there's no written standard. Configuration Management (3.4) finding.
- MFA gap on at least one privileged account. A service account, a legacy admin, or a vendor maintenance login that's exempt. Identification & Authentication (3.5) finding.
- Flat network with no CUI enclave. Guest Wi-Fi shares the same VLAN as engineering workstations. System & Communications Protection (3.13) finding.
POAM rules — what assessors actually accept
The Plan of Action & Milestones lets you document gaps you haven't fully closed. But there are limits:
- POAM items must be specific — “improve logging” is rejected; “deploy centralised log aggregation for control 3.3.2 by 2026-09-30” is acceptable.
- POAM items must have a target close date within 180 days (the DoD-stated norm).
- You can't POAM the highest-value controls — some controls (notably MFA on privileged accounts and certain audit logging requirements) cannot be on POAM under current CMMC scoring rules.
- Too many POAM items and the assessor will fail the assessment — the standard interpretation is that POAM is for the residual, not the bulk of your controls.
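The four POAM rules above are mechanical enough to lint before the package goes out. The script below is an added example, not the page's or any assessor's tool: it checks each POAM entry for a specific description that names a control id, a target close date within 180 days of the assessment date, an assigned owner, and membership in the set of controls that cannot be carried on a POAM, then flags a POAM whose item count is too large a share of the 110 controls. The non-POAMable set contains only 3.5.3 (the NIST SP 800-171 MFA control the page alludes to) and must be completed from current CMMC scoring guidance; the 10% volume threshold and the sample entries are assumptions, since the page gives no number.

```python
"""POAM entry linter (added example, not the page's or any assessor's tool)."""
import re
from datetime import date

# NIST SP 800-171 control ids look like 3.3.2; used to test that an item is specific.
CONTROL_ID = re.compile(r"\b3\.\d{1,2}\.\d{1,2}\b")
MAX_POAM_DAYS = 180  # the DoD-stated norm quoted on the page
# Assumption: only the MFA control (3.5.3) is listed here; fill the rest of the
# set from the current CMMC scoring rules before relying on this check.
NOT_POAMABLE = {"3.5.3"}
TOTAL_CONTROLS = 110
MAX_POAM_SHARE = 0.10  # assumption: the page says "too many", not how many

# Constructed sample POAM (assumption): one acceptable item, one vague one,
# one that tries to defer a control that cannot be deferred.
ASSESSMENT_DATE = date(2026, 6, 1)
SAMPLE_POAM = [
    {"description": "deploy centralised log aggregation for control 3.3.2 by 2026-09-30",
     "target_date": date(2026, 9, 30), "owner": "IT Lead"},
    {"description": "improve logging", "target_date": date(2026, 12, 31), "owner": ""},
    {"description": "enable MFA for the vendor maintenance account per control 3.5.3",
     "target_date": date(2026, 8, 15), "owner": "Sec Ops"},
]


def lint_entry(entry, assessment_date):
    """Return a list of problems with one POAM entry (empty list means acceptable)."""
    problems = []
    desc = entry.get("description", "").strip()
    ids = CONTROL_ID.findall(desc)
    # "improve logging" fails both tests: too short and no control named.
    if len(desc.split()) < 6 or not ids:
        problems.append("not specific: describe the action and name the control id")
    for cid in ids:
        if cid in NOT_POAMABLE:
            problems.append(f"control {cid} cannot be on the POAM")
    target = entry.get("target_date")
    if target is None:
        problems.append("missing target close date")
    else:
        delta = (target - assessment_date).days
        if delta < 0:
            problems.append("target date is in the past")
        elif delta > MAX_POAM_DAYS:
            problems.append(f"target date is {delta} days out, max {MAX_POAM_DAYS}")
    if not entry.get("owner"):
        problems.append("missing assigned owner")
    return problems


def lint_poam(entries, assessment_date):
    """Lint every entry and the POAM as a whole; keys are entry indexes plus '__volume__'."""
    report = {}
    for i, entry in enumerate(entries):
        problems = lint_entry(entry, assessment_date)
        if problems:
            report[i] = problems
    share = len(entries) / TOTAL_CONTROLS
    if share > MAX_POAM_SHARE:
        report["__volume__"] = [f"{len(entries)} items is {share:.0%} of controls"]
    return report


def lint_sample():
    """Lint the constructed sample against the constructed assessment date."""
    return lint_poam(SAMPLE_POAM, ASSESSMENT_DATE)


if __name__ == "__main__":
    for key, problems in lint_sample().items():
        print(key, "->", "; ".join(problems))
```

On the sample, the first item passes, the second is rejected for vagueness, a 213-day target date and no owner, and the third is rejected because 3.5.3 is not deferrable. Treat the linter as a pre-flight, not a substitute for the assessor's judgement on whether the residual is small enough.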
The interviews
A meaningful portion of the assessment is interview-based. The assessor will ask the named control owner about the control, walk through the procedure, and verify operational evidence in real time.
Two patterns kill credibility immediately:
- A control owner who doesn't know they own the control.
- A procedure documented in the SSP that the operator describes differently.
Rehearse with your team before the assessor arrives. Walk through each control family with the named owner. Have them describe the procedure in their own words. If their words don't match the SSP, update one of them.
The 90-day pre-assessment plan
- Day 0–30: Final SSP review, gap close-out, evidence collection in audit-ready form.
- Day 30–60: Mock assessment by your readiness partner. Control owner interviews. Close the documentation gaps the mock assessment surfaces.
- Day 60–75: POAM finalisation. Final evidence package assembly. Schedule confirmation with C3PAO.
- Day 75–90: Tabletop incident response exercise. Final walk-throughs of the CUI environment. C3PAO planning calls.
The honest expectation-setting
Get the evidence package right
We build, document, and operate the controls behind your SSP and hand the C3PAO a clean package. Free assessment to see where you stand today.
Book the free assessment