Firethorne Tech

September 19, 2025 · Kyle A. Tate

What to Expect During a CMMC Assessment (And the Gotchas That Surprised Us)

If you're in the defense supply chain, you've probably heard plenty about CMMC. What doesn't always get explained is what it's actually like to go through an assessment — what the assessors ask for, how the days are structured, and where teams that looked ready on paper get tripped up.

Here's the short version: an assessment has four phases, and most of the pain in phases two through four traces back to corners cut in phase one.

Phase 1: Pre-Assessment

Before anyone shows up, the assessment team reviews your documentation — your System Security Plan (SSP), your policies, and the evidence that your controls are actually implemented.

The gotcha: your documentation has to match reality. If your SSP says workstations lock after 15 minutes and half your fleet is set to never, that's a finding — not because the setting is hard to fix, but because it tells the assessor your documentation can't be trusted. Expect them to dig deeper everywhere else after that.
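As an added illustration (not from the post or its author), here is how that SSP-versus-fleet comparison can be pre-staged as evidence: a small Python script that reconciles a constructed export of the Windows machine-inactivity-limit value (InactivityTimeoutSecs, in seconds, where 0 or blank means no lock) against the documented 15 minutes. The CSV layout, host names and values are assumptions.

```python
import csv
import io

# What the SSP states for this control (assumed value matching the post's example).
SSP_LOCK_MINUTES = 15

# Constructed fleet export, as a registry-collection script might produce it.
# InactivityTimeoutSecs of 0 or blank means the lock is set to "never"/unconfigured.
FLEET_CSV = """host,InactivityTimeoutSecs
WS-001,900
WS-002,900
WS-003,0
WS-004,
WS-005,1800
WS-006,600
"""

def classify(raw: str, max_seconds: int) -> str:
    """Return 'compliant', 'never' or 'too_long' for one host's setting."""
    raw = raw.strip()
    if raw == "" or int(raw) == 0:
        return "never"            # 0 / unset: Windows applies no inactivity lock
    return "compliant" if int(raw) <= max_seconds else "too_long"

def reconcile(csv_text: str, ssp_minutes: int) -> dict:
    """Bucket every host against the SSP statement and compute the drift ratio."""
    max_seconds = ssp_minutes * 60
    findings = {"compliant": [], "never": [], "too_long": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = classify(row["InactivityTimeoutSecs"], max_seconds)
        findings[bucket].append(row["host"])
    total = sum(len(hosts) for hosts in findings.values())
    off_baseline = total - len(findings["compliant"])
    findings["drift_ratio"] = round(off_baseline / total, 2) if total else 0.0
    return findings

if __name__ == "__main__":
    result = reconcile(FLEET_CSV, SSP_LOCK_MINUTES)
    for bucket in ("compliant", "never", "too_long"):
        print(f"{bucket:>10}: {', '.join(result[bucket]) or '-'}")
    print(f"drift ratio: {result['drift_ratio']}")
```

Run before the assessor does: a non-zero drift ratio is the list of hosts to fix (or the SSP sentence to correct) while it is still a pre-assessment task rather than a finding.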

Phase 2: The Actual Assessment

The evaluation itself runs over multiple days, with daily checkpoint meetings where the assessment team surfaces concerns as they go.

Two things surprised us:

  • Assessors require immediate proof. "Yes, we do that" is not evidence. Screenshots, logs, and configurations need to be available on demand. Teams that pre-staged evidence per control moved fast; teams that went hunting for proof in real time burned hours and goodwill.
  • The daily checkpoints are a gift. Concerns raised on day one can sometimes be clarified with better evidence by day three. Treat the checkpoints as a working session, not a verdict.

Phase 3: The Out-Brief

At the end, the team presents results: what passed, what didn't, and what lands on a Plan of Action & Milestones (POA&M). Not every gap is fatal — CMMC allows certain lower-weight items to be remediated post-assessment — but the list of POA&M-eligible controls is narrow.

Phase 4: Closing Out POA&Ms

You get a limited window to close POA&M items and provide evidence. The gotcha here: teams that deferred "easy" fixes to this phase found they weren't easy under deadline. Anything you can fix before the assessment, fix before the assessment.

Key Takeaways

  1. Written policies must match actual practice — assessors check both.
  2. Concrete evidence (screenshots, logs, configs) must be immediately available.
  3. Vet your third-party vendors before the assessment — their gaps become your gaps.
  4. Use the daily checkpoints to clarify and supplement evidence.
  5. Don't save fixes for the POA&M phase. The clock there is shorter than you think.

If you're preparing for an assessment and want a dry run before the real thing, a mock audit will surface most of these issues while they're still cheap to fix.
