If you’re in the defense supply chain, you’ve probably heard plenty about CMMC. What doesn’t always get explained is what it’s actually like to go through an assessment. Having been through the process myself, I can tell you: it’s not just about checking boxes. It’s about preparation, evidence, and being ready for curveballs.
Here’s what stood out to me — and some lessons you’ll want to keep in mind before your own assessment.
Phase 1: Pre-Assessment (Where Most Companies Get Stuck)
Before the assessors even dive into your environment, they’ll want to see your System Security Plan (SSP) and validate your assessment scope. Sounds straightforward, but here’s the gotcha: if your documentation isn’t complete, you won’t even make it to the next phase.
One thing that surprised me — they don’t just want your policies and procedures on paper. They’ll ask, “Can you show me how this works in practice?” If your written policies don’t match what’s actually happening day to day, that’s a red flag.
Phase 2: The Actual Assessment (Where the Nerves Kick In)
This is where the assessors roll up their sleeves. They’ll interview staff, review artifacts, and test whether your controls are really in place. A few things to watch for:
- Daily check-ins: Every day ends with a “checkpoint” meeting. It’s basically a progress update, but also where concerns get raised. If they’ve found gaps, you’ll know pretty quickly.
- Cloud providers and MSPs: If you rely on outside vendors (and most of us do), expect questions. They’ll want to see your contracts, Customer Responsibility Matrix (CRM), and proof your vendors are FedRAMP authorized. If you can’t show that, you’re in trouble.
- Sampling: Don’t assume they’ll just look at one system and call it good. They’ll pick different users, sites, and assets to make sure you’re consistent across the board.
The biggest “gotcha” here? Evidence. If you can’t produce screenshots, logs, or real proof on the spot, it’s considered a finding. Telling an assessor, “Oh yeah, we do that, we just don’t have the report handy,” doesn’t cut it.
Phase 3: The Out-Brief (Where You Learn Your Fate)
At the end, the assessors compile everything and present results in an out-brief. This is not the time you want surprises. You’ll either walk away with:
- A Final Certificate (best case),
- A Conditional Certificate (you’ve got a POA&M to close), or
- No certificate at all.
What caught me off guard here was how formal the process is. They don’t give “advice” or tell you how to fix issues — that would create a conflict of interest. They just tell you what’s met, what’s not, and leave it at that.
Phase 4: Closing Out POA&Ms (The Follow-Through)
If you’re issued a conditional certificate, you’ll have a POA&M to work through. Closing these out takes coordination with your C3PAO and, depending on the gaps, can stretch timelines more than you’d expect. My advice? Don’t leave big-ticket items for the POA&M — knock those out before the assessment.
Key Takeaways From Someone Who’s Been There
- Don’t underestimate documentation. Your SSP needs to match reality.
- Have evidence ready. Policies without logs, screenshots, or records won’t pass.
- Prep your vendors. If your MSP or cloud provider isn’t ready, neither are you.
- Expect to feel pressure. Daily checkpoints can be stressful, but they’re also a chance to clarify.
- Plan ahead. If you’re relying on a POA&M, you’re adding months to your timeline.
Going through a CMMC assessment is no small lift, but being prepared makes all the difference. If you’re early in the process, get a readiness review done before calling in a C3PAO. It’ll save you time, money, and frustration when the real thing happens.
