Deretti Cyber Labs CMMC Desk · The Assessment

The assessment.

Two ways in, and three possible determinations from one set of findings.

An assessment is not a mystery box. It runs the same underlying logic whether an organization performs it on itself or a C3PAO performs it: scope gets checked against what is actually there, evidence gets examined, interviewed, and tested, and every requirement lands on one of three outcomes. This page walks the full path — the two ways into Level 2, what a certification assessment actually does end to end, what Conditional status buys and costs, what changes at Level 3, and what happens every year after.

01The two paths to Level 2

Every Level 2 assessment starts from the same 110 requirements and the same NIST SP 800-171A methodology. What differs is who performs it and where the result lands — and that choice is not the contractor’s to make. The Levels covers this in full; this page assumes you already know which path your contract requires and picks up from there.

The two Level 2 assessment paths, who performs each, and where results land
PathWho performs itResults go toCycle
Level 2 (Self)The OSA itselfSPRS, directlyEvery three years, plus annual affirmations
Level 2 (C3PAO)An authorized or accredited C3PAOCMMC eMASS, which feeds SPRS automaticallyEvery three years, plus annual affirmations

Which one a given contract requires is written into the solicitation — see Start Here for the clause signals. 32 CFR 170.3(e)(1); 170.16; 170.17

02What a C3PAO assessment looks like, end to end

A certification assessment is a defined sequence, not an open-ended inquiry. Six things happen, roughly in this order:

  1. Scoping validation. The C3PAO checks the CMMC Assessment Scope documented in the SSP — the boundary Scope & Boundary covers — against what the assessment team actually finds on the network. A scope that looks right on paper still gets checked against reality.
  2. Evidence review: examine, interview, test. The assessor works through the 110 requirements using the three NIST SP 800-171A methods Evidence, SSP & POA&M covers in detail — reading documents, talking to the people who run the systems, and exercising mechanisms directly.
  3. A finding for every requirement. Each requirement resolves to one of three outcomes: MET (every applicable objective behind the requirement is met, based on final evidence — drafts and working papers do not count), NOT MET (one or more objectives are not met, and the assessor documents why), or N/A (the requirement genuinely does not apply to the assessed environment, and is treated the same as MET for scoring purposes). 32 CFR 170.24(b)
  4. A short window to fix small things. A NOT MET finding can be re-evaluated during the assessment, and for ten business days after it ends, if new evidence closes the gap without changing anything already scored MET and the findings report has not yet been delivered. It is a narrow correction window, not a second attempt at the whole assessment. 32 CFR 170.17(c)(2)
  5. The CMMC Assessment Findings Report. The C3PAO communicates final results to the OSC through this report — the document that carries the requirement-by-requirement findings and the resulting score.
  6. Filing: eMASS, then SPRS. The C3PAO uploads the results into the CMMC instantiation of eMASS. From there, transmission to SPRS is automatic — the contracting officer checking a bidder’s status is reading SPRS, not eMASS. Glossary covers how the two systems relate.

A Level 2 self-assessment runs the same evidence logic — the OSA still applies SP 800-171A’s methods and lands on MET, NOT MET, or N/A for each requirement — but the OSA performs it on itself, scores it, and uploads the result straight to SPRS. There is no C3PAO, no Assessment Findings Report, and no eMASS step in that path.

Artifacts used as evidence on a certification assessment are hashed for integrity and must be retained — by the OSA or OSC, not the C3PAO — for six years from the CMMC Status Date. 32 CFR 170.16(c)(4); 170.17(c)(1),(4)

Engaging a C3PAO — and where its role stops

Authorized and accredited C3PAOs are listed in the Cyber AB Marketplace — accreditation is a checkable fact, not a claim to take on trust. A C3PAO operates under the Accreditation Body’s conflict-of-interest, professional-conduct, and ethics policies, is itself assessed by DCMA DIBCAC at Level 2 before it may assess anyone, and staffs each assessment with at least a Lead CCA and a second certified assessor, plus a quality-assurance reviewer who cannot sit on the assessment team. If a prospective C3PAO also offers consulting, how it separates the two under those conflict-of-interest policies is a fair — and answerable — question to put to it. 32 CFR 170.9(b)

Two boundaries are worth having straight before anyone is hired. What the assessment consumes is what this section already described: a current SSP, a documented scope, and evidence that can be produced when asked — a C3PAO assesses what exists; it does not build any of it. And what the C3PAO decides is the findings, nothing more: it does not choose the level a contract requires (the solicitation does), it does not make award decisions (the SPRS record and a contracting officer do), and it cannot extend the 180-day POA&M window (the rule sets it). Appeals of findings go first to the C3PAO itself, then to the Accreditation Body for final determination. 32 CFR 170.9(b)(19); 170.21(b)

03Conditional vs Final status

A Level 2 assessment does not have to land on a perfect 110 to produce a usable status. If every requirement is MET, the OSA or OSC reaches Final status immediately. If the score is at least 88 of 110 and the open gaps stay inside the bounds the rule sets — every open item worth 1 point, with a single named 3-point exception, and none of six requirements that can never sit on a POA&M at all — the result is Conditional status instead. Evidence, SSP & POA&M covers the full POA&M mechanics and the six exclusions by name; the short version carries over here because it governs what happens next.

The 180-day clock, again

Conditional status opens a 180-day window. A POA&M closeout assessment inside that window has to confirm every open item is closed — performed by the OSA itself for a self-assessment, or by a C3PAO for a certification assessment. Close it, and status moves to Final. Miss the window, and Conditional status expires outright; it does not roll over, and a lapsed status carries the same contractual consequences as never having achieved one. 32 CFR 170.21(b); 170.16(a)(1)(ii); 170.17(a)(1)(ii)

Either result — Conditional or Final — is sufficient for a contract’s Level 2 requirement at the moment it is achieved. The difference is what is still open, and how long the organization has to close it.

04Level 3: the same shape, a narrower list

The Levels covers what Level 3 adds: 24 requirements selected from NIST SP 800-172’s pool of 39, assessed by DCMA DIBCAC — a government assessor, not a C3PAO — on top of a prerequisite Final Level 2 (C3PAO) status covering the same assessment scope or a broader one. Conditional Level 2 does not qualify; every Level 2 POA&M item has to be closed first.

Level 3 scores differently than Level 2 — every requirement is worth exactly 1 point, so the maximum score equals 24 — but the shape of Conditional status is the same idea, with its own list of what can never sit on a POA&M:

The rule says

“An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met: (i) The assessment score divided by the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and (ii) The POA&M does not include any of following security requirements: (A) IR.L3-3.6.1e Security Operations Center. (B) IR.L3-3.6.2e Cyber Incident Response Team. (C) RA.L3-3.11.1e Threat-Informed Risk Assessment. (D) RA.L3-3.11.6e Supply Chain Risk Response. (E) RA.L3-3.11.7e Supply Chain Risk Plan. (F) RA.L3-3.11.4e Security Solution Rationale. (G) SI.L3-3.14.3e Specialized Asset Security.”

32 CFR 170.21(a)(3)

In practice

A score of at least 0.8 × 24 — roughly 20 of the 24 selected requirements MET — opens the door to Conditional status, the same way 88 of 110 does at Level 2. Seven requirements can never be POA&M’d regardless of score, and they cluster differently than the Level 2 exclusions do: incident-response capability and supply-chain risk management, rather than access control, the SSP, and physical access. DCMA DIBCAC performs the Level 3 POA&M closeout assessment itself, inside the same 180-day window. 32 CFR 170.21(b)(3)

05After the assessment

An assessment measures a point-in-time score. Two ongoing obligations keep a CMMC Status current once it is achieved.

Annual affirmations. Once a year, and again at every assessment and POA&M closeout, the Affirming Official submits an affirmation in SPRS stating the organization still meets the security requirements behind its status. Miss it, and the assessment lapses even though nothing about the underlying score changed. Glossary carries the full Affirmation / Affirming Official entry. 32 CFR 170.22

The triennial reassessment. Underneath the annual affirmation sits a longer clock: the assessment itself — self or C3PAO, at whatever level — is valid for three years from the CMMC Status Date, and has to be repeated before it lapses. Affirmations renew the promise every year; the triennial assessment is what the promise is actually about. 32 CFR 170.16(a)(1); 170.17(a)(1)

What “current status” means in SPRS. A contracting officer checking eligibility reads SPRS, not eMASS — eMASS is where a C3PAO or DIBCAC files results; SPRS is the system of record a solicitation actually points to. A status shown there is current only if both clocks are running: the assessment inside its three-year window, and the affirmation inside its one-year window. Either one lapsing is enough to end eligibility for a contract that requires it. SPRS, explained covers the record itself — who posts what, and the snags.

06At the shop

At the shop

Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard’s practice self-assessment (Evidence, SSP & POA&M) turned up two 1-point gaps — a stale visitor log format and an unencrypted backup drive awaiting a FIPS-validated replacement — neither on the exclusion list, both well inside the 88-point floor. When Blanchard’s C3PAO certification assessment ran for real a few months later, the assessor examined the updated SSP, interviewed the two-person IT team about the visitor log process, and tested the backup encryption directly. Both items came back MET this time; the score landed at 110, and Blanchard reached Final Level 2 (C3PAO) status on the initial assessment — no POA&M, no 180-day clock to watch.

07Sources

Primary sources for the assessment process, findings, filing, and status mechanics
DocumentWhat it’s for
32 CFR 170.16Level 2 self-assessment procedure, scope, artifact retention, and affirmation timing.
32 CFR 170.17Level 2 certification assessment procedure: scoping, findings report, the re-evaluation window, eMASS filing.
32 CFR 170.21POA&M eligibility at every level, the Level 3 exclusions, and the 180-day closeout clock.
32 CFR 170.22Affirmation requirements and timing.
32 CFR 170.24Scoring methodology and the MET / Not Met / N/A finding definitions.
NIST SP 800-171AThe examine/interview/test assessment methods applied during evidence review.