Defense contractors approaching the Cybersecurity Maturity Model Certification framework for the first time often arrive looking for information about a CMMC audit. The terminology is understandable. Most contractors have prior experience with audits in other compliance regimes: financial audits under generally accepted auditing standards, ISO certification audits, PCI compliance audits, SOC 2 examinations. The audit terminology is familiar, and contractors apply it to CMMC because they are looking for the parallel concept.
The framework itself does not use the word audit. The formal verification process is called a CMMC assessment, and the entity that conducts it is a CMMC Third Party Assessment Organization, accredited by The Cyber AB. The distinction is more than semantic. The structure of a CMMC assessment differs in important ways from the audits contractors are familiar with from other compliance regimes, and the differences affect how a contractor should prepare for the process and what to expect during it.
This page uses the term assessment from this point forward, because that is what the framework calls the process. The terms audit and assessment are used interchangeably by some contractors and consultants, but the framework documentation, the regulatory text, and the practitioner ecosystem all use assessment as the operative term. Consistency with the framework language matters because it signals familiarity with how the program actually operates.
What a CMMC Assessment Actually Is
A CMMC assessment is a structured examination of a contractor's information system against the security requirements applicable to the contract level. For Level 2, which applies to the majority of contractors handling Controlled Unclassified Information, the assessment evaluates the contractor's environment against the 110 security requirements specified in NIST SP 800-171 Revision 2. The examination is conducted by a CMMC Third Party Assessment Organization, frequently referred to by its acronym C3PAO, applying the methodology specified in the CMMC Assessment Process.
The assessment applies three methods. Documentation examination evaluates the contractor's System Security Plan, Plan of Action and Milestones, policies, procedures, and supporting evidence. Personnel interviews evaluate whether the people responsible for security practices understand and execute them. Technical testing or observation evaluates whether the implemented controls actually operate as the documentation describes. The assessment produces a determination on each of the 110 requirements as either fully met, not met, or, for certain controls, eligible for inclusion on a remediation plan within the assessment period.
The output of the assessment is either a CMMC certification, a conditional certification with a defined remediation period, or a non-certification result requiring substantive remediation before reassessment. The certification, when issued, is recorded in the Cyber AB Marketplace and is valid for three years, subject to ongoing affirmations the contractor must submit annually.
How a CMMC Assessment Differs from Familiar Audits
Contractors approaching the assessment with audit expectations from other regimes encounter several structural differences. The differences are not arbitrary. They reflect the framework's underlying purpose, which is to verify the protection of Controlled Unclassified Information rather than to confirm compliance with a financial reporting standard or a generic security baseline.
| Dimension | Familiar Audits | CMMC Assessment |
|---|---|---|
| Standard examined | Generally accepted accounting principles, ISO standards, PCI requirements, or other published standards | NIST SP 800-171 Revision 2, with 110 specific security requirements |
| Methodology | Sample-based testing of transactions, controls, or population characteristics | Comprehensive evaluation of every applicable requirement, with documentation, interview, and testing methods |
| Output | Audit opinion, often qualified or unqualified, with management response | Certification determination at the level applicable to the contract |
| Recurrence | Annual or as required by the regulatory cycle | Three-year certification with annual affirmations |
| Authority | Public accounting firms or specialized auditing bodies | CMMC Third Party Assessment Organizations accredited by The Cyber AB |
| Consequence of failure | Qualified opinion, regulatory finding, or management remediation | Loss of contract eligibility for affected DoD contracts requiring certification |
The most consequential difference is the last row. A failed financial audit produces a qualified opinion and a remediation requirement. A failed CMMC assessment removes the contractor from eligibility on contracts requiring certification at the affected level. The framework treats the assessment as gating contract eligibility rather than as informational reporting on the security program. The stakes attached to the assessment are accordingly higher than the stakes attached to most audits the contractor will have encountered previously.
What the Assessment Examines
The assessment evaluates the contractor's information system against each of the 110 security requirements. Each requirement is examined through a combination of the three assessment methods, with the specific methods applied to each requirement determined by the nature of the control and the supporting guidance in NIST SP 800-171A.
Documentation examination is the first and most extensive method. The C3PAO assessment team examines the System Security Plan, the Plan of Action and Milestones, the policies and procedures referenced from the SSP, the supporting evidence such as configuration baselines and audit log samples, and the operational records that demonstrate the controls have been executing over time. The documentation review begins before the on-site portion of the assessment and continues throughout. The quality of the SSP determines, more than any other single factor, how the assessment proceeds. The substantive treatment of what an SSP should contain is at CMMC SSP Template.
Personnel interviews evaluate whether the people responsible for security practices understand them and execute them in the way the documentation describes. The assessment team interviews the IT lead, the security lead, the operations lead, the contracts personnel, and the staff responsible for handling Controlled Unclassified Information in their daily work. The interviews are not adversarial, but they are substantive. An interview that produces responses inconsistent with the documented procedures becomes an assessment finding even if the underlying control is sound, because the inconsistency signals that the documentation does not reflect actual practice.
Technical testing or observation evaluates whether the implemented controls operate as the documentation describes. The assessment team examines system configurations, audit logs, access control lists, encryption settings, network segmentation, and physical controls. The technical examination is the verification layer that prevents documentation alone from establishing compliance. A contractor whose documentation describes encryption that is not actually deployed produces a finding when the technical examination reveals the gap.
How to Prepare for the Assessment
Preparation for a CMMC assessment is the substantive work that occupies the months, and frequently the years, preceding the formal engagement with a C3PAO. The preparation work is variously described as readiness, enablement, or implementation, and is performed by the contractor's internal team, often with consulting support from a credentialed practitioner. The full structure of a readiness engagement is described at CMMC Consulting Services.
Three preparation activities deserve particular attention. The first is scope reduction, which determines the boundary of the assessment. The boundary defines which assets, which users, and which locations are in scope, and the scope decision has the largest single influence on the cost and complexity of the assessment. A contractor whose scope captures the entire enterprise will incur substantially higher implementation cost and assessment cost than a contractor whose scope is correctly drawn around the systems that process Controlled Unclassified Information. Scope reduction is most effective when conducted early in the readiness process, before substantial implementation work has been performed.
The second preparation activity is documentation development. The SSP and POA&M are the two documents the assessment will examine first and last. The SSP must describe the contractor's actual environment with the level of specificity the assessment requires. The POA&M must accurately identify any controls not fully implemented, with the remediation steps and target completion dates. Developing these documents in parallel with the implementation work, rather than as a final step, produces documentation that reflects operational reality rather than documentation that aspires to a state the environment has not yet reached.
The third preparation activity is artifact collection. The assessment requires evidence that each control is operationally implemented, not merely documented. Building the evidence record requires structured collection of operational artifacts over time: signed procedures, log samples, training records, change control tickets, visitor logs, media sanitization records, and the operational documentation that demonstrates the controls have been functioning. The artifact record cannot be assembled in the final weeks before the assessment because some of the evidence requires demonstrated operation over a meaningful period.
Selecting a C3PAO for the Assessment
The contractor selects the C3PAO that performs the assessment. The selection is independent of any consulting engagement the contractor has entered for readiness work. The structural rule that separates consulting from assessment is examined in detail at CMMC Ecosystem Roles. The same firm cannot serve as both the consulting practitioner and the assessing C3PAO for the same contractor.
Selection of the C3PAO involves several considerations. The first is accreditation status, verified through the Cyber AB Marketplace. The second is current capacity, which has tightened substantially as the November 2026 transition has approached. The third is geographic reach for any required on-site assessment activity, and the fourth is the C3PAO's familiarity with environments similar to the contractor's, particularly for contractors with operational technology in scope or specialized industry characteristics.
The capacity dimension is worth flagging. The C3PAO market has finite assessment capacity, and the demand has accelerated as the certification deadlines have approached. Contractors that wait until close to a contract deadline frequently find the available C3PAOs scheduling assessments out further than the contract timeline allows. The capacity dynamics are addressed in the firm's white paper on CMMC Assessment Capacity.
What Happens If the Assessment Does Not Result in Certification
The framework provides for several outcomes from a Level 2 assessment. A finding that the contractor has fully met the 110 requirements produces a certification valid for three years. A finding that the contractor has met the substantial majority of requirements with limited gaps eligible for remediation may produce a conditional certification, with a defined period within which the gaps must be closed. A finding that the contractor has substantive gaps not eligible for the conditional pathway produces a non-certification outcome, requiring the contractor to perform additional implementation work before reassessment.
The financial implications of a non-certification outcome can be substantial. The C3PAO assessment fee has been incurred. The contractor remains ineligible for contracts requiring certification at the affected level until the gaps are remediated and reassessment produces certification. For contractors with active contract pursuits or pending awards dependent on certification, the timeline of the remediation and reassessment cycle can affect business outcomes directly.
The most reliable protection against a non-certification outcome is preparation that produces a defensible readiness posture before the formal assessment is scheduled. This is the substantive purpose of compliance consulting work and the reason contractors who attempt to schedule the formal assessment without prior readiness work frequently encounter outcomes that delay certification by many months and incur substantial avoidable cost.