How to Conduct a CMMC Assessment

An important step toward achieving CMMC compliance at any level is to know what your starting point is. By accurately assessing your current state, you can figure out exactly what steps need to be taken to become compliant.


Before getting started, determine which level of CMMC compliance you need to attain.

  • Level 1: Compliance with this level demonstrates the basic cyber hygiene required for contractors receiving federal contract information (FCI). It covers 17 controls across six domains, including:
    • Access Control
    • Identification and Authentication
    • Media Protection
    • Physical Protection
    • System and Communications
    • System and Information Integrity
  • Level 3: This level is required for companies having controlled unclassified information (CUI) data. Compliance requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, and required training. It covers 130 controls across 17 domains, including:
    • Access Control
    • Asset Management
    • Awareness and Training
    • Audit and Accountability
    • Security Assessment
    • Configuration Management
    • Identification and Authentication
    • Incident Response
    • Maintenance
    • Media Protection
    • Physical Protection
    • Personnel Security
    • Recovery
    • Risk Management
    • Situational Awareness
    • System and Communications
    • System and Information Integrity


Assessment Process

In order to be successful, it’s important that everyone involved buys into the need for the assessment and is engaged in the process. We recommend the following approach.


Begin with an assessment kickoff, where you:

  • Provide an overview of the CMMC framework for the team members who may be included in the assessment process.
  • Outline the in-scope environment to guide the assessment team in formulating questions they should be asking about how you are controlling your data.
  • Identify points of contact across departments, including IT, your information security representative, and HR.
  • Discuss the information that will need to be shared as part of the process, including which artifacts are going to be required, and how they are going to be shared with the assessment team.
  • Craft a schedule and start planning your assessment interviews based on availability.


The assessment team then interviews key personnel, being sure to ask informed questions to confirm if you have the processes in place to meet the requirements of a control. If the point of contact for your organization is able to attest that you’ve met a specific control, the assessment team should make a note of the attestation, as well as note the relevant artifacts that should be collected to validate that attestation.

Examples of controls and related artifacts include:

  • Control: Complex password enforcement
    • Artifact: Group policy setting screenshot demonstrating that you have configured password complexity
  • Control: Training content
    • Artifact: Presentation that has been internally made, or a screenshot of a platform such as KnowBe4 or InfoSec


After interviews and follow-ups conclude, the assessment team begins analyzing the notes and compiling the initial scoring. Artifacts that have been submitted are analyzed to verify implementation. If an artifact was not submitted or was found to be improperly configured, the control would result in a failure. Keep in mind that to be considered compliant, your company must have the control fully implemented.


Once the assessment team has analyzed the data and scored the controls, the report is drafted. The draft report should include these elements.

  • Executive summary with an overall compliance breakdown for CMMC L1 or CMMC L3
  • DFARS Interim Scoring Rule with the score to be submitted into the Supplier Performance Risk System (SPRS)
  • Key observations and recommendations, including areas discovered where your company has its biggest compliance gaps
  • Detailed analysis of each practice, including observations on how your organization is meeting or not meeting a requirement. If a practice is not being met, a recommended action item is noted within the recommendations piece of the practice control

Once the draft report is complete, it should be released to your company’s leadership team and any other larger audience within your organization with ample time to review and provide feedback prior to submitting the final report.


The assessment team should then schedule one final meeting to present and discuss assessment results, key compliance findings, and the path forward for how your company can meet these requirements. This is also a great opportunity to field questions individuals may have with the compliance findings and recommendations.


CyberSheath finds the below schedule to be most successful in performing a CMMC compliance assessment.


Week What to do
  • Hold kickoff meeting
  • Confirm scope and objectives
  • Identify points of contact
  • Start collecting and reviewing artifacts
2 and 3
  • Conduct the security framework review
  • Schedule interviews and follow-ups
  • Analyze the data
  • Collect remaining artifacts
4 and 5
  • Write and issue draft report
  • Share with leadership and your greater audience to review the findings and provide feedback
  • Start writing your draft system security plan (SSP)
  • Issue your final draft report
  • Hold out-briefing to review high-level findings
  • Get sign-off from leadership
  • Start talking about your path forward to remediate compliance gaps
  • Document and finalize your SSP


If you need any assistance with your assessment to determine your CMMC readiness, contact the experts at CyberSheath. We have extensive experience helping organizations identify compliance gaps and craft remediation plans addressing issues.

CyberSheath’s Federal Enclave: The Fast Track to CMMC Compliance. Checkout the Enclave Whitepaper to Learn More.
This is default text for notification bar