Just 1,391 organizations held a final CMMC Level 2 certificate as of the Cyber AB’s May 2026 town hall, up 14% from the month before, with another 47 conditional certificates issued and 140 assessments still in progress. The Pentagon estimates roughly 80,000 organizations will eventually need that same certification. Every company that has already completed the process went through the same four phases that Fernando Machado will walk through at CMMC CON 2026.
Machado, Managing Principal and CISO at Cybersec Investments, an authorized CMMC Third-Party Assessment Organization (C3PAO), will lead a session on the CMMC Assessment Process on Sept. 23, 2026, at 10 a.m. EDT. His presentation focuses on the CMMC Assessment Process (CAP) document and the procedural guide that C3PAOs must follow when certifying an organization at Level 2.
The CAP matters now because assessments aren’t optional anymore. Companies handling controlled unclassified information need a third-party assessment from a C3PAO to bid on or maintain contracts with the Pentagon, and that assessment has to follow the CAP from start to finish.
Machado will break down all four phases of the CAP:
- Phase 1: conducting the pre-assessment
- Phase 2: assessing conformity to security requirements
- Phase 3: completing and reporting assessment results
- Phase 4: issuing the certificate and closing out plan of action and milestones items
For contractors who have spent months preparing system security plans and remediating gaps, this session covers what happens once the assessor arrives, viewed from the assessor’s side of the table.
Register now for CMMC CON 2026 to hear Machado explain how the CMMC assessment process works and what to expect when your organization’s turn comes
