What a CMMC Level 2 assessment actually looks like

Whether you self-assess or bring in a C3PAO, the method is the same: examine, interview, test, across 110 requirements. Here is the assessment day, walked through step by step, how scoring and Conditional status work, and how to arrive with every question already answered.

Last updated July 4, 2026 · ~8 minute read · Primary sources cited

3 assessment methods: examine, interview, test
110 requirements scored
88 minimum score for Conditional status
180 days to close POA&M items

The assessment, step by step

1. Readiness and scope confirmation

Before assessment day, the C3PAO confirms your authorization boundary: what is in scope, what is out, and where CUI lives. If your scope is unclear or your SSP is thin, this is where it stalls. Walk in with a tight boundary and a real SSP and the rest goes fast.

2. Examine

The assessor reads your evidence: the SSP, policies, configurations, diagrams, and artifacts. For each of the 110 requirements they check that what you claim is actually documented. This is 800-171A's examine method, and it is most of the work.

3. Interview

The assessor talks to your people (the admin who runs MFA, the owner who approves access, the person who handles incidents) to confirm the documented process is the real one. Rehearsed answers do not survive; lived processes do.

4. Test

The assessor watches things work: an account lockout, an encrypted drive, a log capturing an event, MFA challenging a login. Testing is where paper meets reality, and where thin implementations get found.

5. Scoring and result

Each requirement is scored met, not met, or partially met, and your total is tallied out of 110. You either pass, pass with Conditional status if you are at 88 or better with only POA&M eligible gaps, or you do not, with a clear list of what to fix.

6. POA&M closeout

If you file Conditional, every open item on your Plan of Action and Milestones must close within 180 days, and the assessor verifies it. Close them and you convert to Final. Miss the window and the status lapses.

Walk in with an Audit Room, not a shoebox

The Level 2 Accelerator bundles your SSP, inventory, diagram, POA&M, and evidence into one Audit Room with a manifest, mapped to every requirement an assessor examines, interviews, and tests. Assessment ready, and honest about where you stand.

Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

Questions, answered

Does CMMC Level 2 always require a C3PAO audit?

No. Many Level 2 contracts accept a self-assessment filed in SPRS with an annual affirmation and no third-party assessor. Others require certification by an accredited C3PAO. The same 110 requirements and the same evidence serve both, so you prepare once.

What are the three assessment methods?

NIST SP 800-171A defines three: examine (read your evidence), interview (talk to your people), and test (watch controls actually work). A C3PAO uses all three across your 110 requirements. The Audit Room is built so every one of them has an answer ready.

What score do I need to pass CMMC Level 2?

A perfect score is 110. You can achieve Conditional status at 88 or better if every remaining gap is POA&M eligible and closes within 180 days. A short set of requirements must be fully met and can never be deferred, and 5-point requirements cannot be POA&M'd. The platform runs this math live.

How do I walk into an assessment ready?

With a tight scope, a real SSP, evidence mapped to every requirement, and a POA&M for anything open, all in one place an assessor can walk. That is exactly what the Audit Room is: your SSP, inventory, diagram, POA&M, and evidence bundled with a manifest.

We say assessment ready, never guaranteed to pass. Outcome guarantees are prohibited in the CMMC ecosystem, and an honest platform will not make one.

Source: CMMC Assessment Guide Level 2 v2.13 · NIST SP 800-171A · 32 CFR § 170.24.