Best Practices for CMMC Assessment Preparation

The best practices for CMMC assessment preparation are drawn from what C3PAO assessors consistently find, what contractors underestimate, and what separates organizations that pass CMMC Level 2 on the first attempt from those that don’t. With Phase 2 enforcement taking effect November 10, 2026, the contractors who treat this as a compliance program rather than a one-time audit are the ones who will still be eligible for new solicitations a year from now.

Key Takeaways

  • A gap assessment against NIST SP 800-171 is the right first step. It tells you which side of the 88-of-110 minimum score for a conditional Level 2 certification you’re on, and whether any of the gaps fall on requirements that cannot be deferred to a POA&M.
  • The SSP must reflect your environment as it actually operates, not as you intend it to.

Assessment

6 Best Practices for CMMC Phase 2 Assessment Preparation

The following practices reflect the DoD’s program guidance and the experience our team accumulated during our own CMMC Level 2 assessment – which produced 110 controls met and zero open POA&Ms on the first attempt.

1. Start the C3PAO scheduling process now.

C3PAO scheduling lead times for new clients are growing. Contractors who wait until late 2026 to contact an authorized C3PAO risk not having a completed assessment before the deadline.

The CMMC Accreditation Body maintains an authorized provider marketplace at cyberAB.org where contractors can identify and engage C3PAOs. Start having conversations now, even if your remediation work isn’t complete.

Many C3PAOs can help you scope your assessment and hold a place in their queue while your preparation continues. If you wait until you feel fully ready to make contact, the earliest available assessment date may be months later than you need.

2. Run a gap assessment against NIST SP 800-171 before anything else.

A NIST 800-171 gap assessment maps your current controls against all 110 requirements and identifies what needs remediation before you can get your certification.

Most organizations, even those with mature IT programs, find gaps. Even ISO 27001-certified organizations find that CMMC Level 2 requires a different depth of documentation, not just more of the same.

Under the CMMC program rule (32 CFR Part 170), a conditional Level 2 certification requires a score of at least 88 of the 110 requirements, with restrictions on which requirements may be deferred to a POA&M and a 180-day window to close any POA&M items and convert the conditional status to a final one. DFARS 252.204-7021 is the contract clause that makes holding the required CMMC status a condition of award.

A gap assessment tells you which side of that threshold you’re on – before your C3PAO arrives.

3. Build an SSP that reflects your actual posture.

A System Security Plan is the foundational document for any CMMC Level 2 assessment. It should identify every system in scope, describe how each of the 110 controls is implemented or address deviations, define your CUI boundary, and detail connections to external systems and vendors.

C3PAO assessors read the SSP before your assessment week begins. A strong SSP means that they begin with a clear understanding of your environment and can focus on verification. A weak one means the interview week is spent correcting the record instead of confirming it.

As Reid Johnston, Teal cofounder and CITO, put it after leading Teal’s own assessment, “The level of documentation expected for a CMMC Level 2 assessment was very significant and detailed. The things we were already doing just weren’t enough. We needed to do more.” That was after an ISO 27001 certification.

Build your SSP early, build it to reflect your current reality, and update it regularly as your environment changes.

4. Treat subcontractor compliance as part of your own program.

DFARS 252.204-7021 requires the CMMC clause to flow down to every subcontractor that will process, store, or transmit FCI or CUI under the contract. A subcontractor whose own subcontractors are not certified, or whose certification lapses, creates compliance exposure for itself and for the prime that relies on it. Annual SPRS affirmations of continuing compliance are required at every tier of the supply chain, not just of the prime.

Your compliance program can’t stop at your own perimeter. Third-party and supply chain risk is assessed, not assumed away. You need visibility into which subcontractors touch CUI, whether their certifications are current, and how their posture changes over the contract lifecycle.

5. Establish continuous monitoring as a standing program.

Your CMMC Level 2 certification is valid for three years; however, the posture that earned it needs to be maintained throughout the contract lifecycle. Contract option periods can trigger fresh reviews, security events create gaps that didn’t exist during the assessment, and personnel changes affect documentation accuracy. So, a certification earned in Q1 of year one won’t reflect your environment in Q3 of year two if you’re not actively updating your records.

What does that continuous monitoring look like? It means that you’re:

  • Updating the SSP when systems change.
  • Documenting deviations from your security baseline when they occur (rather than after the fact).
  • Running internal audits between formal assessments.
  • Maintaining evidence that controls are operating as documented.

Organizations that discover a posture gap during a contract option review – rather than finding and closing it in advance – have fewer remediation options.

6. Maintain Level 1 self-assessment rigor in parallel.

For contractors that handle both Federal Contract Information (FCI) and CUI, CMMC Level 1 annual self-assessments remain a separate obligation under DFARS 252.204-7021. Level 1 covers the 15 basic safeguarding requirements from FAR 52.204-21, and the self-assessment result must be entered and affirmed annually in SPRS.

A lapsed annual affirmation creates a compliance gap independent of Level 2 certification status. Organizations that operate across both FCI and CUI contract types need a compliance calendar that accounts for both of these cycles, as well as a designated member of your staff who is responsible for each.

Roadblocks

Common Challenges in CMMC Level 2 Preparation

Even contractors who understand CMMC requirements in theory find the execution harder than expected. These are the specific points where CMMC preparation most commonly breaks down, and where the gap between organizations that pass on the first attempt and those that don’t tends to widen.

Visibility gaps across the IT environment.

Many contractors lack a complete and current inventory of their systems, endpoints, and configurations. Assets that exist outside of formal inventories create scope blind spots, and C3PAO assessors find them. CMMC Level 2 requires maintained baseline configurations and inventories under the NIST 800-171 Configuration Management (CM) family, specifically CM.L2-3.4.1. Organizations that can’t produce an accurate inventory of their environment can’t accurately scope their assessment.

This is a process problem. Asset inventories that aren’t updated when systems change (or that don’t account for cloud services, contractor-managed tools, or remote endpoints) produce an inaccurate SSP. That mismatch is one of the most consistent sources of assessment findings.

Reliance on “point-in-time” assessments.

Traditional compliance programs run periodic reviews, such as a gap assessment in Q1 and then an internal audit in Q3. The problem is that your security posture changes all the time. A configuration that was good in January may have drifted significantly by June. An authentication control that was enforced during the assessment may have been switched off for a temporary business need and never turned back on. These snapshots go stale.

Organizations that treat compliance as a “point-in-time” exercise will find that their renewal assessments require significantly more work than preparing for their initial certification.
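The two failure modes above (assets that never made it into the SSP, and documented settings that have quietly drifted) are both caught by the same routine check: reconcile what the SSP documents against what discovery tooling reports right now, and do it on a schedule rather than once before the assessment. The following is an added example written for this page, not code from the article or from Teal; the inventory and discovery data are constructed, and the mapping from a setting to a CMMC practice ID is ours for illustration (the IDs themselves are real Level 2 practice identifiers).

```python
"""Reconcile an SSP's documented inventory and baseline against a discovered
snapshot, flagging scope blind spots and configuration drift."""
from dataclasses import dataclass

# Constructed sample data. SSP_INVENTORY is what the SSP documents: which
# assets sit inside the CUI boundary and the baseline each should run with.
SSP_INVENTORY = {
    "ws-eng-01": {"in_cui_scope": True,
                  "baseline": {"mfa_enforced": True, "disk_encryption": True, "fips_mode": True}},
    "fs-cui-01": {"in_cui_scope": True,
                  "baseline": {"mfa_enforced": True, "disk_encryption": True, "fips_mode": True}},
    "srv-legacy-03": {"in_cui_scope": True,
                      "baseline": {"mfa_enforced": True, "disk_encryption": True, "fips_mode": True}},
    "ws-fin-02": {"in_cui_scope": False,
                  "baseline": {"mfa_enforced": True, "disk_encryption": True, "fips_mode": False}},
}

# DISCOVERED stands in for a current export from MDM/EDR/cloud inventory:
# what is actually present today and how it is configured.
DISCOVERED = {
    "ws-eng-01": {"mfa_enforced": False, "disk_encryption": True, "fips_mode": True},   # MFA "temporarily" off
    "fs-cui-01": {"mfa_enforced": True, "disk_encryption": True, "fips_mode": True},
    "ws-fin-02": {"mfa_enforced": True, "disk_encryption": False, "fips_mode": False},
    "lt-contractor-07": {"mfa_enforced": True, "disk_encryption": False, "fips_mode": False},  # never added to SSP
}

# Illustrative mapping (our assumption) from a setting to the practice an
# assessor would tie a finding to.
PRACTICE_FOR_SETTING = {
    "mfa_enforced": "IA.L2-3.5.3",
    "disk_encryption": "SC.L2-3.13.16",
    "fips_mode": "SC.L2-3.13.11",
}


@dataclass
class Finding:
    asset: str
    kind: str       # "unscoped_asset", "stale_ssp_entry" or "drift"
    severity: str   # "high", "medium" or "info"
    detail: str


def reconcile(ssp: dict, discovered: dict) -> list[Finding]:
    """Compare documented and observed state; return every mismatch."""
    findings: list[Finding] = []
    # Present in the environment but absent from the SSP: scope blind spot.
    for host in sorted(set(discovered) - set(ssp)):
        findings.append(Finding(host, "unscoped_asset", "high",
                                "discovered but not documented in the SSP; scope undetermined"))
    # Documented but no longer discoverable: the SSP no longer reflects reality.
    for host in sorted(set(ssp) - set(discovered)):
        findings.append(Finding(host, "stale_ssp_entry", "medium",
                                "documented in the SSP but not seen by discovery"))
    # Documented and present: check each baseline setting for drift.
    for host in sorted(set(ssp) & set(discovered)):
        in_scope = ssp[host]["in_cui_scope"]
        for setting, expected in ssp[host]["baseline"].items():
            actual = discovered[host].get(setting)
            if actual != expected:
                practice = PRACTICE_FOR_SETTING.get(setting, "unmapped")
                findings.append(Finding(host, "drift", "high" if in_scope else "info",
                                        f"{setting}: documented {expected}, observed {actual} ({practice})"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, for a trend line between formal assessments."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(SSP_INVENTORY, DISCOVERED)
    for f in results:
        print(f"[{f.severity:>6}] {f.kind:<16} {f.asset:<18} {f.detail}")
    print(summarize(results))
```

Run on a schedule, the "unscoped_asset" findings are the ones to act on first: until an asset is placed inside or outside the CUI boundary in the SSP, you cannot say whether its drift matters. Keeping each run's output as evidence also gives you the record of continuous monitoring that an assessor will ask for.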

Third-party and supply chain risk.

Managing your supply chain risk under CMMC requires a clear understanding of which vendors and subcontractors touch your CUI environment, verification of their certification status before award, and contractual language that gives you the right to verify their posture throughout the contract lifecycle.

The DoD CIO’s CMMC Scoping Guide (Level 2) requires that any third party with access to CUI or the systems that process it be accounted for in your assessment scope. That obligation doesn’t disappear just because a vendor is trusted.

Evidence collection and documentation burden.

C3PAO assessments require documented evidence that every assessed control is implemented and operating. Per DoD CIO guidance in the CMMC Assessment Guide Level 2, no drafts, working papers, or unofficial policies are accepted. For 110 controls across 320 assessment objectives, that’s a significant evidence library to build, maintain, and organize.

Contractors that try to collect evidence retroactively – reconstructing change histories, assembling screenshots after the fact, finalizing policies that should have been approved months earlier – will likely spend the weeks before their assessment in panic mode.

Hiring a CMMC managed services provider.

For most small defense contractors, building and sustaining a CMMC Level 2 compliance program in-house isn’t realistic. The expertise required is highly specific, and the cost of building that capability in-house typically exceeds the cost of engaging a qualified managed services provider.

However, not all MSPs understand CMMC. A managed IT services provider that implements security controls but can’t produce the documentation a C3PAO needs – or one that isn’t itself certified – can easily create gaps that show up on your assessment day.

When evaluating a CMMC MSP, you should be asking a lot of questions, such as:

  • Have they been through a Level 2 assessment themselves?
  • Can they demonstrate 110-control coverage with documented evidence?
  • Do they provide a Shared Responsibility Matrix (SRM) that defines which compliance tasks they own versus which you own?

Not sure whether your MSP candidates can deliver on CMMC? This checklist walks DIB contractors through the questions that separate qualified managed IT providers from those figuring it out alongside you.  

Where To Go from Here

Certification is achievable for defense contractors that approach CMMC compliance as an ongoing program – documented, continuous, and built around how their environment operates. The contractors best positioned for Phase 2 enforcement are those who started scoping early, whose SSP reflects their current environment, and who have built evidence collection into how they operate between assessments.

Teal achieved CMMC Level 2 with 110 controls met and zero open POA&Ms on the first attempt. If your organization is working toward Level 2, start with a gap assessment against NIST SP 800-171. Explore how we can help through our CMMC managed services or contact our CMMC team to talk through where your program stands today.


Cayden Crowise is a marketing copywriter at Teal with over three years of experience creating content focused on managed IT services, AI, automation, cybersecurity, compliance frameworks, and emerging technologies.

Trained in professional writing and marketing communications, Cayden specializes in translating complex topics into outcome-focused guidance for IT leaders, executives, government contractors, and growing organizations.

Their work supports businesses navigating security risk, operational maturity, and business growth.
