The CMMC audit (officially called an "assessment") is the formal evaluation that determines whether your organization meets the cybersecurity requirements needed to handle Controlled Unclassified Information (CUI) under DoD contracts. For most Level 2 contracts this means a third-party assessment by an accredited C3PAO; a limited set of lower-risk Level 2 contracts allow self-assessment instead. For Level 1 it is a self-assessment, but the documentation requirements are still significant.
This guide covers the full assessment process from pre-audit preparation through final certification, including the specific areas assessors focus on, the most common reasons companies fail, and what you can do now to make sure you pass.
CMMC Assessment Types
The type of assessment you need depends on your CMMC level:
| CMMC Level | Assessment Type | Who Conducts It | Applies To |
|---|---|---|---|
| Level 1 | Annual Self-Assessment | Your organization | Contractors handling only FCI (Federal Contract Information) |
| Level 2 | Third-Party Assessment (C3PAO) | Accredited C3PAO | Contractors handling CUI — the majority of defense subcontractors |
| Level 2 | Self-Assessment (select contracts) | Your organization | Lower-risk CUI contracts (determined by DoD, not the contractor) |
| Level 3 | Government-Led Assessment (DIBCAC) | DoD DIBCAC | Contractors handling highest-sensitivity CUI programs |
Most defense subcontractors will need a Level 2 third-party assessment. This is the assessment this guide focuses on, though much of the preparation advice applies to all levels.
What is a C3PAO and How to Choose One
A C3PAO (CMMC Third-Party Assessor Organization) is a company accredited by the Cyber AB (formerly the CMMC Accreditation Body) to conduct official CMMC assessments. For Level 2 certification, only an assessment conducted by an accredited C3PAO counts; Level 3 assessments are led by DIBCAC and build on a Level 2 certification.
Finding a C3PAO
The Cyber AB maintains the official marketplace of accredited C3PAOs at cyberab.org/marketplace. As of 2026, there are roughly 50-60 accredited C3PAOs, with more being added quarterly. When selecting one, consider:
- Industry experience: Some C3PAOs specialize in manufacturing, others in IT services or engineering firms. Choose one familiar with your type of business.
- Team size: A larger team can typically schedule your assessment sooner and complete it faster.
- Geographic location: While assessments can be conducted remotely for some components, the physical security review requires on-site presence. A nearby C3PAO reduces travel surcharges.
- Availability: Demand for C3PAOs exceeds supply. Start reaching out 3-6 months before your target assessment date.
- Independence: Your C3PAO cannot be the same firm that helped you prepare for the assessment. CMMC rules require separation between consulting and assessment.
The CMMC Audit Process: Step by Step
A typical Level 2 third-party assessment follows this timeline:
Phase 1: Pre-Assessment (4-8 weeks before)
- Engagement: Sign a contract with your chosen C3PAO. They'll provide a scope worksheet to define the assessment boundary.
- Scope definition: Identify exactly which systems, people, and facilities are in scope. This is where an enclave approach can dramatically reduce your scope.
- Document submission: Submit your System Security Plan (SSP), Plan of Action & Milestones (POA&M), and supporting evidence to the C3PAO for review before the on-site assessment.
- Logistics: Schedule on-site dates, identify key personnel who need to be available, and prepare conference room space for the assessors.
Phase 2: Assessment Execution (3-5 days on-site)
The on-site assessment typically runs 3-5 business days for a mid-size organization. The assessment team (usually 2-3 assessors) will:
- Opening meeting: Review scope, schedule, and expectations with your leadership team.
- Document review: Examine your SSP, policies, procedures, and evidence artifacts against each of the 110 NIST SP 800-171 practices, using the assessment objectives in NIST SP 800-171A as the checklist.
- Technical testing: Verify that controls are actually implemented — checking configurations, access controls, encryption settings, logging, and monitoring.
- Personnel interviews: Talk to system administrators, security staff, and end users to verify they understand and follow the documented procedures.
- Physical walkthrough: Inspect facilities for physical security controls — locked server rooms, visitor logs, clean desk policies, media destruction procedures.
- Closing meeting: Present preliminary findings per practice (MET or NOT MET) and whether the result is on track for certification, conditional certification with a POA&M, or a failed assessment.
Phase 3: Post-Assessment (2-4 weeks after)
- Final report: The C3PAO submits their assessment report to the Cyber AB within 20 business days.
- Quality review: The Cyber AB reviews the report for completeness and consistency.
- Certification decision: Three possible outcomes — certified, conditional (must close POA&M items within 180 days), or not certified.
- Certificate issued: Valid for 3 years, with annual affirmation required.
What CMMC Assessors Actually Look For
For each of the 110 practices, assessors work through the assessment objectives from NIST SP 800-171A using three methods: examine (documents and configurations), interview (the people who operate the control), and test (exercise the control and observe the result). A practice is scored MET only when every objective beneath it is satisfied, so "documented, implemented, and effective" all have to hold at once. Here are the areas that get the most scrutiny:
The Top 5 Focus Areas
1. Access Control (AC) — 22 practices
The largest practice family. Assessors check role-based access, least privilege enforcement, session lock and termination, remote access controls, wireless restrictions, and mobile device policies. Expect them to pull the current user and group listing from your directory and identity provider and compare it against job roles to verify that no account, including service accounts, holds access its role does not justify.
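The access comparison described above is something you can run yourself before the assessor does. The script below is an added example, not code from the original article: it takes a directory or IdP group export and the role-to-group matrix documented in the SSP and reports every account whose access its role does not justify. The users, groups, role matrix and the 90-day stale threshold are constructed assumptions; substitute your own export and policy values.

```python
"""Access review: compare an exported account list against the role-to-group
matrix documented in the SSP and flag accounts whose access their role does not
justify (AC.L2-3.1.1 authorized access, AC.L2-3.1.5 least privilege).

Added example, not code from the original article. The users, groups and the
role matrix are constructed sample data; the stale-account threshold is an
assumption standing in for whatever your access-control policy states.
"""
import csv
import io
from collections import defaultdict

# Assumption: the role matrix as documented in the SSP (role -> groups allowed).
ROLE_MATRIX = {
    "engineer":   {"cui-share-rw", "vpn-users"},
    "accounting": {"erp-users", "vpn-users"},
    "sysadmin":   {"domain-admins", "cui-share-rw", "vpn-users", "erp-users"},
}

# Groups that grant privileged access; holding one is its own finding unless
# the account's role allows it, even when the matrix check already flags it.
PRIVILEGED_GROUPS = {"domain-admins"}

# Constructed sample of a directory/IdP export. Semicolons separate groups.
SAMPLE_EXPORT = """\
username,role,groups,last_logon_days
alice,engineer,cui-share-rw;vpn-users,3
bob,accounting,erp-users;vpn-users;domain-admins,12
carol,sysadmin,domain-admins;cui-share-rw;vpn-users,1
dave,engineer,cui-share-rw;vpn-users;erp-users,120
svc-backup,,cui-share-rw,400
"""


def parse_export(text):
    """Turn the CSV export into dicts with the group list as a set."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "role": row["role"].strip(),
            "groups": {g for g in row["groups"].split(";") if g},
            "last_logon_days": int(row["last_logon_days"]),
        })
    return rows


def review_access(rows, stale_days=90):
    """Return {username: [finding, ...]} for every account needing action.

    Accounts with no findings are omitted, so an empty dict means the export
    matches the documented matrix.
    """
    findings = defaultdict(list)
    for r in rows:
        name = r["username"]
        allowed = ROLE_MATRIX.get(r["role"])
        if allowed is None:
            # Service accounts and unmapped roles must still be documented.
            findings[name].append("no documented role")
            allowed = set()
        excess = r["groups"] - allowed
        if excess:
            findings[name].append("excess groups: " + ",".join(sorted(excess)))
        unjustified_priv = (r["groups"] & PRIVILEGED_GROUPS) - allowed
        if unjustified_priv:
            findings[name].append("privileged group without privileged role")
        if r["last_logon_days"] > stale_days:
            findings[name].append(f"inactive > {stale_days} days")
    return dict(findings)


if __name__ == "__main__":
    for user, issues in review_access(parse_export(SAMPLE_EXPORT)).items():
        print(f"{user}: {'; '.join(issues)}")
```

Keep the dated output together with the ticket or change record for each flagged account; the comparison alone is not evidence, the comparison plus the action taken is.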
2. System & Communications Protection (SC) — 16 practices
Encryption is the big one here. Assessors verify that CUI at rest and in transit is protected with FIPS 140-2 or FIPS 140-3 validated cryptographic modules (SC.L2-3.13.11): they will ask for the CMVP certificate number for the module and for evidence that the product is actually running in FIPS mode, not merely capable of it. They'll check TLS configurations, VPN settings, and email encryption. They also look at network segmentation: is your CUI environment properly isolated from the rest of the business?
3. Audit & Accountability (AU) — 9 practices
You need logs, and you need to be reviewing them. Assessors check what events are logged, how long logs are retained and whether that matches the period your policy states (NIST SP 800-171 does not prescribe a fixed retention period; it holds you to the one you documented), who reviews them and how often, and whether alerts are configured for suspicious activity. Simply having a SIEM isn't enough: you must produce records showing that reviews happened and what was done about the findings.
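What "evidence of review" looks like in practice is a detection pass over the logs plus a signed record of dispositions. The following is an added example, not code from the original article: it runs three simple rules over a constructed authentication log (a failure burst followed by success, a privileged logon after hours, an audit log being cleared) and refuses to produce the review record until every alert has a recorded action. The log format, field names, thresholds and business hours are assumptions.

```python
"""Log review with a written record: run detection rules over an authentication
log sample and produce the review artifact assessors ask for under AU (who
reviewed, when, what was found, what was done).

Added example, not code from the original article. The log lines, field names,
thresholds and business hours are constructed assumptions; substitute the
events your SSP says you log and the review cadence your policy states.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value log sample (timestamps in UTC). Lines are deliberately
# not in time order; the parser sorts them.
SAMPLE_LOG = """\
2026-03-02T08:59:10Z host=fs01 event=logon_failure user=jsmith src=10.0.5.23
2026-03-02T08:59:14Z host=fs01 event=logon_failure user=jsmith src=10.0.5.23
2026-03-02T08:59:19Z host=fs01 event=logon_failure user=jsmith src=10.0.5.23
2026-03-02T08:59:25Z host=fs01 event=logon_failure user=jsmith src=10.0.5.23
2026-03-02T08:59:30Z host=fs01 event=logon_failure user=jsmith src=10.0.5.23
2026-03-02T08:59:41Z host=fs01 event=logon_success user=jsmith src=10.0.5.23
2026-03-02T09:15:02Z host=dc01 event=logon_success user=carol src=10.0.1.9 privileged=true
2026-03-02T23:42:55Z host=dc01 event=logon_success user=carol src=203.0.113.7 privileged=true
2026-03-02T23:43:10Z host=dc01 event=audit_log_cleared user=carol
2026-03-02T10:01:00Z host=fs01 event=logon_success user=alice src=10.0.5.40
"""


def parse_line(line):
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r["ts"])


def detect(records, fail_threshold=5, window=timedelta(minutes=5),
           business_hours=(7, 19)):
    """Return a list of (rule, user, where) alerts. The rules are deliberately
    simple; the point is that each maps to a documented review item."""
    alerts = []
    failures = defaultdict(list)           # (user, src) -> failure timestamps
    for r in records:
        key = (r.get("user"), r.get("src"))
        if r["event"] == "logon_failure":
            failures[key].append(r["ts"])
        elif r["event"] == "logon_success":
            # Rule 1: a burst of failures then success from the same source is
            # a password-guessing success until proven otherwise.
            recent = [t for t in failures[key]
                      if timedelta(0) <= r["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("brute_force_then_success", r["user"], r["src"]))
            failures[key].clear()
            # Rule 2: privileged logon outside business hours.
            if r.get("privileged") == "true" and not (
                    business_hours[0] <= r["ts"].hour < business_hours[1]):
                alerts.append(("privileged_logon_after_hours", r["user"], r["src"]))
        elif r["event"] == "audit_log_cleared":
            # Rule 3: clearing the audit log is always reportable (AU.L2-3.3.8).
            alerts.append(("audit_log_cleared", r["user"], r["host"]))
    return alerts


def review_record(alerts, reviewer, reviewed_on, dispositions):
    """Build the evidence artifact. Every alert must carry a disposition
    (what was done) before the record can be signed off."""
    missing = [a for a in alerts if a not in dispositions]
    if missing:
        raise ValueError(f"alerts without disposition: {missing}")
    return {
        "reviewer": reviewer,
        "reviewed_on": reviewed_on,
        "entries": [{"alert": a, "action": dispositions[a]} for a in alerts],
    }


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    actions = {a: "ticket opened, account disabled pending IR" for a in found}
    print(review_record(found, "security-analyst", "2026-03-03", actions))
```

The refusal in `review_record` is the design point: a review that finds alerts and records nothing about them is exactly the "SIEM exists but nobody acts on it" finding described above.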
4. Identification & Authentication (IA) — 11 practices
Multi-factor authentication is required for network access by every account and for local access to privileged accounts (IA.L2-3.5.3); in practice that means every user reaching CUI systems remotely or administratively. Assessors will verify MFA configurations, password policies, account lockout settings, and that service accounts are properly managed.
5. Configuration Management (CM) — 9 practices
Assessors want to see hardened baselines (CIS benchmarks or DISA STIGs), documented change management processes, and evidence that unauthorized changes are detected and investigated. They'll compare actual configurations against your documented baselines.
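The baseline comparison is mechanical enough to script, and doing so also answers the session-lock mismatch listed later under common failures and the "verify all systems are in their documented configurations" step of final prep. The block below is an added example, not code from the original article: it checks per-host setting exports against a documented baseline in the direction the baseline allows (a lock timeout may be shorter than documented, never longer) and treats a setting that was never collected as drift rather than as a pass. The baseline values and host exports are constructed assumptions.

```python
"""Configuration drift check: compare what each in-scope host actually has
configured against the baseline documented in the SSP, in the direction the
baseline allows.

Added example, not code from the original article. The baseline values and the
per-host exports are constructed; 300 seconds, 14 characters and the lockout
bounds are assumptions standing in for your own documented baseline.
"""
import operator

OPS = {
    "eq": operator.eq,
    "le": operator.le,
    "ge": operator.ge,
    "between": lambda actual, bounds: bounds[0] <= actual <= bounds[1],
}

# Documented baseline: setting -> (comparison, required value).
BASELINE = {
    "session_lock_seconds":  ("le", 300),          # AC.L2-3.1.10 session lock
    "fips_mode":             ("eq", True),         # SC.L2-3.13.11 FIPS-validated crypto
    "mfa_required_network":  ("eq", True),         # IA.L2-3.5.3 MFA for network access
    "password_min_length":   ("ge", 14),           # IA.L2-3.5.7 password complexity
    "lockout_threshold":     ("between", (1, 5)),  # AC.L2-3.1.8; 0 means disabled
    "audit_logging":         ("eq", True),         # AU.L2-3.3.1
}

# Constructed exports, as a collection script might dump them per host.
SAMPLE_EXPORTS = {
    "ws-eng-01": {"session_lock_seconds": 300, "fips_mode": True,
                  "mfa_required_network": True, "password_min_length": 14,
                  "lockout_threshold": 5, "audit_logging": True},
    # Policy says 5 minutes, host is set to 30; lockout disabled.
    "ws-eng-02": {"session_lock_seconds": 1800, "fips_mode": True,
                  "mfa_required_network": True, "password_min_length": 14,
                  "lockout_threshold": 0, "audit_logging": True},
    # FIPS mode off; lockout setting absent from the export entirely.
    "fs01":      {"session_lock_seconds": 300, "fips_mode": False,
                  "mfa_required_network": True, "password_min_length": 16,
                  "audit_logging": True},
}


def check_host(actual, baseline=BASELINE):
    """Return {setting: (actual_value, required_value)} for every deviation.
    A setting missing from the export is reported as drift too: "not
    collected" is not evidence of compliance."""
    drift = {}
    for setting, (op, required) in baseline.items():
        if setting not in actual:
            drift[setting] = ("missing", required)
        elif not OPS[op](actual[setting], required):
            drift[setting] = (actual[setting], required)
    return drift


def check_fleet(exports, baseline=BASELINE):
    """Hosts with no drift are omitted, so an empty result is a clean fleet."""
    result = {}
    for host, cfg in exports.items():
        drift = check_host(cfg, baseline)
        if drift:
            result[host] = drift
    return result


if __name__ == "__main__":
    for host, drift in check_fleet(SAMPLE_EXPORTS).items():
        for setting, (actual, required) in drift.items():
            print(f"{host}: {setting} is {actual!r}, baseline requires {required!r}")
```

Run it against a fresh export the week before the on-site visit and keep both the export and the output; together they are the CM evidence that unauthorized changes are detected, and the empty-result case is the evidence that the fleet matched on that date.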
Top 10 Reasons Companies Fail CMMC Audits
Based on published assessment results and industry consultant data, these are the most common findings:
- Incomplete System Security Plan (SSP). The SSP is the foundation of your assessment. If it's vague, outdated, or missing practice descriptions, assessors start with a negative impression. Every practice must have a detailed description of how it's implemented in your specific environment.
- No evidence of log review. Having logging enabled isn't the same as monitoring. You need documented evidence that someone reviews logs at the frequency your policy states, with records of what was found and any actions taken.
- MFA gaps. MFA is required for all network access and for privileged access of any kind. Companies often miss VPN access, cloud admin consoles, service accounts with interactive login, and third-party vendor access.
- Encryption not FIPS-validated. Using AES-256 isn't sufficient unless the implementation is a FIPS 140-2 or 140-3 validated module and is operating in FIPS mode. Many commercial tools ship strong algorithms in modules that were never submitted to CMVP. Assessors check the specific module and certificate, not just the algorithm.
- Scope creep. CUI lives in more places than you think — email archives, file shares, backup tapes, personal devices, and shared printers. If CUI touches it, it's in scope. Companies that don't do thorough data flow mapping get caught with unprotected CUI outside their declared boundary.
- Policies exist but aren't followed. Having a policy document isn't enough. Assessors interview users and inspect systems to check whether procedures are actually followed. If your session lock policy says "lock screens after 5 minutes" but workstations are configured for 30, that's a finding.
- Outdated software and missing patches. Vulnerability management is assessed by looking at actual scan results and patch timelines against the remediation timeline your own policy documents (NIST SP 800-171 sets no fixed number of days). If scans show critical vulnerabilities open longer than your documented window, expect a finding.
- Inadequate incident response plan. Plans that are generic templates with no company-specific procedures, contact information, or evidence of testing (tabletop exercises) will fail the assessment.
- Physical security gaps. Unlocked server rooms, no visitor logs, shared badge access, and lack of media destruction procedures. These are quick checks that assessors do during the walkthrough.
- No separation between personal and CUI systems. Employees accessing CUI from personal devices without proper MDM controls, or CUI data stored on systems that also handle non-controlled work without proper segmentation.
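The patch-timeline point above is easiest to defend with your own aging report. The script below is an added example, not code from the original article: it reads a scanner export, applies the per-severity remediation timeline from your policy, and lists open findings that have exceeded it, most overdue first, with the review date recorded as an explicit input. The export, the SLA table and the finding identifiers are constructed placeholders, not real advisories.

```python
"""Vulnerability-aging check: which open findings are past the remediation
timeline your own policy documents, by severity. NIST SP 800-171 sets no fixed
number of days; assessors test you against the timeline you wrote down, so the
check is parameterized by that table.

Added example, not code from the original article. The scan export and the
SLA table are constructed assumptions; the finding identifiers are
placeholders, not real advisories.
"""
import csv
import io
from datetime import date

# Assumption: remediation timelines (days) from the vulnerability management policy.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed scanner export.
SAMPLE_SCAN = """\
host,finding,severity,first_seen,status
fs01,VULN-001,critical,2026-01-10,open
fs01,VULN-002,high,2026-02-20,open
ws-eng-02,VULN-003,medium,2025-11-01,open
ws-eng-02,VULN-004,critical,2026-02-25,fixed
dc01,VULN-005,low,2026-01-01,open
"""


def parse_scan(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({**row, "first_seen": date.fromisoformat(row["first_seen"])})
    return rows


def overdue_findings(rows, as_of, sla=SLA_DAYS):
    """Return open findings older than their severity's SLA, most overdue first.
    `as_of` is the review date (ISO string or date); it is an explicit input so
    the artifact records when the aging was computed."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    overdue = []
    for r in rows:
        if r["status"] != "open":
            continue
        age = (as_of - r["first_seen"]).days
        limit = sla[r["severity"]]
        if age > limit:
            overdue.append({"host": r["host"], "finding": r["finding"],
                            "severity": r["severity"], "age_days": age,
                            "sla_days": limit, "overdue_by": age - limit})
    return sorted(overdue, key=lambda f: f["overdue_by"], reverse=True)


def summary(overdue):
    """Count of overdue findings per severity, for the metrics page of the record."""
    counts = {}
    for f in overdue:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    late = overdue_findings(parse_scan(SAMPLE_SCAN), "2026-03-02")
    for f in late:
        print(f"{f['host']} {f['finding']} ({f['severity']}): {f['age_days']}d open, "
              f"SLA {f['sla_days']}d, overdue by {f['overdue_by']}d")
    print(summary(late))
```

An item that is overdue but has a documented risk acceptance or a POA&M entry is not automatically a finding; the point of the report is that you know it is late before the assessor does and can show what you decided.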
How to Prepare for Your CMMC Audit
Start preparation at least 6 months before your target assessment date. Here's the preparation timeline:
6 Months Before: Gap Analysis
- Conduct a thorough gap analysis against all 110 Level 2 practices
- Map all CUI data flows to define your assessment boundary
- Identify your biggest gaps and estimate remediation timelines
- Begin C3PAO selection — reach out to 3-5 candidates for quotes
4 Months Before: Remediation
- Close the gaps identified in your analysis — implement missing controls, update configurations, deploy new tools where needed
- Draft or update your System Security Plan to reflect current reality
- Create or update all required policies and procedures
- Begin collecting evidence artifacts (screenshots, configuration exports, log samples)
2 Months Before: Mock Assessment
- Conduct a full mock assessment — either internal or with a consultant (not your C3PAO)
- Test every practice: documentation, implementation, and effectiveness
- Interview key personnel to verify they can explain procedures
- Fix any remaining issues found during the mock
2 Weeks Before: Final Prep
- Submit all documentation to your C3PAO per their requirements
- Brief all in-scope personnel on what to expect during the assessment
- Verify all systems are in their documented configurations
- Prepare your evidence binder (physical or digital) organized by practice family
- Designate a single point of contact to coordinate with assessors on-site
CMMC Audit Costs
Assessment costs vary significantly based on organization size, scope, and C3PAO pricing:
| Cost Component | Small (<50 people) | Mid-Size (50-250) | Large (250+) |
|---|---|---|---|
| C3PAO Assessment Fee | $20,000 - $40,000 | $40,000 - $80,000 | $80,000 - $150,000+ |
| Pre-Assessment Consulting | $10,000 - $25,000 | $25,000 - $60,000 | $60,000 - $120,000 |
| Remediation (tools, configs) | $15,000 - $50,000 | $50,000 - $150,000 | $150,000 - $500,000+ |
| Internal Staff Time | 200 - 500 hours | 500 - 1,500 hours | 1,500 - 5,000 hours |
| Total Cost Range | $45,000 - $115,000 | $115,000 - $290,000 | $290,000 - $770,000+ |
These costs cover the full cycle: preparation, remediation, and the assessment itself. The assessment fee alone is typically 30-40% of the total. For a detailed breakdown of all compliance costs, see our CMMC Cost Breakdown.
POA&M: What If You Don't Pass Everything?
A Plan of Action & Milestones (POA&M) lets you achieve conditional certification even with some open findings, but the rule sets strict limits. The assessment must score at least 88 of 110 under the DoD Assessment Methodology, and:
- POA&M items must be closed within 180 days of the assessment
- You cannot have POA&M items for practices the rule excludes: broadly, any practice with a point value greater than 1 in the DoD Assessment Methodology (with a narrow exception for FIPS-validated cryptography, SC.L2-3.13.11, when it is partially implemented) plus a handful of named 1-point practices; check 32 CFR 170.21 for the exact list
- Each POA&M item must have a specific remediation plan, responsible person, and target date
- The C3PAO will verify closure of POA&M items — either remotely or on-site
- If you fail to close POA&M items within 180 days, your conditional certification is revoked
While a POA&M provides a safety net, going into your assessment with known open items is risky. Assessors may view a heavy POA&M as a sign that the organization isn't genuinely committed to security.
After You're Certified
Certification is valid for 3 years, but it's not a "set it and forget it" situation:
- Annual affirmation: An Affirming Official submits an annual affirmation in SPRS confirming your organization still meets all requirements; without a current affirmation the certification is not valid for contract purposes.
- Continuous monitoring: Maintain the controls that got you certified. If your environment changes significantly (new systems, acquisitions, major reconfigurations), your SSP must be updated.
- SPRS score: Keep your Supplier Performance Risk System score current in the DoD system.
- Incident reporting: Report any cyber incident affecting covered defense information or your ability to perform the contract to the DoD within 72 hours of discovery via the DIBNet portal, as DFARS 252.204-7012 requires.
- Re-assessment: Plan for your re-assessment to begin 6 months before your certification expires.
Level 1 Self-Assessment
If you only handle FCI (not CUI), you need a Level 1 self-assessment. This covers 15 practices drawn from the basic safeguarding requirements in FAR 52.204-21: access control, identification and authentication, media sanitization, physical protection, boundary protection, and malicious code protection. The self-assessment must be:
- Completed annually
- Entered in SPRS, together with the affirmation
- Signed by a senior company official
- Supported by documentation that could be reviewed in a government spot-check
Level 1 is less burdensome, but don't treat it as a checkbox exercise. The DoD can request to review your self-assessment evidence at any time, and misrepresenting your compliance status is a violation of the False Claims Act.
Frequently Asked Questions
How long does a CMMC audit take?
The on-site assessment is typically 3-5 business days. The entire process from C3PAO engagement to receiving your certification takes 3-6 months, including pre-assessment preparation and the Cyber AB quality review.
Can I choose when to get audited?
You schedule your assessment with your chosen C3PAO, so you control the timing. However, once CMMC requirements appear in your contracts, you'll have a deadline to achieve certification. Start early — C3PAO availability is limited.
What if I fail the assessment?
You'll receive a report detailing which practices were not met. You can remediate the issues and request a re-assessment, though you'll likely pay for a new assessment engagement. There's no mandatory waiting period between assessments.
Is the assessment fully on-site?
Most assessments are hybrid. Document reviews and some interviews can be conducted remotely, but physical security inspections and certain technical verifications require on-site presence. The split varies by C3PAO and scope; plan for the larger share of the work to be on-site.
Can I use an enclave to reduce scope?
Yes, and this is one of the most effective cost-reduction strategies. An enclave isolates your CUI-processing systems into a smaller boundary, so only those systems need to meet all 110 practices. Learn more in our CMMC Enclave Guide.