The CMMC Assessment Process: From Self-Assessment to Certification
A step-by-step walkthrough of how CMMC assessments work — self-assessment, evidence gathering, SPRS scoring, and what to expect when the C3PAO arrives.
The Two Phases of CMMC Assessment
The CMMC assessment process has two distinct phases:
Phase 1: Self-Assessment
What you do internally. Work through all 110 controls, assess your implementation status, collect evidence, calculate your SPRS score, and generate your SSP.
This article focuses on this phase.
Phase 2: C3PAO Assessment
What the assessor does. A certified C3PAO validates your self-assessment through document review, interviews, and observation.
Read the C3PAO Guide
Your self-assessment is the preparation — the C3PAO validates it. A thorough self-assessment is the single biggest factor in whether you pass your C3PAO assessment on the first try.
Control-by-Control Self-Assessment
The core of your self-assessment is working through each of the 110 NIST 800-171r2 requirements across 14 security domains. For each practice, you need to:
- Evaluate assessment objectives — each practice has sub-objectives from NIST 800-171A that break it into specific, testable criteria
- Determine status — MET (fully implemented), NOT MET (gaps exist), or NOT APPLICABLE (control doesn't apply to your environment)
- Write implementation statements — describe HOW each control is implemented in your specific environment, not just that it exists
- Link evidence — attach artifacts that prove the control is implemented and effective
How Bedrock CMMC Handles Self-Assessment
Bedrock CMMC breaks each control into its NIST 800-171A assessment objectives. Track status per objective, write implementation statements, and link evidence — so your self-assessment directly maps to what the C3PAO will evaluate. No spreadsheets, no guesswork about what assessors expect.
See a live compliance dashboard
Evidence Collection and Management
Evidence is the proof that your controls are implemented and working. Every MET control needs documented evidence that an assessor can review. Common evidence types include:
Policies & Procedures
Written security policies, standard operating procedures, and configuration guides that describe how controls are implemented.
Configuration Screenshots
Screenshots of system settings, group policy configurations, firewall rules, and other technical implementations.
Scan Results & Reports
Vulnerability scans, STIG compliance reports, penetration test results, and AV/malware scan logs.
Records & Logs
Training completion records, access review logs, incident response test results, and audit log review records.
Evidence quality matters. Evidence must be dated, specific to your environment (not generic templates), and attributable to your organization. An undated screenshot or a policy with another company's name won't pass assessment.
Bedrock CMMC's evidence library stores artifacts per control with version history, review workflows, and in-browser preview — so your evidence package is always organized and assessment-ready.
SPRS Scoring
Your SPRS (Supplier Performance Risk System) score is a numerical representation of your NIST 800-171 implementation status. It's required for DoD contracts and visible to contracting officers.
- Maximum score (all controls MET): 110
- Point deductions per NOT MET control (weighted by impact): 5, 3, or 1
- Minimum score (all controls NOT MET): -203
Start at 110. For each NOT MET control, subtract its weighted value: 5 points for high-impact controls, 3 points for moderate, and 1 point for lower-impact controls. Your score must be submitted to SPRS.csd.disa.mil and updated as your compliance posture changes.
Bedrock CMMC calculates your SPRS score automatically as you complete your self-assessment. As you change control statuses from NOT MET to MET, your score updates in real time on the dashboard.
Preparing Your SSP
Your System Security Plan (SSP) is the centerpiece of your assessment. It describes your system boundaries, how each control is implemented, who is responsible, and how your security architecture protects CUI.
A generated SSP is better than a template. Templates require manual updates and quickly become stale. When your SSP is generated from your actual control implementations, it always reflects your current security posture — and assessors can see that your documentation matches reality.
Bedrock CMMC generates your SSP directly from your control implementations, evidence, and ESP documentation. When you update a control's implementation statement, your SSP updates too.
Assessment Readiness Checklist
Before engaging a C3PAO, verify you've completed these items:
- Every practice has a MET, NOT MET, or N/A status with an implementation statement
- Dated, specific, attributable artifacts proving each control is implemented
- Score submitted to SPRS.csd.disa.mil and reflects your current posture
- Complete System Security Plan covering all controls, system boundaries, and personnel
- Remediation plan with milestones, owners, and timelines for remaining gaps
- All External Service Providers cataloged with CUI handling, compliance status, and SRM/CRM
- Staff who manage security controls can explain how they work and point to evidence
See the C3PAO Assessment Guide for what happens next — choosing your assessor, the assessment process, and certification outcomes.
What Happens After Your Assessment
After your C3PAO assessment, you'll receive one of three outcomes:
Certification
All controls MET. Full CMMC Level 2 certification for 3 years.
Conditional
A limited number of NOT MET controls placed on a POA&M, with 180 days to remediate. See the POA&M guide.
Not Certified
Too many gaps. Remediate and schedule a reassessment (new assessment fee).
After certification, you enter the continuous monitoring phase — maintaining controls, submitting annual affirmations, and preparing for reassessment in 3 years.
Frequently Asked Questions
What is a CMMC self-assessment?
A CMMC self-assessment is your internal evaluation of your cybersecurity posture against all 110 NIST 800-171r2 requirements. You work through each control, determine if it's MET, NOT MET, or NOT APPLICABLE, write implementation statements, and collect evidence. This is the preparation phase before engaging a C3PAO for your official assessment.
How is the SPRS score calculated?
Start at 110 (the maximum). For each NOT MET control, subtract its weighted value: 1 point for lower-impact controls, 3 points for moderate-impact, and 5 points for high-impact controls. The minimum possible score is -203. Your SPRS score must be submitted to SPRS.csd.disa.mil and is visible to DoD contracting officers.
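The scoring rule described in the SPRS Scoring section and restated in this FAQ answer, as an added example (not Bedrock CMMC's code): it applies the 1/3/5-point deductions to a set of control statuses and orders the remaining gaps by point impact for the remediation plan. The control IDs in the sample are real NIST 800-171r2 identifiers, but their weights and statuses are illustrative assumptions, not the official DoD point table, so the -203 floor is not reproduced here.

```python
# Added example: SPRS-style scoring as the article describes it, plus a
# gap list sorted by point value. Not Bedrock CMMC's implementation.
from typing import Dict, List, Tuple

VALID_STATUS = {"MET", "NOT MET", "NOT APPLICABLE"}
VALID_WEIGHT = {1, 3, 5}          # lower / moderate / high impact
MAX_SCORE = 110                   # starting point: all 110 controls MET

Assessment = Dict[str, Tuple[int, str]]   # control id -> (weight, status)


def sprs_score(assessment: Assessment) -> int:
    """Start at 110 and subtract each NOT MET control's weight.
    MET and NOT APPLICABLE controls deduct nothing."""
    score = MAX_SCORE
    for control, (weight, status) in assessment.items():
        if status not in VALID_STATUS:
            raise ValueError(f"{control}: unknown status {status!r}")
        if weight not in VALID_WEIGHT:
            raise ValueError(f"{control}: weight must be 1, 3 or 5, got {weight}")
        if status == "NOT MET":
            score -= weight
    return score


def remediation_priority(assessment: Assessment) -> List[Tuple[str, int]]:
    """NOT MET controls, highest point value first, for the POA&M."""
    gaps = [(cid, w) for cid, (w, s) in assessment.items() if s == "NOT MET"]
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


# Constructed sample. Weights/statuses are assumptions for illustration only.
SAMPLE: Assessment = {
    "3.1.1": (5, "MET"),
    "3.1.2": (5, "NOT MET"),
    "3.1.12": (5, "NOT APPLICABLE"),   # e.g. no remote access in the enclave
    "3.1.20": (1, "NOT MET"),
    "3.5.3": (5, "NOT MET"),
    "3.8.9": (1, "MET"),
    "3.11.2": (5, "NOT MET"),
    "3.12.1": (5, "MET"),
    "3.13.8": (3, "NOT MET"),
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))   # 110 - (5+1+5+5+3) = 91
    for control, points in remediation_priority(SAMPLE):
        print(f"  {control}: recovers {points} points when remediated")
```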
What evidence do I need for a CMMC assessment?
Each control needs documented proof of implementation. Common evidence types include: security policies and procedures, system configuration screenshots, vulnerability scan results, access review logs, training completion records, incident response test reports, and network architecture diagrams. Evidence must be dated, specific to your environment, and attributable.
What are NIST 800-171A assessment objectives?
Each of the 110 NIST 800-171r2 requirements has sub-objectives defined in NIST SP 800-171A. These break each control into specific, testable criteria that assessors evaluate. For example, Access Control practice AC.L2-3.1.1 has multiple objectives covering user identification, process identification, and device identification — each assessed independently.
How long does CMMC certification last?
CMMC Level 2 certification is valid for 3 years. During this period, you must submit annual affirmations confirming your controls remain effective and maintain a continuous monitoring program. After 3 years, a full reassessment by a C3PAO is required for recertification.
Continue Learning
C3PAO Assessment Guide
How to choose a C3PAO, what assessors look for, and how to prepare for your official assessment.
Read Guide
Continuous Monitoring Guide
What happens after certification — maintaining controls, review schedules, and annual affirmations.
Read Guide
Start Your CMMC Self-Assessment
Bedrock CMMC walks you through all 110 controls with built-in assessment objectives, evidence tracking, SPRS scoring, and SSP generation — everything you need to be assessment-ready.