CorpInfoTech Blog | Resources and education regarding the latest in cybersecurity and compliance!

What Are the Phases of a CMMC Level 2 Audit?

Written by Waits Sharpe | Jun 9, 2025 1:23:22 PM

With the finalization of CMMC, thousands of contractors are gearing up for their long-awaited third-party audit. Many of these organizations have done the work, documented their processes, and are now ready to see whether that work holds up to external scrutiny. As with any assessment, a certain amount of anxiety comes with a C3PAO compliance audit.

CorpInfoTech understands this firsthand as one of the first managed service providers (MSPs) to pass a CMMC Level 2 third-party audit. It took years of work, thousands of pages of evidence, and the cooperation of our entire organization, but CorpInfoTech (as an OSC) has passed a CMMC Level 2 third-party audit performed by a C3PAO. This post, adapted from a larger and more comprehensive guide, outlines the stages your organization will go through during a CMMC audit and what you can expect at each one.

Before Engaging a C3PAO

Before your organization reaches out to a Certified Third-Party Assessment Organization (C3PAO) to schedule an audit, you are expected to have completed key internal preparations. These elements include:

  • A fully developed System Security Plan (SSP)
  • An up-to-date asset inventory that places every asset in one of the scoping categories (CUI assets, security protection assets, and the rest) and documents any external service providers (ESPs) and cloud service providers (CSPs) that handle or protect CUI.
  • A self-assessment scored with the NIST SP 800-171 DoD Assessment Methodology, with the resulting score submitted to SPRS.
  • Organizational readiness, trained personnel, internal documentation, and operational policies and procedures.

Phase 1: Pre-Assessment - Defining Scope

The first stage, prior to your assessment beginning, requires that your organization define and document the scope of systems and services that will be evaluated. This phase is about understanding what Controlled Unclassified Information (CUI) you have, how it flows through your environment, and which people, systems, and providers interact with it. Think of Phase 1 as building a map. If you can’t show where your critical information lives or moves, there’s no way to protect it—or to prove that you do. This phase ensures that both your internal team and your assessors are working from the same, accurate understanding of what is in scope and why. How do you define your scope?

Step 1: Map the Flow - Create a Data Flow Diagram

Start by mapping out how CUI moves through your organization. A data flow diagram should answer key questions:

  • Where does CUI come from (e.g., DoD portals, subcontractors)?
  • Where is it stored?
  • How is it processed and by which applications?
  • Where does it leave the organization (if it does)?
  • Who or what (users, systems, providers) has access at each step?

Step 2: Draw the Boundary - Define What's in and What's Out

The system boundary outlines all facilities, systems, networks, and services that store, process, or transmit CUI—or that protect such systems. This includes:

  • Physical infrastructure (servers, workstations)
  • Virtual environments and cloud services
  • Security protection systems (firewalls, EDR, SIEM)
  • Identity and access management platforms
  • Any tool or service provider that touches CUI or protects CUI systems

Step 3: Inventory and Classify Your Assets

Once you’ve defined what’s in scope, compile a full inventory of your assets. This includes hardware, software, user accounts, and network segments within the boundary. Then classify each asset into one of the following categories defined by the DoD:

  • CUI Assets – Process, store, or transmit CUI.
  • Security Protection Assets – Provide security functions or capabilities for the CUI environment (firewalls, EDR, SIEM, identity providers), whether or not they handle CUI themselves.
  • Contractor Risk Managed Assets – Can, but are not intended to, process, store, or transmit CUI because of the policies, procedures, and practices in place; they do not have to be separated from CUI assets.
  • Specialized Assets – OT, IoT, government-furnished equipment, restricted information systems, and test equipment that may handle CUI but cannot be fully secured, isolated, or replaced.
  • Out-of-Scope Assets – Cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets (or are inherently incapable of doing so).

Step 4: Understand the Contract and Type of CUI You Handle

CMMC certification requirements are not “one-size-fits-all.” Your contractual obligations determine whether a Level 2 Self-Assessment is sufficient—or whether you need a Third-Party Certification Assessment.
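The data-flow diagram (Step 1) and the classified inventory (Step 3) are only useful if they agree with each other, and assessors will notice when they do not. As an added example, not part of the original post and not CorpInfoTech's tooling, the Python script below cross-checks the two artifacts: every endpoint on the diagram must exist in the inventory, anything that sends or receives CUI must be a CUI asset (security protection and specialized assets on a CUI flow are flagged for review), CRMA and out-of-scope assets must never appear on a CUI flow, and every out-of-scope asset must say how it is separated. The asset names, flows, and the `external` attribute used to mark ESPs/CSPs and CUI sources are constructed for the example.

```python
"""Cross-check a CUI data-flow diagram against the scoped asset inventory.

Added example for this post, not CorpInfoTech's tooling. All asset names,
flows and categories below are constructed sample data.
"""
from dataclasses import dataclass

# The five asset categories from the CMMC Level 2 scoping guidance.
CATEGORIES = {"CUI", "SPA", "CRMA", "SPECIALIZED", "OUT_OF_SCOPE"}
# Categories expected to sit on a CUI flow.
CUI_CAPABLE = {"CUI"}
# In-boundary categories that deserve a second look if CUI actually reaches them.
REVIEW_ON_CUI = {"SPA", "SPECIALIZED"}


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    external: bool = False  # ESP/CSP or other party outside the OSC (assumed attribute)
    separation: str = ""    # how an OUT_OF_SCOPE asset is kept apart from CUI assets


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    carries_cui: bool


def check_scope(assets, flows):
    """Return (severity, message) findings.

    An empty list means the diagram and the inventory agree with each other;
    it does not prove that the scoping decisions themselves are right.
    """
    by_name = {a.name: a for a in assets}
    findings = []

    for a in assets:
        if a.category not in CATEGORIES:
            findings.append(("ERROR", f"{a.name}: unknown category {a.category!r}"))
        if a.category == "OUT_OF_SCOPE" and not a.separation:
            findings.append(("ERROR", f"{a.name}: out-of-scope asset has no documented "
                                      "physical or logical separation"))

    on_cui_flow, external_noted = set(), set()
    for f in flows:
        for end in (f.src, f.dst):
            asset = by_name.get(end)
            if asset is None:
                findings.append(("ERROR", f"flow {f.src}->{f.dst}: {end!r} is not in the inventory"))
                continue
            if not f.carries_cui:
                continue
            on_cui_flow.add(end)
            if asset.external and end not in external_noted:
                external_noted.add(end)
                findings.append(("REVIEW", f"{end}: external party on a CUI flow; document it "
                                           "as a CUI source/recipient or as an ESP/CSP"))
            if asset.category in REVIEW_ON_CUI:
                findings.append(("REVIEW", f"{end}: {asset.category} asset on CUI flow "
                                           f"{f.src}->{f.dst}; confirm this is intended"))
            elif asset.category not in CUI_CAPABLE:
                findings.append(("ERROR", f"{end}: categorized {asset.category} but sits on "
                                          f"CUI flow {f.src}->{f.dst}"))

    for a in assets:
        if a.category == "CUI" and a.name not in on_cui_flow:
            findings.append(("REVIEW", f"{a.name}: categorized CUI but on no CUI flow; "
                                       "the diagram may be incomplete"))
    return findings


# Constructed sample inventory and flows.
SAMPLE_ASSETS = [
    Asset("dod-portal", "CUI", external=True),      # where CUI comes from
    Asset("m365-gcc-high", "CUI", external=True),   # CSP that stores and transmits CUI
    Asset("eng-fileshare", "CUI"),
    Asset("cad-workstation-01", "CUI"),
    Asset("edge-firewall", "SPA"),
    Asset("hr-laptop-07", "CRMA"),
    Asset("shop-cnc-mill", "SPECIALIZED"),
    Asset("guest-wifi", "OUT_OF_SCOPE", separation="separate VLAN, no route to CUI segment"),
    Asset("marketing-nas", "OUT_OF_SCOPE"),         # separation never written down
]
SAMPLE_FLOWS = [
    Flow("dod-portal", "m365-gcc-high", carries_cui=True),
    Flow("m365-gcc-high", "eng-fileshare", carries_cui=True),
    Flow("eng-fileshare", "cad-workstation-01", carries_cui=True),
    Flow("eng-fileshare", "hr-laptop-07", carries_cui=True),        # CRMA receiving CUI
    Flow("cad-workstation-01", "shop-cnc-mill", carries_cui=True),  # CUI reaching OT
    Flow("hr-laptop-07", "marketing-nas", carries_cui=False),
]


def sample_findings():
    return check_scope(SAMPLE_ASSETS, SAMPLE_FLOWS)


if __name__ == "__main__":
    for severity, message in sample_findings():
        print(f"[{severity}] {message}")
```

Run against the sample, the script raises two errors (an out-of-scope NAS with no separation statement, and a CRMA laptop that the diagram shows receiving CUI) and three review items (the two external parties, and CUI reaching a specialized OT asset). Each of those is exactly the kind of inconsistency an assessor will ask about in the in-brief, so it is cheaper to find them here.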

Phase 2: The Assessment Itself - What Happens, Who's Involved, and How It's Done

Phase 2 marks the formal start of the CMMC assessment. At this stage, a Certified Third-Party Assessment Organization (C3PAO) initiates the evaluation process to determine whether the Organization Seeking Certification (OSC) has correctly and fully implemented the 110 security requirements outlined in NIST SP 800-171 Revision 2. Before any evidence is reviewed or evaluated, the C3PAO will provide the OSC with a set of foundational documents and expectations to ensure transparency and readiness. These typically include:

  • An Assessment Plan: This outlines the overall structure of the engagement, including the methodology, timeline, deliverables, and roles of both assessors and OSC personnel.
  • A Detailed Schedule: The C3PAO will propose an assessment timeline that includes planning sessions, daily checkpoint meetings, evidence review periods, and the in-brief and out-brief meetings.
  • Preliminary Evidence Requests: While most evidence is reviewed during the assessment, C3PAOs may request certain artifacts in advance to streamline the process. These typically include foundational documents such as the System Security Plan (SSP), network diagrams, asset inventories, and any security policies or procedures supporting the controls being assessed.

Following these preparations, the formal assessment begins with assessors conducting interviews, reviewing artifacts, and performing technical validation to determine the status of each required control. CMMC assessment teams are formally composed by the C3PAO to evaluate the implementation of security requirements by an OSC.

Each assessment team includes at least one Certified CMMC Assessor (CCA), one or more additional CCAs or provisional assessors, and support staff. Assessments can be virtual or onsite, depending on the complexity and configuration of the systems. A virtual assessment is possible when every system and control can be demonstrated remotely; an onsite assessment is necessary when physical access controls are in scope or when the C3PAO determines that in-person validation is required.

Each of the 110 practices from NIST SP 800-171 Rev. 2 is individually assessed using the three methods defined in NIST SP 800-171A: examine, interview, and test. The assessment team determines whether each requirement is MET or NOT MET based on objective evidence gathered during these activities; a requirement is MET only when every assessment objective listed for it in NIST SP 800-171A is satisfied. All findings are documented per practice, including references to supporting artifacts, observed behaviors, or personnel interviews. If sufficient evidence is not provided for a given practice, it will be marked NOT MET, regardless of intent or partial implementation.

If some controls are found to be not fully implemented, assessors may categorize them as:

  • Limited Practice Deficiencies (LPDs): Minor gaps that can be corrected and re-verified before the results are finalized, so they do not block certification.
  • POA&Ms (Plan of Action and Milestones): Allowed only if the assessment score is at least 88 out of 110 and every deficient item is a 1-point requirement under the DoD Assessment Methodology (the rule makes a narrow exception for SC.L2-3.13.11, CUI encryption, and bars a handful of 1-point requirements from any POA&M). All POA&M items must be remediated and verified in a close-out assessment within 180 days, or the conditional status expires.

Phase 3: Complete and Report Assessment Results

At the conclusion of evidence collection, the assessment team compiles and finalizes its findings based on the review of documentation, interviews, and technical demonstrations. This phase includes quality assurance (QA) checks, scoring, and formal result delivery. The C3PAO team documents results for each of the 110 security requirements, marking each control as either MET (every assessment objective is satisfied by objective evidence) or NOT MET (the control is not fully implemented, or the evidence was insufficient).

These results are entered into the official assessment scoring tool. The final score uses the same point-based method as the SPRS self-assessment: it starts at 110 and subtracts the weight (1, 3, or 5 points) of each NOT MET requirement, so a single NOT MET practice can cost more than one point. To receive a Conditional CMMC Status, an OSC must score at least 88 out of 110 and every remaining gap must be POA&M-eligible. If both conditions are met, the OSC may proceed with remediation through a POA&M.
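The scoring in this phase and the POA&M rule from Phase 2 reduce to a short calculation that is worth having in a script before the out-brief. The following Python is an added example, not from the original post and not CorpInfoTech's tooling: it scores a set of requirement results the way the DoD Assessment Methodology does (110 minus the 1-, 3-, or 5-point weight of every NOT MET requirement) and then applies the conditional-status rules from the CMMC Program rule at 32 CFR part 170: a score of at least 88, only 1-point requirements on the POA&M apart from the SC.L2-3.13.11 exception, and none of the five requirements the rule bars from a POA&M. The weights and statuses in the sample data are constructed; take real weights from the methodology, and confirm the two POA&M lists against the current rule text before relying on them.

```python
"""Score a CMMC Level 2 assessment and test POA&M eligibility.

Added example for this post, not CorpInfoTech's tooling. Weights and
statuses in the sample data are constructed; real weights come from the
NIST SP 800-171 DoD Assessment Methodology.
"""
from dataclasses import dataclass

MAX_SCORE = 110
CONDITIONAL_MIN = 88  # 0.8 * 110, the Conditional Level 2 threshold in 32 CFR part 170
# Requirements the rule bars from a POA&M regardless of weight (verify against current text).
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# The one weighted requirement the rule still allows on a POA&M.
POAM_WEIGHTED_EXCEPTION = "3.13.11"
CLOSEOUT_DAYS = 180


@dataclass(frozen=True)
class Requirement:
    id: str      # NIST SP 800-171 Rev. 2 requirement number, e.g. "3.1.1"
    weight: int  # 1, 3 or 5 per the DoD Assessment Methodology
    met: bool    # True only if every 800-171A objective is satisfied


def score(reqs):
    """110 minus the weights of NOT MET requirements. Requirements absent from
    `reqs` count as MET, so pass the full set of 110 for a real score."""
    return MAX_SCORE - sum(r.weight for r in reqs if not r.met)


def poam_eligibility(reqs):
    """Return (eligible, reasons). Eligible means the NOT MET items may go on a
    POA&M for Conditional status, to be closed out within CLOSEOUT_DAYS."""
    reasons = []
    s = score(reqs)
    if s < CONDITIONAL_MIN:
        reasons.append(f"score {s} is below {CONDITIONAL_MIN}")
    for r in reqs:
        if r.met:
            continue
        if r.id in POAM_EXCLUDED:
            reasons.append(f"{r.id} may not be placed on a POA&M")
        elif r.weight > 1 and r.id != POAM_WEIGHTED_EXCEPTION:
            reasons.append(f"{r.id} carries {r.weight} points; only 1-point items may go on a POA&M")
    return not reasons, reasons


def level2_status(reqs):
    """'Final' when everything is MET, 'Conditional' when a POA&M is allowed,
    otherwise 'Not achieved' (no certification results from this assessment)."""
    if all(r.met for r in reqs):
        return "Final"
    eligible, _ = poam_eligibility(reqs)
    return "Conditional" if eligible else "Not achieved"


# Constructed samples; unlisted requirements are assumed MET.
SAMPLE_ELIGIBLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.4.9", 1, False),
    Requirement("3.8.4", 1, False),
    Requirement("3.13.11", 3, False),  # encryption in place but not FIPS-validated
]
SAMPLE_INELIGIBLE = [
    Requirement("3.1.20", 1, False),   # barred from a POA&M by the rule
    Requirement("3.5.3", 5, False),    # weighted item that is not the 3.13.11 exception
    Requirement("3.4.9", 1, False),
]
# Twenty-three 1-point gaps: each is POA&M-eligible on its own, but the score fails.
SAMPLE_LOW = [Requirement(f"placeholder-{i}", 1, False) for i in range(23)]


if __name__ == "__main__":
    for name, reqs in [("eligible", SAMPLE_ELIGIBLE), ("ineligible", SAMPLE_INELIGIBLE),
                       ("low", SAMPLE_LOW)]:
        _, why = poam_eligibility(reqs)
        print(f"{name}: score={score(reqs)} status={level2_status(reqs)} reasons={why}")
```

The second sample is the case that surprises people: its score of 103 comfortably clears 88, yet it cannot receive Conditional status, because one open item is a 5-point requirement and another is on the rule's excluded list. The third sample shows the opposite failure, where every gap is individually POA&M-eligible but twenty-three of them push the score to 87.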

An Out-Brief meeting is conducted with the OSC to review preliminary results and clarify any findings. The finalized results are uploaded into the CMMC Enterprise Mission Assurance Support Service (eMASS) or its successor system. Once the upload is complete and a CMMC Unique Identifier (UID) has been issued, the OSC can view the results through both the C3PAO and SPRS.

Phase 4: Issue Certification and Close Out

Phase 4 is the final stage of the CMMC assessment process and focuses on determining certification eligibility, issuing formal certification, and completing any remaining remediation activities. The outcome of this phase depends on whether all CMMC practices were fully met or whether the OSC qualified for conditional certification through the use of an approved POA&M. If the OSC successfully meets all 110 practices or has remediated all POA&M-eligible deficiencies within the permitted timeframe, the organization will be awarded a CMMC certificate.

CorpInfoTech, a Trusted CMMC L2 Partner

CorpInfoTech is a managed service provider (MSP) that offers IT, cybersecurity, and CMMC compliance solutions to SMBs. We have passed our own CMMC Level 2 C3PAO audit, putting us in a unique position to serve DIB contractors. We understand the complexities of CMMC and what it takes to implement the necessary controls. Through TAS for CMMC Compliance, contractors inherit 200+ pre-certified controls out of the 320 required assessment objectives, making compliance more affordable and efficient.

Our services adapt to your unique business needs, tailored to how your organization is structured. We offer solutions that go beyond an enclave, letting you protect CUI on-prem or in a hybrid environment. TAS for CMMC Compliance gives you the confidence you need to pass your third-party audit.

For more depth on the CMMC Level 2 assessment, download the guide: What to Expect During a CMMC Level 2 Assessment: A Practical Guide