
CMMC 2.0 Compliance Assessment with a C3PAO: What to Expect

Mariya Bouraima

What’s New (Updated C3PAO Assessments)

This blog reflects current CMMC enforcement following publication of the DFARS acquisition rule in September 2025. As a result, CMMC Level 2 requirements now appear in active DoD solicitations. Organizations pursuing Level 2 must complete either a self-assessment or a C3PAO assessment, as specified in the contract. This post updates references to anticipated enforcement or future rulemaking to reflect active requirements.

Background on CMMC 2.0 Compliance Assessment

Organizations preparing for a CMMC or NIST SP 800-171 compliance assessment often ask what to expect and how to set themselves up for success. This post shares insights from certified CMMC assessors: how to prepare, what assessors look for, and how to go into the assessment with confidence.

As cyber threats and data breaches continue to increase in volume and sophistication, cybersecurity within the Defense Industrial Base (DIB) has become paramount. The Department of Defense (DoD) has worked to upgrade the cybersecurity expected of its contractors by introducing the Cybersecurity Maturity Model Certification (CMMC).

Specifically, CMMC provides a standardized set of security practices that safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The DoD first introduced CMMC 1.0 and later revised it to CMMC 2.0. The update aligned Level 2 directly with the 110 security requirements defined in NIST SP 800-171, with the emphasis on verifying that those requirements are actually implemented.

Latest CMMC 2.0 Enforcement Timeline

On September 10, 2025, the Department of Defense published the DFARS acquisition rule implementing CMMC requirements into DoD contracts. The rule takes effect on November 10, 2025, at which point contracting officers may begin including the CMMC clauses (such as DFARS 252.204-7021 and DFARS 252.204-7025) in applicable solicitations and contracts.

The DoD is phasing CMMC requirements into DoD solicitations over time, with enforcement active as of November 10, 2025. While CMMC clauses are being phased in, contractors must continue complying with the existing DFARS clauses, such as DFARS 252.204-7012, DFARS 252.204-7019, and DFARS 252.204-7020.

Failure to comply or accurately report under these clauses may result in contract termination, exclusion from future awards, or liability under the False Claims Act.

What Is a C3PAO?

A C3PAO (CMMC Third-Party Assessment Organization) is an independent organization authorized by the CMMC Accreditation Body (The Cyber AB) to conduct CMMC assessments of defense contractors and subcontractors. These organizations employ certified CMMC assessors who evaluate whether a company meets the requirements specified in CMMC 2.0. In practice, C3PAOs perform Level 2 certification assessments; Level 3 assessments are conducted by the government (DIBCAC), and Level 1 is self-assessed.

How a C3PAO CMMC 2.0 Mock Assessment Can Help

A mock assessment evaluates your NIST SP 800-171 practices as if the organization were undergoing a formal CMMC assessment. It produces detailed findings that describe gaps between your organization's processes and the NIST SP 800-171 requirements. The assessors also examine the evidence of compliance that your organization provides and interview team members to confirm that they understand the practices and procedures they are responsible for. A mock assessment is not an advisory service; it is an unofficial but comprehensive exercise that mirrors the formal CMMC assessment so you can judge your company's readiness before the real one.

What is the Joint Surveillance Voluntary Assessment Program (JSVA)?

The Joint Surveillance Voluntary Assessment Program (JSVA) is a program offered by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in association with C3PAO companies. As part of this program, a CMMC C3PAO compliance assessment team is paired with a DIBCAC team to conduct a compliance assessment. The DoD expects a successful JSVA review to support issuance of a CMMC Maturity Level 2 certification by the participating C3PAO under the Final Rule.

For this reason, a mock C3PAO CMMC assessment is recommended before pursuing certification or participating in the JSVA under current enforcement conditions. Once your organization remediates the gaps identified in the mock assessment, your company can work with a C3PAO to schedule the JSVA. The same C3PAO can perform both the mock assessment and the JSVA without a conflict of interest, provided the C3PAO is not involved in remediating any Plans of Action and Milestones (POA&Ms) identified during the assessment.

What Does the JSVA Preparation Process Involve?

To qualify for the JSVA, your company must hold an active DoD contract, whether as a prime or a subcontractor. First, you select an authorized C3PAO to perform your JSVA; that C3PAO submits your JSVA request to The Cyber AB. The Cyber AB is the official accreditation body of the CMMC ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing CMMC conformance. Upon acceptance, DIBCAC will contact you and add your company to the JSVA queue.

Your C3PAO assessment team works alongside DIBCAC to conduct the assessment. The C3PAO first meets with you to confirm the scope of the assessment (based in part on where CUI lives in your environment) and to build an assessment plan. During the assessment, DIBCAC and the C3PAO request supporting evidence and artifacts and review them against each requirement.

Documentation and Evidence Required for JSVA

Evidential artifacts may include the following:

  • System Security Plan (SSP)
  • Data Flow Diagram (DFD) that depicts the CUI boundary
  • Asset categorization diagram
  • Policies and plans for each of the 14 security domains in NIST 800-171
  • Applicable documented procedures and processes referenced in the SSP
  • Configuration items and organizational defined parameters
  • Customer responsibility matrix for inherited/assigned practices from cloud or managed service providers
  • Service Level Agreements (SLAs) for vendors providing services that involve CUI

How Long does the JSVA Take to Review Your SSP?

The JSVA typically takes five business days. During that time, assessors review your SSP, test controls, examine documentation, and conduct interviews. All applicable practices and assessment objectives for CMMC Level 2 are tested.

Given current enforcement, if your organization is preparing for a C3PAO assessment and is unsure whether its documentation, evidence, or scoping will meet assessor expectations, now is the time to reassess. A structured approach that centralizes artifacts and tracks readiness against each Level 2 requirement makes the formal assessment far more predictable.

We hope this post has helped you understand the essential aspects of going through a CMMC or NIST SP 800-171 compliance assessment with a CMMC Third-Party Assessment Organization (C3PAO). You can review this slide deck for additional details about the Joint Surveillance Voluntary Assessment (JSVA) process and mock assessments, or reach out to us to learn how our CMMC Ready Suite can support your compliance journey.

Here’s What to Do Now

Organizations should confirm whether Level 2 applies to their active or upcoming solicitations. They should also validate NIST SP 800-171 implementation and ensure assessment artifacts reflect the CUI boundary. If a C3PAO assessment is required, engage early to avoid scheduling delays, and consider a mock assessment to identify gaps before formal evaluation. Proper preparation now reduces risk of conditional findings or delayed certification.