
The CMMC Assessment Process

The 4 Phases, Required Outputs, and What Happens in Each Step

The CMMC Assessment Process (CAP), defined by the Cyber AB, is the standardized process that organizes a Level 2 certification assessment into four sequential phases and defines the required activities, outputs, and roles at each step. The four phases are: Pre-Assessment, Assess Conformity, Complete and Report Results, and Issue Certificate and Close Out POA&M. Every C3PAO must follow this process; the forms and sequence are identical regardless of the organization being assessed.

Sequence is not incidental in the CAP — it is jurisdictional. A C3PAO cannot move to Phase 2 without completing the Phase 1 readiness review. An interim certificate cannot be issued without a qualifying score and the absence of open 5-point deficiencies. A POA&M closeout cannot succeed unless all items are remediated within 180 days and re-verified by an assessor. Each phase is a gate, and each gate has a defined consequence for failure.

Why this matters for planning: organizations that understand the CAP sequence can work backward from their target certification date and build a realistic preparation timeline. Organizations that do not understand it routinely encounter Phase 1 adverse determinations, unexpected Phase 4 obligations, and the 180-day closeout deadline that voids conditional status when missed.

The Four CAP Phases at a Glance

CMMC CAP — Four Sequential Phases

Phase 1, Pre-Assessment: OSC intake and contract; scope validation and CARR; ROM and scheduling; readiness determination.

Phase 2, Assess Conformity: examine documents; interview control owners; test live systems; daily checkpoints.

Phase 3, Complete and Report: finalize findings; evidence hashing; CQAP quality review; upload to eMASS.

Phase 4, Certificate / POA&M Closeout: conditional status issued; 5-day deficiency window; 180-day POA&M window; closeout reassessment.

Gate Risk: The Phase 1 readiness review can produce an adverse determination — stopping the assessment before Phase 2 begins. The 5-point control rule gates interim certification. The 180-day POA&M deadline, if missed, voids conditional status and requires a full reassessment from scratch.

Phase 1: Pre-Assessment — Scope Validation and the CARR

Phase 1 begins when an organization contacts a C3PAO and executes an engagement agreement. The phase has two primary objectives: confirm the scope of the assessment, and determine whether the OSC is actually ready to proceed to Phase 2. The second objective — the Certification Assessment Readiness Review (CARR) — is where most premature assessment engagements fail.

Phase 1 Pre-Assessment — Step by Step

1.1 OSC Intake and Engagement Agreement
The OSC submits intake documentation describing the organization, the contract vehicles in scope, the estimated number of CUI assets, and the anticipated scope. The C3PAO reviews the intake and executes the engagement agreement. At this stage, the lead assessor is assigned.

1.2 Scope Validation and Boundary Agreement
The lead assessor reviews the proposed assessment boundary — the SSP scope statement, asset inventory, network diagram, and data flow diagram — and confirms the scope is defined correctly, consistently documented, and consistent with the live environment. Scope disagreements resolved here are far less expensive than scope surprises discovered in Phase 2.

1.3 Certification Assessment Readiness Review (CARR)
The lead assessor reviews the OSC's core documentation package — SSP, policies and procedures, evidence mapping file, asset inventory — to verify the organization is ready to proceed. The CARR evaluates whether the three assessment methods can be executed efficiently: Are the documents in place to Examine? Are control owners identified and available to Interview? Are systems configured and accessible to Test?

1.4 Readiness Determination and ROM
If the CARR produces a favorable determination, the lead assessor issues a Rough Order of Magnitude (ROM) for the Phase 2 engagement and the assessment is formally scheduled. If the CARR produces an adverse determination — incomplete documentation, undefined scope, open 5-point deficiencies — Phase 2 does not proceed. The OSC remediates the identified gaps and schedules a new CARR. All time spent on the initial engagement is sunk cost.

The Adverse Determination Consequence
An adverse readiness determination is not a minor inconvenience — it is a full stop. The assessment does not proceed to Phase 2. The OSC must close the identified gaps, re-engage with the C3PAO, and undergo a repeat Phase 1 review. Organizations that engage a C3PAO before their documentation is complete, their scope is defined, and their 5-point controls are fully implemented will encounter this outcome at their own expense.

Phase 2: Assess Conformity — Examine, Interview, Test

Phase 2 is the active assessment — typically executed over five to ten business days on-site, in a hybrid format, or remotely depending on the engagement agreement. The assessment team applies the three NIST SP 800-171A assessment methods to each of the 320 assessment objectives across all 110 control practices, recording a Met or Not Met determination for each.

Examine

Document Review

The assessor reviews specifications (policies, procedures, SSP implementation statements), mechanisms (configuration exports, screenshots, system outputs), and activities (dated records of execution — log reviews, scan results, training logs).

Evidence that exists but cannot be located quickly will not be found. The evidence mapping file exists to prevent this outcome.

Interview

Control Owner Interviews

The assessor interviews the specific individual named as control owner for each practice — not a designated spokesperson. The interview verifies that the control owner understands what they own and can describe how it is implemented consistently with the SSP.

Answers that contradict documentation, or control owners who cannot describe their own controls, produce sufficiency gaps regardless of what the SSP says.

Test

Live System Verification

The assessor tests whether live systems perform as documented — triggering an alert to verify SIEM response, observing a vulnerability scan, reviewing firewall ACL enforcement, or confirming MFA is active on CUI accounts.

Systems that perform differently from their documented configuration produce findings — even when the documentation is otherwise complete and correct.

Assessment objectives are evaluated individually. A control practice with four objectives is Met only when all four are independently verified as Met. A single Not Met objective fails the entire practice — there is no partial credit and no averaging across objectives within a practice.

Daily Checkpoint — What Happens at the End of Each Assessment Day
The lead assessor conducts a structured daily briefing with the OSC point of contact at the end of each assessment day.

The lead assessor discloses which controls were evaluated during the day, whether they were marked Met or Not Met, and what evidence — if any — remains outstanding for objectives not yet resolved.

The OSC has the opportunity to provide supplemental evidence for outstanding objectives before the assessment concludes. Evidence delivered after Phase 2 closes cannot retroactively change Phase 2 findings.

Daily checkpoint meetings are documented in the Daily Checkpoint Log — a mandatory output of Phase 2 that becomes part of the assessment results package. The log proves the OSC was informed of findings in real time and had the opportunity to respond.

Phase 3: Complete and Report Results

When Phase 2 concludes, the lead assessor compiles all findings into the Assessment Results Package. This package must pass a quality review before being uploaded to the government's CMMC eMASS system, where the certification determination is made.

Assessment Results Package — Required Outputs

Output 01: Daily Checkpoint Log
The record of each daily briefing with the OSC — controls evaluated, dispositions recorded, evidence requests documented. Proves the OSC had real-time visibility into findings and the opportunity to respond before Phase 2 closed.

Output 02: Limited Practice Deficiency List
A record of minor 1-point deficiencies — typically documentation issues such as missing authorizing signatures, undated records, or incomplete procedure statements. These items trigger the 5-day correction window and are eligible for the POA&M if not corrected within that window.

Output 03: Preliminary and Final Findings
The official objective-level scoring matrix. Each of the 320 assessment objectives is marked Met, Not Met, or (in very limited, documented circumstances) Not Applicable. The final SPRS score is derived from this matrix. This is the document from which POA&M items are derived and certification eligibility is determined.

Output 04: Evidence Hash File
A cryptographic hash of the evidence package generated using the DoD hashing tool. The hash — not the underlying documents — is uploaded to eMASS by the C3PAO. The original evidence artifacts remain with the OSC, who is legally required to archive them for three years. This architecture ensures the C3PAO never takes proprietary security documentation off-site.

Output 05: CQAP Quality Review
Before submission to eMASS, the Certified Quality Assessor Professional (CQAP) at the C3PAO reviews the assessment results package for accuracy, completeness, and consistency. The CQAP approval is the final internal check before the package enters the government's certification workflow.
Evidence Handling — Why the C3PAO Never Takes Your Documents Off-Site

OSC Environment (Evidence Package): policies, procedures, configuration exports, screenshots, interview records; all artifacts compiled during Phase 2.

DoD Tool (Cryptographic Hashing): the DoD hashing tool generates a unique cryptographic hash value (a fixed-length digest) for the evidence package.

Split Outcome (Two Separate Paths): the hash goes to eMASS; the original files stay with the OSC.

OSC Obligation — 3-Year Archive

The original evidence artifacts are retained by the OSC in secure, controlled storage for a minimum of three years. If DIBCAC audits the OSC later, they will re-hash the archived documents to verify they are the same files evaluated during the original assessment. Any tampering with the archive is detectable.

eMASS Submission — Hash Only

Only the cryptographic hash is uploaded to eMASS by the C3PAO. The government record contains the hash, not the underlying security blueprints. This architecture protects the OSC's proprietary operational security information from unnecessary exposure.
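The integrity property this architecture relies on, as an added example that is not the page's own material and not the DoD hashing tool (whose format is not described here): a per-file SHA-256 manifest is rolled up into one package hash, and the archived package is later re-hashed so that any edited, removed or added file is detectable. All file names and contents are constructed sample data.

```python
"""CAP Output 04 illustration (added, not the DoD hashing tool): hash an
evidence package via a per-file SHA-256 manifest, then re-hash the archive
to detect altered, missing or added files. Sample files are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of one file, streamed so large exports stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root, sorted for determinism."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def package_hash(manifest: dict[str, str]) -> str:
    """One hash over the sorted manifest: the value recorded instead of the files."""
    text = "\n".join(f"{d}  {n}" for n, d in sorted(manifest.items()))
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def verify_archive(root: Path, recorded: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash an archived package and report each discrepancy by kind."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in current if n in recorded and current[n] != recorded[n]),
        "missing": sorted(n for n in recorded if n not in current),
        "added": sorted(n for n in current if n not in recorded),
    }

def demo() -> tuple[str, str, dict[str, list[str]]]:
    """Seal a constructed package, tamper with the archive, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        (root / "policies" / "access-control-policy.txt").write_text("AC policy, signed\n")
        (root / "mfa-config-export.txt").write_text("mfa_required=true\n")
        original = build_manifest(root)
        sealed = package_hash(original)          # the value that would go to the government record
        # Simulated archive tampering: one file edited, one file deleted.
        (root / "mfa-config-export.txt").write_text("mfa_required=false\n")
        (root / "policies" / "access-control-policy.txt").unlink()
        report = verify_archive(root, original)
        return sealed, package_hash(build_manifest(root)), report
```

Keeping the per-file manifest alongside the package hash is what lets a later audit name the specific artifact that changed rather than only reporting that the package no longer matches.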

Phase 4: Certificate Issuance and POA&M Closeout

Phase 4 has two distinct paths. An OSC that achieves a perfect score — all 110 practices Met, all 320 objectives Met — receives a Final CMMC Status and the certification is issued. An OSC that falls short of perfection but meets the minimum threshold may receive a Conditional CMMC Status, which initiates the POA&M closeout process with strict deadlines.

Conditional status under DFARS 252.204-7021 requires the contractor to meet an 88/110 threshold (no 5-point controls open on the POA&M) and remediate all remaining deficiencies within 180 calendar days. The conditional status is the certification of record during that window — it allows continued contract performance. Failure to close out within 180 days is not a deferral; it is a revocation.

POA&M Closeout Timeline — Mandatory Deadlines from Assessment Close Date

5 Days: Limited Practice Deficiency Correction Window. Minor 1-point deficiencies identified during the assessment — missing signatures, undated records, incomplete procedure statements — must be corrected within five calendar days of Phase 2 close. Evidence of correction is submitted to the lead assessor, who updates the findings before the package is submitted to the CQAP. Items not corrected within this window are placed on the POA&M.

180 Days: POA&M Full Remediation Deadline. All items on the POA&M must be fully remediated and verified by a C3PAO within 180 calendar days of the conditional status issuance date. This is the absolute outer boundary — there are no extensions. A closeout assessment that finds even one POA&M item still Not Met at day 180 results in loss of conditional status and requirement for a full reassessment.

5-Point Rule: 5-Point Controls Cannot Appear on a POA&M. Any control practice valued at 5 points must be fully implemented before conditional status can be issued. Five-point controls are those the DoD has designated as highest-consequence security capabilities — FIPS-validated cryptography, multifactor authentication, incident response, and others. An open 5-point control at Phase 2 close means conditional status is not available. The OSC must remediate and undergo a new assessment.

Successful POA&M Closeout:
- All POA&M items fully remediated before Day 180
- Closeout C3PAO (same or new) re-assesses only the POA&M items
- All previously Not Met objectives now verified as Met
- Closeout findings uploaded to eMASS
- Conditional status upgraded to Final CMMC Status
- Three-year certification cycle begins from original conditional status date

Failed POA&M Closeout:
- Any POA&M item remains Not Met at Day 180
- Conditional CMMC Status is revoked in eMASS
- DFARS 252.204-7021 contract compliance obligation is no longer met
- OSC must notify contracting officer per affirmation requirements
- Full Level 2 certification assessment must be scheduled from scratch
- Contract performance eligibility may be at risk pending reassessment

The Timing Pitfall
Organizations routinely underestimate how long technical remediation actually takes when operating under normal business constraints. A FIPS migration that looks like a 30-day project in isolation often takes 90 days when procurement, testing, and change management are factored in. Organizations that schedule their closeout assessment in the final two weeks of the 180-day window leave themselves no margin — and a single Not Met finding on closeout day means starting from scratch, not getting a brief extension.
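The Phase 2 scoring rule (a practice is Met only when every objective is Met) and the Phase 4 gates above (88/110, no open 5-point practice, 180-day closeout) as one added worked example; this is not the Cyber AB's or DoD's tooling. It assumes practices weigh 1, 3 or 5 points, that a Not Applicable objective neither passes nor fails its practice, that the score is 110 minus each Not Met practice's weight, and that the closeout window runs from the conditional status date; practice ids and findings are constructed.

```python
"""Added illustration of the scoring and Phase 4 gating rules on this page, not
the Cyber AB's or DoD's own tooling. Assumed model: practices weigh 1, 3 or 5;
a Not Applicable objective neither passes nor fails its practice; the score is
110 minus each Not Met practice's weight; conditional status needs 88 or more
with no Not Met 5-point practice. Practice ids and findings are constructed."""
from datetime import date, timedelta

MIN_CONDITIONAL_SCORE = 88
POAM_WINDOW_DAYS = 180

def practice_disposition(objectives: dict[str, str]) -> str:
    """Met only when every applicable objective is Met; one Not Met fails the practice."""
    applicable = [d for d in objectives.values() if d != "Not Applicable"]
    if not applicable:
        return "Not Applicable"
    return "Met" if all(d == "Met" for d in applicable) else "Not Met"

def poam_items(findings: dict[str, tuple[int, dict[str, str]]]) -> dict[str, int]:
    """Practices that fail, with their weights: the POA&M candidates."""
    return {pid: weight for pid, (weight, objs) in findings.items()
            if practice_disposition(objs) == "Not Met"}

def determine_status(findings: dict[str, tuple[int, dict[str, str]]], close_date: date) -> dict:
    """Phase 4 path: Final, Conditional with a 180-day deadline, or not certifiable."""
    open_items = poam_items(findings)
    score = 110 - sum(open_items.values())
    open_five_point = sorted(p for p, w in open_items.items() if w == 5)
    if not open_items:
        status = "Final CMMC Status"
    elif score >= MIN_CONDITIONAL_SCORE and not open_five_point:
        status = "Conditional CMMC Status"
    else:
        status = "Not certifiable: remediate and schedule a new assessment"
    deadline = close_date + timedelta(days=POAM_WINDOW_DAYS) if status.startswith("Conditional") else None
    return {"score": score, "status": status, "poam": open_items,
            "open_five_point": open_five_point, "closeout_deadline": deadline}

def closeout_result(poam_verification: dict[str, str], verified_on: date, deadline: date) -> str:
    """Closeout re-verifies only POA&M items; any Not Met, or a late check, revokes."""
    if verified_on > deadline:
        return "Revoked: 180-day window expired; full reassessment required"
    if all(d == "Met" for d in poam_verification.values()):
        return "Final CMMC Status"
    return "Revoked: POA&M item still Not Met; full reassessment required"

def sample_findings() -> dict[str, tuple[int, dict[str, str]]]:
    """110 constructed practices: a 1-point and a 3-point practice fail, a 5-point one passes."""
    findings = {f"P-{i:03d}": (1, {"a": "Met", "b": "Met"}) for i in range(1, 111)}
    findings["P-002"] = (1, {"a": "Met", "b": "Not Met"})                   # e.g. an undated record
    findings["P-017"] = (3, {"a": "Not Met", "b": "Met"})
    findings["P-040"] = (5, {"a": "Met", "b": "Met", "c": "Not Applicable"})
    return findings
```

Flipping any objective of P-040 to Not Met drops the result from Conditional to not certifiable even though the score stays above 88, which is the 5-point rule in action.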

Roles and Responsibilities Across the Four Phases

The CAP assigns specific responsibilities to each participant role. Understanding who owns what — and what the boundaries of each role's authority are — prevents the coordination failures that stall assessments at phase transitions.

Role: OSC Point of Contact
Authorization: Designated by the organization
Phase Responsibilities: Primary liaison with the lead assessor across all phases. Coordinates document delivery, schedules control owner interviews, tracks daily checkpoint action items, manages POA&M remediation timeline.
Key Limits: Cannot approve scope changes or negotiate assessment findings. All scope and finding disputes go through the lead assessor.

Role: Lead Assessor (CCA)
Authorization: Certified CMMC Assessor — Level 2 qualified
Phase Responsibilities: Manages the entire CAP engagement. Makes the final scope approval in Phase 1. Directs the assessment team in Phase 2. Reviews all team member findings. Signs off on the assessment results package. Issues the readiness determination and final findings.
Key Limits: Cannot delegate final finding authority to CCPs for Level 2 practices. All Level 2 objective findings must be approved by the lead assessor regardless of who conducted the initial review.

Role: Assessment Team (CCA / CCP)
Authorization: CCAs: full Level 1 and Level 2 authority. CCPs: Level 1 only.
Phase Responsibilities: Execute the Examine, Interview, and Test methods under the lead assessor's direction. Document findings per CAP procedures. CCPs may assist with Level 2 evidence review but cannot make Level 2 findings independently — the lead assessor must review and sign off on any Level 2 objective a CCP evaluated.
Key Limits: CCPs cannot independently determine findings for any Level 2 practice objective. Any CCP-reviewed Level 2 objective requires lead assessor review and approval before the finding is recorded.

Role: CQAP
Authorization: Certified Quality Assessor Professional at the C3PAO
Phase Responsibilities: Reviews the complete assessment results package for accuracy, completeness, and CAP compliance before submission to eMASS. The CQAP is the final internal check — if the package has errors or omissions, the CQAP returns it to the lead assessor for correction before submission.
Key Limits: The CQAP does not make or change finding determinations. Their role is quality review of the package, not re-assessment of the findings.

The Bottom Line

The CAP is not a flexible framework — it is a structured process with defined gates, mandatory outputs, and consequences for non-compliance at every phase transition. An organization that understands the sequence can plan for it: completing Phase 1 prerequisites before engaging a C3PAO, preparing control owners for Phase 2 interviews, ensuring evidence is organized for rapid Phase 2 retrieval, and building a realistic Phase 4 remediation timeline that does not depend on the final two weeks of the 180-day window.

An organization that does not understand the sequence will encounter its gates as surprises — and each surprise, in a CAP engagement, is measured in assessor hours, timeline extensions, and potential certification delays that affect contract eligibility.

The 180-day closeout deadline is not a soft target — it is the boundary between a certification and a failed certification. Plan the POA&M remediation timeline from Day 1 of conditional status, not from the week the closeout assessment is scheduled. The difference between the two approaches is the difference between a successful certification cycle and a full reassessment at full cost.