There’s a lot riding on getting CMMC level 2 compliance right: contracts, trust, and long-term business. But what actually happens during a third-party assessment? A C3PAO (CMMC Third-Party Assessment Organization) doesn’t just check a few boxes. Working from the NIST SP 800-171A assessment methods of examine, interview, and test, it uses a range of focused techniques to validate that your organization actually meets all 110 CMMC level 2 requirements. Here’s how they do it.
Documentation Review
Before a single conversation or scan happens, a C3PAO starts by digging into your documents. This step confirms that written policies and procedures cover the 14 domains and 110 practices required by CMMC level 2, which are the 110 security requirements of NIST SP 800-171 Rev 2 grouped into 14 families. These aren’t just company memos; they’re expected to assign security responsibilities to named roles, show a review and update cadence, and establish clear accountability. The documentation must also show how each control is implemented and maintained, and by whom.
This isn’t a surface-level scan. Reviewers look for consistency between different parts of the security program. If your identification and authentication policy says multi-factor authentication is required for local and network access to privileged accounts and for network access to non-privileged accounts (what requirement 3.5.3 calls for), the C3PAO will want to see that reflected in the identity provider’s configuration, account provisioning checklists, and network diagrams. Incomplete or generic documentation, such as a policy template that never names your systems or the people responsible for them, is one of the top reasons organizations fail to meet CMMC compliance requirements.
Interviews with Personnel
Policies are only as strong as the people behind them. That’s why C3PAOs conduct interviews with staff who play a role in day-to-day security. These conversations go beyond leadership—they include system admins, security officers, and even end users. The goal is to verify that employees understand their responsibilities and actually follow the documented procedures.
CMMC level 2 compliance doesn’t happen by accident. If someone says they perform regular backups, the C3PAO will ask how often, where the data is stored, how backup copies of CUI are protected (requirement 3.8.9), and what the recovery process looks like. Interviewers also compare answers across roles: if the system administrator and the security officer describe different incident escalation paths, that is the kind of gap these conversations are designed to expose. The interviews help connect the dots between the technical requirements, training, and company culture. If there’s a difference between what’s written and what’s practiced, it will surface here.
Technical Testing/Observation
Some of the most important evidence comes from direct observation. A C3PAO may watch an administrator configure a new user account or demonstrate how an incident is escalated. These walk-throughs help prove that technical controls are functioning as described—not just theoretically, but in real time.
Technical observation also helps verify security tools in action. If your documentation says endpoint detection and response (EDR) is in place, the C3PAO may ask to see the console, current alerts, or logs from the platform, and may ask you to show that the agent is deployed on every in-scope host rather than only on a pilot group. This hands-on approach makes sure nothing is just for show. It is the assessor’s main way of confirming that a control is implemented rather than merely described in a policy.
Vulnerability Scans
Vulnerability scan results are another core piece of evidence. A C3PAO generally doesn’t run its own scanner against your network; it examines the output of your scanning program and may observe a scan being run. Those scans search for known vulnerabilities in your network, operating systems, and applications, and requirement 3.11.2 expects them to run periodically and whenever new vulnerabilities affecting your systems are identified. The results offer a quick snapshot of where you stand and whether your patch management process is working.
To meet CMMC level 2 compliance, scans must be routine and documented, and the findings must actually be remediated in line with your risk assessment (requirement 3.11.3). The C3PAO will expect to see past scan reports, the scan interval your procedure commits to, a history of how issues were resolved, and evidence that scan results are reviewed by someone who can act on them. Ignoring scan results or failing to follow up is a red flag. A mature program doesn’t just run scans; it acts on them, and it can show the time from detection to remediation for each finding.
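The self-check below is an added example, not code from the original article or from any assessment body. It runs the three questions an assessor asks of a scan program (is the cadence kept, is each scan reviewed, are findings fixed on time) over a constructed scan history. The record layout, the 30-day interval, and the per-severity remediation deadlines are assumptions standing in for whatever your SSP and vulnerability management procedure actually state; NIST SP 800-171 does not fix those numbers.

```python
"""Pre-assessment self-check over a vulnerability scan history (added example).

The scan interval and remediation deadlines below are assumptions; take the
real values from your own SSP and vulnerability management procedure.
"""
from datetime import date, timedelta

# Assumed program parameters.
SCAN_INTERVAL_DAYS = 30
REMEDIATION_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Date the self-check is run "as of" (constant so the checks are reproducible).
AS_OF = date(2024, 5, 15)

# Constructed sample history. Each scan records when it ran, who reviewed it,
# and the findings first observed in it; remediated=None means still open.
# Finding ids are placeholders, not real vulnerability identifiers.
SCAN_HISTORY = [
    {"scan_date": date(2024, 1, 5), "reviewed_by": "jdoe",
     "findings": [
         {"id": "F-001@host7", "severity": "critical", "remediated": date(2024, 1, 12)},
         {"id": "F-002@host3", "severity": "high", "remediated": date(2024, 1, 30)},
     ]},
    {"scan_date": date(2024, 2, 2), "reviewed_by": "jdoe",
     "findings": [
         {"id": "F-003@host9", "severity": "medium", "remediated": None},
     ]},
    # 81 days after the previous scan, and nobody signed off on the review.
    {"scan_date": date(2024, 4, 23), "reviewed_by": None,
     "findings": [
         {"id": "F-004@host1", "severity": "critical", "remediated": None},
     ]},
]


def cadence_gaps(history, interval_days=SCAN_INTERVAL_DAYS):
    """Return (previous_scan, this_scan, gap_days) for every interval longer than allowed."""
    ordered = sorted(history, key=lambda s: s["scan_date"])
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        gap = (cur["scan_date"] - prev["scan_date"]).days
        if gap > interval_days:
            gaps.append((prev["scan_date"], cur["scan_date"], gap))
    return gaps


def unreviewed_scans(history):
    """Scan dates with no recorded reviewer: no evidence anyone acted on the results."""
    return [s["scan_date"] for s in history if not s.get("reviewed_by")]


def sla_breaches(history, as_of, sla=REMEDIATION_SLA_DAYS):
    """Findings closed after their deadline, or still open past it as of `as_of`."""
    breaches = []
    for scan in history:
        for finding in scan["findings"]:
            deadline = scan["scan_date"] + timedelta(days=sla[finding["severity"]])
            closed = finding["remediated"] or as_of   # open findings age until today
            if closed > deadline:
                breaches.append({
                    "id": finding["id"],
                    "severity": finding["severity"],
                    "deadline": deadline,
                    "closed": finding["remediated"],  # None = still open
                    "days_over": (closed - deadline).days,
                })
    return breaches


def evidence_summary(history, as_of=AS_OF):
    """Everything an assessor would ask about this scan program, in one place."""
    return {
        "scans": len(history),
        "cadence_gaps": cadence_gaps(history),
        "unreviewed": unreviewed_scans(history),
        "sla_breaches": sla_breaches(history, as_of),
    }


if __name__ == "__main__":
    summary = evidence_summary(SCAN_HISTORY)
    print(f"{summary['scans']} scans on record")
    for prev, cur, gap in summary["cadence_gaps"]:
        print(f"cadence gap: {prev} -> {cur} ({gap} days, limit {SCAN_INTERVAL_DAYS})")
    for d in summary["unreviewed"]:
        print(f"scan on {d} has no recorded reviewer")
    for b in summary["sla_breaches"]:
        state = f"closed {b['closed']}" if b["closed"] else "still open"
        print(f"{b['id']} ({b['severity']}): {state}, {b['days_over']} days past {b['deadline']}")
```

Run against a real export, the useful output is not the pass/fail but the list itself: each cadence gap, unreviewed scan, and overdue finding is something you either fix before the assessment or explain in the POA&M.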
Penetration Testing
Unlike vulnerability scans, penetration tests involve simulated attacks performed by ethical hackers. One caveat worth knowing: none of the 110 level 2 requirements mandates a penetration test (that requirement appears at level 3, through NIST SP 800-172), so a C3PAO won’t fail you for not having one, and it won’t conduct one itself. It may, however, review recent test results as evidence of a proactive security program, since a strong pen test exercises your technical controls and shows whether detection and response systems are doing their job.
Penetration testing is still worth doing for organizations handling Controlled Unclassified Information (CUI). Since CMMC level 2 targets organizations with greater data risk, having recent and well-documented pen tests can give a C3PAO additional confidence in your ability to resist real-world threats. If you present one, expect the assessor to look at the test scope (was the CUI enclave actually inside it?), the results, and the follow-up actions taken.
Review of System Security Plan (SSP)
The System Security Plan (SSP) is a key artifact during any CMMC assessment, and developing and maintaining one is itself a level 2 requirement (3.12.4). It outlines how your organization implements each of the CMMC level 2 requirements and describes the systems in scope, the assessment boundary, and the connections to other systems. A C3PAO will review the SSP to confirm that it is detailed, current, and matches what they’re seeing during the assessment.
A weak or outdated SSP can derail your assessment. Reviewers expect a control-by-control description of how each requirement is implemented, a clear statement of boundaries, and enough technical depth to understand how systems are secured; a line that says only “MFA is enforced” without naming the systems and the mechanism won’t do. This document is the foundation for the entire evaluation, and if it’s missing details, everything built on it becomes harder to defend.
Review of Plan of Action and Milestones (POA&M)
No system is perfect, and that’s where the POA&M comes in. It outlines known gaps and the plan to fix them, including responsible parties and deadlines; maintaining one is itself requirement 3.12.2. C3PAOs look at it to evaluate how your organization handles security shortfalls over time. It’s not just about having a plan; it’s about showing that progress is being made.
Under the CMMC program rule, a POA&M buys only limited room: a level 2 assessment can yield a conditional certification only if you score at least 88 of 110, only certain lower-weighted requirements are eligible to sit on the POA&M at all, and every open item must be closed within 180 days and verified in a closeout assessment, or the conditional status lapses. So if your organization claims CMMC level 2 compliance but has open action items with no movement, that’s a serious concern. A solid POA&M tells reviewers that you’re serious about improvement and aware of what still needs work. It’s especially useful for tracking delayed updates or tool deployments while showing a path to resolution that aligns with CMMC compliance requirements.