A CMMC Level 2 assessor arrives with a methodology, not a gut feeling. Every practice in NIST SP 800-171 must be examined and scored. The way they examine it is through documentation first, then observation, then interviews. If your documentation does not support your security posture, your security posture does not get credited.
This is the part of CMMC preparation that most contractors underestimate. They spend months on technical controls and then show up to the assessment with a System Security Plan that reads like a template and policies that have never been reviewed. Assessors notice immediately.
Your System Security Plan Is the Assessor's Roadmap
The System Security Plan (SSP) is the single most important document in your entire CMMC package. Before an assessor runs a single test or asks a single interview question, they read the SSP. It sets their expectations for everything that follows.
A credible SSP does three things specifically:
- Defines your CUI boundary precisely: every system, device, application, and network segment that touches Controlled Unclassified Information
- Describes how each of the 110 NIST 800-171 practices is implemented in your specific environment, not in generic terms, but in terms that reference your actual tools, configurations, and processes
- Points to the supporting evidence, policies, and procedures that substantiate each implementation claim
The most common SSP failure is generic language. Statements like "the organization enforces access controls" tell an assessor nothing. What they need to see: "Multi-factor authentication is enforced for all accounts accessing CUI systems via Azure Active Directory Conditional Access policies. MFA is required at login and re-authentication is triggered after 30 minutes of inactivity." That is a description an assessor can verify.
Your SSP should be a document that could only describe your organization. If the same text could describe any other company with a find-and-replace of the company name, it will not hold up under assessment scrutiny.
The Policies Assessors Pull Before Day One
Most C3PAOs request a documentation package before the on-site assessment begins. The policies they ask for first are the ones that govern how your organization handles CUI at a procedural level. Assessors are not just checking that policies exist. They are checking whether the policies reflect what your organization actually does.
The core policies assessors commonly request include:
- Access Control Policy: how user accounts are provisioned, reviewed periodically, and terminated when employees leave
- Configuration Management Policy: who is authorized to change system configurations, how changes are tracked, and how baselines are established
- Incident Response Policy: your defined steps for detecting, containing, reporting, and recovering from security incidents
- Media Protection Policy: how CUI is handled on portable devices, how physical media is sanitized or destroyed, and how printing is controlled
- System and Communications Protection Policy: how encryption in transit and at rest is managed, and how network segmentation is maintained
- Awareness and Training Policy: who is required to complete security awareness training, how often, and how completion is tracked
Every policy needs an owner, an effective date, a review date, and a version number. Policies without these basics are treated as unapproved drafts. A policy that has never been reviewed since it was written three years ago raises questions about whether it reflects current practice at all.
Evidence of Implementation: Closing the Gap Between Policy and Practice
Policies describe intent. Evidence proves execution. The space between them is where most assessments find their most significant gaps.
Evidence that assessors look for across the 110 practices includes:
- Multi-factor authentication: configuration screenshots from your identity provider showing MFA is enforced for all CUI system access, not just recommended
- Security awareness training: completion records with employee names, training dates, and the training content covered for every person who handles CUI
- Access reviews: documented records of periodic reviews confirming who has access to CUI systems and that access remains appropriate
- Patch management: system-generated reports showing patch deployment timelines and that your defined remediation windows are being met
- Audit logging: configuration screenshots confirming which events are logged, where logs are stored, and what your retention period is
- Vulnerability scanning: periodic scan reports with dates, identified vulnerabilities, and documented remediation status for each finding
- Encryption: documentation showing that encryption implementations use FIPS 140-2 validated modules, not just that encryption is enabled
Evidence does not need to be polished. A well-organized folder of screenshots, system-generated reports, and completion records tied directly to the controls they support is far more useful than a presentation deck that makes claims without artifacts.
What Assessors Actually Do with Your POA&M
A Plan of Action and Milestones is not an admission that your security program has failed. It is evidence that your organization understands where its gaps are and has a credible plan to close them. Level 2 assessors expect to see a POA&M. An organization claiming all 110 practices are fully implemented without any open items will receive more scrutiny than one with a well-documented POA&M.
A credible POA&M includes for each open item:
- The specific NIST 800-171 practice number and title
- A description of the current gap, written clearly enough that someone outside your organization could understand it
- A planned completion date that is realistic given the scope of work required
- An assigned owner who is accountable for the remediation
- The resources allocated to close the gap: budget, vendor, or internal effort
What makes a POA&M fail under assessment scrutiny: completion dates that have already passed with no documented progress updates, no owner assignments, or a list of 30 open items all scheduled to close in 30 days. Assessors have reviewed enough POA&Ms to recognize ones that were created the week before the assessment to satisfy a documentation requirement rather than to manage actual remediation work.
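The checks above can be run mechanically before the assessor does them by hand. The following is an added example, not code from the original article or from any CMMC tool: it validates constructed POA&M entries for the five fields a credible item needs and flags the three failure patterns named above (past-due items with no progress update, items with no owner, and a pile of items all scheduled to close in the same short window). The practice numbering, the sample entries, the word-count threshold for a readable gap description and the fixed "today" date are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# NIST SP 800-171 practices are numbered family.practice, e.g. 3.5.3
PRACTICE_ID = re.compile(r"^3\.\d{1,2}\.\d{1,2}$")


@dataclass
class PoamItem:
    practice_id: str
    title: str
    gap: str                       # the current gap, in plain language
    owner: str                     # accountable person or role
    planned_completion: date
    resources: str                 # budget, vendor, or internal effort
    progress_updates: list = field(default_factory=list)   # [(date, note), ...]


def item_issues(item, today, min_gap_words=12):
    """Problems an assessor would flag on a single POA&M entry."""
    issues = []
    if not PRACTICE_ID.match(item.practice_id):
        issues.append("practice id not in NIST 800-171 form (e.g. 3.5.3)")
    if not item.title.strip():
        issues.append("missing practice title")
    if len(item.gap.split()) < min_gap_words:   # assumed threshold for readability
        issues.append("gap description too brief for an outside reader")
    if not item.owner.strip():
        issues.append("no accountable owner")
    if not item.resources.strip():
        issues.append("no resources allocated")
    if item.planned_completion < today:
        # A past-due item needs an update dated on or after the missed date
        recent = [d for d, _ in item.progress_updates if d >= item.planned_completion]
        if not recent:
            issues.append("completion date passed with no documented progress update")
    return issues


def plan_issues(items, today, window_days=30, max_in_window=10):
    """Plan-level pattern: many items bunched into one short window."""
    end = today + timedelta(days=window_days)
    bunched = [i for i in items if today <= i.planned_completion <= end]
    if len(bunched) > max_in_window:
        return [f"{len(bunched)} open items all scheduled to close within {window_days} days"]
    return []


def validate_poam(items, today):
    """Map each problematic practice id (and '_plan') to its list of issues."""
    report = {}
    for item in items:
        found = item_issues(item, today)
        if found:
            report.setdefault(item.practice_id, []).extend(found)
    plan = plan_issues(items, today)
    if plan:
        report["_plan"] = plan
    return report


def sample_items(today):
    """Constructed sample: one credible entry, one deficient entry, and 15 bunched entries."""
    credible = PoamItem(
        "3.5.3",
        "Use multifactor authentication for local and network access to privileged accounts "
        "and for network access to non-privileged accounts",
        "MFA is enforced for cloud accounts but three on-premises jump hosts still accept "
        "password-only RDP logins from the internal network for privileged accounts.",
        "IT Manager", today + timedelta(days=120),
        "Conditional Access licensing; 40 hours internal effort",
    )
    deficient = PoamItem(
        "3.3.1", "Create and retain system audit logs and records",
        "Logging incomplete.", "", today - timedelta(days=60), "",
    )
    bunched = [
        PoamItem(f"3.1.{n}", f"Access control practice 3.1.{n}",
                 "Placeholder gap description written in enough words to pass the length "
                 "check for this constructed example.",
                 "Security Lead", today + timedelta(days=14), "Internal effort")
        for n in range(1, 16)
    ]
    return [credible, deficient] + bunched


def demo(today=date(2024, 6, 1)):
    """Run the validator over the constructed sample with a fixed reference date."""
    return validate_poam(sample_items(today), today)


if __name__ == "__main__":
    for key, issues in demo().items():
        print(key, "->", "; ".join(issues))
```

The credible 3.5.3 entry produces no findings; the 3.3.1 entry is flagged on four counts, and the fifteen access-control items due within a fortnight trigger the plan-level warning. Thresholds such as the 12-word minimum and the 10-items-per-30-days limit are starting points to tune against your own remediation history.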
Documentation Gaps That Most Commonly Delay Assessments
Based on common patterns in Level 2 assessments, the documentation gaps that most frequently slow or derail the process are:
- No CUI data flow diagram: assessors need a visual map showing exactly where CUI enters your environment, how it moves through systems and people, and where it exits or is destroyed
- Missing FIPS encryption documentation: stating that data is encrypted is not enough; assessors want to see which specific modules or products are in use and confirmation they are FIPS 140-2 validated
- No account provisioning records: documentation showing when each account was created, who approved it, and whether it has been reviewed since creation
- Policies without approval records: a policy document with no approving authority signature or documented review history is not considered a formally adopted policy
- No evidence that training actually happened: the existence of a training platform is not the same as records showing that specific employees completed specific training on specific dates
Each of these gaps is discoverable in a pre-assessment documentation review. Catching them before the C3PAO arrives is substantially less costly than addressing them during the assessment itself. Our guide on how to prepare for a CMMC assessment walks through the full pre-assessment preparation timeline.
How to Organize Your Documentation Package
The organization of your documentation matters almost as much as its contents. An assessor who has to search for evidence during a time-boxed assessment may note findings simply because they could not locate what was needed within the allotted time.
A clean documentation package is organized by NIST 800-171 control family, with each section containing:
- The relevant policy or procedure governing that control family
- The SSP description for each practice within the family
- Supporting evidence: screenshots, reports, logs, and records
- POA&M entries for any open items in that family, with status updates
Label everything clearly. Include dates on all evidence artifacts. If a screenshot does not show a date, add one as a caption or annotation. Assessors are working through a structured methodology, and anything that makes their job easier increases the likelihood that your controls get full credit.
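A package organized this way can be indexed and checked automatically. The following is an added example rather than code from the original article: it takes a constructed list of evidence file paths, files each artifact under its NIST 800-171 control family and practice, flags artifacts with no practice id or no date in the name (including a date that is not a real calendar date), and lists practices the SSP claims but for which no artifact is filed. The file-naming convention (practice id, description, then a YYYY-MM-DD capture date) and the sample paths are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import date

# NIST SP 800-171 control families, keyed by the family number of the practice id
FAMILIES = {
    "3.1": "Access Control", "3.2": "Awareness and Training",
    "3.3": "Audit and Accountability", "3.4": "Configuration Management",
    "3.5": "Identification and Authentication", "3.6": "Incident Response",
    "3.7": "Maintenance", "3.8": "Media Protection", "3.9": "Personnel Security",
    "3.10": "Physical Protection", "3.11": "Risk Assessment",
    "3.12": "Security Assessment", "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}

# Assumed naming convention: <practice id>_<description>_<YYYY-MM-DD>.<ext>
PRACTICE_RE = re.compile(r"(?<![\d.])(3\.\d{1,2}\.\d{1,2})(?![\d.])")
DATE_RE = re.compile(r"(?<!\d)(\d{4})-(\d{2})-(\d{2})(?!\d)")


def parse_artifact(path):
    """Extract practice id, family and capture date from an artifact's file name."""
    name = path.rsplit("/", 1)[-1]
    record = {"path": path, "practice": None, "family": None, "date": None, "problems": []}
    m = PRACTICE_RE.search(name)
    if m:
        record["practice"] = m.group(1)
        record["family"] = FAMILIES.get(m.group(1).rsplit(".", 1)[0])
    if record["family"] is None:
        record["problems"].append("no NIST 800-171 practice id in name; cannot file under a family")
    d = DATE_RE.search(name)
    if d is None:
        record["problems"].append("no date in name; add the capture date as a caption or annotation")
    else:
        try:
            record["date"] = date(int(d.group(1)), int(d.group(2)), int(d.group(3)))
        except ValueError:
            record["problems"].append(f"'{d.group(0)}' is not a valid calendar date")
    return record


def build_index(paths):
    """Group artifacts by family and practice; return (index, list of 'path: problem')."""
    index = defaultdict(lambda: defaultdict(list))
    problems = []
    for record in map(parse_artifact, paths):
        problems.extend(f"{record['path']}: {msg}" for msg in record["problems"])
        if record["family"]:
            index[record["family"]][record["practice"]].append(record["path"])
    return {fam: dict(practices) for fam, practices in index.items()}, problems


def missing_evidence(index, claimed_practices):
    """Practices the SSP claims as implemented that have no artifact filed against them."""
    covered = {p for practices in index.values() for p in practices}
    return sorted(p for p in claimed_practices if p not in covered)


# Constructed sample package: two clean artifacts and three with labelling problems
SAMPLE_ARTIFACTS = [
    "evidence/AC/3.1.1_account-inventory_2024-05-14.csv",
    "evidence/AC/3.1.2_quarterly-access-review.pdf",            # no date
    "evidence/AU/3.3.1_log-retention-settings_2024-04-30.png",
    "evidence/CM/3.4.1_baseline-config-report_2024-02-30.pdf",  # impossible date
    "evidence/misc/screenshot.png",                             # no practice id, no date
]
# Constructed list of practices the SSP describes as implemented
SAMPLE_CLAIMED = ["3.1.1", "3.1.2", "3.3.1", "3.4.1", "3.5.3"]


if __name__ == "__main__":
    idx, probs = build_index(SAMPLE_ARTIFACTS)
    for family, practices in idx.items():
        print(family)
        for practice, files in sorted(practices.items()):
            print("  ", practice, files)
    print("Problems:", *probs, sep="\n  ")
    print("Claimed without evidence:", missing_evidence(idx, SAMPLE_CLAIMED))
```

On the sample, the two properly named artifacts file cleanly, the undated review and the impossible date are reported, the stray screenshot cannot be filed at all, and 3.5.3 surfaces as a claimed practice with nothing behind it. Running this over the real package before the C3PAO arrives turns "could not locate evidence" findings into a to-do list you control.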
The Bottom Line
CMMC assessors are not trying to find reasons to fail contractors. They are following a methodology that requires documented proof for each of the 110 practices. The contractors who pass do so because their documentation package tells a consistent, verifiable story from the SSP through the policies to the evidence to the POA&M.
If you are not sure whether your documentation would hold up under a Level 2 assessment, the time to find out is before the C3PAO arrives. Take our free cybersecurity self-assessment to identify gaps in your current posture. Our CMMC compliance services include SSP development, policy writing, evidence organization, and POA&M structuring for contractors preparing for Level 2 certification. To understand what level applies to your contracts, see our breakdown of CMMC Level 1 vs Level 2. And if you need help choosing the right compliance partner, see what to look for in a CMMC compliance consultant.