Skip to content

CMMC readiness

What a C3PAO Assessment Actually Requires: The Evidence Package

A Level 2 certification is not a questionnaire — it is an assessor testing 320 objectives against real artifacts. Here is what a C3PAO examines, what belongs in the evidence package, and the failure modes that sink otherwise-ready contractors.

Request proof sample

By the time a defense contractor books a Level 2 certification assessment, most of the anxiety is misdirected. Teams worry about the assessor's demeanor or the length of the engagement when the outcome is almost entirely determined earlier, by whether the evidence package holds up. A CMMC Third-Party Assessment Organization does not grade your intentions; it tests specific claims against specific artifacts. Understanding what it actually examines — and what a defensible package contains — is the difference between a smooth assessment and an expensive re-do.

What a C3PAO is, and what it is not

A C3PAO is a CMMC Third-Party Assessment Organization, authorized through the program's accreditation body (the Cyber AB) under Department of Defense oversight. You engage and pay one, but its role is to assess you objectively against a fixed federal standard, not to consult its way to a passing result. That independence is the point of the whole Phase 2 shift: the government is replacing self-attestation with a verification performed by an accredited outside party. The assessor's loyalty is to the methodology, which means your preparation has to satisfy the methodology, not the assessor's goodwill.

What the assessment is measured against

The standard is not the 110 requirements of NIST SP 800-171 Revision 2 at the headline level; it is the 320 assessment objectives that NIST SP 800-171A decomposes those requirements into. Each of the 110 requirements breaks down into one or more determination statements, and every one of the 320 must be substantiated. The assessor works through them using the three assessment methods defined in 800-171A: Examine (reviewing documents, policies, configurations, and other artifacts), Interview (talking to the people who operate the control), and Test (observing the control actually functioning). A requirement you consider "done" can still fail if an objective underneath it has no evidence, or if the evidence survives Examine but collapses under Test.

What belongs in the evidence package

The foundation is the System Security Plan. The SSP describes your environment, defines the boundary of the system that handles CUI, and states how each requirement is implemented. A vague or aspirational SSP is the single most common root cause of a difficult assessment, because it is the map the assessor uses to navigate everything else. From there, each of the 320 objectives needs backing evidence: the policies that establish intent, the procedures that describe practice, and the concrete artifacts that prove the practice is real — configuration exports, access-control settings, audit-log samples, MFA enrollment records, encryption settings, vulnerability-scan output, training records, and change or incident tickets. The assessor is looking for evidence that is current, that plainly applies to the actual in-scope system rather than a generic template, and that goes beyond a statement of policy to a demonstration of operation.

Scope shapes the entire package. The assessment covers the assets inside your CUI boundary, so how you draw that boundary determines how many systems, people, and objectives are in play. A tightly scoped, well-enclaved environment produces a smaller, cleaner evidence package; a sprawling, undefined one produces an assessment that is larger and easier to fail. We cover this directly in the companion post on CUI scoping, and it is worth reading before you assemble evidence, not after.

The failure modes that sink ready contractors

Most assessment failures are not exotic. The most frequent is policy without practice: a well-written policy that describes a control nobody actually enforces, which passes Examine and then fails Interview or Test the moment the assessor asks to see it working. Close behind is stale or generic evidence — screenshots from a prior year, or artifacts lifted from a template that do not match the real system. A third is scope confusion, where the boundary in the SSP does not match the environment the assessor finds, leaving objectives unaddressed for assets that turn out to be in scope. And the quiet killer is preparing to the 110 requirements instead of the 320 objectives: teams close every requirement at a summary level and still arrive with objectives that have no evidence attached, because they never decomposed the requirement into what the assessor would actually test.

Certification is a posture, not a moment

Passing the assessment is not the end of the obligation. A senior company official must submit an affirmation of compliance in the Supplier Performance Risk System, and that affirmation has to be renewed on an ongoing, annual basis. CMMC treats compliance as a continuous state you keep attesting to, not a certificate you frame and forget. That framing should inform how you build the evidence package in the first place: artifacts that are generated and refreshed as a byproduct of running the environment are far more sustainable than a one-time binder assembled the month before assessment and immediately gone stale.

A note on OSCAL

Modern assessment packages increasingly expect machine-readable formats. NIST's Open Security Controls Assessment Language (OSCAL) defines structured representations of the System Security Plan, the Security Assessment Plan, the Security Assessment Report, and the POA&M. Producing these artifacts in OSCAL rather than as loose documents makes an evidence package easier to exchange, validate, and keep current, and it aligns with where the federal assessment ecosystem is heading.

Where Valty fits, honestly

Valty is not a C3PAO and cannot assess or certify you — that authority belongs solely to accredited assessors. What the platform does is help assemble a defensible evidence package: mapping your controls and artifacts to all 320 assessment objectives so gaps are visible before an assessor finds them, maintaining the System Security Plan, and generating the OSCAL SSP, SAP, SAR, and POA&M artifacts a modern package expects. It is readiness and decision-support — getting you to the assessment with the objectives substantiated — not a replacement for the independent assessment itself. For the broader mandate picture, see the CMMC overview and the federal and regulatory capability page.

Back to blogView proof surface