What Happens in the First Hour of a CMMC Assessment Sets the Tone for Everything That Follows
After working through dozens of CMMC engagements on behalf of defense contractors, I can tell you this with certainty: the first hour of a C3PAO assessment is not a warm-up. It is a structured, deliberate opening phase in which your assessors are already forming conclusions about your organization's maturity, your documentation discipline, and whether your compliance program is real or performative.
Contractors who arrive unprepared spend that first hour scrambling to locate documents, explain gaps they should have closed months ago, and apologize for artifacts that were never built. Contractors who have done the work spend that first hour projecting confidence—because everything the assessor asks for is already organized, labeled, and ready to hand over.
This post gives you the ten things your C3PAO will almost certainly request within the first sixty minutes. Use this as a final checkpoint before your assessment date. If you want a broader preparation framework, our post on how to prepare for your CMMC audit is a strong place to start.
The 10 Things Your C3PAO Will Ask for in the First Hour
1. Your System Security Plan (SSP)
The SSP is the single most important document in your CMMC package. Your C3PAO will want to see it immediately. They will use it to understand the scope of your assessment environment, the boundaries of your Controlled Unclassified Information (CUI) enclave, and how each of the 110 NIST SP 800-171 practices is addressed. An SSP that is thin, outdated, or inconsistent with your actual environment is one of the fastest ways to start an assessment on the wrong foot. Make sure it reflects your current network architecture, system inventory, and control implementations—not the environment you had when you first drafted it.
2. Your Plan of Action and Milestones (POA&M)
Very few organizations enter a CMMC Level 2 assessment with a perfect score. A well-structured POA&M demonstrates that you have identified your gaps honestly, that you have assigned ownership for remediation, and that you are managing those gaps systematically. Assessors want to see a living document—not a spreadsheet that was created the week before the assessment and has never been updated. Our post on SSP and POA&M as critical components of a strong security program covers what a credible POA&M looks like in practice.
3. Your Network Diagram and Asset Inventory
Your C3PAO needs to understand what is in scope before they can assess anything. Expect to provide a current, accurate network diagram that shows how CUI flows through your environment, which systems touch that data, and where your boundaries are. Alongside this, they will ask for your asset inventory—hardware, software, and cloud services. If your asset list does not match your network diagram, that inconsistency will generate questions you do not want to answer under assessment conditions.
4. Evidence of a Recent Internal Audit or Self-Assessment
C3PAOs want to see that you have assessed yourself before they arrived. This typically means documentation of an internal audit, a gap assessment, or a pre-assessment review conducted within a reasonable timeframe. Organizations that have never formally evaluated their own compliance posture before the C3PAO walks in signal that compliance is not a managed program—it is a procurement checkbox. If you have not yet run an internal readiness review, our guide on how to run an internal CMMC audit readiness review will walk you through the process.
5. Your CUI Identification and Handling Procedures
Assessors will ask how your organization identifies CUI, how it is labeled, how it is stored, and how it is transmitted. You need documented procedures that cover each of these. If your employees cannot articulate what CUI looks like in your environment, or if your labeling is inconsistent, that becomes an immediate area of focus. This is not a theoretical concern—it is one of the most common gaps we see across the defense industrial base. For a solid primer on what CUI categories mean in practice, our post on Controlled Unclassified Information is worth reviewing with your team before assessment day.
6. Your Incident Response Plan
Your C3PAO will ask for your Incident Response Plan (IRP) and will want to know that it is more than a document sitting in a shared drive. Expect questions about how recently it was tested, whether your team has conducted a tabletop exercise, and who is responsible for executing the plan when an incident occurs. NIST SP 800-171 requires a formal incident handling capability, and assessors know the difference between a plan that has been exercised and one that was written to satisfy a documentation requirement.
7. Your Access Control Policies and User Access Reviews
Access control is one of the most heavily weighted domains in a CMMC Level 2 assessment. In the first hour, assessors will typically request your access control policy and evidence that you are conducting periodic user access reviews. They want to see that privileged access is limited, that multi-factor authentication is enforced on CUI systems, and that terminated employees are removed from systems promptly. Be prepared to show logs or reports—not just policies.
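The "logs or reports, not just policies" point above is easiest to satisfy when the access review is a repeatable, dated procedure rather than a manual eyeball of a user list. The following is an added example (not code from Cleared Systems or from any assessor toolkit) of such a review: it reconciles a constructed account export from a CUI-scoped system against a constructed HR roster and produces a review record listing terminated users still enabled, privileged accounts without MFA, and stale accounts. The data, the one-day removal grace period and the 90-day stale threshold are all assumptions chosen for illustration, not values CMMC or NIST SP 800-171 prescribes.

```python
"""Added example: periodic user access review for a CUI system.

Reconciles an account export against the HR roster and produces a dated
review record of the kind an assessor asks for as evidence. All inputs
below are constructed sample data, not from any real environment.
"""
from dataclasses import dataclass, asdict
from datetime import date
from typing import Dict, List, Optional

# Constructed export from a hypothetical CUI-scoped identity store.
ACCOUNTS = [
    {"user": "alice", "privileged": True,  "mfa": True,  "last_login": date(2025, 3, 10)},
    {"user": "bob",   "privileged": False, "mfa": True,  "last_login": date(2025, 3, 12)},
    {"user": "carol", "privileged": True,  "mfa": False, "last_login": date(2025, 2, 1)},
    {"user": "dave",  "privileged": False, "mfa": True,  "last_login": date(2025, 1, 5)},
    {"user": "erin",  "privileged": False, "mfa": False, "last_login": date(2024, 9, 20)},
]

# Constructed HR roster: None means still employed, a date is the termination date.
# "frank" has an HR record but no account, which is not a finding.
HR_ROSTER: Dict[str, Optional[date]] = {
    "alice": None, "bob": None, "carol": None,
    "dave": date(2025, 2, 20), "erin": date(2024, 10, 1), "frank": None,
}

AS_OF = date(2025, 3, 15)  # constructed review date


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def review_access(accounts, hr_roster, as_of, term_grace_days=1, stale_days=90) -> List[Finding]:
    """Compare live accounts against HR status and account hygiene rules.

    Thresholds are assumptions for this example, not CMMC-mandated values.
    """
    findings: List[Finding] = []
    for acct in accounts:
        user = acct["user"]
        if user not in hr_roster:
            # An account with no HR record cannot be justified by a business role.
            findings.append(Finding(user, "unknown_user", "account has no HR record"))
            continue
        term = hr_roster[user]
        if term is not None and (as_of - term).days > term_grace_days:
            findings.append(Finding(user, "terminated_active",
                                    f"terminated {(as_of - term).days} days ago, account still enabled"))
        if acct["privileged"] and not acct["mfa"]:
            findings.append(Finding(user, "privileged_no_mfa", "privileged account without MFA"))
        idle = (as_of - acct["last_login"]).days
        if idle > stale_days:
            findings.append(Finding(user, "stale", f"no login in {idle} days"))
    return findings


def review_record(accounts, findings, as_of, reviewer) -> dict:
    """Build the dated evidence record that gets stored with the review."""
    return {
        "review_date": as_of.isoformat(),
        "reviewer": reviewer,
        "accounts_reviewed": len(accounts),
        "privileged_accounts": sum(1 for a in accounts if a["privileged"]),
        "findings": [asdict(f) for f in findings],
    }


def run_review(reviewer="security.lead (constructed)"):
    """Run the review over the constructed data and return (findings, record)."""
    findings = review_access(ACCOUNTS, HR_ROSTER, AS_OF)
    return findings, review_record(ACCOUNTS, findings, AS_OF, reviewer)


if __name__ == "__main__":
    _, record = run_review()
    for f in record["findings"]:
        print(f"{f['user']:<6} {f['issue']:<18} {f['detail']}")
```

Storing the returned record (for example as JSON with the reviewer's name and date) each time the review runs gives you exactly the dated trail an assessor wants to see; the open findings then feed the POA&M rather than living only in someone's inbox.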
8. Your Configuration Management Baseline Documentation
Your organization should have established secure configuration baselines for operating systems, applications, and network devices that touch CUI. Your C3PAO will ask for evidence that these baselines exist, that they are enforced, and that deviations are tracked. If your IT team has been managing configurations informally without documented baselines, that is a gap you want to close before assessment day—not during it.
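"Baselines exist, are enforced, and deviations are tracked" translates into a mechanical check: compare each in-scope host's actual settings against the documented baseline and record every difference together with whether an approved, unexpired exception covers it. The block below is an added example (not Cleared Systems code or any vendor's tool) of that deviation-tracking step. The baseline settings, host configurations, change-ticket identifiers and expiry dates are all constructed for illustration; in practice the actual values would come from your configuration management or scanning tooling.

```python
"""Added example: configuration baseline deviation tracking.

Compares collected host settings to a documented baseline and classifies
each deviation as unapproved, approved (covered by an unexpired exception),
or approved_expired. All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed baseline for CUI-scoped Linux hosts (setting -> required value).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "screen_lock_timeout_minutes": "15",
    "audit.enabled": "yes",
    "fips_mode": "enabled",
}

# Constructed settings as collected from two hypothetical hosts.
HOST_CONFIGS: Dict[str, Dict[str, str]] = {
    "cui-app-01": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "screen_lock_timeout_minutes": "30",   # drifted from baseline
        "audit.enabled": "yes",
        "fips_mode": "enabled",
    },
    "cui-db-01": {
        "sshd.PermitRootLogin": "yes",
        "sshd.PasswordAuthentication": "yes",
        "screen_lock_timeout_minutes": "15",
        # "audit.enabled" missing entirely: also a deviation
        "fips_mode": "enabled",
    },
}

# Constructed exception register; ticket ids are placeholders, not real change records.
APPROVED_EXCEPTIONS = [
    {"host": "cui-db-01", "setting": "sshd.PasswordAuthentication",
     "ticket": "CHG-PLACEHOLDER-1", "expires": date(2025, 12, 31)},
    {"host": "cui-db-01", "setting": "sshd.PermitRootLogin",
     "ticket": "CHG-PLACEHOLDER-2", "expires": date(2025, 1, 31)},  # lapsed
]

AS_OF = date(2025, 3, 15)  # constructed check date


@dataclass
class Deviation:
    host: str
    setting: str
    expected: str
    actual: Optional[str]          # None when the setting is absent on the host
    status: str = "unapproved"
    ticket: Optional[str] = None


def compare_to_baseline(host: str, baseline: dict, actual_config: dict) -> List[Deviation]:
    """Return one Deviation per baseline setting the host does not satisfy."""
    return [
        Deviation(host, setting, expected, actual_config.get(setting))
        for setting, expected in baseline.items()
        if actual_config.get(setting) != expected
    ]


def apply_exceptions(deviations: List[Deviation], exceptions: list, as_of: date) -> List[Deviation]:
    """Mark deviations covered by an exception; an expired exception does not clear it."""
    index = {(e["host"], e["setting"]): e for e in exceptions}
    for d in deviations:
        exc = index.get((d.host, d.setting))
        if exc is not None:
            d.ticket = exc["ticket"]
            d.status = "approved" if exc["expires"] >= as_of else "approved_expired"
    return deviations


def run_baseline_check(as_of: date = AS_OF):
    """Check every host and return (deviations, summary counts by status)."""
    deviations: List[Deviation] = []
    for host, cfg in HOST_CONFIGS.items():
        deviations.extend(compare_to_baseline(host, BASELINE, cfg))
    apply_exceptions(deviations, APPROVED_EXCEPTIONS, as_of)
    summary = {"hosts_checked": len(HOST_CONFIGS), "deviations": len(deviations)}
    for d in deviations:
        summary[d.status] = summary.get(d.status, 0) + 1
    return deviations, summary


if __name__ == "__main__":
    devs, summary = run_baseline_check()
    for d in devs:
        print(f"{d.host:<11} {d.setting:<30} expected={d.expected!r} actual={d.actual!r} "
              f"{d.status}" + (f" ({d.ticket})" if d.ticket else ""))
    print(summary)
```

The distinction the example draws between "approved" and "approved_expired" is the part worth keeping: an exception that lapsed months ago is, to an assessor, an untracked deviation, and the summary counts give you a dated figure to cite when asked whether baselines are actually enforced.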
9. Your Training Records and Security Awareness Documentation
CMMC requires that all personnel with access to CUI receive security awareness training. Assessors will ask for training completion records. They will also want to understand what the training covered, how frequently it is conducted, and whether role-based training exists for individuals with elevated responsibilities. A one-time onboarding video from several years ago is not going to satisfy this requirement. Current, documented training records for all relevant staff are essential.
10. Your SPRS Score and Supporting Evidence
Before a C3PAO ever sets foot in your facility, your organization should have submitted a score to the Supplier Performance Risk System (SPRS) based on a self-assessment against NIST SP 800-171. Your C3PAO will ask for the methodology behind that score and the evidence that supports it. If your submitted SPRS score and your actual compliance posture are significantly misaligned, that discrepancy will come up during the assessment. For a deeper look at how SPRS scoring works and what it means for your assessment, see our post on SPRS cybersecurity assessments for defense contractors.
Why the First Hour Matters More Than Most Contractors Realize
The opening of a CMMC assessment is not administrative housekeeping. It is the phase in which assessors calibrate how deeply they need to probe. Organizations that present complete, organized, and internally consistent documentation in the first hour typically move through the assessment more efficiently. Organizations that struggle to produce basic artifacts signal to the assessment team that deeper scrutiny is warranted across every domain.
If you are working toward CMMC, CUI, and DFARS compliance, the question is not whether your C3PAO will ask for these items—they will. The question is whether you will have them ready.
Preparation at this level requires more than good intentions. It requires a structured program with assigned ownership, documented controls, and regularly maintained evidence. Our broader post on the complete list of documentation required for CMMC certification is a useful companion to this checklist as you build out your evidence repository.
Common Mistakes That Derail the First Hour
- SSP that does not match current infrastructure — If your network diagram and SSP describe different environments, assessors will notice immediately.
- POA&M items with no owners or target dates — An unmanaged POA&M signals that remediation is not actually happening.
- Training records that cannot be produced on demand — If it takes your team more than a few minutes to pull training completion data, that is a process gap.
- Asset inventory that is incomplete or outdated — Any system that touches CUI must be accounted for. Shadow IT and forgotten endpoints are discovery risks.
- Policies that exist but have never been reviewed or updated — Document version history matters. A policy last reviewed in 2021 is a red flag in 2025.
The Most Effective Thing You Can Do Before Your Assessment
Run a structured internal readiness review at least sixty days before your C3PAO arrives. Treat it as a dry run. Have someone who was not involved in building your compliance program attempt to locate and validate every artifact on this list. If they cannot find it, the assessor will not be able to find it either.
Our Regulatory vCISO services are designed specifically to help organizations build and validate this kind of readiness—providing executive-level compliance leadership without the cost of a full-time hire. We embed in your program, identify the gaps, and help you close them before the assessment clock starts.
Ready to Get Assessment-Ready?
Whether your assessment is six months out or six weeks out, the time to act is now. The contractors who pass their CMMC assessments efficiently are not the ones with the most sophisticated technology—they are the ones whose documentation is complete, accurate, and organized. At Cleared Systems, we help defense contractors get there. Request a quote to speak with our team about your current posture, your assessment timeline, and the fastest path to certification-ready status.
