If you handle CUI, the C3PAO assessment is coming. Here's the 10-step readiness path Maverc walks every defense industrial base client through before the auditor shows up.
CMMC 2.0 is no longer a future problem. The DFARS 252.204-7021 final rule has phased CMMC requirements into new DoD contracts, and prime contractors are pushing the assessment requirement down their supply chain at the same time. Self-attestation is off the table for any organization processing, storing, or transmitting Controlled Unclassified Information (CUI). The contracts now require an assessment by an authorized C3PAO (Certified Third-Party Assessment Organization), and the assessor scoring guidance leaves very little room for charitable interpretation.
Maverc is a Registered Provider Organization (RPO) and has guided dozens of DIB contractors through the readiness path. The good news: failure on first assessment is almost always preventable. The bad news: most of the work has to happen before the assessor walks in the door. This is the sequence we run.
1. Confirm what you actually handle
The single most expensive mistake we see is misclassifying scope. Federal Contract Information (FCI) triggers Level 1 (17 controls, self-assessed). Controlled Unclassified Information (CUI) triggers Level 2 (110 NIST SP 800-171 Rev 2 controls, third-party assessed). Mixing the two in the same environment forces the higher standard onto everything that touches CUI.
Walk every active and recent contract. Identify clauses that flow down DFARS 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021. Pull the contract data deliverables and ask: does any of this meet the CUI definition under 32 CFR Part 2002? When in doubt, ask the contracting officer in writing. Document the answer.
2. Define your CUI boundary
Most contractors do not need their entire enterprise in scope. A purpose-built CUI enclave dramatically shrinks the assessment surface — typically by 80 percent or more — and pays for itself in reduced compliance overhead within the first year.
A common architecture pattern: Microsoft 365 GCC High plus a hardened Windows endpoint set (or virtual desktop) for users with CUI access, with strict data loss prevention preventing CUI from leaving the enclave. AWS GovCloud, Azure Government, and Google Workspace for Government play similar roles depending on tooling. The enclave does not have to be Microsoft — it has to be FedRAMP Moderate equivalent or higher and configured to meet 800-171.
Write a scoping document. Identify CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets per the official CMMC scoping guide. The C3PAO will start their assessment by accepting or rejecting your scope.
3. Build the System Security Plan early
The SSP is not paperwork. It is the contract you sign with the assessor about what is in scope and how each of the 110 controls is implemented. A vague or aspirational SSP becomes the assessor's roadmap for finding gaps.
Write the SSP control-by-control. For each control: state the implementation status (implemented, partially implemented, planned, not applicable with justification), describe the actual implementation in concrete terms (system names, configuration settings, responsible roles), and reference the supporting evidence. "We have a policy" is not an implementation. "Endpoint protection is enforced via Microsoft Defender for Endpoint with policies X, Y, Z applied to the device group ENCLAVE-WORKSTATIONS, monitored by the SOC team" is.
4. Execute a gap assessment against all 110 controls
Map current state against each NIST SP 800-171 requirement. Use the official DoD Assessment Methodology scoring (110 maximum, weighted deductions of 1, 3, or 5 points per gap). A score of 110 is full implementation; 88 is the minimum threshold to enter the assessment with POA&M-eligible items. Below that, you are not ready.
Maverc delivers this as a scored heatmap with remediation effort estimates. The output is a prioritized backlog: critical 5-point gaps first, then 3-point, then 1-point, with realistic effort and cost attached to each.
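As an added illustration of the scoring described above (not Maverc's tooling), the script below applies the DoD Assessment Methodology arithmetic to a gap list: start at 110, deduct 5, 3 or 1 points per unimplemented requirement, check the 88-point entry threshold, and emit the weight-ordered backlog. The control IDs, weights and effort figures in the sample are constructed for illustration, not the official per-requirement weight table.

```python
"""Score a NIST SP 800-171 gap assessment using the DoD Assessment
Methodology arithmetic: 110 minus the weight (5, 3 or 1) of each gap.
Sample gaps below are constructed; weights are not the official table."""
from dataclasses import dataclass

MAX_SCORE = 110           # all 110 requirements fully implemented
READINESS_THRESHOLD = 88  # minimum score to enter assessment with a POA&M


@dataclass(frozen=True)
class Gap:
    control: str      # NIST SP 800-171 requirement ID (illustrative)
    weight: int       # 5, 3 or 1 points per the DoD methodology
    effort_days: int  # constructed remediation estimate
    note: str


# Constructed sample gaps for illustration only.
SAMPLE_GAPS = [
    Gap("3.5.3", 5, 10, "MFA missing on local admin console"),
    Gap("3.3.1", 5, 15, "audit event types not defined for enclave servers"),
    Gap("3.11.2", 3, 5, "vulnerability scans run ad hoc, no cadence"),
    Gap("3.4.2", 1, 3, "baseline drift not reviewed"),
]


def score(gaps):
    """Return 110 minus the summed deductions; reject malformed weights."""
    for g in gaps:
        if g.weight not in (1, 3, 5):
            raise ValueError(f"{g.control}: weight must be 1, 3 or 5")
    return MAX_SCORE - sum(g.weight for g in gaps)


def assessment_ready(gaps):
    """True when the score meets the 88-point threshold cited above."""
    return score(gaps) >= READINESS_THRESHOLD


def backlog(gaps):
    """Prioritized backlog: 5-point gaps first, then 3, then 1;
    cheapest effort first within each weight class."""
    return sorted(gaps, key=lambda g: (-g.weight, g.effort_days))


if __name__ == "__main__":
    print("score:", score(SAMPLE_GAPS), "ready:", assessment_ready(SAMPLE_GAPS))
    for g in backlog(SAMPLE_GAPS):
        print(f"{g.weight}-pt {g.control:7} ~{g.effort_days}d  {g.note}")
```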
5. Remediate technical gaps
The technical work clusters around predictable areas:
- FIPS 140-2 or 140-3 validated cryptography for CUI at rest and in transit. Verify the FIPS module is actually enabled, not just available.
- Multi-factor authentication on every CUI-touching system, including local console access for privileged accounts.
- Audit logging that meets the AU family requirements: defined event types, sufficient retention, protected from tampering, reviewed on a defined cadence.
- Vulnerability management with documented scan cadence, defined remediation SLAs, and evidence of execution.
- Incident response capability that has actually been tested, not just documented.
- Configuration management with baselines, change control, and least-functionality enforcement.
- Media protection covering CUI on removable media, mobile devices, and during sanitization or destruction.
6. Remediate policy and process gaps
Auditors want to see the artifact and the evidence the artifact is being followed. A risk assessment policy is not enough — show the most recent risk assessment and the resulting risk register. An incident response plan is not enough — show the tabletop after-action report and the corrective actions completed since. A configuration management policy is not enough — show the change tickets for the last quarter and the approval records.
If a process is performed but not documented, document it. If a process is documented but not performed, either start performing it or change the policy. Inconsistency between written and observed practice is a fast path to an open finding.
7. Train your workforce
Three layers of training, all required:
- Security awareness for every user with system access, on a defined cadence, with completion records.
- Role-based training for privileged users (administrators, developers with production access, SOC analysts) covering their specific responsibilities.
- Insider threat awareness, documented and tracked.
The assessor will sample users and ask whether they completed training, what it covered, and what their security responsibilities are. Train accordingly.
8. Stand up the POA&M
A Plan of Action and Milestones tracks every gap not yet at full implementation: the deficiency, the remediation plan, the responsible party, the milestone dates, the resources required. Under CMMC 2.0, only certain controls are POA&M-eligible at assessment, and POA&M items must close within 180 days of the conditional certification.
The POA&M is also a living document. Keep it accurate. Auditors check whether previously promised remediation actually happened.
9. Run a mock assessment
Bring in an independent team to act as the C3PAO. They will request your SSP and scoping document, interview your staff, sample evidence for each control family, and score the environment using the official DoD methodology. Maverc runs these as a two-week engagement that mirrors the real assessment workflow.
The mock catches the things you cannot see from inside the program: missing evidence, control descriptions that read well but cannot be operationalized, and staff who do not know how to answer a specific question. Fix what the mock finds before scheduling the real assessment.
10. Schedule the C3PAO
Once your mock score is conditional pass or higher, engage an authorized C3PAO from the Cyber AB marketplace. Lead time varies — six months out is common in the current backlog. Maverc remains engaged as your advisor through the assessment, helping you respond to evidence requests and clarify control implementation in real time. We do not perform the assessment ourselves (that conflict is prohibited), but we sit alongside you while it happens.
What "ready" actually looks like
A ready organization has a current SSP that matches reality, a recently exercised incident response plan, evidence collected and organized by control family, a workforce that can answer assessor questions in their own words, and a POA&M with no surprises. The assessment becomes a confirmation, not an audit.
The contractors who treat CMMC as a sustained program rather than a one-time project pass on first assessment, win more DoD work, and spend less on compliance over time than the ones who scramble at contract award. Start now.