The Difference Between a Readiness Assessment and a Certification Assessment

One of the most common points of confusion for defense contractors preparing for CMMC Level 2 is the relationship between two things that sound similar but serve entirely different purposes: the readiness assessment and the certification assessment.

Some organizations treat them as interchangeable. They are not. Others skip the readiness assessment entirely and go straight to a C3PAO. And some organizations confuse the C3PAO’s own internal readiness review, which is part of the formal assessment process, with an independent pre-assessment readiness evaluation they should have completed themselves before engaging a C3PAO.

This post explains exactly what each one is, what it does, what it does not do, and why the sequence between them matters.

What a Readiness Assessment Is

A readiness assessment is not a formal CMMC program event. It does not appear in 32 CFR Part 170 as a required step. It produces no CMMC Status, no entry in SPRS, and no Certificate of CMMC Status. A C3PAO does not conduct it in any official capacity.

Many organizations choose to conduct a readiness assessment before engaging a C3PAO because it provides an opportunity to identify and remediate deficiencies prior to the certification assessment. The readiness assessment is preparation. The certification assessment is validation.

A well-structured readiness assessment works directly from the two documents that govern how a C3PAO will evaluate your organization: the DoD CIO CMMC Assessment Guide Level 2 and the DoD CIO CMMC Scoping Guide Level 2. Both are publicly available at no cost through the DoD CIO CMMC Documentation page. Together, they describe exactly what assessors look for, how assets are categorized within the assessment scope, and what MET looks like for each assessment objective across all 110 security requirements in NIST SP 800-171 Revision 2.

What a Readiness Assessment Actually Covers

A thorough readiness assessment evaluates your organization across the same dimensions a certification assessment examines.

Scope. Prior to a Level 2 certification assessment, the organization must specify the CMMC Assessment Scope in accordance with 32 CFR § 170.19(c). The CMMC Scoping Guide Level 2 identifies five asset categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. Each category carries different assessment requirements. A readiness assessment evaluates whether your scope has been defined accurately and whether any systems handling Controlled Unclassified Information have been incorrectly left outside the boundary.

Technical implementation. For each of the 110 security requirements, a readiness assessment examines whether the control is in place, configured correctly, and producing the intended security outcome. A tool purchased but never configured, a policy written but never followed, an access control that exists in documentation but not in practice: these are exactly the kinds of gaps a readiness assessment is designed to surface before a C3PAO engagement begins.

System Security Plan. Security requirement CA.L2-3.12.4 requires organizations to develop and maintain a System Security Plan describing how security requirements are implemented within the assessment scope. The SSP is a key artifact evaluated during a Level 2 assessment. A readiness assessment evaluates whether the SSP accurately reflects your actual environment or whether there are gaps between what the document describes and what your systems do.

Evidence. The CMMC Assessment Guide Level 2 describes how assessors use examine, interview, and test methods to evaluate each assessment objective. A readiness assessment asks whether the evidence your organization holds is organized, current, and aligned to the specific assessment objectives it is meant to support.

Deficiency identification. A readiness assessment may help an organization identify deficiencies that could later qualify for POA&M treatment during a certification assessment, subject to the requirements of 32 CFR § 170.21. It does not officially determine POA&M eligibility. That determination is made by the C3PAO during the certification assessment, in accordance with the criteria set out in the regulation.

What a Readiness Assessment Is Not

This distinction matters because the term is used loosely in the compliance market.

A readiness assessment is not a certification assessment. It does not result in any CMMC Status. It does not produce a finding that can be submitted to SPRS. It does not satisfy any contractual requirement. It creates no legal obligation and confers no credential.

It is also not a gap assessment in the narrower sense in which the term is sometimes used. A gap assessment typically identifies which controls are implemented and which are not. A readiness assessment goes further. It evaluates not just whether controls exist but whether the evidence, documentation, and operational consistency needed to demonstrate those controls to a C3PAO are in place.

And it is not a substitute for genuine remediation. A readiness assessment that surfaces significant gaps is valuable precisely because it gives your organization time to address those gaps before entering a certification assessment. But the readiness assessment itself does not close the gaps. The work of implementing controls, updating documentation, and collecting evidence is what closes them.

What a Certification Assessment Is

A Level 2 certification assessment is the formal process through which an accredited C3PAO evaluates your organization and produces an official CMMC Status. It is defined in 32 CFR § 170.17 and governed by the CMMC Assessment Process (CAP) v2.0, published by Cyber AB.

Following completion of the assessment and the required quality assurance activities, the assessment results are uploaded into CMMC eMASS and the certification process proceeds in accordance with the CAP, including issuance of a Certificate of CMMC Status. Results are then made available through the appropriate government systems, including SPRS, in accordance with program requirements. The outcome is one of three: Final Level 2, Conditional Level 2, or no certificate issued, as defined in the CAP and 32 CFR § 170.21.

The certification assessment has legal weight. It is what makes your organization eligible for contracts requiring Level 2 (C3PAO) status under DFARS 252.204-7021. Nothing else does.

The Readiness Review Inside the Certification Assessment

Here is the part that confuses many contractors: the formal certification assessment itself includes a readiness review, conducted by the C3PAO as part of Phase 1 of the CAP process.

According to the CMMC Assessment Process (CAP) v2.0, Phase 1 requires the C3PAO to review the SSP, validate the assessment scope, confirm the availability of evidence, and determine readiness for assessment. The CAP readiness activities are part of assessment preparation and assessment planning. They are distinct from the formal evaluation of security requirements that occurs during the certification assessment itself.

In other words, the C3PAO’s Phase 1 readiness review is a logistics and feasibility check. It confirms the assessment can proceed. It is not a pre-assessment gap analysis. It is not designed to find your compliance weaknesses and give you time to fix them. If Phase 1 surfaces readiness problems significant enough that the assessment cannot proceed, the engagement may be paused or terminated, which means schedule delays and lost time against your certification deadline.

The independent readiness assessment you conduct before engaging a C3PAO is designed to prevent that outcome. The C3PAO’s Phase 1 readiness review is not a substitute for it.

Why the Sequence Matters

The practical reason to complete a genuine readiness assessment before engaging a C3PAO is the quality of the outcome.

Many organizations choose to conduct a readiness assessment because it provides the opportunity to identify and remediate deficiencies before entering a certification assessment. An organization that enters a certification assessment with significant unresolved gaps either fails to achieve certification or achieves only Conditional Level 2 status, with a 180-day POA&M clock under 32 CFR § 170.21.

Under 32 CFR § 170.21, Conditional status requires that all POA&M items be remediated and verified through a closeout assessment within 180 days. If that window expires without a successful closeout, the Conditional status expires, and the organization must undergo a full new assessment before achieving the required CMMC Status.

A readiness assessment, whether conducted internally or with an RPO (Registered Practitioner Organization), produces specific, actionable gap information that allows your organization to enter the C3PAO engagement positioned to achieve Final Level 2 on the first attempt.

What a Good Readiness Assessment Produces

A properly conducted readiness assessment produces a documented set of outputs that directly inform remediation planning and C3PAO preparation.

It produces a gap analysis mapped to the specific assessment objectives in the CMMC Assessment Guide Level 2. Not just a high-level list of missing controls, but a finding for each objective that identifies what is in place, what is missing, and what evidence would need to exist for that objective to be determined MET.

It produces a scoping evaluation that confirms which assets fall inside your assessment boundary under 32 CFR § 170.19(c) and the CMMC Scoping Guide Level 2, and whether the boundary has been defined accurately.

It produces a review of your System Security Plan that identifies where the document reflects your actual environment and where it does not, so that updates can be made before a C3PAO reviews it during Phase 1 of the certification assessment.

It produces a prioritized remediation plan organized by the significance of each gap, giving your team a clear sequence of work to complete before entering a certification assessment.

And it produces an honest answer to the question every contractor needs to answer before booking a C3PAO: Are we ready?

A Practical Way to Think About Both

If the certification assessment is the final exam, the readiness assessment is the practice test you take to find out which subjects you need to study before the real thing.

The practice test does not give you a grade that counts. It does not go on your transcript. But if you skip it and go straight to the final exam without knowing where your gaps are, you are creating a situation where deficiencies that could have been remediated on your own timeline are instead discovered during a formal assessment with legal and contractual consequences attached.

The CMMC Assessment Guide Level 2 and the CMMC Scoping Guide Level 2 are publicly available. The assessment objectives are documented. The scoping categories are defined. The evidence standards are described. Everything your organization needs to conduct a rigorous readiness assessment against the same standard a C3PAO will apply is available at no cost through the DoD CIO CMMC Documentation page.

Final Thought

A readiness assessment and a certification assessment are not two versions of the same thing. They are two different events that serve two different purposes in a sequence that matters.

The readiness assessment is preparation. The certification assessment is validation. One creates the conditions for the other to succeed.

Organizations that conduct a genuine readiness assessment before engaging a C3PAO, identify deficiencies on their own timeline, and complete remediation before entering the certification assessment are in the strongest possible position to achieve Final Level 2 status on the first attempt.

Organizations are expected to implement, document, maintain, and demonstrate the required security controls within the defined assessment scope. The applicable requirements, assessment procedures, and scoping guidance are publicly available. The path from readiness to certification is documented in the official CMMC framework.

About Brea Networks

Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.