Preparing for CMMC Certification: A Pre-Assessment Security Testing Checklist

Key Takeaways

  • Only 4% of defense contractors passed third-party CMMC assessments despite 75% believing they were compliant through self-assessment—a gap that pre-assessment security testing can close before your official C3PAO evaluation begins.
  • An estimated 25% of companies seeking CMMC certification experience false starts due to failed pre-assessments, with the median SPRS score sitting at just 60 out of a required 110—making a structured security testing checklist essential for avoiding costly rework.
  • A comprehensive pre-assessment testing program that covers all 14 NIST SP 800-171 control families—from access control and audit logging to incident response and system integrity—can compress typical 6–18-month remediation timelines and dramatically improve first-attempt certification rates.

The defense industrial base is staring down a deadline that many contractors still aren’t ready for. The CMMC 2.0 program rollout officially began on November 10, 2025, and contract solicitations now require defense contractors to demonstrate cybersecurity compliance as a condition of winning awards. The phased implementation means Level 2 third-party assessments become mandatory by November 2026, and full enforcement across all DoD contracts follows by 2028.

The numbers are sobering. A 2025 survey by CyberSheath found that only 1% of defense contractors report being fully prepared for CMMC assessments. Perhaps more alarming, while 75% of contractors believed they were compliant based on self-assessments, only 4% actually passed when a third-party assessor examined their controls. That disconnect—the chasm between what organizations think they’ve implemented and what they can actually demonstrate—is precisely the gap that pre-assessment security testing is designed to close.

A separate report from Kiteworks and Coalfire confirmed the readiness crisis: only 46% of Defense Industrial Base contractors feel prepared for Level 2 certification, and a staggering 57% haven’t even completed a gap analysis against NIST SP 800-171 requirements. Meanwhile, the median Supplier Performance Risk System score across the DIB sits at just 60, far below the 110 required for CMMC Level 2. And third-party assessors estimate that 25% of companies seeking certification experience false starts due to failed pre-assessments, resulting in wasted time, significant expense, and adverse findings that must be reported in the Enterprise Mission Assurance Support Service.

This isn’t just a documentation problem or a policy problem. It’s a testing problem. Organizations are implementing controls on paper without validating that those controls actually work in practice. A firewall rule that’s configured but never tested might fail to block prohibited traffic. An access control policy that exists in a binder but hasn’t been validated through technical testing may have implementation gaps that a C3PAO assessor will catch immediately.

That’s why pre-assessment security testing—conducted before you engage a C3PAO—has become one of the single most impactful steps a defense contractor can take to improve their chances of first-attempt certification. This article provides a comprehensive, domain-by-domain checklist that walks you through every critical testing activity your organization should complete before scheduling your official assessment. Whether you’re pursuing Level 1, Level 2, or Level 3 certification, treating security testing as a foundational preparation activity rather than an afterthought will save you time, money, and the very real risk of losing access to over $849 billion in annual Department of Defense contracts.

Understanding the Pre-Assessment Landscape

Why Pre-Assessment Testing Matters More Than Ever

The CMMC assessment process is structured, rigorous, and expensive. Engaging a Certified Third-Party Assessment Organization is a commitment that typically starts at $50,000 and can stretch considerably higher depending on your organization’s size and complexity. A failed assessment doesn’t just cost money—it costs time. Remediation after a failed assessment can push your certification timeline back by months, potentially causing you to miss contract opportunities that require demonstrated compliance.

Pre-assessment security testing serves as your organization’s dress rehearsal. It validates that documented controls aren’t just written policies but are actually implemented, configured correctly, and operating as intended. The goal isn’t to find zero issues—it’s to find and fix issues before the C3PAO does.

Think of it this way: a CMMC readiness assessment reviews your policies, documentation, and overall compliance posture. Pre-assessment security testing goes a step further by technically validating that those controls function under real-world conditions. Both are necessary, but the testing component is what separates organizations that pass on the first attempt from those that stumble.

The Relationship Between Testing and CMMC Assessment Objectives

CMMC Level 2 assessments evaluate 110 security practices across 14 control families derived from NIST SP 800-171, broken down into 320 individual assessment objectives. Assessors aren’t just checking whether you have a policy for each control—they’re examining whether each objective is met through a combination of documentation review, personnel interviews, and technical testing.

Pre-assessment security testing should mirror this approach. For every control family, your testing should validate that technical implementations match documented procedures, that configurations align with policy requirements, and that evidence of ongoing compliance exists in the form of logs, scan reports, and system outputs.

The Pre-Assessment Security Testing Checklist

The following checklist is organized by NIST SP 800-171 control family, covering the testing activities most likely to surface gaps before your official assessment. Each section identifies key validation activities, common failure points, and the evidence you should be prepared to produce.

1. Access Control (AC)

Access control is the largest control family in NIST SP 800-171, encompassing 22 requirements and forming the backbone of your CUI protection strategy. It’s also where many organizations stumble, because access control isn’t a single technology—it’s a web of policies, configurations, and technical implementations that must work together seamlessly.

Test multi-factor authentication implementation. Verify that MFA is enforced on every system that processes, stores, or transmits CUI, including cloud services, VPN connections, remote access portals, and privileged accounts. Don’t just confirm that MFA is enabled—attempt to access systems without it. Test bypass scenarios, including whether legacy protocols or exception accounts can circumvent MFA requirements. C3PAO assessors frequently discover MFA gaps in service accounts and administrative interfaces that organizations overlook.

Validate least privilege and separation of duties. Pull access control lists from every CUI system and compare them against documented role-based access policies. Identify any accounts with excessive privileges, paying special attention to users who have accumulated permissions through role changes without corresponding permission removals. Test whether standard user accounts can access resources outside their authorized scope.

Test remote access controls. With geographically dispersed workforces becoming the norm, remote access security is under intense scrutiny. Verify that all remote connections are encrypted, that session timeouts are enforced, and that remote access is routed through monitored, controlled access points. Test VPN split-tunneling configurations to ensure CUI traffic is properly segregated.

Verify wireless access restrictions. If wireless networks exist in facilities that process CUI, validate that unauthorized access points cannot connect to CUI networks, that wireless encryption meets current standards, and that rogue access point detection is functioning. Conduct a wireless survey to identify any unauthorized devices.

Examine mobile device and external system access. Review and test policies governing mobile device connections to CUI environments. Verify that mobile device management solutions enforce required security configurations, encryption requirements, and remote wipe capabilities.

2. Awareness and Training (AT)

While training might seem like a purely administrative control, C3PAO assessors will probe whether your training program actually produces security-aware behavior. Testing in this domain focuses on validating that training translates to practice.

Conduct social engineering simulations. Run phishing campaigns against your organization before the assessment. Track click rates, credential submission rates, and reporting rates. The results serve dual purposes: they validate your training effectiveness and produce evidence of ongoing security awareness activities. If click rates are high, you have time to implement additional training and retest before the official assessment.

Verify training completion and documentation. Confirm that every individual with access to CUI systems has completed role-appropriate security training within the required timeframe. Verify that training records are complete, accessible, and include documentation of training content, dates, and attendees. Spot-check that new employees have completed training before receiving CUI system access.

Test insider threat awareness. Validate that personnel can identify and report potential insider threat indicators. This can be assessed through tabletop scenarios or structured interviews with a sample of CUI system users.

3. Audit and Accountability (AU)

Audit logging is the evidentiary backbone of your security program. Without comprehensive, tamper-resistant logs, you cannot demonstrate that controls are operating effectively over time—and that’s exactly what CMMC assessors need to see.

Validate log coverage and completeness. Verify that every in-scope system generates audit logs capturing the required event types: login attempts (successful and failed), privilege usage, file access to CUI repositories, system configuration changes, and account management activities. Test by performing each event type and confirming it appears in the logs with the required detail—who, what, when, where, and the outcome of the event.

Test log protection and integrity. Attempt to modify or delete audit logs as a standard user and as a privileged user. Verify that log files are protected from unauthorized modification, that centralized log collection prevents local tampering, and that log retention meets documented policy requirements. If you’re using a Security Information and Event Management platform, confirm that SIEM ingestion is functioning for all in-scope systems.

Verify alert and response capabilities. Trigger test events that should generate security alerts—failed login thresholds, unauthorized access attempts, privilege escalation—and confirm that alerts are generated, routed to the appropriate personnel, and responded to within documented timeframes. This validates not just your technology but your operational processes.

Organizations that struggle with audit and accountability requirements often benefit from managed cybersecurity services that provide continuous log monitoring and analysis, ensuring that security events are not just collected but actively reviewed and acted upon.

4. Configuration Management (CM)

Configuration management is where technical implementation meets operational discipline. This control family validates that your systems are configured securely and that those configurations remain consistent over time—a concept known as configuration drift management.

Run configuration baseline scans. Scan all in-scope systems against established security baselines—CIS Benchmarks, DISA STIGs, or vendor-specific hardening guides. Document deviations and validate that any exceptions have documented risk acceptance decisions. Pay particular attention to default configurations that haven’t been hardened: default passwords, unnecessary services, open ports, and sample applications.

Test change management processes. Review recent system changes to verify they followed documented change management procedures, including security impact analysis, approval workflows, and post-change validation. Test whether unauthorized changes can be made to production systems without triggering alerts or requiring approval.

Validate software inventory and whitelisting. Confirm that application whitelisting or software restriction policies prevent unauthorized software installation on CUI systems. Attempt to install unapproved software and verify that the attempt is blocked and logged. Comprehensive vulnerability management starts with knowing exactly what software exists in your environment.

5. Identification and Authentication (IA)

Identification and authentication controls ensure that only authorized individuals can access CUI systems and that the system can verify their identity with an appropriate level of assurance.

Test password policy enforcement. Verify that password complexity requirements, minimum length, history, and maximum age policies are technically enforced—not just documented. Attempt to create passwords that violate policy requirements and confirm they are rejected. Test account lockout thresholds and verify that locked accounts require administrative intervention to unlock.

Validate authenticator management. Confirm that default passwords have been changed on all devices, that shared accounts are eliminated or strictly controlled, and that service account credentials are managed securely. Test whether expired or revoked credentials can still be used to access systems.

Verify identity proofing processes. Review and test the process for issuing new credentials, including identity verification steps, credential distribution methods, and initial password handling. Ensure the process prevents credential interception or unauthorized issuance.

6. Incident Response (IR)

CMMC assessors don’t just want to see that you have an incident response plan—they want evidence that it works. Pre-assessment testing of incident response capabilities is critical for demonstrating operational maturity.

Conduct a tabletop exercise. Run at least one tabletop exercise simulating a cybersecurity incident involving CUI. The scenario should test your organization’s ability to detect, respond to, contain, and recover from an incident while maintaining required notification timelines—including the 72-hour reporting requirement to the DoD. Document the exercise, participants, decisions made, and lessons learned.

Test detection and containment capabilities. Simulate security events—malware execution in a sandbox, unauthorized data exfiltration attempts, lateral movement techniques—and evaluate whether your monitoring systems detect them, your team responds appropriately, and containment procedures effectively limit the impact. This hands-on testing validates that your incident response plan isn’t just theoretical.

Verify forensic readiness. Confirm that your environment supports forensic investigation: logs are retained for sufficient duration, evidence collection procedures are documented, and personnel know how to preserve evidence without contaminating it. Test by simulating evidence collection for a hypothetical incident and evaluating the completeness and integrity of gathered data.

7. Maintenance (MA)

System maintenance controls ensure that maintenance activities—both routine and non-routine—don’t introduce security vulnerabilities or unauthorized access to CUI.

Validate patch management effectiveness. Run vulnerability scans to identify missing patches on all in-scope systems, including operating systems, applications, firmware, and network devices. Compare scan results against your documented patching timelines to verify that critical patches are applied within required windows. Track remediation of identified vulnerabilities through resolution.

Test remote maintenance security. If remote maintenance is permitted on CUI systems, verify that sessions are encrypted, authenticated with MFA, logged, and monitored. Test whether remote maintenance tools provide only the access required for the maintenance task and whether session recording or oversight mechanisms function correctly.

Review maintenance personnel controls. Confirm that maintenance personnel—whether internal staff or external contractors—are authorized, supervised as required, and that their access is limited to systems needing maintenance. Verify that maintenance tools and media are inspected before use on CUI systems.

8. Media Protection (MP)

Media protection controls govern how CUI is stored, transported, and destroyed on physical and digital media. Testing here focuses on validating that technical controls prevent unauthorized data exposure.

Test encryption of portable media. Attempt to copy CUI to unencrypted USB drives, external hard drives, and optical media. Verify that data loss prevention controls or device restrictions prevent unauthorized copies. If encrypted portable media is permitted, verify that encryption meets FIPS 140-2 validated standards.

Validate media sanitization. Review and test your media sanitization procedures for equipment that has processed CUI. Confirm that hard drives, solid-state drives, and other storage media are sanitized using NIST SP 800-88 compliant methods before reuse, transfer, or disposal. Request evidence of recent sanitization activities.

Verify CUI marking and handling. Review digital and physical CUI assets to confirm they are properly marked with required CUI designations. Test whether systems enforce CUI marking requirements on documents and emails, and whether personnel correctly handle marked materials.

9. Personnel Security (PS)

Personnel security testing validates that access to CUI is granted only to screened, authorized individuals, and that access is promptly revoked when no longer needed.

Test account termination processes. Review recent employee departures and verify that their system access was disabled within documented timeframes. Attempt to authenticate using credentials of recently departed employees to confirm they’ve been properly deactivated. This is a frequent C3PAO finding—organizations often have good termination policies but slow implementation.

Verify personnel screening. Confirm that all individuals with CUI access have undergone required background screening and that screening records are maintained. Verify that contractors, temporary employees, and third-party personnel are included in screening requirements.

Test personnel transfer procedures. When employees change roles, verify that their access is reviewed and adjusted to reflect their new responsibilities. Test whether access accumulated from previous roles has been properly removed.

10. Physical Protection (PE)

Physical protection testing validates that CUI is protected from unauthorized physical access, whether stored digitally or in physical form.

Test physical access controls. Attempt to access areas where CUI is processed or stored without proper authorization. Test badge systems, door locks, combination locks, and visitor management procedures. Verify that access logs capture physical entry and exit events and that they’re retained per policy.

Validate environmental protections. Verify that server rooms and data centers housing CUI systems have appropriate environmental controls: fire suppression, temperature and humidity monitoring, water detection, and emergency power. Test whether environmental alarms trigger appropriate notifications.

Review visitor management. Test visitor escort and access procedures. Verify that visitors are properly identified, logged, escorted in CUI areas, and that temporary access credentials are returned and deactivated upon departure.

11. Risk Assessment (RA)

Risk assessment controls require organizations to identify, evaluate, and prioritize risks to CUI. Pre-assessment testing in this domain validates that your risk management process produces actionable results and informs security decisions.

Run comprehensive vulnerability scans. Conduct authenticated vulnerability scans across all in-scope systems, including network infrastructure, servers, workstations, applications, and cloud environments. Compare results against your documented risk assessments to verify that known vulnerabilities are captured and tracked. NIST SP 800-171 requires vulnerability scanning at least every 90 days—verify that your scanning history demonstrates compliance with this frequency.

Consider penetration testing. While penetration testing is explicitly required only at CMMC Level 3, it’s highly valuable for Level 2 organizations as a pre-assessment validation activity. A professionally conducted network penetration test can reveal complex vulnerabilities that automated scanning misses, including business logic flaws, chained attack paths, and privilege escalation opportunities. Read more about the role of penetration testing in our guide to penetration testing for CMMC 2.0 compliance.

Validate risk assessment documentation. Review your risk assessment to confirm it covers all CUI systems, identifies current threats and vulnerabilities, evaluates potential impact, and assigns risk levels that inform security control priorities. The assessment should be current—assessors expect recent risk assessments, not documents that haven’t been updated in years.

12. Security Assessment (CA)

This control family is essentially meta—it requires you to assess your own security controls and maintain a plan for addressing identified deficiencies. Your pre-assessment testing activities contribute directly to satisfying these requirements.

Review your System Security Plan. Your SSP is the foundational document for CMMC assessment. Verify that it accurately describes your current environment, including all in-scope systems, network architecture, data flows, and implemented security controls. Walk through each control description and test whether reality matches documentation. A recent Greenberg Traurig analysis noted that an incomplete SSP can preclude completion of a third-party assessment entirely.

Evaluate your Plan of Action and Milestones. Review your POA&M to confirm that identified deficiencies have documented remediation plans with realistic timelines. Under CMMC 2.0, POA&Ms must be resolved within 180 days of the conditional assessment. Verify that POA&M items are actively being worked—assessors will ask about progress and expect evidence of remediation activities.

Conduct an internal mock assessment. Walk through the 320 assessment objectives as if you were the C3PAO. For each objective, attempt to locate and produce the evidence that an assessor would request. This exercise reveals documentation gaps, evidence organization issues, and controls that exist in policy but not in practice. It’s one of the highest-value pre-assessment activities you can undertake.

13. System and Communications Protection (SC)

System and communications protection controls safeguard CUI during transmission and while stored in information systems. This is a technically dense control family that demands thorough validation.

Test encryption implementations. Verify that all CUI in transit is encrypted using FIPS-validated cryptographic modules. Test email encryption, file transfer protocols, VPN tunnels, and web application connections. Use network capture tools to confirm that CUI cannot be intercepted in plaintext during transmission. Verify that encryption at rest is implemented on all systems storing CUI, including databases, file shares, backup media, and cloud storage.

Validate network segmentation. If your organization uses a secure enclave to isolate CUI processing, test the boundary controls thoroughly. Attempt to reach CUI systems from non-CUI network segments. Verify that firewall rules, access control lists, and network architecture effectively prevent unauthorized lateral movement. Network segmentation failures are among the most common and consequential findings in CMMC assessments.

Test boundary protection. Verify that all connections between your network and external systems are monitored, controlled, and documented. Test whether data loss prevention controls detect and prevent unauthorized CUI transmission. Validate that DNS, web, and email security controls block known malicious content.

Verify cloud security configurations. For organizations using cloud services to process or store CUI, validate that cloud configurations meet FedRAMP requirements and that the shared responsibility model is properly implemented. Verify that your cloud engineering team has configured identity federation, conditional access policies, and data residency controls in alignment with CMMC requirements.

14. System and Information Integrity (SI)

System and information integrity controls protect against malicious code, unauthorized changes, and information system flaws. This is where your technical security operations are put to the test.

Validate malware protection. Confirm that antivirus and endpoint detection and response solutions are deployed on all in-scope systems, that signature definitions are current, and that real-time scanning is active. Test by introducing a benign test file (EICAR) to verify detection. Verify that malware events generate alerts and are investigated according to documented procedures.

Test security monitoring capabilities. Verify that your monitoring tools detect the types of events required by CMMC: unauthorized access attempts, malware activity, unusual network traffic, and system integrity violations. Generate test events and track them through detection, alerting, and investigation workflows.

Verify system integrity monitoring. Confirm that file integrity monitoring is in place on critical system files and configurations. Test by modifying a monitored file and verifying that the change is detected and alerted. Validate that system integrity checks run at documented intervals.

Test spam and malicious content protections. Verify that email security controls block phishing attempts, malicious attachments, and spam. Test web content filtering to confirm that known malicious sites are blocked and that download controls prevent unauthorized executable installation.

Building Your Pre-Assessment Testing Program

Establishing the Right Testing Timeline

Pre-assessment security testing isn’t a single event—it’s a program that should begin well in advance of your scheduled C3PAO assessment. The typical CMMC preparation timeline of 6 to 18 months should incorporate testing milestones throughout.

Six to twelve months before assessment: Begin with comprehensive vulnerability scanning and configuration baseline assessments. These activities surface the largest number of findings early, giving your team maximum time for remediation. Run your first phishing simulation and tabletop exercise during this phase.

Three to six months before assessment: Conduct detailed testing of specific control families, focusing on areas where your gap analysis identified deficiencies. This is the appropriate window for penetration testing, as it provides time to remediate findings and revalidate fixes.

One to three months before assessment: Perform your internal mock assessment, validating evidence availability for all 320 assessment objectives. Run final vulnerability scans, verify remediation of previously identified findings, and confirm that POA&M items are on track for resolution within the 180-day window.

Selecting the Right Testing Partners

Not all security testing providers understand the nuances of CMMC compliance. Generic penetration testers may identify vulnerabilities without connecting findings to specific NIST SP 800-171 controls, leaving your team to bridge the gap between testing results and compliance requirements.

The ideal testing partner brings both technical depth and CMMC expertise. They should understand which controls C3PAOs scrutinize most heavily, what constitutes acceptable evidence, and how to frame findings in terms that map directly to your SSP and POA&M. A virtual CISO can provide ongoing strategic guidance throughout the preparation process, ensuring that testing activities align with your overall compliance roadmap.

For organizations that need both advisory and technical implementation support, working with a partner that combines cybersecurity advisory with engineering capabilities—as opposed to managing multiple vendors—reduces complexity and ensures that identified gaps are not just documented but actually fixed. Essendis’s cybersecurity advisory services combine former Big Four audit methodology with hands-on security engineering, providing the end-to-end support that defense contractors need to move from identified gaps to demonstrated compliance.

Prioritizing Remediation After Testing

Pre-assessment testing will inevitably surface findings. The key is having a structured approach to remediation that prioritizes based on CMMC impact rather than generic risk scoring.

Start with findings that would result in a “Not Met” determination on any of the 320 assessment objectives. These are your must-fix items. Next, address findings that could lead to ambiguous assessor determinations—situations where the control is partially implemented but evidence is insufficient to demonstrate full compliance. Finally, tackle findings that represent security improvements beyond the minimum CMMC requirements.

Throughout remediation, maintain rigorous documentation. Every finding should have a corresponding remediation plan in your POA&M, and every completed remediation should be validated through retesting. This retesting evidence becomes part of your assessment package, demonstrating not just that you identified issues but that you resolved them.

Common Pre-Assessment Pitfalls to Avoid

Testing scope that’s too narrow. One of the most consequential mistakes organizations make is limiting their testing scope to only the most obvious CUI systems while ignoring supporting infrastructure. Remember that your CUI environment includes not just the systems where CUI lives, but every system that could provide an attack path to CUI—administrative workstations, authentication servers, backup systems, and network infrastructure. If a system is in your CMMC assessment scope, it should be in your testing scope.

Confusing vulnerability scanning with penetration testing. Automated vulnerability scanning identifies known vulnerabilities based on software versions and configurations. Penetration testing involves skilled human testers who chain vulnerabilities together, test business logic, and simulate real-world attack techniques. Both have their place in pre-assessment testing, but they’re not interchangeable. Organizations that rely solely on automated scanning frequently miss complex vulnerabilities that C3PAO assessors or real-world attackers would exploit.

Testing without documented evidence. Conducting thorough security testing but failing to retain evidence is like studying for an exam without taking notes. Every testing activity should produce documented evidence: scan reports, test logs, screenshots, findings summaries, and remediation records. This evidence isn’t just useful for the assessment—it’s required to demonstrate that you’re meeting ongoing security validation requirements.

Treating pre-assessment testing as a one-time activity. CMMC compliance is continuous, not point-in-time. Your testing program should establish ongoing cadences for vulnerability scanning (at least every 90 days), access reviews, configuration audits, and incident response exercises. Organizations that build testing into their operational rhythm find ongoing compliance far less burdensome than those that scramble before each assessment cycle.

Ignoring third-party and vendor risks. Your security posture is only as strong as the weakest link in your supply chain. If third-party vendors have access to your CUI environment, their security must be validated as part of your pre-assessment testing. A robust vendor risk management program identifies, assesses, and monitors third-party security to prevent vendor weaknesses from undermining your CMMC compliance.

From Testing to Certification: Connecting the Dots

Pre-assessment security testing is not an isolated activity—it’s the connective tissue between your documented security program and your demonstrated security posture. When done well, testing produces the evidence that C3PAO assessors need to mark your controls as “Met,” while simultaneously improving your actual security against the very real threats facing the defense industrial base.

The defense contracting landscape is shifting rapidly. Phase 1 of the CMMC rollout is already in effect, requiring self-assessments as a pre-award condition for new contracts. Phase 2, requiring third-party Level 2 certification, arrives in November 2026. And by November 2028, full enforcement applies to every DoD contract involving Federal Contract Information or Controlled Unclassified Information.

Organizations that begin comprehensive pre-assessment testing now position themselves ahead of the curve. They’ll identify and remediate gaps while there’s still time, build the evidence portfolios that assessors expect, and develop the operational security maturity that sustains compliance long after the assessment is complete.

The cost of delay is no longer measured only in lost contracts but in the exposure of sensitive national security information. With over $849 billion in annual DoD contracts at stake and nation-state actors increasingly targeting the defense supply chain, the question isn’t whether your organization should invest in pre-assessment security testing—it’s how quickly you can get started.

If your organization is preparing for CMMC certification and needs expert guidance on pre-assessment security testing, contact Essendis to speak with a cybersecurity advisor who understands the unique challenges of defense industrial base compliance.

Frequently Asked Questions

How far in advance of my C3PAO assessment should I begin pre-assessment security testing?

Ideally, comprehensive pre-assessment testing should begin six to twelve months before your scheduled assessment. Starting with broad-scope activities like vulnerability scanning and configuration baseline reviews gives you the most time for remediation. More targeted testing—including penetration testing and mock assessments—should follow three to six months out, with final validation scans and evidence reviews conducted in the last one to three months. Organizations that compress this timeline often find themselves rushing remediation, which can result in incomplete fixes that assessors identify during the official evaluation.

What’s the difference between a CMMC readiness assessment and pre-assessment security testing?

A CMMC readiness assessment is a holistic evaluation of your compliance posture that reviews policies, procedures, documentation, and overall alignment with CMMC requirements. Pre-assessment security testing is a subset of readiness activities that focuses specifically on technically validating that your implemented security controls function as designed. Think of the readiness assessment as checking that you have the right answers on your test sheet, while pre-assessment security testing confirms that you actually did the work to arrive at those answers. Both are important, and most successful organizations pursue them in parallel.

Do I need penetration testing for CMMC Level 2?

CMMC Level 2 does not explicitly mandate penetration testing in all cases, though it does require vulnerability scanning at least every 90 days and additional testing for custom software applications. However, penetration testing is strongly recommended as a pre-assessment validation activity for Level 2 organizations. Many prime contractors now require their subcontractors to demonstrate penetration testing regardless of CMMC level. Level 3 organizations must conduct annual penetration testing as a hard requirement. For a deeper dive into testing requirements across levels, see our article on penetration testing for CMMC 2.0.

Can my organization conduct pre-assessment security testing internally, or do I need an outside firm?

You can conduct many pre-assessment testing activities internally, particularly vulnerability scanning, configuration auditing, access control reviews, and tabletop exercises. However, certain activities benefit significantly from external expertise. Penetration testing, in particular, is most effective when conducted by testers who are unfamiliar with your environment and can simulate a true external threat perspective. Additionally, external testers bring CMMC-specific experience that helps them identify compliance gaps your internal team might overlook simply because they’re too familiar with their own environment.

What happens if my pre-assessment testing reveals significant gaps?

That’s exactly the point. Discovering gaps during pre-assessment testing is infinitely preferable to discovering them during the official C3PAO assessment. When testing reveals deficiencies, document them in your Plan of Action and Milestones with specific remediation steps and realistic timelines. Address the most critical gaps first—those that would result in a “Not Met” determination on assessment objectives. Under CMMC 2.0, organizations can receive a conditional certification with up to a specified number of open POA&M items, provided those items are resolved within 180 days. However, the most reliable path to certification is to resolve as many findings as possible before the assessment begins.

How does pre-assessment testing apply to organizations using cloud environments for CUI?

Cloud environments introduce unique testing requirements. You must validate that your cloud service provider meets FedRAMP requirements, that your configuration of cloud services aligns with CMMC controls, and that the shared responsibility model is properly implemented—meaning you’ve secured the controls that are your responsibility as the customer. Testing should include cloud identity and access management, data encryption, network security group configurations, logging and monitoring, and data residency controls. If you’re using a secure enclave for CUI processing, both the enclave itself and the boundary controls separating it from your broader environment need thorough testing.

What documentation should I retain from pre-assessment testing?

Retain everything. Vulnerability scan reports, penetration testing findings, configuration audit results, phishing simulation metrics, tabletop exercise records, remediation evidence, and retesting validation reports all contribute to your assessment evidence package. Organize documentation by NIST SP 800-171 control family so that assessors can easily locate evidence supporting specific assessment objectives. Timestamped evidence is particularly valuable, as it demonstrates not just that controls exist but that they’re consistently maintained over time.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.