If you are an Organization Seeking Compliance (OSC), going through a CMMC assessment can fray nerves, stress you and your team, and create unnecessary tension. If you are willing to do the hard work up front, so much of the negativity can be avoided, and you will reap the overall benefits. The tips I am going to provide are things you can do to make the assessment process easier on your team and the assessors.
So, what do I mean by “hard work”? It is not that it is hard, it just takes planning, forethought, organization, and time. CMMC assessments, particularly Level 2 and 3, are more about paperwork than anything else. By paperwork, I mean having an accurate, complete, and current System Security Plan (SSP), policies, procedures, and evidence. Having it assembled in a way that is meaningful, easy to navigate, and easy to search can save you considerable time and aggravation when you are going through your assessment.
Where To Begin
Determine if you want to manage the process manually or if you have the budget to leverage a Governance, Risk, and Compliance (GRC) solution that is CMMC Level 2 compliant. Why is that important? If any of the data you store in the GRC platform contains Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), then you are bringing that solution in scope. You may inherit some controls like Physical Protection (PE), but most of the controls may only be partially inherited. If you do elect to use a GRC system, ensure that the vendor is able to provide a Shared Responsibility Matrix (SRM) that accurately covers how they protect and secure your information.
Advantages of utilizing a GRC platform would be:
- It has the structure in place with the controls and objectives needed for compliance
- It may have ways to automatically gather and store evidence
- Provides mechanisms to maintain your SSP
- Should be able to generate a Plan of Action & Milestones (POA&M)
- Can help manage the preparation needed for an assessment.
If a GRC solution is not in your cards and you are going to manage the process on your own, that is okay, but it will mean a little more work. If you are managing the process yourself, here are a few key points to consider:
- Create a secure, central repository within your enclave or scoped environment. The repository should contain:
  - SSP
  - POA&M
  - Support Documentation and Evidence folders
- Create standard nomenclature for documentation and evidence.
- Align the folder structure to be easy to manage and easy to navigate.
- Ensure the folders and evidence are easy to identify and, just as important, easy to search.
The more organized you are, the easier it will be to find things while preparing for and during an assessment.
Some Options
The one I feel will pay the biggest dividend is the last point, making evidence easy to search, and here is why. If you have one document that contains multiple screenshots as part of your evidence, you can make it easy to search within that document by adding the control objective to the description of each image.
For example, if I have a screenshot to support AC.L1-3.1.1[a] showing which users are authorized to access CUI systems, it is simple to add the tag “AC.L1-3.1.1[a]” to the description of the image. This way, the auditor can search within the document for the specific evidence for that objective. It is especially helpful when a single screenshot serves as evidence for multiple objectives, since each objective can be tagged on the same image.

If you elect to create individual evidence documents for each control objective and separate them by domain, control, and objective, you may want to consider using meta tags to enhance their searchability if you do not add the control objective to the document name. For Microsoft shops, that is as easy as updating the information properties within the document as shown below.
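The naming and tagging conventions above are easy to state and easy to drift from as the evidence folder grows. As an added example (not code from the original post or from IGI Cybersecurity), the following Python script builds a searchable index of an evidence repository from the objective tags embedded in file names, flags files that carry no tag, flags files whose tag does not match the domain/requirement folder they sit in, and reports which required objectives still have no evidence. The folder layout, the sample file names and the list of required objectives are constructed for illustration; the tag format follows the AC.L1-3.1.1[a] style used in the text.

```python
import re
from collections import defaultdict

# Matches an assessment-objective tag of the form used on the page:
# domain.level-requirement[objective], e.g. "AC.L1-3.1.1[a]".
OBJECTIVE_RE = re.compile(r"\b([A-Z]{2})\.(L[123])-(\d+\.\d+\.\d+)\[([a-z])\]")

# Constructed sample listing of an evidence repository (illustrative only).
# Layout assumed: Evidence/<domain>/<domain>.<level>-<requirement>/<file>
SAMPLE_FILES = [
    "Evidence/AC/AC.L1-3.1.1/AC.L1-3.1.1[a] Authorized users list.png",
    "Evidence/AC/AC.L1-3.1.1/AC.L1-3.1.1[a] AC.L1-3.1.1[b] Group membership.png",
    "Evidence/IA/IA.L1-3.5.1/IA.L1-3.5.1[a] User identifiers.docx",
    "Evidence/AC/AC.L1-3.1.1/IA.L1-3.5.1[a] misplaced screenshot.png",  # wrong folder
    "Evidence/AC/AC.L1-3.1.1/screenshot_final_v2.png",                   # no tag
]

# Constructed list of objectives the assessor expects evidence for (illustrative).
SAMPLE_REQUIRED = ["AC.L1-3.1.1[a]", "AC.L1-3.1.1[b]", "AC.L1-3.1.1[c]", "IA.L1-3.5.1[a]"]


def extract_objectives(filename):
    """Return the objective tags found in a file name, in order, without duplicates."""
    return list(dict.fromkeys(m.group(0) for m in OBJECTIVE_RE.finditer(filename)))


def build_index(paths):
    """Map each objective tag to the evidence files that carry it.

    Returns (index, untagged): index is {objective: [paths]}, untagged is the
    list of files with no tag at all (unsearchable evidence).
    """
    index = defaultdict(list)
    untagged = []
    for path in paths:
        tags = extract_objectives(path.rsplit("/", 1)[-1])
        if not tags:
            untagged.append(path)
        for tag in tags:
            index[tag].append(path)
    return dict(index), untagged


def misfiled(paths):
    """Return (path, tag) pairs where the tag's domain/requirement does not
    match the folder the file sits in, i.e. the folder structure and the
    nomenclature disagree."""
    problems = []
    for path in paths:
        parts = path.split("/")
        folder = "/".join(parts[:-1])
        for m in OBJECTIVE_RE.finditer(parts[-1]):
            domain, level, requirement, _objective = m.groups()
            expected_folder = f"{domain}/{domain}.{level}-{requirement}"
            if expected_folder not in folder:
                problems.append((path, m.group(0)))
    return problems


def missing_evidence(index, required):
    """Return the required objectives that no evidence file is tagged with."""
    return [obj for obj in required if obj not in index]


if __name__ == "__main__":
    index, untagged = build_index(SAMPLE_FILES)
    for tag in sorted(index):
        print(tag)
        for path in index[tag]:
            print("   ", path)
    print("untagged:", untagged)
    print("misfiled:", misfiled(SAMPLE_FILES))
    print("missing:", missing_evidence(index, SAMPLE_REQUIRED))
```

Run it against the output of a directory walk (for example `os.walk` over the evidence root) instead of SAMPLE_FILES to get the same three reports for a real repository; the same regex can be pointed at image descriptions or document properties if tags live there rather than in file names.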

Conclusion
CMMC readiness assessments can be difficult to prepare for and go through successfully. Leveraging a GRC platform can make the process easier, but it is not essential to pass an assessment. Proper planning and attention to detail are critical, whichever approach you pursue.
Regardless of the method you choose, you are not alone. IGI Cybersecurity has CMMC Certified Assessors (CCAs) on staff to provide the expert guidance needed to navigate the certification requirements and assist you in achieving CMMC certification.
If you want more information about our service offerings, please contact Ken Barnaby (kbarnaby@igius.com) for details.
