CMMC readiness · NIST 800-171 alignment · DFARS support Mon–Fri · 0800–1800 ET
Service 04 · Validation
Pending C3PAO authorization

Mock assessment.

A formal practice run conducted by certified assessors using DoD assessment methodology. Find what would fail before an authorized C3PAO finds it. The most useful two weeks you will spend before authorization.

What this is

A two-week engagement structured exactly as a real CMMC Level 2 assessment will be: scoping confirmation, evidence review, control testing, personnel interviews, and a final findings briefing. The difference is that there is no certification at the end; only a precise picture of what would happen if today were the real assessment.

The point is not the result. The point is what the result lets you fix before it counts.

What you receive

  • Findings report : control-by-control, with each finding categorized as "met," "partially met," or "not met," using the same language and standard authorized assessors apply.
  • Evidence quality assessment : not just whether evidence exists, but whether it would survive scrutiny.
  • Interview observations : notes on personnel responses, identifying any gaps between your documented controls and operational reality.
  • Risk-prioritized remediation list : what to fix first, organized by likelihood of triggering a failure in the actual assessment.
  • Final out-briefing : a working session with your leadership team to walk through findings and next steps.

Who this is for

Organizations that have completed remediation, have an SSP and POA&M in place, and are within three to six months of their planned formal assessment. A mock assessment too early is wasted; a mock assessment too late leaves no time to act on the findings.

How we work

Pre-engagement

We confirm scope, review your SSP and POA&M, and align on the assessment objectives we will test against. This is the same scoping conversation a real C3PAO would conduct.

On-site or remote engagement (5–8 days)

The active assessment phase. Document review, control testing, personnel interviews. Conducted in the same sequence and with the same rigor that DoD-authorized assessments use. We are not gentle. We are realistic.

Findings synthesis (3–5 days)

We compile findings, categorize them, and prepare the report and remediation list. This is where the value of the engagement is created.

Out-briefing

Final delivery and working session. We walk through every finding with your team. You leave with a clear understanding of what would happen in your real assessment and what to do about it.

The conflict-of-interest rule

Once we are an authorized C3PAO, we will not assess organizations we have remediated. Cyber AB rules formalize this, but our practice is stricter than the rules: if we have done substantial remediation work for you, we will not be your assessor. A mock assessment performed by us does not preclude us from later being your real assessor, provided we have not also done your remediation or consulting.

What it costs

Mock assessments are fixed-fee. Pricing is driven primarily by environment scope and the number of CUI assets. Quotes are provided in writing during the initial scoping call.

Begin the conversation

Your contract eligibility is on a clock. Let’s get to work.

A 30-minute scoping call with a senior consultant. No pitch. We listen, scope honestly, and tell you what we’d do — including whether we are the right fit.

Request a scoping call →