By NHI Mgmt Group Editorial TeamPublished 2026-05-12Domain: Cyber SecuritySource: Exostar

TL;DR: C3PAO assessors evaluate CMMC Level 2 readiness through scope definition, CUI handling, a defensible SSP, and evidence mapped to the CAP, according to Exostar. The practical issue is not policy intent but whether your controls, boundaries, and documentation hold up under interview and testing.


At a glance

What this is: This is a practitioner guide to what C3PAO assessors expect for CMMC Level 2, with the central finding that assessment readiness hinges on scope, CUI handling, SSP quality, and evidence.

Why it matters: It matters to IAM, PAM, and governance teams because assessment scope, access boundaries, and documentation discipline directly affect how identity-controlled systems are evaluated and how CUI exposure is constrained.

👉 Read Exostar's guidance on preparing for a C3PAO CMMC Level 2 assessment


Context

CMMC Level 2 readiness is fundamentally a governance problem before it is a documentation problem. If scope is unclear, CUI handling is inconsistent, or system boundaries are loosely drawn, assessors will test the control environment as a whole rather than accept policy claims at face value. For identity and access teams, that means the boundary around users, systems, and privileged pathways is part of compliance evidence, not a separate architecture concern.

This article focuses on the assessor perspective: what C3PAOs look for when validating scope, handling of CUI, the System Security Plan, and evidence during CAP-based assessments. The identity angle is real, because access control, enclave design, and responsibility assignment shape whether CUI is truly isolated or only described as isolated.


Key questions

Q: How should organisations scope CMMC Level 2 without overexpanding the assessment boundary?

A: Start by mapping where CUI is created, stored, processed, and transmitted, then include only the systems, users, and environments that materially affect those paths. The best scope is narrow but defensible. If you use an enclave, make sure supporting identities, integrations, and third parties are still visible in the boundary.

Q: Why do access controls matter so much in CMMC Level 2 assessments?

A: Because assessors are not just checking whether CUI exists, they are checking whether the people and systems handling it are constrained in a way that matches the documented control model. Access governance, MFA, and privilege assignments prove whether CUI handling is operational, not merely stated.

Q: What do assessors usually find wrong in a System Security Plan?

A: The most common problem is a mismatch between the SSP and the real environment. Teams describe controls, but the architecture, ownership, or system boundary has changed. A strong SSP reflects current dependencies, actual responsibilities across CSPs and ESPs, and the way controls work in practice.

Q: Who is accountable when CUI handling fails during a CMMC assessment?

A: Accountability sits with the organisation, even when parts of the environment are run by CSPs or ESPs. The assessment will still test whether responsibilities are clearly assigned, whether evidence is available, and whether control ownership is understood. Outsourced operations do not outsource accountability.


Technical breakdown

CMMC Level 2 scoping defines the assessment boundary

Scoping is the first control decision because it determines which systems, users, and environments fall under Level 2 requirements. In practice, scope should reflect where CUI is created, stored, processed, or transmitted, and it should also include supporting identity and infrastructure components that can affect that data. A secure enclave can reduce exposure, but only if the enclave boundary is consistent across technical controls, user access, and third-party dependencies. If the boundary is vague, assessors will widen the review to understand actual CUI movement and control coverage.

Practical implication: document the CUI boundary with enough precision that identity, system, and third-party dependencies are traceable during assessment.

CUI handling depends on access, sharing, and protection controls

Once scope is set, assessors look at how CUI is handled in day-to-day operations, not just how it is described in policy. That includes who can access it, how it is shared, where it is stored, and whether controls prevent unauthorized disclosure. From an identity perspective, this is where least privilege, MFA, and role design matter because CUI handling is only defensible when access paths are consistently controlled. A gap between process and practice is usually more damaging than a missing document because it suggests the control environment is not operating as stated.

Practical implication: validate that access paths, sharing workflows, and privileged roles match the documented CUI handling model.

The SSP must reflect how controls operate in practice

The System Security Plan is not just a compliance artifact. It is the assessor's map of how the environment actually meets the 110 NIST 800-171 controls, including architecture, system boundaries, and responsibility splits across CSPs and ESPs. If the SSP overstates coverage or omits operational details, it becomes difficult to reconcile documentation with evidence. Treating the SSP as CUI is also part of its control value, because uncontrolled access to the plan can expose design details that make the environment easier to target.

Practical implication: keep the SSP aligned to real architecture, real responsibilities, and controlled access to the plan itself.


NHI Mgmt Group analysis

Scope drift is the control failure that most often turns CMMC readiness into an assessment problem. The article makes clear that scope determines cost, effort, and risk, but the deeper issue is that scope defines the identity and system boundary the assessor will test. If the organisation cannot show where CUI lives and which users and systems touch it, it has not really bounded the compliance problem. Practitioners should treat scope as a live control boundary, not a planning document.

CUI handling is a governance test of access discipline, not just data classification. The source emphasises how CUI is accessed, shared, and protected by users, which means identity controls sit at the centre of the assessment. This is where IAM, MFA, and privilege assignment either support the security story or expose inconsistency between policy and operations. Teams should expect assessors to follow the access path, not stop at the policy statement.

Defensible documentation is the evidence layer that makes security claims testable. An SSP that reflects real architecture, real roles, and real responsibilities gives assessors something they can verify; an SSP that is aspirational does the opposite. For identity programmes, this reinforces a broader lesson: control evidence must align with who can access what, under which conditions, and through which managed systems. Practitioners should use the SSP as an operational truth source, not a filing exercise.

The CMMC model is pushing organisations toward evidence-led governance. The CAP process, interviews, and technical testing all reward environments where controls are demonstrable rather than merely described. That has implications beyond defence contractors, because it mirrors where identity assurance is heading across regulated sectors. Teams that can map access, ownership, and evidence cleanly will be better positioned for similar assurance demands elsewhere.

What this signals

CUI scope and identity scope are converging. As regulated assessments become more evidence-driven, identity teams will be asked to show not only who has access but how that access maps to controlled boundaries. That means service accounts, admin roles, and enclave access paths need the same traceability as the systems they support.

Assessment readiness is moving toward operational proof, not policy assurance. Organisations that can show living evidence, current ownership, and controlled access to security artifacts will have an easier path through CMMC-style reviews and similar audits. The practical signal is clear: documentation quality now reflects programme maturity, not admin overhead.


For practitioners

  • Define the CUI assessment boundary early Document which systems, users, environments, and supporting services interact with CUI, then test whether that boundary matches actual data flows and access paths. If a secure enclave is part of the design, ensure the boundary is consistent across identities, integrations, and third parties.
  • Validate CUI access paths against real operations Review how CUI is accessed, shared, and protected in practice, then compare those workflows to the policies and role assignments on paper. Pay particular attention to privileged users and service accounts that can move CUI across system boundaries.
  • Keep the SSP aligned to live architecture Update the System Security Plan whenever boundaries, dependencies, or responsibilities change, and restrict access to the SSP itself. Include architecture diagrams, CSP and ESP responsibilities, and control ownership that an assessor can verify.
  • Prepare evidence for interviews and technical testing Assemble complete, consistent, and accessible evidence for the 320 assessment objectives, including control artifacts, configuration proof, and interview-ready owners. Test the evidence set before the assessment so gaps are found internally rather than by the C3PAO.

Key takeaways

  • CMMC Level 2 readiness depends on whether scope, access, and evidence line up in practice.
  • Assessors will test the real boundary around CUI, not just the language used in policies and plans.
  • Identity governance, SSP accuracy, and evidence discipline are the controls that make certification defensible.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity and access control are central to how CUI scope is defended.
NIST SP 800-53 Rev 5AC-6Least privilege is essential when assessors review who can touch CUI.
CIS Controls v8CIS-5 , Account ManagementAccount governance supports CUI handling and assessor-ready identity evidence.
ISO/IEC 27001:2022A.5.15Access control is directly relevant to controlling CUI handling across environments.

Map CUI access paths to PR.AC-1 and verify every privileged path is tied to documented scope.


Key terms

  • System Security Plan: A System Security Plan is the core document that describes how an environment meets its security requirements in practice. For CMMC and related assurance work, it should reflect actual boundaries, responsibilities, and controls, not an idealised version of the architecture.
  • Controlled Unclassified Information: Controlled Unclassified Information is sensitive government-related information that is not classified but still requires defined handling and protection. In assessment contexts, it drives scoping, access control, evidence collection, and the design of secure boundaries across systems and users.
  • C3PAO: A C3PAO is a Certified Third-Party Assessor Organisation that evaluates whether an organisation meets CMMC requirements. Its role is to validate implementation through documentation, interviews, and testing, which means organisations must be able to demonstrate controls rather than simply describe them.

What's in the full article

Exostar's full article covers the operational detail this post intentionally leaves for the source:

  • The assessor-oriented explanation of how C3PAOs validate scope, interviews, and evidence in CAP-based assessments.
  • The practical checklist for aligning DFARS requirements, CUI handling, and system boundaries before certification activities begin.
  • The specific documentation and control examples Exostar recommends for SSP readiness and assessment preparation.
  • The common gaps that delay certification and how practitioners can address them before assessor review.

👉 Exostar's full post covers the assessor expectations, SSP readiness, and common gaps that teams need to resolve before certification.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle control. It is designed for practitioners who need to connect identity governance to operational security outcomes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org