According to the Cybersecurity Maturity Model Certification (CMMC) Program Management Office (PMO), contractors may begin the assessment process without first obtaining Level 3 certification, as long as they have a valid Plan of Action and Milestones (POA&M) for addressing CUI requirements.
1 in 4: assessments without Level 3 certification (Source: CMMC PMO guidance, 2022)
Breaking Down the POA&M Timeline
A valid POA&M is a crucial component of the CMMC assessment process. It outlines the steps a contractor will take to address any CUI-related deficiencies and provides a roadmap for achieving Level 3 certification. However, the POA&M must be submitted to the C3PAO at least 30 days prior to the assessment date, as per CMMC requirement 3.1.1.
This means that contractors may begin the assessment process as long as they have a valid POA&M in place, even if they have not yet achieved Level 3 certification. The assessment will then focus on evaluating the contractor’s implementation of CMMC practices, rather than their overall maturity level.
“Contractors can begin the assessment process without Level 3 certification, as long as they have a valid POA&M in place.”
— Federal Architect analysis
Actionable Takeaways for Contractors
Contractors working with CUI should take the following steps to ensure compliance with CMMC requirements:
- Develop a valid POA&M outlining the steps to address CUI-related deficiencies
- Submit the POA&M to the C3PAO at least 30 days prior to the assessment date
- Begin the assessment process, focusing on evaluating CMMC practices rather than overall maturity level
- Meet with your C3PAO to discuss your POA&M and ensure it meets CMMC requirements
In conclusion, contractors should be aware that they may begin the CMMC assessment process without Level 3 certification, as long as they have a valid POA&M in place. This has significant implications for those working with CUI, and contractors should take steps to ensure compliance with CMMC requirements.