Service
CMMC Mock Assessment
A structured, evidence-based walkthrough of your CMMC Level 2 environment, run the way a C3PAO will run the real assessment. Findings reach you with enough time to act on them before the certification assessment is scheduled.
What it is
A C3PAO-style dress rehearsal, private to you
A Verasor Mock Assessment is a structured walkthrough of your CUI environment by senior Verasor practitioners. We follow the assessment objectives in NIST SP 800-171A and the procedures in the Cyber AB CAP. The engagement is private to you; nothing is reported to DoD or eMASS. The findings are advisory and intended to surface gaps before they cost you a real assessment outcome.
Verasor is not a C3PAO. A Mock Assessment does not produce a CMMC certificate. The certificate is issued only by an authorized C3PAO based on their own independent assessment. We can introduce you to a highly regarded C3PAO from our network when you are ready for the actual certification assessment.
What we do
The walkthrough, end to end
An engagement runs in five workstreams that mirror the CMMC Assessment Process. Together they produce a defensible findings package you can act on.
Scope and boundary validation
We confirm the CUI assessment scope, the asset categorization, and the data flow boundary. Scope errors cause more findings than weak controls do; this is where we start.
Document examination
We review the SSP, any active POA&M, and the policies and procedures for each of the 14 NIST 800-171 r2 control families. We map each document to the assessment objectives it has to support.
Technical evidence review
We verify control operation by examining actual artifacts: Conditional Access policies, Intune compliance configurations, sensitivity labels, DLP rules, audit log samples, FIPS validation, and the rest. Configuration claims are tested against what the tenant actually does.
Personnel interviews
We conduct structured interviews with system owners and operators, the way a C3PAO interview team will. Interview findings are reconciled against documents and technical evidence.
Objective-by-objective scoring
Every assessment objective is rated MET, NOT MET, or N/A using the same scoring methodology a C3PAO uses, and the practice-level score is computed under the SPRS weighting. You see which gaps drive the largest deductions and which fail you regardless of score.
Findings briefing
We walk the results with you in a structured session: what is MET, what is NOT MET, what is at risk, and where the highest-leverage remediation work sits. No marketing dressing, no false reassurance.
What you receive
A defensible findings package, in your hands
The deliverables are written to be acted on, not admired.
Findings report
A report mapped to each of the 110 NIST 800-171 r2 requirements, with practice-level and assessment-objective-level findings, evidence sources, and gap rationale.
SPRS-equivalent score
A computed score with the weighting and deductions shown, so you can compare to your last SPRS submission and to the 88-of-110 Conditional Status floor.
Prioritized POA&M draft
A starter POA&M with each open item categorized by point value and POA&M eligibility under 32 CFR §170.21. Non-POA&M-eligible items are flagged first.
Remediation roadmap
A sequenced work plan with effort estimates and dependencies, written so an internal champion or your IT team can pick it up and execute.
SSP and evidence recommendations
Specific edits to the SSP, missing or weak policies, and the evidence artifacts a C3PAO will expect to see, with examples of what acceptable looks like.
Discussion-ready summary
A one-page brief suitable for the executive team or the prime contractor, summarizing posture, gaps, and the remediation plan in language a non-cyber leader can use.
How a Verasor Mock Assessment runs
Discovery call and scoping (week 0)
We confirm the assessment scope, the document set you have, and the timeline for your planned certification assessment. We set the engagement schedule and identify the personnel we need to interview.
Document and evidence collection (week 1)
You provide access to the SSP, POA&M, policies, and the technical environment artifacts we identified. We begin the document review and prepare the interview agenda.
Walkthrough and interviews (weeks 2 to 3)
We perform the technical evidence review, conduct interviews, and score each assessment objective. Daily check-ins keep your team aligned on what is being examined and why.
Findings report and briefing (week 4)
We produce the findings package, walk it with your team in a structured briefing, and answer questions. You leave with a clear list of what to do before the C3PAO arrives.
Remediation and re-test, optional
How this differs
Not the same thing as the free readiness self-survey
The two artifacts answer different questions. Use them in sequence: the self-survey for direction, the Mock Assessment for evidence.
Technical readiness self-survey
Free. In-browser. Takes about ten minutes.
- Based on what you self-report
- 27 questions covering existence of controls and documents
- Produces a directional score and gap list
- Does not examine any actual evidence
- Right for getting oriented and framing a conversation
Verasor Mock Assessment
An engagement. Two to four weeks. Run by senior practitioners.
- Based on examined documents, tested configurations, and interviews
- Every assessment objective scored MET / NOT MET / N/A
- Produces a defensible findings report and prioritized POA&M draft
- Walks the same evidence path a C3PAO will
- Right before a scheduled certification assessment, or as a rigorous second opinion
Who this is for
You have a certification assessment on the calendar in the next six to twelve months. The Mock Assessment surfaces what the C3PAO will find while there is still time to remediate.
Your team has worked through the gap report and believes the environment is ready. An independent walkthrough confirms readiness or surfaces the items that look good on paper but fail at the objective level.
Your prime has added a CMMC Level 2 requirement to your contract. The Mock Assessment establishes a defensible baseline of where you actually stand and what it will take to close the gap.
Find the gaps before the C3PAO does.
A Mock Assessment is the cheapest way to learn what a real assessment will tell you, with time to do something about it. Tell us about your environment and your timeline and we will scope an engagement.