Centrend

C3PAO Readiness Checklist: Level 2 Audit Prep

Scope, evidence, SPRS, and a quick mock audit.

Award checks are active. A posted score in SPRS helps, but certification is what carries you through evaluation and option years. This guide shows how leaders turn policies into proof that holds up with a C3PAO for CMMC Level 2.

Why This Matters Now

  • The DFARS CMMC rule is effective November 10, 2025; from that date, contracting teams can require and verify status in SPRS at award.
  • Phase 1 focuses on Level 1 and many Level 2 self-assessments; later phases expand third-party Level 2 certifications. Keep affirmation current.
  • Level 2 aligns to NIST SP 800-171 controls; certification follows the Cyber AB assessment process.

What Assessors Look For First

  1. Clear scope and boundary: exactly where CUI lives, shown with a diagram and inventory.
  2. Evidence that matches policy: MFA actually enforced, logs retained, access reviews done.
  3. Current SPRS posture: score posted, UID(s) tied to in-scope systems, annual affirmation complete.
  4. POA&M discipline: open items prioritized and tracked to closure within allowed windows.

The C3PAO readiness checklist (run this before you book)

Scope and boundary

  • Map CUI data flows, users, apps, devices, and vendors.
  • Produce a simple boundary diagram plus asset and user inventories.

Controls and proof

  • MFA: screenshots or exports showing enforcement for all in-scope accounts.
  • Logging: samples that show useful events retained.
  • Access reviews: add or remove records with approvals.
  • Backups: test logs.
  • IR tabletop: agenda, notes, and follow-ups.

Documents

  • SSP that reflects the real boundary.
  • Policies and procedures referenced by the SSP.
  • Change control tickets with testing and approvals.

SPRS touchpoints

  • Post the self-assessment correctly.
  • Keep the affirmation current.
  • Ensure CMMC UIDs align to the assessed systems.

Subcontractors

  • Verify each sub’s level and SPRS status before proposal time; keep a lightweight record.

A Simple 30-60-90 Plan

1. Days 0-30

  • Freeze scope; confirm the enclave for CUI.
  • Baseline against NIST 800-171 and gather existing artifacts.

2. Days 31-60

  • Post your score in SPRS and complete affirmation.
  • Close the highest-impact gaps first: MFA, logging, backups, admin access.

3. Days 61-90

  • Run a short mock audit with the team.
  • Confirm sub flow-down status; if required, reserve your C3PAO window.

Mock-Audit Script (use in a 60-minute rehearsal)

  • Opening: scope statement in two sentences; show the boundary diagram.
  • Controls walk-through: MFA → logging → access reviews → backups → IR drill.
  • Artifacts on screen: SSP, inventories, three log samples, one recent access review, one change ticket.
  • SPRS segment: show posted score, date, UID(s), and latest affirmation.
  • Close: open POA&M items, owners, and due dates, then next milestones toward certification.

Common Blockers That Slow Certifications

  • Over-scope: certifying beyond the CUI enclave raises cost and risk.
  • Paper without proof: policies that don’t show up in logs and records.
  • Stale SPRS: missing affirmation or out-of-date entries at award.

What “Good” Looks Like in Evidence

  • SSP aligned to boundary
  • Current asset and user inventories
  • MFA evidence for admin and standard users
  • Log samples that show useful events retained
  • Quarterly access reviews with removals
  • Change tickets with approvals and tests
  • Backup test results
  • Security training and phishing summary
  • IR tabletop notes with fixes assigned
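As an added example (not Centrend’s code and not part of any evidence kit the page describes), the Python below turns the “Controls and proof” items and the evidence list above into cross-checks you can run before a mock audit: in-scope accounts without enforced MFA, accounts present in the identity provider but missing from the inventory (a scope mismatch), how far back the retained log samples actually reach, and access-review removals with no approver. The file layouts, field names, the 90-day retention window, and all sample records are assumptions constructed for the example; swap in your own exports.

```python
"""Evidence cross-checks for a CMMC Level 2 readiness review.

Added example, not Centrend's code. Inputs are constructed stand-ins for
exports you would pull from your own systems; field names are assumptions.
"""
from datetime import datetime, timezone

# --- Constructed sample data ------------------------------------------------

# In-scope user inventory from the boundary work: account -> role (assumed)
INVENTORY = {
    "alice": "admin",
    "bob": "standard",
    "carol": "standard",
    "dave": "admin",
}

# Identity-provider MFA export (constructed). 'dave' is absent from the export;
# 'erin' exists in the IdP but is not in the in-scope inventory.
MFA_EXPORT = [
    {"account": "alice", "mfa_enforced": True},
    {"account": "bob", "mfa_enforced": False},
    {"account": "carol", "mfa_enforced": True},
    {"account": "erin", "mfa_enforced": True},
]

# Retained log samples (constructed syslog-style lines, ISO-8601 UTC prefix)
LOG_SAMPLES = [
    "2025-08-01T09:12:03Z auth sshd: Accepted publickey for alice",
    "2025-09-15T14:02:11Z auth sudo: dave : COMMAND=/usr/bin/systemctl",
    "2025-11-01T08:00:00Z auth sshd: Failed password for invalid user test",
]

# Quarterly access-review records (constructed): every removal needs an approver
ACCESS_REVIEWS = [
    {"quarter": "2025-Q3", "account": "frank", "action": "remove", "approver": "cto"},
    {"quarter": "2025-Q3", "account": "gina", "action": "remove", "approver": ""},
    {"quarter": "2025-Q3", "account": "bob", "action": "keep", "approver": "cto"},
]

# Review date and the retention window the SSP commits to (both assumptions)
AS_OF = datetime(2025, 11, 10, tzinfo=timezone.utc)
REQUIRED_RETENTION_DAYS = 90

# --- Checks -----------------------------------------------------------------

def mfa_gaps(inventory, export):
    """In-scope accounts without enforced MFA (absent from the export counts as
    not enforced), plus IdP accounts missing from the inventory."""
    status = {row["account"]: row["mfa_enforced"] for row in export}
    missing_mfa = sorted(a for a in inventory if not status.get(a, False))
    not_in_inventory = sorted(a for a in status if a not in inventory)
    return {"missing_mfa": missing_mfa, "not_in_inventory": not_in_inventory}

def log_retention_days(samples, as_of):
    """Days between the oldest retained event and as_of. Retention evidence is
    only as strong as the oldest sample you can still produce on demand."""
    stamps = [
        datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
        .replace(tzinfo=timezone.utc)
        for line in samples
    ]
    return (as_of - min(stamps)).days

def unapproved_removals(reviews):
    """Removal records that carry no approver: a finding, not evidence."""
    return sorted(
        r["account"] for r in reviews
        if r["action"] == "remove" and not r["approver"].strip()
    )

def readiness_report(inventory, export, samples, reviews, as_of, required_days):
    """Combine the checks into one dict a team can paste into its POA&M."""
    gaps = mfa_gaps(inventory, export)
    retained = log_retention_days(samples, as_of)
    removals = unapproved_removals(reviews)
    ready = (
        not gaps["missing_mfa"]
        and not gaps["not_in_inventory"]
        and retained >= required_days
        and not removals
    )
    return {
        "mfa": gaps,
        "log_retention_days": retained,
        "log_retention_ok": retained >= required_days,
        "unapproved_removals": removals,
        "ready": ready,
    }

if __name__ == "__main__":
    report = readiness_report(INVENTORY, MFA_EXPORT, LOG_SAMPLES,
                              ACCESS_REVIEWS, AS_OF, REQUIRED_RETENTION_DAYS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed data the report flags `bob` (MFA off) and `dave` (not in the IdP export) as MFA gaps, `erin` as an inventory mismatch, and `gina` as an unapproved removal, while the log samples cover 100 days and pass the 90-day window. Each flagged item maps to a POA&M entry with an owner and due date.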

Where Centrend Fits

  • Scope & segmentation that keeps the footprint small
  • Gap mapping to NIST 800-171 with a clear fix list
  • Evidence kit built to match assessor expectations
  • SPRS support for posting and affirmation
  • C3PAO rehearsal with interview prep and artifact walk-throughs

Get C3PAO-ready with a short readiness call.

[Download the Level 2 Evidence Checklist]
