When Left to Personal Judgment: Understanding Assessor Variance in CMMC

Picture two organizations virtually identical in size, industry, systems, and Controlled Unclassified Information (CUI) environment going through their CMMC Level 2 Certification Assessment on the same week. One walks out with a Final Certificate of CMMC Status. The other walks out with a handful of NOT MET findings on requirements they were sure they had nailed. Same requirements. Same implementation of those requirements. Different outcomes. What gives? 

Welcome to the very real and, sometimes, frustrating world of assessor variance in CMMC. 

This isn’t a “bash the assessors” piece, not by a long shot. The CMMC Certified Assessors (CCAs) operating in this ecosystem are, by and large, knowledgeable and well-intentioned professionals doing a genuinely difficult job. But I’d be doing a disservice to organizations preparing for their Level 2 assessments if I didn’t acknowledge something that comes up in nearly every conversation I have with clients post-assessment: not all assessors are applying requirements the same way, and that matters a lot. 

So, let’s talk about it. What assessor variance is, where it comes from, what the ideal process looks like per the official CMMC documentation, and most importantly, what you as an Organization Seeking Certification (OSC) should do to prepare for it. 

The Elephant in the Room

The CMMC ecosystem is still relatively young. The formal CMMC rule under 32 CFR Part 170 went effective in December 2024, and the CMMC Assessment Process (CAP) Version 2.0 was published alongside it. While Assessment Guide for Level 2 is refined over time, it was never designed to be a step-by-step recipe that leaves zero room for professional judgment. And that’s where assessor variance was born. 

The Assessment Guide itself explicitly states that “assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding.” That sentence is doing a LOT of heavy lifting. The determination of whether evidence is “sufficient and adequate” is not always a cut-and-dry binary decision, and, candidly, it shouldn’t always be. Context matters. Environments vary. Not every NIST SP 800-171 requirement translates identically across a 10-person machine shop and a 500-person defense technology firm. 

But when the guidance doesn’t explicitly govern how something must be done or what is considered acceptable evidence, you get a spectrum of interpretations across different assessment teams. Some CCAs are more conservative and stringent in what they’ll accept. Others are more pragmatic. Some focus heavily on testing and demonstrations. Others lean more toward documentation and interviews. None of these approaches are inherently wrong, but when applied inconsistently, they produce outcomes that feel inconsistent to the consultants or service providers walking alongside OSCs on the receiving end. 

Side note: This is not the same as saying assessors are being negligent or corrupt. Variance can exist entirely within the boundaries of professionalism and competence. This is about the space that exists in the absence of explicit prescription in the guidance. 

Where the Variance Tends to Show Up 

In my experience and in talking with Managed Service Providers (MSPs) and other consultants in this industry, assessor variance clusters in a few specific areas: 

Interpretation of assessment objectives and other nuanced CMMC requirements 

The Assessment Guide breaks each requirement into distinct “Assessment Objectives,” the specific “determine if” statements that must be satisfied for a requirement to be marked MET. The language of those objectives can sometimes be interpreted in meaningfully different ways. What does it mean to have a process “defined”? Can I write that down on a napkin? Or does it need to be in a version-controlled enterprise document repository? Which External Service Providers (ESPs) need a Customer Responsibility Matrix (CRM)? Just the ones that are used to implement a specific security requirement in your system? What about ESPs that store, process, and/or transmit Security Protection Data (SPD) but don’t provide other functions? (This particular topic has been the topic of great debate in the past, but you get the point. Not all of this is settled, and people differ on some very important and assessment-relevant questions.) 

What constitutes adequate evidence 

The Potential Assessment Methods and Objects in the Assessment Guide (the things assessors might examine, the people they might interview, the things they might test) are explicitly described as potential methods and objects. NIST SP 800-171A states clearly that assessors are “not expected to employ all assessment methods and objects.” Yet, if an OSC doesn’t have a specific common document, one assessor might struggle to determine the requirement to be implemented/met even if the evidence they did provide thoroughly addressed the objective while another assessor might look at the same evidence and mark it MET without hesitation. 

It’s also important to note that assessments are supposed to be conducted using the “nonstatistical sampling approach in accordance with NIST SP 800-171 R2, Appendix D” with the “Focused” value for Depth and Coverage according to the CMMC Assessment Process Section 2.9. Now, what the heck are you talking about, Steve? Yea, this is a very confusing, underutilized, and, in my opinion, obscure section of the CMMC Assessment Process (CAP) and of NIST SP 800-171A Revision 2. The first thing to notice is that the referenced NIST document in the CAP is actually the wrong one. It should say “NIST SP 800-171A,” not “NIST SP 800-171”. 800-171A is the assessment procedures for NIST SP 800-171 and is where the Assessment Methods Appendix D referenced within the CAP actually resides. The next thing to notice is that it is extremely convoluted to most readers. You’re not able to just hop in and really know what’s being talked about. It is also incredibly subjective to further interpretation when it uses using phrases like “…and other specific assessment objects deemed particularly important” or “…provides a level of coverage necessary for determining whether the security safeguards are implemented and free from obvious errors” when talking about the sampling approach for artifacts to examine. Isn’t that the whole point of this Appendix? To tell me what kind of sample I need to collect to sufficiently cover the requirement? 

I could spend more time pointing out some caveats in this portion of the guidance documentation and the CAP, but I think you get my point. The very thing that was meant to provide some guidance on adequacy and sufficiency by virtue of understanding depth and coverage principles is just as subjective and open to interpretation as anything else. This is the part of the concern I think OSCs and their MSPs ought to be aware of and prepare for when the Assessment Team shows up. 

What the Ideal Process Actually Looks Like 

The CAP is explicit that C3PAOs are responsible for the “consistency and integrity” of CMMC Level 2 Certification Assessments. The four-phase process is designed with Quality Assurance (QA) baked in at every critical juncture. A dedicated QA individual, who must be a Certified CMMC Assessor (CCA) and must not be a member of the assessment team, is required to review the Pre-Assessment Form, observe the team’s conduct during Phase 2, and formally review assessment results before the Out-Brief ever happens. 

The CAP also makes clear that re-evaluation of NOT MET findings is explicitly permitted. Assessors may revisit a NOT MET determination during the active assessment period and for up to ten business days after Phase 2 concludes, per 32 CFR § 170.17(c)(2). That’s a meaningful protection that not every OSC may realize they have. And the Assessment Guide reminds us that potential methods and objects are meant to point the reader in the right direction, not serve as a mandatory checklist. If an OSC has satisfied all applicable assessment objectives with the evidence available, the requirement should be MET, full stop. And, though this is commonly known, assessors should do their best to remove their biases and pre-conceived notions as to what is considered sufficient or adequate to give the OSC’s implementation the best shot possible. Maybe the assessor has never seen an implementation quite like the one they’re reviewing right now, but if it meets the intention of the requirement and its objectives and covers the assets need, then it should be considered “MET” without hesitation, unless something hesitation-worthy is noticed, of course. That doesn’t mean that the implementation couldn’t be improved; it most always can be. But perfection is not the standard. The Assessment Objectives are. 

Now I don’t want to be misunderstood. I’m not advocating for leniency in the face of concerning things noticed during the assessment. The CAP, in section 2.8 – 2.12 is clear that the sampling and assessment approach is supposed to be rigorous enough to minimize the risk of overlooking non-conformities. However, it is also clear that there needs to be a balance. Ideally, an assessor should only increase their scrutiny if there are obvious issues that they can’t unsee! 

So, What Can You Actually Do? 

Here’s practical guidance for OSCs and MSPs navigating a world where assessor variance is a reality: 

Know the assessment objectives well. Not the requirement statement at the top; the individual assessment objectives. Those are what assessors evaluate against, and they determine a MET or NOT MET finding. If your implementation addresses every applicable objective with clear, final-form evidence, you have a strong foundation to stand on. 

Document your rationale. When you make an implementation decision, write down why you did it the way you did. Though your SSP’s implementation statements should be straightforward and direct, preparing for potential questions with a well-reasoned written narrative may give you the ammunition you need to convince the assessor of the effectiveness of your implementation. 

Shop around for your C3PAO. Unlike involuntary assessments with the DoD’s Assessment teams (i.e.,DIBCAC), OSCs and their MSPs get to choose their C3PAO. Shop around. Get referrals for partners you trust. Have conversations with the C3PAO representative to get them to open up. They can’t consult, so there’s a good chance some of your questions won’t get answered directly, but there’s also a good chance you’ll still be able to glean some helpful information from them to help you make a good decision for your company. 

Use the re-evaluation window. If you receive a NOT MET finding and believe you can produce additional evidence, you have up to ten business days after the active assessment period to do so. Don’t just accept findings and move on; if you genuinely believe the requirement is met, engage in the process and fight for every point. Just do so kindly and respectfully of course! 

Know your appeal rights. Every C3PAO is required to have a published assessment appeals process, and the CAP requires them to inform you of those rights during the OutBrief. Initial appeals go to the C3PAO; if unresolved, you can elevate to The Cyber AB within 15 business days of the C3PAO’s decision. It doesn’t guarantee you’ll see a reversal in the determination, but it exists and should be used when warranted. 

There’s Hope on the Horizon 

There are some genuinely encouraging developments worth calling out. The Cyber AB formally launched its C3PAO Advisory Council in August 2025, a group of certified and active C3PAO representatives whose stated mission is to improve consistency in the interpretation of assessments and to develop practical, experience-based recommendations. The Council has begun organizing subcommittees around key focus areas, including assessment guidance and CAP updates, with chairs and vice chairs from some well-known C3PAOs leading those efforts. 

I want to be honest, though: the Council is new and doesn’t have direct policy-setting authority. Its input is meant to inform the Cyber AB and DoD as they revise core guidance materials. Not much has formally come out of it yet in terms of published interpretive guidance. But the intent is exactly what is needed and I’m encouraged by it. If the folks conducting assessments day in and day out are at the table helping to shape how guidance is written and interpreted, that’s a meaningful step toward the consistency the ecosystem needs. 

The Bigger Picture

Assessor variance in CMMC is a natural byproduct of a complex certification framework that relies on professional judgment. The C3PAO Advisory Council and the iterative improvement of the CAP and Assessment Guide are signs that the ecosystem is taking this seriously, but variance is never going to disappear entirely. Any system that depends on human judgment will always carry some degree of it. The goal isn’t perfection; it’s continuous reduction of unnecessary variance through better guidance, better training, and better feedback loops. I’m optimistic about that trajectory over time, but it remains something every OSC needs to be eyes-wide-open about going into their assessment. 

If you’re preparing for a CMMC Level 2 Certification Assessment and want to talk through your readiness, your evidence strategy, or just want a second set of eyes on where you stand, we’d love to connect. That’s exactly the kind of thing we’re here for. Reach out to us at IntelliGRC through our website at https://intelligrc.com/contact-us/ or send an email to sales@intelliGRC.com.  

As always, Happy Implementing! 

— Steven Molter 
Steven Molter is a GRC professional at IntelliGRC. Connect with him on LinkedIn.