Assessment Prep That Works  MAD Security Town Hall Recap – September 2025

Watch the March MAD Security Town Hall Webinar replay 👇

 

With CMMC 2.0 moving toward full enforcement and 48 CFR updates imminent, many defense contractors are facing increased pressure to ensure they are assessment-ready. In our September 2025 Town Hall, we tackled a topic that’s critical but often misunderstood when preparing for a CMMC Level 2 assessment: the difference between dry runs and mock assessments. 

Hosted by Adam Starnes (Account Manager) and Jaclyn Jones (Head of Compliance), this month’s cybersecurity webinar helped organizations understand when, why, and how to apply these valuable exercises for real-world assessment success. 

As a CMMC Level 2 Certified MSSP and trusted Registered Provider Organization (RPO), MAD Security works exclusively with companies in the Defense Industrial Base to align compliance with practical security operations. If your organization handles Controlled Unclassified Information, this session is a must-watch.

 

Key Takeaways: What You Need to Know


 

Mock Assessments Simulate the Real CMMC Assessment

A mock assessment is a full-scale simulation of your CMMC Level 2 assessment, conducted in the same style and rigor as a C3PAO would—minus the official result. 

  • Covers all 110 NIST 800-171 controls and 320 assessment objectives.
  • Provides a readiness report, SPRS score simulation, and a detailed Plan of Action and Milestones (POAM).
  • Identifies gaps, especially those involving 3- and 5-point controls, which are not POAM-eligible under CMMC 2.0 rules.

If you are preparing for a CMMC assessment, a mock gives you the visibility to address systemic risks before they become disqualifiers.


 

Dry Runs Prepare Your People to Prove Compliance

A dry run isn’t about scoring; it is about team readiness.

  • Coaches each department (IT, HR, cybersecurity, vendors) to speak confidently during live assessment interviews.
  • Helps assign roles, prepare artifacts, and walk through expected scenarios.
  • Identifies whether your staff truly understands and follows the documented processes. 

Dry runs are best used when you're nearing a perfect SPRS score of 110 and want to ensure your team can confidently demonstrate compliance under pressure. 

 

Do You Need One, the Other, or Both?

Dry runs and mock assessments serve different purposes, and both add value depending on your maturity level: 


 

| Dry Run | Mock Assessment |
|---|---|
| Team rehearsal | Control validation |
| Live coaching | Compliance scoring |
| Ideal before interviews | Ideal before official assessment |
| No scoring | Readiness scoring and POAM |

Some contractors start with a dry run to prepare their people; others dive into a mock to test technical posture. Many choose both for comprehensive readiness.


 

C3PAOs Can’t Help You Prepare

While some assume a Certified Third-Party Assessor Organization can help them get ready with a pre-check, they’re not allowed to consult. 

C3PAOs can assess, but they cannot: 

  • Recommend fixes
  • Coach your team
  • Guide remediation 

That’s where MAD Security steps in. As a CMMC RPO, we can prepare your team, simulate the assessment, and even sit in with you during the official process (if you’re a VCM client). 


 

Failing a Mock Assessment Is a Win, If You Learn from It

A failed mock assessment is never reported and carries no penalty. Instead, it offers a risk-free environment to uncover gaps, fix issues, and rehearse the exact experience you’ll face with a C3PAO. 

If a mock exposes a missed control, it’s better to find out now than during your official assessment when stakes are high and remediation windows are limited. 

Q&A Highlights

If I already have VCM, do I still need a dry run or mock?

Yes. VCM builds compliance. These services ensure you're ready to demonstrate compliance during the real assessment. 

Do I need both?

Not always. Choose based on where you feel less confident—people or process. Many do both to cover all bases.

How much time should I leave between mock and official assessment?

One to two months is ideal. That gives you enough time to remediate any findings.

What if my HR or non-technical staff can’t answer assessment questions?

That’s exactly what dry runs are for: preparing all departments to speak confidently about their roles and responsibilities.

 

Why Defense Contractors Trust MAD Security 

MAD Security brings unparalleled CMMC assessment support to the Defense Industrial Base: 

  • CMMC Level 2 Certified MSSP
  • Perfect SPRS Score of 110
  • Top 250 MSSP (4 years in a row)
  • U.S.-Based 24/7 SOC in Huntsville, AL
  • Staffed by cleared U.S. citizens
  • 15+ Years of cybersecurity and compliance
  • Works with your existing stack: Microsoft, AWS, Google, PreVeil, etc.
  • Service-Disabled Veteran-Owned Small Business (SDVOSB)
  • The same team that passed our own assessment helps clients pass theirs

We combine security operations and compliance consulting into one full-spectrum solution built specifically for DoD contractors. 

 

Why You Should Act Now Before the Assessment Backlog Hits

As CMMC 2.0 enforcement expands and 48 CFR 52.204-21 becomes a contracting requirement, delays are already building: 

  • C3PAO availability is tightening
  • Vendors are under pressure to prove compliance
  • Remediation cycles can be lengthy
  • Missed controls may delay or disqualify contracts

Dry runs and mock assessments ensure: 

  • Higher assessment success rates
  • Fewer surprises
  • Lower remediation costs
  • Confident, well-prepared staff

Start now, while there’s still time to prepare strategically, not reactively.

 

Free Resources and Next Steps

 MAD Security offers free tools to help your team hit the ground running: 

Our resources are built to help you simplify complex requirements and accelerate readiness for CMMC Level 2 assessments. 

 

Final Thoughts and Encouragement

CMMC success isn’t just about passing a checklist; it is about creating a secure, resilient infrastructure your team can confidently defend and demonstrate. Whether your assessment is months or weeks away, MAD Security is ready to walk with you. Our dry runs and mock assessments have helped dozens of contractors pass on their first attempt.

Cybersecurity is a journey, not a finish line. Let’s take the next step together!

 

Original Published Date: October 02, 2025

By: MAD Security