The Misconception About Virtual CMMC Assessments

Many organizations assume that a Cybersecurity Maturity Model Certification (CMMC) Level 2 certification assessment can be conducted entirely remotely. With the rise of virtual collaboration tools, that assumption feels reasonable. However, it does not reflect how assessments are actually performed.

The CMMC Assessment Process (CAP) explains that while some activities may be conducted virtually, certain controls require in-person validation. Section P.11 identifies 18 assessment objectives that are expected to be evaluated on-site unless the scoped environment justifies a different approach.

These objectives focus on physical security, media protection, and operational safeguards. In these areas, documentation alone cannot confirm that controls are functioning as intended.

If you are preparing for an assessment, you should plan part of the process to take place inside your facility and understand what to expect during assessment execution.

Why Some Assessment Objectives Require On-Site Evaluation

To understand why on-site validation is required, it helps to look at how assessments are conducted within the CMMC assessment process.

The CAP defines three core methods:

Examination of artifacts
Interviews with personnel
Observation of operational behavior

Documentation and interviews can often be handled remotely. Observation requires assessors to verify how controls operate in real-world conditions.

Remote validation has clear limitations. It cannot fully confirm:

Whether physical access controls are consistently enforced
How visitor access is managed throughout the day
Whether media containing Controlled Unclassified Information (CUI) is securely stored
If infrastructure protections are actively maintained

Because of these limitations, assessors determine the appropriate validation method based on risk and the level of assurance required.

For certain objectives, that assurance depends on direct observation. This ensures that controls are implemented and consistently followed, not just documented.

Control Objectives That Must Be Assessed On-Site

The CAP identifies 18 assessment objectives where in-person validation is typically expected to ensure sufficient scope and depth, especially during third-party assessments for Levels 2 and 3.

These controls span multiple domains and focus on protecting sensitive information at the physical and operational level.

Configuration Management

CM.L2-3.4.5[d] – Physical access restrictions associated with system changes are enforced

Maintenance

MA.L2-3.7.2[d] – Personnel used to conduct system maintenance are controlled

Media Protection

MP.L2-3.8.1[c] – Paper media containing CUI is securely stored
MP.L2-3.8.1[d] – Digital media containing CUI is securely stored
MP.L2-3.8.4[a] – Media containing CUI is properly marked
MP.L2-3.8.4[b] – Media includes distribution limitations

Physical Protection

PE.L1-3.10.1[b] – Physical access to systems is limited
PE.L1-3.10.1[c] – Physical access to equipment is limited
PE.L1-3.10.1[d] – Physical access to operating environments is limited
PE.L2-3.10.2[a] – Facilities are protected
PE.L2-3.10.2[b] – Supporting infrastructure is protected
PE.L2-3.10.2[c] – Facilities are monitored
PE.L2-3.10.2[d] – Infrastructure is monitored

Visitor Control

PE.L1-3.10.3[a] – Visitors are escorted
PE.L1-3.10.3[b] – Visitor activity is monitored

Physical Access Device Management

PE.L1-3.10.5[b] – Physical access devices are controlled
PE.L1-3.10.5[c] – Physical access devices are managed

System Communications Protection

SC.L2-3.13.12[b] – Collaborative devices indicate when in use

These objectives often require assessors to inspect facilities, review access controls, and observe procedures in action.

What These Objectives Have In Common

Although these objectives come from different control families, they share common characteristics that explain why on-site validation is expected, particularly for organizations handling Controlled Unclassified Information (CUI).

It is important to understand that this phase is not about scoring controls. It is about determining whether your organization is prepared to be assessed.

Physical Security Controls

These controls address facility protections, access restrictions, and infrastructure monitoring. Assessors need to confirm how access is controlled and enforced.

Media Handling Controls

These requirements focus on how sensitive data is stored, labeled, and protected across both physical and digital formats.

Operational Safeguards

These include visitor management, maintenance oversight, and device usage visibility.

Together, these controls operate at the implementation level, where written policies must align with observable practices.

When An On-Site Assessment May Not Be Required

There are scenarios where on-site validation may be limited, depending on how your environment is defined during assessment planning and scoping.

Examples include:

Fully cloud-based environments
Infrastructure managed by FedRAMP-authorized providers
External Service Providers supporting system operations
Environments without physical infrastructure in scope

The CAP states that applicability should be determined during assessment planning between the assessment organization and the organization seeking certification.

Even in these cases, the objectives must still be validated using appropriate methods.

How Contractors Should Prepare For The On-Site Portion Of An Assessment

Preparation should focus on demonstrating that controls are both documented and consistently implemented through CMMC Consulting.

Prepare Physical Security Evidence

Be ready to demonstrate:

Badge access systems
Locked server rooms
Surveillance monitoring
Facility access restrictions

Validate Media Protection Practices

Ensure that:

Sensitive media is labeled correctly
Storage methods are secure
Destruction processes are followed

Prepare Staff for Interviews

Assessors will likely speak with:

IT administrators
Facilities or security personnel
Compliance leadership

Personnel should be able to clearly explain how controls are implemented in practice.

Confirm Facility Readiness

Expect assessors to inspect:

Secure areas
Media storage locations
Access control mechanisms
Monitoring systems

The goal is to demonstrate that controls are actively enforced and consistently applied.

Why Understanding On-Site Objectives Reduces Assessment Risk

Organizations that understand these requirements early are better positioned for a successful assessment.

Early preparation can:

Reduce delays during the assessment
Identify gaps before the assessment begins
Improve confidence during walkthroughs
Strengthen alignment between policy and practice

Physical and operational controls are sometimes less mature than technical controls. Addressing them early supports a more complete level of readiness through GRC gap assessments and Virtual Compliance Management.

Plan For An In-Person Component Of Your Assessment

Assessments are not purely virtual. The CAP identifies 18 control objectives that are generally expected to be validated on-site when applicable.

Most of these controls relate to physical protection, media handling, and operational safeguards. These areas require direct validation to confirm that controls are functioning as intended.

Organizations that prepare their facilities, personnel, and operational processes ahead of time are more likely to experience a smooth and predictable certification assessment supported by CMMC Compliance and Defense Industry Base Services.

Frequently Asked Questions (FAQs)

What is the CMMC assessment process?

The CMMC assessment process is the structured methodology used to evaluate whether your organization meets CMMC Level 2 requirements. It defines how assessors review your implementation of NIST SP 800-171 controls and determine certification outcomes.

Who conducts a CMMC Level 2 certification assessment?

A CMMC Level 2 assessment is conducted by an authorized C3PAO. These organizations follow the CAP to perform a consistent and compliant CMMC certification assessment.

How long does a CMMC assessment take?

The length of a CMMC assessment depends on your organization’s size and scope. Most CMMC Level 2 assessments take several days to a few weeks.

What happens if we are not ready for the assessment?

If your organization is not ready during the early phase of the CMMC assessment process, the assessment may be postponed until documentation, scope, and evidence requirements are met.

What is a conditional certification?

A conditional certification in a CMMC Level 2 assessment means most requirements are met, but some deficiencies remain. These must be resolved before final certification is granted.