Dec 10, 2025 9:00:04 AM | 12 Min Read

What Does 'CMMC Ready' Actually Mean? A Framework for Defense Contractors

Posted By Kara Sparrow

"We're ready for our self-assessment."

We're hearing this more and more from defense contractors. They've bought security tools. They've written policies. They've checked the boxes.

But here's the problem: being ready and proving you're ready are two different things.

Phase 1 lets you assess yourself. But Phase 2 starts in 11 months. That's when third-party assessors check your work.

Many contractors are learning this the hard way. There's a big gap between "we do cybersecurity" and "we can prove we meet the requirements."

If you can't prove it, you can't pass.

What Assessors Actually Check

Failed assessments mean lost contracts.

Restarting after you fail wastes months of work. Prime contractors lose trust in subs who aren't ready.

Here's the truth: Assessors don't care about your budget or your plans. They only care about evidence.

They check if your controls actually work—not if you plan to make them work.

They verify your documentation matches what you actually do—not what you wish you did.

They confirm your team knows why controls matter—not just that controls exist.

Good news: You can build real readiness when you know what assessors look for.

It starts with four pillars.

The Four Pillars of Assessment Readiness

Pillar 1: Controls That Actually Work

What it means: You can prove every control works right now—not someday, but today.

Many companies buy security tools and write policies. But they can't show the controls are actually running.

What assessors want to see:

  • Access controls enforced every day
  • Incident response procedures that have been tested
  • System settings that match your documents
  • Controls you can demonstrate, not just describe

Bottom line: If a control is "in progress" or "partially done," it doesn't count.

Pillar 2: Documentation That Matches Reality

What it means: Your documents describe what you actually do—not what you hope to do.

This is where most companies fail. They write beautiful policies that describe perfect processes. Then an assessor watches their team and sees something completely different.

What assessors want to see:

  • Your Security Plan describes your real environment
  • Your policies match how your team actually works
  • When employees explain their job, it matches what's written
  • No gaps between what you say and what you do

Bottom line: If your documents don't match reality, both your documentation and your practice fail the assessment.

Pillar 3: Your Team Understands Why

What it means: Your employees know why controls exist—not just that they exist.

CMMC isn't just a tech problem. It's a people problem.

The best security tools fail if your team doesn't understand their role. When security becomes "IT's job" instead of everyone's job, controls fall apart.

What assessors want to see:

  • Employees understand how their actions affect security
  • People know why processes exist, not just that they must follow them
  • When employees make decisions, they choose the secure option
  • Security is part of your culture, not just your policy manual

Bottom line: Controls work when people understand them. They fail when people don't.

Pillar 4: Evidence That Holds Up

What it means: Your proof would satisfy someone who's never seen your company before.

Here's the trap: You assess yourself in Phase 1. You know your own environment. Your evidence makes sense to you.

But Phase 2 brings outside assessors. They don't know your company. If your evidence only makes sense to insiders, it won't pass.

What assessors want to see:

  • Documents clear enough for outsiders to understand
  • Evidence that's specific and dated
  • Proof of ongoing practice—not one-time events
  • Records that tell a complete story

Bottom line: If you have to explain your evidence, it's not good enough.

Moving Forward

"But we already did our self-assessment."

That's good. Self-assessment is valuable practice.

But it's just practice. Phase 2 brings real validation in November 2026.

Companies treating self-assessment as a dress rehearsal will be ready for Phase 2. Companies treating it as a checkbox are setting themselves up to fail.

Assessment readiness isn't about being perfect.

It's about proving you can work within the standards you claim to meet.

That's the difference between passing and failing.

Ready to see where you really stand?

We help defense contractors assess their true readiness and build a path to Phase 2 certification.

Contact Prescott to evaluate your readiness.

Topics: Cybersecurity, #PrescottYearEnd, #CMMC2025:TheRoadAhead