CR · May 26

Assessor Experiences in CMMC Level 2 Certification Assessments: An Interpretative Phenomenological Analysis of Role Expectations

arXiv:2605.27587 · 8.6 · h-index: 2
Predicted impact top 49% in CR · last 90 days · Originality: Synthesis-oriented
AI Analysis

Provides initial empirical insight into assessor experiences for cybersecurity compliance practitioners and researchers, though findings are exploratory and not generalizable.

This study explores how CMMC Level 2 assessors experience and navigate role expectations under a non-consultative model, identifying themes of credibility, structured work, and boundary management through interpretative phenomenological analysis.

The Cybersecurity Maturity Model Certification program requires third-party assessments be conducted under a non-consultative model. The model is intended to ensure impartiality for organizations seeking certification. While this structure defines expectations for assessor behavior, assessor experiences and interpretations of these constraints remain underexamined. The study examines the lived experiences of CMMC-Certified Assessors and how they navigate role expectations within the non-consultative model. Using Role Conflict Theory as a guiding framework, Interpretative Phenomenological Analysis (IPA) was applied to semi-structured interviews to explore how assessors make sense of their roles. The analysis identified experiential themes that describe how assessors construct professional credibility, execute structured assessment work, and manage the practical challenges of maintaining non-consultative boundaries. Findings indicate that assessors rely on technical competence, procedural discipline, and boundary management strategies to reconcile competing expectations. As an exploratory study, the results are not intended to be generalizable but provide initial empirical insight into assessor experiences, highlight considerations related to boundary clarity and assessor/organization interaction, and demonstrate the suitability of IPA for examining practitioner experience within cybersecurity compliance contexts.
