Assessor Experiences in CMMC Level 2 Certification Assessments: An Interpretative Phenomenological Analysis of Role Expectations

📅 2026-05-26
📈 Citations: 0
Influential: 0
📄 PDF

career value

165K/year
🤖 AI Summary
This study addresses the underexplored tension between institutional expectations and lived experience among CMMC assessors operating in non-consultative roles. Drawing on role conflict theory, it employs interpretative phenomenological analysis (IPA) to conduct semi-structured interviews with CMMC-certified assessors, systematically uncovering their subjective experiences and logics of duty fulfillment in this mode. Findings reveal that assessors navigate role conflicts through strategies centered on technical competence, procedural discipline, and boundary management. These insights not only extend theoretical understandings of professional credibility construction in cybersecurity compliance contexts but also offer empirical grounding for establishing interactional norms and boundary-setting practices within CMMC implementation frameworks.
📝 Abstract
The Cybersecurity Maturity Model Certification program requires third-party assessments be conducted under a non-consultative model. The model is intended to ensure impartiality for organizations seeking certification. While this structure defines expectations for assessor behavior, assessor experiences and interpretations of these constraints remain underexamined. The study examines the lived experiences of CMMC-Certified Assessors and how they navigate role expectations within the non-consultative model. Using Role Conflict Theory as a guiding framework, Interpretative Phenomenological Analysis (IPA) was applied to semi-structured interviews to explore how assessors make sense of their roles. The analysis identified experiential themes that describe how assessors construct professional credibility, execute structured assessment work, and manage the practical challenges of maintaining non-consultative boundaries. Findings indicate that assessors rely on technical competence, procedural discipline, and boundary management strategies to reconcile competing expectations. As an exploratory study, the results are not intended to be generalizable but provide initial empirical insight into assessor experiences, highlight considerations related to boundary clarity and assessor/organization interaction, and demonstrate the suitability of IPA for examining practitioner experience within cybersecurity compliance contexts.
Problem

Research questions and friction points this paper is trying to address.

CMMC
non-consultative model
assessor role expectations
role conflict
cybersecurity certification
Innovation

Methods, ideas, or system contributions that make the work stand out.

Interpretative Phenomenological Analysis
CMMC certification
non-consultative model
Role Conflict Theory
assessor experience
🔎 Similar Papers
No similar papers found.