Assessment Processes

Here is exactly what happens during your C3PAO Assessment

Erudio Corp follows the four-phase CMMC Assessment Process (CAP) defined by DoD and CyberAB — no shortcuts, no ambiguity. Every assessment begins with clear scoping and ends with your Certificate of CMMC Status uploaded to eMASS. Here is what to expect at each stage.

Phase 1: Conduct the Pre-Assessment

  • Initial inquiry logged; response within 1 business day

  • Mutual NDA executed before any scope details are discussed

  • Scoping session to define your CUI boundary, in-scope assets, ESPs, and CSPs

  • Conflict-of-interest screening for all Erudio Corp personnel

  • Formal proposal and Statement of Work (SOW) delivered; assessment contract executed

  • Evidence Request List (ERL) issued — covers all 110 practices, mapped to evidence categories

  • Preliminary evidence review to surface critical gaps before fieldwork begins

  • Assessment Plan finalized with domain assignments and interview schedule; uploaded to eMASS

Phase 2: Assess Conformity to Security Requirements

  • In-Brief meeting with OSC leadership to confirm scope and schedule

  • Practice-by-practice evaluation using examine, interview, and test methods per NIST SP 800-171A

  • Assessors evaluate all 14 CMMC domains, including Access Control, Incident Response, Configuration Management, Risk Assessment, Audit and Accountability, and more

  • External Service Providers (ESPs) and Cloud Service Providers (CSPs) evaluated for inherited controls

  • Sampling plan applied to streamline testing without sacrificing coverage

Phase 3: Complete and Report Assessment Results

  • All findings compiled - MET, NOT MET, or N/A per 32 CFR §170.24

  • SPRS score calculated and documented

  • If applicable, POA&M items identified (must be closed within 180 days for Conditional CMMC Status)

  • Out-Brief meeting with OSC leadership to review findings

  • OSC may request re-evaluation of contested findings up to 10 business days post-Phase 2

Phase 4: Issue certificate and close out POA&M

  • Independent QA individual performs full peer review of all assessment artifacts

  • All data uploaded to eMASS by Erudio Corp QA individual

  • CMMC Assessment Report (CAR) finalized

  • Certificate of CMMC Status issued by Erudio Corp’s Authorized Certifying Official (ACO)

  • CMMC Status valid for 3 years from CMMC Status Date; annual affirmations required in SPRS

Erudio Corp is a CyberAB-accredited C3PAO that brings together credentialed Lead CCAs, a rigorous ISO/IEC 17020-aligned Quality Management System, and an independent QA review process on every engagement, so your certification is defensible, documented, and done right the first time. We never operate as assessors and consultants for the same OSC, ensuring the impartiality your DoD contracts demand. From a transparent, scoped proposal to a complete CMMC Assessment Report at close, we are built to give defense contractors a clear, compliant path to CMMC Level 2 certification.

Want to know more? Ask us your questions here!