CMMC Level 2 Assessment FAQ — Your Questions Answered by Erudio Corp
About CMMC & Certification Requirements
Q: What is CMMC?
A: CMMC (Cybersecurity Maturity Model Certification) is a DoD program that verifies defense contractors have implemented required cybersecurity standards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It is governed by 32 CFR Part 170, effective December 2024.
Q: Do I need CMMC certification?
A: If you are a DoD prime or subcontractor and your contract involves FCI or CUI, you will need to meet a specific CMMC level. Your solicitation or contract will specify the required level. Check DFARS clauses 252.204-7012, 7019, 7020, and 7021 for applicability.
Q: When does CMMC start affecting contracts?
A: CMMC Phase 1 began November 10, 2025, with Level 1 and Level 2 self-assessments appearing in new solicitations. Phase 2 (beginning Nov 2026) will require Level 2 C3PAO certification in new contracts. Organizations should begin preparation now to meet Phase 2 deadlines.
Q: What is the difference between CMMC Level 1, 2, and 3?
A: Level 1: 15 practices, FCI protection, annual self-assessment. Level 2: 110 practices, CUI protection, C3PAO certification every 3 years (for most programs). Level 3: 134 practices, advanced CUI/APT protection, DIBCAC assessment every 3 years (Level 2 C3PAO certification is a prerequisite).
Q: What is CUI?
A: Controlled Unclassified Information (CUI) is information the U.S. Government creates or possesses that law, regulation, or policy requires to be safeguarded — such as technical data, export-controlled information, personally identifiable information, and defense-related specifications. See the DoD CUI Registry (archives.gov) for a complete list of CUI categories.
About C3PAOs
Q: What is a C3PAO?
A: A Certified Third-Party Assessment Organization (C3PAO) is an organization accredited by CyberAB to conduct official CMMC Level 2 certification assessments on behalf of the DoD. Only a C3PAO can issue a Certificate of CMMC Status recorded in eMASS.
Q: Why can't my cybersecurity consultant certify me?
A: A consultant or Registered Provider Organization (RPO) can help you prepare, but they are not authorized to conduct CMMC certification assessments. Certification must come from an accredited C3PAO listed in the CyberAB Marketplace. Additionally, a C3PAO cannot have provided consulting services to the same organization it is assessing — they must be impartial.
Q: Is Erudio Corp listed in the CyberAB Marketplace?
A: Yes. Erudio Corp is an accredited C3PAO and is listed in the CyberAB Marketplace, which is the official registry of authorized C3PAOs, RPOs, and credentialed assessors. You can verify our status at cyberab.org/catalog.
Q: Can a C3PAO also help us prepare for our assessment?
A: No. By regulation and CyberAB accreditation rules, a C3PAO cannot provide consulting or preparation assistance to an organization it is then assessing. Erudio Corp's role is exclusively certification assessment — we do not offer implementation consulting.
About the Assessment Process
Q: How long does a CMMC Level 2 assessment take?
A: Typically 8–16 weeks from contract execution to certificate issuance. Phase 1 pre-assessment takes 2–4 weeks; evidence preparation (your responsibility) takes 2–6 weeks; Phase 2 fieldwork takes 1–3 weeks; post-assessment and certification takes 2–4 weeks. Timeline depends heavily on your organization's documentation quality and responsiveness.
Q: How much does a CMMC Level 2 assessment cost?
A: Erudio Corp uses a transparent, hours-based pricing model. Phase 1 (scoping, NDA, preliminary gap analysis, Assessment Plan) is $4,500 firm, credited toward the Phase 2 price. Phase 2 pricing is determined by your organization's size, scope complexity, and documentation quality. Contact us for a scoping call and firm quote.
Q: What is the Evidence Request List (ERL)?
A: The ERL is a comprehensive, practice-by-practice list of evidence categories your organization must provide for the assessment. Erudio Corp issues the ERL at the start of Phase 1 so you have maximum preparation time. Evidence may include system documentation, configuration screenshots, access control records, training records, and more.
Q: What is a System Security Plan (SSP)?
A: The SSP is a formal document describing how your organization implements and maintains each of the 110 NIST SP 800-171 security requirements. It is the single most important document in a CMMC Level 2 assessment. Erudio Corp's preliminary evidence review in Phase 1 evaluates your SSP quality before fieldwork begins.
Q: What is a POA&M?
A: A Plan of Action and Milestones (POA&M) documents security requirements that are NOT MET at the time of assessment but are planned to be remediated. For CMMC Level 2, POA&Ms can result in a Conditional CMMC Status — valid for 180 days while you close out the plan. Critical requirements cannot be placed on a POA&M. After closeout, a C3PAO POA&M Closeout Assessment is required to achieve Final CMMC Status.
Q: What happens if I fail my CMMC assessment?
A: If NOT MET findings prevent a Final CMMC Status, you may receive a Conditional CMMC Status (if eligible POA&M items remain). You then have 180 days to remediate and request a POA&M closeout assessment. If the closeout is not completed within 180 days, the Conditional Status expires. You may also re-assess at a later date after remediating findings.
Q: What is eMASS?
A: eMASS (Enterprise Mission Assurance Support Service) is the DoD's official system for tracking CMMC certification status. Erudio Corp's QA Individual submits all assessment data to eMASS, and your CMMC certification status is visible to DoD contracting officials through SPRS.
Q: What is SPRS?
A: The Supplier Performance Risk System (SPRS) is where DoD contracting officers look up your CMMC assessment status. For Level 2 C3PAO assessments, your results are entered in eMASS and flow into SPRS. Annual affirmations are also submitted in SPRS to maintain active CMMC Status.
Q: What does "annual affirmation" mean?
A: After your initial assessment, you must submit an annual affirmation in SPRS confirming continued compliance with CMMC requirements. Failure to submit an annual affirmation will cause your CMMC Status to lapse, even if your 3-year certification period has not expired.
Q: Can the assessment be done remotely?
A: Yes. Erudio Corp conducts both remote and on-site assessments. The assessment methods (examine, interview, test) can be applied in either modality. Physical protection controls may require on-site verification depending on your scope. This is discussed and agreed upon during Phase 1.
About Scoping
Q: What is a CMMC "assessment scope" or "CUI boundary"?
A: Your CMMC assessment scope is the set of systems, components, and people that handle CUI. Defining this boundary accurately is critical — scoping too broadly wastes resources; scoping too narrowly risks a non-compliant assessment. Erudio Corp's Phase 1 scoping session is designed to help you define an accurate, defensible boundary.
Q: What are "in-scope" asset categories for CMMC?
A: Per the CMMC Assessment Process: CUI Assets (process/store/transmit CUI), Security Protection Assets (protect CUI assets), Contractor Risk Managed Assets (can connect to CUI environment), Specialized Assets (OT/IoT/GFE), and Out-of-Scope Assets (physically/logically separated with no CUI path).
Q: Do cloud platforms count in my CMMC scope?
A: Yes, if they store, process, or transmit CUI — or connect to systems that do. Cloud Service Providers (CSPs) must use FedRAMP-authorized services or equivalent protection under CMMC. Erudio Corp evaluates all External Service Provider (ESP) and CSP relationships during scoping and the Phase 2 assessment.
Q: What if I use a Managed Service Provider (MSP)?
A: MSPs handling CUI or providing security services within your scope are considered External Service Providers (ESPs) and must be evaluated during your assessment. Erudio Corp will assess the relevant controls your MSP implements on your behalf and whether those controls are properly documented and flow-down agreements are in place.
About Erudio Corp
Q: Is Erudio Corp an accredited C3PAO?
A: Yes. Erudio Corp holds active C3PAO accreditation from CyberAB and is listed in the CyberAB Marketplace.
Q: Does Erudio Corp offer consulting or gap remediation services?
A: No. To maintain the impartiality required of a C3PAO under ISO/IEC 17020 and CyberAB rules, Erudio Corp does not provide CMMC consulting, implementation, or remediation services. Our sole role is independent certification assessment.
Q: What qualifications do Erudio Corp assessors hold?
A: All Erudio Corp Lead CCAs and CCAs hold current CyberAB credentials, favorable Tier 3 DoD background determinations, and DoD 8140.03-compliant baseline certifications (CISSP, CISM, CISA, CySA+, CASP+, and others). Assessors also complete Erudio Corp's internal onboarding process covering our QMS policies, tools, and procedures.
Q: How does Erudio Corp handle conflicts of interest?
A: All Erudio Corp personnel declare conflicts of interest before every engagement. COIs that cannot be sufficiently mitigated result in the individual being excluded from the assessment team. This process is documented, reviewed by the QA Individual, and retained as part of the assessment record.
Q: What happens after my assessment is complete?
A: Erudio Corp's QA Individual performs a full peer review of all findings and artifacts. Data is uploaded to eMASS. Your Authorized Certifying Official signs and issues your Certificate of CMMC Status. You receive a copy of the CMMC Assessment Report (CAR). Your CMMC Status is valid for 3 years with annual affirmations required.