
CMMC Level 2 Certification

Protect Your Defense Contracts with Our CMMC Level 2 Certification

 

The Department of Defense (DoD) requires CMMC Level 2 certification for contractors handling Controlled Unclassified Information (CUI). As an authorized C3PAO (Certified Third-Party Assessment Organization), databrackets provides the independent third-party assessments you need to achieve and maintain your CMMC Level 2 certification. We deliver structured assessments, clear evidence mapping, and accurate reporting aligned with DoD and Cyber AB expectations.

 

Ready to Schedule Your Assessment? | Schedule a Meeting

 

The 3 pillars of CMMC - people, process and practices

 

What is CMMC Level 2?

 

CMMC Level 2 represents the Advanced tier of the Cybersecurity Maturity Model Certification framework. It requires organizations to implement all 110 security requirements from NIST SP 800-171, demonstrating comprehensive protection of Controlled Unclassified Information (CUI) across your information systems. If your contract requires a CMMC Level 2 Certification, you need to complete your compliance processes and select an authorized C3PAO to conduct the official assessment. 

 

Critical Criteria for C3PAO selection, red flags to avoid and how to make the final selection

 

Why choose databrackets as your C3PAO?

 

databrackets is an authorized C3PAO with 15+ years of cybersecurity and compliance expertise. We are also a 3PAO for FedRAMP and accredited as a Certifying Body for ISO 27001.  

 

1. Our Multi-Framework Expertise 

What makes databrackets particularly valuable is our extensive experience across complementary frameworks, including NIST SP 800-171, NIST SP 800-53, SOC 2, ISO 27001, HIPAA, and NIST Cybersecurity Framework.

This breadth of knowledge enables our assessment teams to understand how CMMC controls integrate with your existing compliance efforts and identify synergies that strengthen your overall security posture. 

 

2. Technical Environment Proficiency 

databrackets’ assessment team of Lead CCAs, CCAs and CCPs has the specialized technical competence essential for accurate CMMC evaluations. Our experience spans diverse technological environments, from traditional on-premises infrastructures to complex cloud deployments, ensuring we can effectively assess whatever technical landscape your organization operates in. 

 

3. Strategic Timeline Management 

With proven capabilities in managing sophisticated assessments, databrackets understands how to minimize disruption to your operations while ensuring comprehensive evaluation of all 110 NIST SP 800-171 security controls. 

 

As an authorized C3PAO with extensive cybersecurity and compliance experience, databrackets offers a deep understanding of the CMMC assessment process. This comprehensive expertise enables us to conduct thorough assessments with clear explanations of findings and methodologies, resulting in more insightful evaluations for organizations seeking certification. 

 

Learn more about selecting the right C3PAO for your Assessment

Reserve your Spot Today: Schedule a Meeting

 

C3PAO Independence rule: All certification professionals (C3PAOs, CCAs, Lead CCAs and CCPs) are absolutely prohibited from providing compliance consulting, implementation guidance, or remediation services to organizations they assess for certification. This ensures objective evaluation and prevents conflicts of interest. However, they can offer consulting and implementation to organizations that they do not assess for CMMC certification. 

Explore our comprehensive blogs on CMMC

 

Our CMMC Level 2 Assessment Process

 

Phase 1: Pre-Assessment Preparation

The engagement begins with scoping CUI systems, reviewing readiness artifacts, and confirming that documentation, personnel, and facilities are prepared for the formal assessment.

 

Phase 2: Assessment

Assessors evaluate compliance through structured document review, personnel interviews, and technical testing to verify that CMMC Level 2 controls are implemented and functioning as required.

 

Phase 3: Reporting & Scoring

Results are documented on a control-by-control basis, evidence is scored, and eligibility for conditional certification and POA&Ms is determined.

 

Phase 4: POA&M Remediation & Certification Finalization

When applicable, organizations remediate eligible gaps within the allowed timeframe and undergo closeout validation to achieve final CMMC Level 2 certification.

 

Learn more about each phase, whether C3PAOs can explain their recommendations and how to prepare for your CMMC Certification in the FAQ Section below.

 

Can a C3PAO explain their findings after an assessment? 

Answer: Yes, C3PAOs are allowed and expected to explain their findings clearly and provide clear communication throughout the assessment process. However, there are strict limitations on what they can explain. 

 

What C3PAOs CAN Explain

  • Why specific practices were scored as MET or NOT MET 
  • What evidence was insufficient or missing 
  • Which controls are critical vs. non-critical 
  • Assessment methodology and scoring rationale 

 

What C3PAOs CANNOT Provide

  • Specific remediation advice or guidance on how to fix deficiencies 
  • Implementation recommendations for failed controls 
  • Consulting services on how to resolve issues that disqualified certification 

 

POA&M (Plan of Action & Milestones) Role: C3PAOs can 

  • Identify which controls are eligible for POA&M placement 
  • Explain the POA&M process and 180-day remediation timeline 
  • Describe critical vs. non-critical control distinctions 
  • Cannot provide: Specific remediation strategies or implementation guidance 

 

Cost and Assessment Timeline

 

The cost of your CMMC Level 2 Assessment depends on a variety of factors including your network complexity, your CUI environment, the size of the organization, your infrastructure, your managed security providers, etc. Schedule a Meeting to get a customized quote for your organization.

 

CMMC Level 2 Assessment Timeline

| Phase | Duration | Key Activities |
|---|---|---|
| Pre-Assessment Preparation | 2-4 weeks | Scoping, documentation review, logistics coordination |
| Assessment | 1-2 weeks | Interviews, document examination, technical testing |
| Reporting & Scoring | 1-2 weeks | Findings documentation, scoring, certification decision |
| Total Timeline | 4-8 weeks | Complete assessment from initiation to certification decision |

  • The timelines mentioned above are for a basic environment. Our team may need to extend the duration for complex environments. The timeline may also vary based on organizational complexity, assessment scope, and readiness level.

 

  • The POA&M Remediation & Certification Finalization phase is not mandatory. POA&Ms have a 180-day completion deadline from the Conditional certification date. The assessment timeline will increase accordingly.

 

 

CMMC Level 2 Mock Assessment and Final Assessment Bundle

 

Proceed with knowledge. Save up to 30%

Undergo a “pre-assessment readiness check” or “mock” assessment in accordance with the actual CMMC Assessment Process (CAP) after you have completed implementing the required 110 controls of NIST SP 800-171. This trial run will help you to understand how the actual assessment is conducted and help you to identify the areas of improvement you need to work on before the actual assessment.

Our certified assessors will conduct the assessment of all 110 controls and share details of met and unmet practices. As a C3PAO, we are bound by the independence principle, and we are not permitted to share recommendations for remediation with the organization that we will be assessing for Certification. However, we are permitted to let you know which practices are unmet so you can work on them with your CMMC Consultants or RPO and be ready for the Final Assessment. This knowledge will help you prevent the loss of time and resources and take you many steps closer to succeeding in your CMMC Certification Journey.

Schedule a Meeting to discuss the best option for your organization.

 

Frequently Asked Questions

 

  1. Is there a CMMC roadmap to help organizations navigate the process?

Answer: Once you decide to pursue a DoD contract, you need to undertake your CMMC Journey in a systematic manner. Your CMMC Roadmap will begin with identifying which level you need to comply with, the controls required for that level and whether you need to be certified or submit a self-attestation for your specific contract. You can learn about CMMC Documentation, Creating your SSP, Working with CMMC Compliance and Certification Professionals, Preparing for your Certification, Selecting the right C3PAO and much more by reviewing our free resources.

 

  2. How should you prepare for your CMMC Certification?

Answer: Learn about the assessment mindset and three pillars of CMMC Assessment Evidence in our comprehensive blog. You can also benefit from success strategies for all 4 phases of the assessment process, learn how to turn challenges into opportunities and maximize your certification value.

 

  3. How will you know if you are ready for a Level 2 Certification Assessment?

Answer:

  • If You’re Early in Your Journey: Focus on compliance preparation first. Engage a CMMC Consultant or an RPO for gap analysis and implementation support. Build your security program methodically. Don’t rush to assessment before you’re ready—failure wastes time and money. databrackets offers Compliance Consulting and Gap Analysis services to organizations that we don’t assess for Certification – this complies with the independence principle for C3PAOs.

 

  • If You’re Nearing Readiness: Schedule a mock assessment to validate preparation. Address any identified gaps. Organize your evidence library. Brief your team on assessment expectations. Then engage a C3PAO to schedule your formal assessment. We offer mock assessments and identification of unmet practices during this trial run. You can work on these areas with your CMMC consultant or RPO before your actual assessment.

 

  • If You’re Ready Now: Contact databrackets to discuss C3PAO assessment services. With limited C3PAO availability and high demand, scheduling early ensures you secure assessment slots that align with your contract timelines. 

 

  • If You’re Uncertain: Schedule a Meeting with our team. We can help you understand where you are in the journey, what preparation remains, and what timeline makes sense for your situation. This initial discussion is complimentary and creates no obligation. 

 

  4. What is Phase 1 of databrackets’ CMMC Level 2 Assessment Process?

 

Answer: Phase 1 is Pre-Assessment Preparation

Scoping and Documentation Review

  • Define assessment boundaries and CUI systems

  • Review System Security Plan (SSP) and security documentation

  • Verify evidence collection and organization

  • Confirm personnel availability and facility access

What You’ll Need:

  • Complete System Security Plan (SSP)

  • Network architecture diagrams and data flow documentation

  • Security policies and procedures for all 14 domains

  • Evidence of control implementation (logs, screenshots, configurations)

  • Training records and awareness program documentation

 

  5. What is Phase 2 of databrackets’ CMMC Level 2 Assessment Process?

Answer: Phase 2 is Assessment

Opening Meeting

  • Assessment team introductions and logistics

  • Scope confirmation and methodology overview

  • Communication protocols and schedule review

Document Review

  • Comprehensive evaluation of your SSP

  • Policy and procedure documentation verification

  • Evidence package assessment

  • Gap identification and clarification requests

Personnel Interviews

  • Executive leadership discussions on security governance

  • IT and security team technical implementation reviews

  • End-user security awareness verification

  • Role-based security practice validation

Technical Testing

  • Security control functionality verification

  • Configuration review and validation

  • Access control testing

  • Encryption implementation verification

  • Logging and monitoring capability assessment

  • Incident response capability evaluation

 

  6. What is Phase 3 of databrackets’ CMMC Level 2 Assessment Process?

Answer: Phase 3 is Reporting & Scoring

Findings Documentation

  • Detailed assessment report with control-by-control findings

  • Evidence evaluation and scoring

  • Observations and recommendations

  • POA&M eligibility determination (if applicable)

Certification Decision

  • Final Status: All requirements met – full certification for 3 years

  • Conditional Status: 80%+ score with approved POA&M – certification with 180-day remediation timeline

  • Not Achieved: Below 80% threshold – reassessment required after remediation

 

CMMC Level 2 Assessment Outcomes

  1. Final Certification

When your organization demonstrates full compliance with all 110 CMMC Level 2 requirements, you receive Final certification status:

  • Valid for 3 Years from assessment completion

  • Immediate Contract Eligibility for all CMMC Level 2 requirements

  • Annual Affirmation required in SPRS

  • No Remediation Required – full compliance achieved

  2. Conditional Certification

If your organization achieves the 80% threshold (88+ practices met) but has non-critical gaps, you may receive Conditional certification:

  • Contract Award Permitted while addressing remaining gaps

  • 180-Day POA&M Timeline to complete remediation

  • Closeout Assessment Required to achieve Final status

  • POA&M Restrictions Apply – only non-critical controls eligible

 

  7. What is Phase 4 of databrackets’ CMMC Level 2 Assessment Process?

Answer: Phase 4 is POA&M Remediation & Certification Finalization

Plans of Action and Milestones (POA&Ms) provide a structured approach to addressing remaining gaps while maintaining certification eligibility:

POA&M Requirements:

  • Minimum 88 of 110 practices must be Met (80% threshold)

  • Only non-critical security requirements eligible (point values ≤ 1)

  • Specific encryption exemptions may apply

  • Detailed remediation plan with milestones and responsible parties

  • 180-day completion deadline from Conditional certification date

Transition to Final Status: After successful POA&M completion and closeout assessment verification, organizations achieve Final CMMC Level 2 certification with a three-year validity.

 

  8. Can C3PAOs Explain Their Findings? 

 

Answer: Yes, C3PAOs are allowed and expected to explain their findings clearly and provide clear communication throughout the assessment process. However, there are strict limitations on what they can explain. 

 

What C3PAOs CAN Explain

  • Why specific practices were scored as MET or NOT MET 

  • What evidence was insufficient or missing 

  • Which controls are critical vs. non-critical 

  • Assessment methodology and scoring rationale 

 

What C3PAOs CANNOT Provide

  • Specific remediation advice or guidance on how to fix deficiencies 

  • Implementation recommendations for failed controls 

  • Consulting services on how to resolve issues that disqualified certification 

 

POA&M (Plan of Action & Milestones) Role: C3PAOs can 

  • Identify which controls are eligible for POA&M placement 

  • Explain the POA&M process and 180-day remediation timeline 

  • Describe critical vs. non-critical control distinctions 

  • Cannot provide: Specific remediation strategies or implementation guidance 

 


Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
DoseSpot
Forsyte I.T. Solutions
Tego Data