CMMC Scope Questionnaire
This questionnaire is designed for Lazarus Alliance, a CMMC-accredited Third-Party Assessment Organization (C3PAO), to document and validate the in-scope boundary of an Organization Seeking Certification (OSC) prior to conducting a full security assessment. It aligns with CMMC requirements for defining the CUI boundary, data flows, external dependencies, and other key scoping elements.
The questionnaire is structured into sections to ensure a comprehensive scope determination. It should be completed based on OSC-provided documentation, interviews, diagrams, and evidence.
Frequently Asked Questions
What is the Cybersecurity Maturity Model Certification (CMMC)?
The CMMC is a framework created by the U.S. Department of Defense (DoD) to evaluate and strengthen the cybersecurity practices of organizations in the Defense Industrial Base (DIB), including contractors and subcontractors. It ensures the protection of sensitive unclassified information like Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Unlike previous self-attestation methods, CMMC requires third-party verification to confirm compliance with standards such as NIST SP 800-171.
How long does a CMMC Level 2 third-party assessment take with Lazarus Alliance?
Typical timeline: 3–6 months from kickoff to certification. Gap analysis (4–8 weeks) + remediation + final C3PAO assessment (2–4 weeks). Lazarus Alliance has completed Level 2 certifications in as little as 10 weeks for well-prepared clients.
Do I need CMMC Level 1, Level 2, or Level 3 certification?
- Level 1: Only Federal Contract Information (FCI) → annual self-assessment
- Level 2: Controlled Unclassified Information (CUI) → third-party C3PAO certification (most common)
- Level 3: High-risk CUI programs → government-led (DIBCAC)
Lazarus Alliance performs a free scoping call to confirm your exact level.
How does Lazarus Alliance help with CMMC assessments?
As a certified CMMC Third-Party Assessment Organization (C3PAO), Lazarus Alliance coordinates assessments, determines your required certification level based on business needs, and conducts evaluations using experienced Cybervisor™ teams. Upon successful demonstration of maturity in cybersecurity capabilities and processes, we award certification valid for three years, with annual affirmations required.
What is the process for obtaining CMMC certification?
The process involves: (1) Identifying your level based on data handled; (2) Implementing required controls (with Plans of Action and Milestones for minor gaps in Levels 2/3); (3) Undergoing assessment by a C3PAO (like Lazarus Alliance) for Levels 1-2 or DIBCAC for Level 3; (4) Posting results and affirmations in the Supplier Performance Risk System (SPRS); and (5) Maintaining compliance annually. Certifications last three years, with full rollout phased through 2028.
What is the timeline for CMMC implementation?
CMMC requirements will appear in DoD solicitations starting October 2025, with a three-year phased rollout:
- 2025 (Phase 1): 5-15% of contracts, focusing on self-assessments for Levels 1 and some Level 2.
- 2026 (Phase 2): 20-50% of contracts, increasing third-party Level 2 assessments.
- 2027+ (Phase 3): Full integration across all applicable contracts, including Level 3.
Non-compliance will bar organizations from relevant bids.
Who needs to comply with CMMC?
All DoD prime contractors and subcontractors handling FCI or CUI in the DIB must comply at the appropriate level. This includes most defense-related businesses, but exemptions may apply to commercial off-the-shelf (COTS) items. If your organization deals with sensitive DoD data, even indirectly through the supply chain, certification is essential.
What is CMMC 2.0 and when does it become mandatory?
CMMC 2.0 is the U.S. Department of Defense’s mandatory cybersecurity certification program that protects FCI and CUI. Requirements begin appearing in DoD contracts in late 2025, with full enforcement for all applicable contracts by 2028. Non-compliance will disqualify you from bidding.
