CMMC Scope Questionnaire

This questionnaire is designed for Lazarus Alliance, a CMMC-accredited Third-Party Assessment Organization (C3PAO), to document and validate the in-scope boundary of an Organization Seeking Certification (OSC) prior to conducting a full security assessment. It aligns with CMMC requirements for defining the CUI boundary, data flows, external dependencies, and other key scoping elements.

The questionnaire is structured into sections to ensure a comprehensive scope determination. It should be completed based on OSC-provided documentation, interviews, diagrams, and evidence.

About this Questionnaire

Lazarus Alliance, an accredited CMMC Third-Party Assessment Organization (C3PAO), will coordinate directly with your organization to prepare for and schedule your official CMMC assessment. Our experienced CMMC C3PAO assessors and advisors will help you confirm the CMMC level (Level 1, Level 2, or Level 3) and certification path that your federal contract requirements specify. Upon successful completion of the independent C3PAO assessment and issuance of a certification or provisional certification.

"Lazarus Alliance, an accredited CMMC Third-Party Assessment Organization (C3PAO), is historically about 46% faster than traditional C3PAO firms, meaning that your certification can be achieved in 2-5 months." — Michael Peters, CEO & Founder

Source Information:

https://lazarusalliance.com/services/audit-compliance/cmmc/

Section 1: General Information

Section 2: System Description and CUI Boundary

Section 3: Data Flows and External Connections

Section 4: Components and Assets

Section 5: Facilities and Physical Scope

Section 6: Personnel and Roles

Section 7: Documentation and Readiness Confirmation

Section 8: Next Steps

Thank you for completing this questionnaire. A Lazarus Alliance CMMC C3PAO Cybervisor will be in contact with you soon.

For the official CMMC scoping guides, assessment guides, and the CMMC Program rule (32 CFR Part 170), refer to the DoD CIO CMMC website (dodcio.defense.gov/CMMC).

Frequently Asked Questions

The CMMC is a framework created by the U.S. Department of Defense (DoD) to evaluate and strengthen the cybersecurity practices of organizations in the Defense Industrial Base (DIB), including contractors and subcontractors. It ensures the protection of sensitive unclassified information like Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Unlike the previous self-attestation approach under DFARS 252.204-7012, CMMC requires third-party (C3PAO) or government (DIBCAC) verification for most organizations that handle CUI, confirming compliance with standards such as NIST SP 800-171.

Typical timeline: 3–6 months from kickoff to certification. Gap analysis (4–8 weeks) + remediation + final C3PAO assessment (2–4 weeks). Lazarus Alliance has completed Level 2 certifications in as little as 10 weeks for well-prepared clients.

CMMC Level 2 assessment costs typically range from $25,000 to $85,000+ depending on organization size, complexity, number of locations, and current compliance posture. Timelines generally run 3 to 9 months from gap analysis to final certification, with faster results possible for organizations using automation tools like Continuum GRC. As an authorized C3PAO, we provide fixed-fee scoping and clear project timelines during the initial consultation. Contact us for a personalized quote based on your specific environment.

  • Level 1: Only Federal Contract Information (FCI) → annual self-assessment (17 practices from FAR 52.204-21)
  • Level 2: Controlled Unclassified Information (CUI) → NIST SP 800-171 controls; third-party C3PAO certification for most contracts (a Level 2 self-assessment applies only where the solicitation allows it)
  • Level 3: High-risk CUI programs → NIST SP 800-172 enhanced controls assessed by the government (DIBCAC), building on a Level 2 C3PAO certification

Lazarus Alliance performs a free scoping call to confirm your exact level.

As an accredited CMMC Third-Party Assessment Organization (C3PAO), Lazarus Alliance coordinates assessments, helps you confirm the certification level your DoD contracts require, and conducts evaluations using experienced Cybervisor™ teams. Upon successful demonstration that the required practices are implemented, the assessment results are recorded and the certification is valid for three years, with annual affirmations required.

The process involves: (1) Identifying your level based on the data you handle (FCI or CUI) and the requirement stated in your solicitation; (2) Implementing the required controls (with Plans of Action and Milestones permitted for a limited set of lower-weighted requirements at Levels 2/3, to be closed within 180 days); (3) Undergoing a self-assessment for Level 1 (and for Level 2 where the solicitation allows it), a C3PAO assessment (such as Lazarus Alliance) for Level 2 certification, or a DIBCAC assessment for Level 3; (4) Recording self-assessment results and annual affirmations in the Supplier Performance Risk System (SPRS), while C3PAO and DIBCAC results are entered into CMMC eMASS; and (5) Maintaining compliance with an annual affirmation. Certifications last three years, with full rollout phased through 2028.

CMMC requirements began appearing in DoD solicitations in November 2025, when the DFARS rule took effect, with a phased rollout over three years:

  • Nov 2025 (Phase 1): Level 1 and Level 2 self-assessments required in applicable solicitations; DoD may also require Level 2 certification for some contracts at its discretion.
  • Nov 2026 (Phase 2): Level 2 C3PAO certification required in applicable solicitations.
  • Nov 2027 (Phase 3): Level 3 (DIBCAC) certification required in applicable solicitations.
  • Nov 2028 (Phase 4): Full integration across all applicable contracts, including option periods. Non-compliance will bar organizations from relevant bids.

All DoD prime contractors and subcontractors handling FCI or CUI in the DIB must comply at the appropriate level. This includes most defense-related businesses, but exemptions may apply to commercial off-the-shelf (COTS) items. If your organization deals with sensitive DoD data, even indirectly through the supply chain, certification is essential.

CMMC 2.0 is the U.S. Department of Defense’s mandatory cybersecurity certification program that protects FCI and CUI. Requirements begin appearing in DoD contracts in late 2025, with full enforcement for all applicable contracts by 2028. Non-compliance will disqualify you from bidding.

Continuum GRC, our proprietary platform with the A.ITAMBot AI-powered auditor, dramatically reduces the time and cost of CMMC compliance by automating evidence collection, control mapping, continuous monitoring, risk scoring, and POA&M management. For clients nationwide and internationally, it enables real-time collaboration, inheritance of controls, and streamlined documentation, often cutting preparation time by 40-60%. This gives our C3PAO assessment process a significant efficiency advantage over traditional manual approaches.