And eMASS Reporting Options

CMMC is brand new, and we find that companies lack a thorough understanding of CMMC Level 2 assessment outcomes. For example, they aren’t aware that if they attain Conditional Level 2 status (score 88 – 109), they only get one chance at a POA&M Closeout Assessment and will fall into non-compliance if they don’t attain a score of 110. Worse still, a non-compliant Assessment outcome (score below 88) requires another complete top-to-bottom certification assessment.
KLC Consulting, Inc., is a leading authorized C3PAO that specializes in assessing and certifying companies in CMMC Level 2. We understand the importance of knowing the possible assessment outcomes for Organizations Seeking Certification (OSCs). This article will walk you through the potential outcomes of your CMMC Level 2 assessment and explain your best options to report your results in the eMASS system and move ahead with your compliance strategy.
CMMC Level 2 Assessment and Evaluation
A CMMC Level 2 assessment evaluates your organization’s implementation of 110 security practices. The assessment culminates in a score, which determines your assessment outcome.
Possible CMMC Level 2 Assessment Outcomes
Three distinct outcomes are possible from a CMMC Level 2 assessment:
Final Level 2 Status (Score of 110)
Achieving a perfect score of 110 signifies full compliance with all CMMC Level 2 requirements. KLC Consulting will issue a CMMC Level 2 Final Certificate of CMMC Status, valid for three years, for your in-scope CUI environment. You’ll also submit an annual self-affirmation of continued compliance on each anniversary of your certificate.
Conditional Level 2 Status (Score of 88-109)
A score between 88 and 109 grants “Conditional Level 2 Status.” KLC Consulting will issue a CMMC Level 2 Conditional Certificate of CMMC Status. This indicates that you’ve implemented many required practices but gaps remain. You have 180 days to correct your identified deficiencies and complete a POA&M Closeout Assessment. CMMC allows only one POA&M Closeout Assessment attempt. Failing to achieve a perfect score of 110 during your closeout assessment results in your falling into Non-Compliance. You will then be required to remediate all identified deficiencies and undergo a complete top-to-bottom reassessment of all 110 security practices.
Non-Compliance (Score Below 88)
A score below 88 signifies that you haven’t met the minimum CMMC Level 2 requirements. You must remediate all identified deficiencies and undergo a complete reassessment of all 110 security practices.
eMASS and CMMC Reporting
KLC Consulting uses the DoD-mandated eMASS system to document and manage all phases of the CMMC assessment process, from pre-assessment to certification. This includes uploading assessment results (Final or Conditional only), managing appeals, and issuing the Certificate of CMMC Status. The DoD then uses this information to update its SPRS system, creating a centralized record of CMMC compliance across the Defense Industrial Base (DIB).
Non-Compliant Assessment Determinations and eMASS
The DoD intends eMASS to be a repository only for OSCs that achieve Conditional or Final Status. Therefore, KLC Consulting will not submit assessment results to eMASS if a CMMC Level 2 Certification Assessment determines you are Non-Compliant. Instead, we’ll treat your assessment as a Readiness Assessment (a practice run “Mock Assessment”). This allows you to identify and correct deficiencies before pursuing your official certification. The good news is that we’ll substantially discount the price of your follow-up, official CMMC Level 2 Certification Assessment because we gain familiarity with your business and CUI environment through the Mock Assessment.
Conditional Status and eMASS Reporting Options
Some OSCs prefer to only have their Final Status (score of 110) recorded in eMASS. If your CMMC Level 2 Certification Assessment results in Conditional Level 2 Status (score of 88-109) and you prefer not to have this status reflected in eMASS, KLC Consulting won’t submit your results. Just like the Non-Compliant scenario, we can treat the assessment as a Mock Assessment and discount the price of your subsequent official CMMC Level 2 Certification Assessment.
POA&M Closeout Assessment
For organizations achieving Conditional Status, KLC Consulting offers a low-cost POA&M Closeout Assessment to verify the implementation of corrective actions detailed in your POA&M. And if you want to ensure passing, we offer a limited Mock Assessment to verify the corrective measures taken with the security practices identified as “Not Met” during your preceding official CMMC Level 2 Certification Assessment.
POA&M Closeout Assessment Fee
This is a separate service and fee. Your fee is determined by factors such as the number of non-compliant practices to be reviewed and the effort required for verification. Upon request, you will receive a detailed quote. It is much less expensive than a full assessment of all 110 security practices.
Remote vs. Onsite POA&M Closeout Assessments
POA&M Closeout Assessments are typically conducted remotely. An onsite assessment (and associated travel expenses) will only be required if your organization prohibits onsite video meetings or if your organization is based outside the United States.