Schedule Your CMMC Certification Assessment Now!

As of Nov 12, 2025, DFARS 252.204-7021 (CMMC) is now a requirement for defense contractors that handle Controlled Unclassified Information (CUI). The "7021" clause will accompany the other common cyber related DFARS clauses (7012, 7019, & 7020) in your contracts and as flow down requirements. As you prepare for your CMMC L2 assessment, you want a C3PAO that is experienced, fair, respectful, and understands the complexities of operating in the defense industrial base.

As an Authorized C3PAO and long time FedRAMP and GovRAMP 3PAO, Sera Brynn delivers exceptional, customer focused CMMC Level 2 assessments. Assessments that help you maintain your current contracts and win new opportunities. We understand the pressure you feel and the stakes you face. Sera Brynn is here to partner with you.

CMMC Level 2 certification requires an independent evaluation, by a C3PAO, of your implementation of NIST 800-171 within your CUI Information System. As an Authorized C3PAO, Sera Brynn conducts assessments based on our mature & tenured methodology that builds on foundational CMMC Assessment Process (CAP) 2.0 and 32 CFR Part 170.

We fully understand that audit & assessments can feel challenging and intimidating. Our assessment teams are here to provide a great experience through various methods including clear communication, careful listening, and approaching each engagement with fairness and respect.

Non-Certification "Mock" Assessment

A Mock Assessment is a non certification assessment that mimics the certification assessment, especially Phase 2. We use the same examine, interview, and test process & procedures as a formal assessment, without notifying or engaging the Department of War (formerly Defense). Mock Assessments are not communicated to the DoW, Cyber AB, or entered into eMASS system. This allows you as an OCS (Organization Seeking Certification) to have a trail run and then time to remediate any incomplete requirements or documentation.

You will receive a report that shows each requirement and objective as MET or NOT MET and why the requirement passed or failed. People often ask if we will provide recommendations, but C3PAOs are not permitted, ethically, to provide consulting, recommendations, or remediation guidance. If remediation is required, your consultant or advisory firm can help you address issues. If you do not have an advisor, we can recommend several good ones.

CMMC Level 2 Assessment

A formal certification assessment performed by Sera Brynn as your Authorized C3PAO. We will fairly & politely evaluate your implementation of the 110 requirements including the 320 objectives detailed in NIST 800-171 and 800-171A using the Examine, Interview, and Test methods defined in CAP 2.0 and 32 CFR Part 170.

The assessment process spans 5 Phases, see below, and includes scope confirmation, readiness checks, evidence review, sampling, interviews, test procedures, daily coordination, and submission of results into eMASS. We maintain clear, organized, and courteous communication throughout the engagement. The results of a Level 2 assessment can be a certification status of FINAL, CONDITIONAL, or NO ISSUANCE.

Our Assessment Process

The CMMC Level 2 certification process is defined by CAP 2.0 and 32 CFR Part 170 and specifies planning and 4 Phases (we just call it 5 phases). These phases help make the assessment clear, predictable, and manageable. In addition to the phases, as your C3PAO performing your assessment, Sera Brynn has a defined and mature methodology that includes communicating openly, showing respect, having positive intent, evaluating fairly, and helping you understand what to expect before, during, and after the assessment.

Phase 0: Planning & Framing

We confirm the entity to be assessed, validate CAGE codes, review scope documentation, identify Cloud Service Providers & External Service Providers, perform conflict-of-interest checks, and establish assessment logistics.

Phase 1: Pre-Assessment

Assessors determine readiness by reviewing your SSP & Documentation, validating assessment scope, conforming evidence availability, verifying personnel access, and determine readiness to proceed. A formal Pre-Assessment Form is submitted to eMASS.

Phase 2: Assessment

Our assessment team (minimum team is one Lead Assessor & one additional Assessor) evaluates the 110 security requirements and 320 objectives using the three examine, interview, and test methods. This includes sampling, daily checkpoint meetings, reviewing External Service Providers and Cloud Service Providers, conducting site inspections, and performing continuous QA oversight of the assessment and assessment team.

Phase 3: Report & Results

We compile and validate assessment results and deliver a documented results briefing. Then based on the assessment results, the Lead CCA issues a recommendation of FINAL, CONDITIONAL, or NO ISSUANCE status. Final results are uploaded to eMASS.

Phase 4: Certification & Closeout

We generate and issue the official Certificate of CMMC Status and complete POA&M closeout (if applicable). Certificates are approved by an Authorized Certifying Official and delivered to you.