If your contracts involve Controlled Unclassified Information (CUI) — including Covered Defense Information (CDI), Controlled Technical Information (CTI), or ITAR-controlled technical data — CMMC Level 2 is the price of keeping that work. It means implementing all 110 NIST SP 800-171 controls, proving they operate, and for most contractors, passing a triennial C3PAO assessment. We've taken a client to a perfect 110/110 score. We can get you there too.
Talk to a Level 2 ExpertCMMC Level 2 is the standard for defense contractors whose work touches Controlled Unclassified Information — including Covered Defense Information, Controlled Technical Information, and export-controlled ITAR data. It adopts the 110 security requirements of NIST SP 800-171 Rev 2 in full. With the CMMC program rule in effect since December 2024 and CMMC clauses now appearing in new DoD solicitations, Level 2 has moved from "coming eventually" to a condition of doing business. Here is what that means in practice — who gets assessed by whom, what POA&Ms can and cannot cover, and why scope is the decision that drives everything else.
Most contracts involving CUI require a triennial assessment by a C3PAO — a certified third-party assessment organization. A small subset of programs allow self-assessment instead. Your contract's clauses tell you which path applies; don't assume the easier one.
Where self-assessment is allowed, you score all 110 controls yourself, submit the result to SPRS, and a senior official affirms it annually — under real legal exposure if it's wrong. The requirements don't shrink; only the assessor changes.
CMMC 2.0 permits Plans of Action & Milestones only for a subset of lower-weight controls, only above a minimum score — and every open item must close within 180 days. Treat POA&Ms as a short runway, not a parking lot.
The size of your assessment boundary drives most of your cost. Contractors who isolate CUI in a purpose-built secure enclave typically face a smaller, simpler assessment than those who certify an entire flat network.
If your CUI includes export-controlled technical data under ITAR, where that data lives matters as much as how it's protected. It belongs in a US-sovereign cloud — for Microsoft shops, that means GCC High — with access restricted accordingly.
NIST SP 800-171's 110 requirements are organized into 14 families. Here's what each one actually asks of you, without the standards-speak.
Decide who can reach CUI, from where, and on which devices — then enforce it technically, not just on paper.
Everyone who touches CUI knows the risks and their responsibilities — and you can prove they were trained.
System activity is logged, logs are protected and reviewed, and individual actions can be traced to individual users.
Systems are built to documented baselines, and changes are controlled instead of accumulating quietly.
Every user and device is uniquely identified, with multi-factor authentication where 800-171 requires it.
You can detect, contain, report, and recover from incidents — including the 72-hour DoD reporting clock under DFARS 252.204-7012.
System maintenance is controlled and supervised — including what maintenance personnel and their tools are allowed to touch.
CUI on drives, backups, and paper is marked, stored, transported, and destroyed securely.
People are screened before they get CUI access — and access ends the day they leave.
Facilities, server rooms, and workspaces that hold CUI are physically controlled, with visitors escorted and logged.
You regularly assess risk, scan for vulnerabilities — and fix what you find.
Controls are periodically tested, deficiencies are tracked to closure, and your System Security Plan stays current.
Networks are segmented and monitored at the boundary, and CUI is encrypted in transit and at rest with FIPS-validated cryptography.
Flaws get patched promptly, malicious code is blocked, and security alerts are acted on — not just collected.
Start with a control-by-control gap analysis against all 110 requirements, your calculated SPRS score, and a prioritized remediation roadmap — so you know the size of the job before you commit budget to it.
We close the gaps the assessment finds — policies, configurations, tooling, and documentation — working alongside your team or handling it end to end. Everything is built to produce the evidence an assessor will ask for later.
We design and build CUI enclaves on Microsoft GCC High that shrink your assessment boundary, so you certify a contained environment instead of your whole network. As a Microsoft Government Cloud reseller and AOS-G partner, we handle the licensing too.
When your C3PAO engagement begins, we sit on your side of the table — organizing evidence, preparing your team for interviews, and responding to assessor requests. We're consultants, not a C3PAO, so the assessment stays independent.
Certification is a snapshot; compliance is an operation. Our US-based 24x7 Secure Operations Center keeps controls operating, monitoring live, and evidence current — so your next assessment is uneventful.
When our client RPS Defense went through its CMMC Level 2 assessment with A-LIGN, an accredited C3PAO, the result was a perfect 110/110 — no POA&M, nothing to close out later. The environment and compliance program were built with Essendis: former Big Four auditors and top-tier security engineers under one roof, backed by a US-based 24x7 Secure Operations Center. That's the standard we build to, because on assessment day, "mostly ready" isn't a score.
See How We Get Contractors Assessment-ReadyIt depends on your starting point and your scope. A contractor with mature IT and a contained CUI footprint moves far faster than one starting cold across a flat network. A readiness assessment replaces guesswork with a defensible timeline.
Scope, more than anything. The number of systems and people inside your assessment boundary determines how much you must implement, document, and defend — which is why enclave scoping is usually the biggest cost lever. After that: how much remediation your gap analysis uncovers, and the C3PAO's assessment fees, which the assessor sets, not us.
Only narrowly. POA&Ms are permitted for a limited subset of lower-weight controls, you must still clear a minimum score, and every open item must close within 180 days. The highest-weight requirements can't be deferred at all. Treat a POA&M as a short grace period, not a compliance strategy.
No — FCI-only contractors fall under Level 1: 17 practices and an annual self-assessment. But check carefully. CUI has a way of creeping into email, file shares, and subcontractor workflows, and if DoD data with handling or distribution markings touches your systems, you're likely in Level 2 territory.
No, and that's deliberate. C3PAOs must stay independent of the organizations they assess — the firm that certifies you can't also build your program. We do the building: readiness, remediation, enclave engineering, and support through your assessment with an accredited C3PAO.
More questions? Visit our CMMC FAQ