The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Level 2 Assessment Guide: Self vs C3PAO, Evidence, POA&M, and SPRS

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.

Last reviewed:

The Defense Compliance Report is not affiliated with, endorsed by, or sponsored by the U.S. Department of Defense, the Cyber AB, DCMA DIBCAC, NIST, or any U.S. Government agency. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This is educational research, not legal, contractual, or compliance advice.

Bottom line up front: A CMMC Level 2 assessment verifies that the systems in your defined scope meet the 110 NIST SP 800-171 Rev. 2 requirements for protecting Controlled Unclassified Information (CUI). There are two paths, and your contract decides which one you get: a Level 2 self-assessment your own team performs and posts to SPRS, or a Level 2 certification assessment performed by a C3PAO (Certified Third-Party Assessment Organization). The single most expensive mistake is assuming Level 2 always means C3PAO — many contractors need only a self-assessment. Read your clause first.

Here’s the part most guides bury: a passing score you can’t defend is worse than no score at all. In June 2026, the Justice Department settled with a contractor that self-reported a perfect 110 to the government — then scored a −170 when the Defense Department actually assessed it. We’ll show you what DOJ alleged, how big the gap was, and how to make sure your own result would survive the same scrutiny.

DCR Level 2 Assessment Path Matrix: what you need before you request quotes

Before you scroll, here’s the fastest way to orient yourself. This matrix maps your situation to your likely path, where the result lands, what has to be ready first, and the type of help to consider before you request a single quote.

Sources: 32 CFR Part 170 (§170.16, §170.17, §170.21, §170.23); DFARS 252.204-7021 and 252.204-7025.
| Your situation | Level 2 path | Who performs it | Where the result goes | What must be ready first | Provider category to consider first |
|---|---|---|---|---|---|
| Solicitation says Level 2 (Self) | Level 2 self-assessment | Your internal team (the OSA) | SPRS | Defined scope, SSP, self-assessment score, CAGE code(s), POA&M (if any), an affirming official | RPO/RP, MSSP/MSP, GRC, or CUI enclave — if gaps remain |
| Solicitation says Level 2 (C3PAO) | Level 2 certification assessment | An authorized/accredited C3PAO | CMMC eMASS → SPRS | Scope, complete SSP, evidence, assessor access, cloud/ESP documentation | Readiness category first if gaps remain; C3PAO only when assessment-ready |
| Phase 1 Level 2 requirement, no C3PAO language | Usually Level 2 self, unless DoD specifies C3PAO | Your team, unless the clause says C3PAO | SPRS | Read DFARS 252.204-7025 to confirm the required status | RPO/RP or a federal-contracts attorney if the clause is ambiguous |
| Subcontractor, handles only FCI | Not Level 2 — Level 1 (Self) minimum | Your team | SPRS | Confirm you truly process/store/transmit no CUI | RP/RPO or attorney to review the flow-down |
| Subcontractor, handles CUI, prime is Level 2 (Self) | Level 2 self-assessment minimum | Your team | SPRS | CUI scope + a complete self-assessment packet | RPO/RP, MSSP/MSP, GRC, or enclave |
| Subcontractor, handles CUI, prime is Level 2 (C3PAO) | Level 2 certification assessment minimum | A C3PAO | eMASS → SPRS | Assessment-ready scope and evidence | Readiness first, then C3PAO |
| Score is 88–109 with only eligible gaps | Conditional Level 2 is possible | Your team or a C3PAO, by path | SPRS or eMASS → SPRS | A valid POA&M with no prohibited items, plus a 180-day closeout plan | Remediation/readiness help, immediately |
| A cloud service or ESP is inside your scope | Same path, larger scope | Your team/C3PAO evaluates inherited and shared responsibility | SPRS/eMASS evidence must line up | Customer Responsibility Matrix, SSP references, FedRAMP authorization/equivalency evidence, ESP availability | CUI enclave, GCC High / GovCloud implementer, MSSP/MSP, GRC |

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.

Not sure which row you’re in?

Map your Level 2 path with Find My CMMC Path. Answer a few questions about your clause, CUI scope, environment, and timeline, and the tool points you to a provider category — not a named provider, not a ranking — before you spend.

Category guidance only. Do not submit CUI, drawings, or sensitive contract details.


What is a CMMC Level 2 assessment?

A CMMC Level 2 assessment evaluates whether the information systems in your assessment scope have implemented the Level 2 security requirements for protecting CUI. The official DoD Level 2 Assessment Guide describes two paths — a self-assessment and a certification assessment by a C3PAO — and Level 2 incorporates NIST SP 800-171 Revision 2. The assessment produces a CMMC status (Conditional or Final) that contracting officers verify in SPRS before award.

Think of Level 2 as a CUI-handling assessment requirement, not a company-size test. It applies because of what you handle — Controlled Unclassified Information — not because you have 15 employees or 1,500. If you process, store, or transmit CUI on contractor information systems for a DoD contract, Level 2 is the minimum CMMC status for subcontractors, and the prime contract or solicitation sets the required status for the procurement (32 CFR Part 170, §170.3 and §170.23).

A few distinctions matter enough to define once:

Level 1 vs Level 2 (Self) vs Level 2 (C3PAO) vs Level 3

Sources: 32 CFR Part 170 (§170.15–§170.18); NIST SP 800-171 Rev. 2; NIST SP 800-172; DoD CMMC Level 2 Assessment Guide.
| | Level 1 | Level 2 (Self) | Level 2 (C3PAO) | Level 3 |
|---|---|---|---|---|
| Protects | FCI | CUI | CUI | The most sensitive CUI |
| Standard | 15 basic safeguarding requirements (FAR 52.204-21) | 110 requirements (NIST SP 800-171 Rev. 2) | 110 requirements (NIST SP 800-171 Rev. 2) | 800-171 Rev. 2 + selected requirements from NIST SP 800-172 |
| Who assesses | Your team | Your team | A C3PAO | DoD (DCMA DIBCAC) |
| Result posted to | SPRS | SPRS | CMMC eMASS → SPRS | eMASS → SPRS |
| Cadence | Annual self-assessment + affirmation | Every 3 years + annual affirmation | Every 3 years + annual affirmation | Every 3 years + annual affirmation |

Do you need a Level 2 self-assessment or a Level 2 C3PAO assessment?

Your required Level 2 assessment type comes from the contract, not from a rule of thumb. The DoD program office or requiring activity decides, for each procurement, whether Level 2 calls for a self-assessment or a C3PAO certification assessment, and the solicitation states it in the DFARS 252.204-7025 notice. Under DFARS 252.204-7021 and the DFARS award rules, an offeror is not eligible for award without the required CMMC status.

Open the solicitation and search for 252.204-7025 (the notice telling you the required level) and 252.204-7021 (the clause requiring you to maintain that status). If you’re a subcontractor, the same logic reaches you through flow-down — your prime’s requirement and the information you handle set your floor (32 CFR Part 170, §170.23).

This guide cannot tell you which path your specific contract requires. No guide can. No checklist can. The clause and your DoD program office decide it, and anyone who tells you otherwise is either guessing or selling you the more expensive option.

The most common way contractors waste money here is by hiring a C3PAO before they’re ready — treating the certification assessment as if it will also fix their gaps. It won’t. Under the Cyber AB’s rules, a firm that provides you advice, recommendations, or implementation help creates a conflict of interest for that assessment engagement, and a C3PAO can’t use the assessment to coach you on remediation (Cyber AB CMMC Assessment Process and Code of Professional Conduct). Practically: the C3PAO documents what’s wrong; it cannot fix it.

One more thing: the Cyber AB, the CAICO, and DoD will not recommend or introduce specific C3PAOs to you (Cyber AB CMMC Assessment Process). The system is deliberately hands-off. That’s part of why an independent decision layer — one that maps you to a category and lets you choose the firm — exists at all.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details

Why this is urgent now (without the scare tactics)

CMMC requirements are being phased into DoD contracts on a published schedule. Phase 1 runs November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026: alongside Phase 1 requirements, DoD intends to include Level 2 (C3PAO) requirements in applicable solicitations and contracts as a condition of award. Because C3PAO capacity is limited and readiness takes months, the practical deadline for many contractors arrives well before the calendar date on their contract.

The rollout has four phases (32 CFR Part 170, §170.3(e)):

Two changes tripped up a lot of otherwise-current guidance in 2026, and if an article you’re reading doesn’t mention them, it’s already stale.

First, the clause numbers moved. Under DoD’s Revolutionary FAR Overhaul, class deviations effective February 1, 2026 eliminated the old standalone basic self-assessment provision (DFARS 252.204-7019), renumbered DFARS 252.204-7020 to 252.240-7997, and renumbered FAR 52.204-21 to 52.240-93. The important part: DFARS 252.204-7021 (the CMMC clause) and 252.204-7012 (safeguarding and incident reporting) did not change. The underlying safeguarding obligations didn’t shrink. Because these are class deviations while formal rulemaking catches up, verify the actual clause text in your solicitation, not just the number.

Second, the credentialing body changed hands. As of April 2026, ISACA operates as the CAICO — the CMMC Assessor and Instructor Certification Organization — administering the CCP, CCA, and Lead CCA credentials. The Cyber AB still runs the Marketplace and C3PAO accreditation. If a source still describes the Cyber AB as running assessor certification, it hasn’t been updated.

Readiness for a Level 2 (C3PAO) assessment commonly takes 6 to 18 months, and C3PAO scheduling lead times are running roughly 6 to 12 months against a small pool of assessors. Those two clocks run at the same time. If your contract’s Level 2 (C3PAO) requirement lands in late 2026 and you start in mid-2026, you may simply run out of runway.

What does a CMMC Level 2 assessment actually test?

Level 2 assessments evaluate implementation of the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families. Each requirement breaks down into specific assessment objectives — 320 in total, defined in NIST SP 800-171A — and every objective must be satisfied for the parent requirement to be marked MET. Assessors verify each objective three ways: by examining artifacts, interviewing your people, and testing whether controls actually work.

The 110 Level 2 requirements, by family (and where they go wrong)

Requirement counts per family from NIST SP 800-171 Rev. 2 (last counted ). “Where contractors fall short” reflects commonly reported DIBCAC and assessor findings.
| Family | Reqs | What it covers | Where contractors most often fall short |
|---|---|---|---|
| Access Control (AC) | 22 | Who can access what, remote access, least privilege, information flow | Shared “team” logins; admin accounts used for daily work; no record of access reviews |
| Awareness & Training (AT) | 3 | Security awareness and role-based training | Generic training with no CUI-specific content |
| Audit & Accountability (AU) | 9 | Logging, log review, protecting and retaining audit records | Logs not centralized, reviewed, or kept long enough |
| Configuration Management (CM) | 9 | Baselines, change control, least functionality | No documented baseline; changes not tracked |
| Identification & Authentication (IA) | 11 | Unique IDs, multi-factor authentication, authenticator rules | MFA gaps on remote and privileged access |
| Incident Response (IR) | 3 | Detecting, reporting, and responding to incidents | A plan on paper that’s never tested |
| Maintenance (MA) | 6 | System maintenance and maintenance-tool controls | Remote maintenance not controlled or logged |
| Media Protection (MP) | 9 | Protecting, sanitizing, and controlling CUI media | Removable media and sanitization unmanaged |
| Personnel Security (PS) | 2 | Screening and protecting CUI during personnel actions | Access not revoked promptly at offboarding |
| Physical Protection (PE) | 6 | Physical access, escorting visitors, access logs | Missing visitor escorts and access logs — several PE requirements can’t be deferred to a POA&M |
| Risk Assessment (RA) | 3 | Risk assessments and vulnerability scanning | Scans run, but findings not remediated or tracked |
| Security Assessment (CA) | 4 | SSP, control assessment, POA&M, monitoring | An incomplete SSP — a prerequisite that can’t be deferred |
| System & Communications Protection (SC) | 16 | Boundary protection, encryption, network security | Encryption that isn’t FIPS-validated; weak boundary separation |
| System & Information Integrity (SI) | 7 | Flaw remediation, malicious-code protection, monitoring | Patch latency; endpoint-protection gaps |
| Total | 110 | | |

The 320-objective detail matters more than it sounds. A single requirement — say, multi-factor authentication — can carry several determination statements in NIST SP 800-171A, and missing any one of them means the whole requirement isn’t MET. This is why “we have MFA” isn’t the same as “we can demonstrate MFA the way an assessor will check it.”

Rev. 2 vs Rev. 3 — get this one right

CMMC Level 2 is currently assessed against NIST SP 800-171 Revision 2, not Revision 3. NIST withdrew Rev. 2 at the standards level on May 14, 2024 when it published Rev. 3 — but a DoD class deviation keeps Rev. 2 as the operative standard for DFARS 252.204-7012 and CMMC, and C3PAO assessors are not authorized to assess against Rev. 3 (NIST CSRC; DoD class deviation 2024-O0013). Rev. 3 is a different standard — 97 requirements across 17 families — and it isn’t your assessment basis yet. If a consultant is building your assessment package around Rev. 3, confirm exactly why before you spend.

What has to be in scope before the assessment starts?

Your assessment scope must be defined before the assessment begins. 32 CFR Part 170 (§170.19(c)) requires the OSA to specify the CMMC Assessment Scope in advance, and the Cyber AB CMMC Assessment Process requires the C3PAO to validate that scope before moving into the evaluation phase. Scope is the foundation of the entire assessment — get it wrong and everything downstream is wrong.

Scoping is where a lot of preventable failures begin, because it starts with a question many contractors can’t answer cleanly: where does our CUI actually live, and how does it move?

The DoD CMMC Scoping Guide (Level 2) sorts your environment into categories, and each is treated differently in the assessment:

Source: 32 CFR Part 170 (§170.19); DoD CMMC Scoping Guide – Level 2; Cyber AB CMMC Assessment Process.
| Asset category | Assessed against the 110? | What evidence is needed | Common mistake |
|---|---|---|---|
| CUI assets (process, store, or transmit CUI) | Yes, fully | System descriptions, data flows, control implementation evidence | Not knowing all the places CUI lands |
| Security Protection Assets (provide security for the scope) | Yes, for the protections they provide | Configuration, coverage, and responsibility evidence | Forgetting tools like SIEM, MFA, or the enclave itself |
| Contractor Risk Managed Assets (could touch CUI but are managed by policy) | Limited, based on your policies | Policies, procedures, and risk-management evidence | Treating them as fully out of scope with no controls |
| Specialized assets (e.g., certain OT/IoT) | Handled per the rule’s specialized-asset guidance | Documentation of how they’re managed and isolated | Assuming they’re automatically exempt |
| Out-of-scope assets | No | Evidence they’re truly separated from CUI | “Out of scope” claims that leak CUI in practice |

The single highest-leverage move in this whole process is to shrink your scope — to consolidate CUI into a defined enclave so fewer systems have to meet all 110 requirements. Done well, it’s the difference between securing a handful of systems and securing your entire company.

How does the Level 2 C3PAO assessment process work?

The Cyber AB CMMC Assessment Process (CAP) organizes a Level 2 certification assessment into four phases after some preliminary steps: Pre-Assessment (plan and confirm readiness), Assess Conformity (examine, interview, and test all 110 requirements), Report Results (independent quality review, out-brief, and upload to eMASS), and Certify/Close-out (issue the Certificate of CMMC Status and manage any POA&M). Understanding these phases is how prepared contractors avoid the delays that derail unprepared ones.

Source: Cyber AB CMMC Assessment Process v2.0.
| Phase | What happens | Who leads | Where it can go wrong |
|---|---|---|---|
| Preliminary | Contact an authorized C3PAO; confirm legal entity and CAGE code(s); identify and mitigate conflicts of interest; the C3PAO proposes a Lead CCA; sign an agreement consistent with the Code of Professional Conduct | You + the C3PAO | An unresolved conflict of interest, or unclear corporate/CAGE structure |
| Phase 1 — Pre-Assessment | The C3PAO reviews your SSP for completeness and consistency, validates your scope (including cloud and ESPs), and makes a readiness determination; the Pre-Assessment Form is completed | Lead CCA | Incomplete SSP, unclear scope, or evidence that isn’t accessible — the assessment can be postponed here |
| Phase 2 — Assess Conformity | Assessors evaluate all 110 requirements by examining artifacts, interviewing staff, and testing controls; they score each objective; daily check-ins track progress | Assessment team | Staff who can’t demonstrate a control they “have”; evidence that doesn’t match the SSP |
| Phase 3 — Report Results | A QA reviewer not on the assessment team checks the package; the team delivers an out-brief; the C3PAO uploads results to CMMC eMASS regardless of outcome; an appeals route exists | C3PAO + QA reviewer | Surprises at out-brief because gaps weren’t caught earlier |
| Phase 4 — Certify / Close-out | The C3PAO issues the Certificate of CMMC Status; if a POA&M exists, status is Conditional until closeout within 180 days | C3PAO | Missing the 180-day POA&M window and losing Conditional status |

Two details are worth underlining. First, the C3PAO uploads results into eMASS whether you pass or not. Second, the C3PAO can’t tell you how to fix what they find during the results briefing; their independence rules prohibit it. If you want a dress rehearsal, that’s what a mock assessment is for — run one with a complete evidence package before the real thing, not instead of readiness.

How is Level 2 scored, and when does Conditional status count?

Level 2 is scored using the DoD Assessment Methodology, which starts at a maximum of 110 and subtracts points for requirements that aren’t met, on a scale that runs as low as −203 (32 CFR Part 170, §170.24). To earn a Conditional CMMC status you need a score of at least 88 — that is, your score divided by 110 must be at least 0.8 — with any remaining gaps limited to eligible items on a POA&M. Any POA&M must be closed within 180 days of the Conditional CMMC Status Date, or the status expires.

This is where the old “get any number into SPRS” strategy died. Not every gap can be deferred. The rules are specific (32 CFR Part 170, §170.21), and the six requirements below can never be placed on a POA&M:

Source: 32 CFR Part 170, §170.21(a)(2).
| Requirement | Name |
|---|---|
| AC.L2-3.1.20 | External Connections (CUI Data) |
| AC.L2-3.1.22 | Control Public Information (CUI Data) |
| CA.L2-3.12.4 | System Security Plan |
| PE.L2-3.10.3 | Escort Visitors (CUI Data) |
| PE.L2-3.10.4 | Physical Access Logs (CUI Data) |
| PE.L2-3.10.5 | Manage Physical Access (CUI Data) |

Note the SSP itself (CA.L2-3.12.4) on that list. A complete System Security Plan isn’t just a scored requirement — it’s a prerequisite for the assessment to proceed at all. The practical translation: the high-point-value requirements and these six prerequisites are the ones you must have working before anyone assesses you.
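As an added illustration (not code from this guide, DoD, the Cyber AB, or SPRS), the following Python encodes the scoring and Conditional-status rules described above: it computes a score from the unmet requirements, refuses any POA&M that contains one of the six barred requirements or a high-point-value item, and works out the 180-day closeout date. The per-requirement point weights in `SAMPLE_WEIGHTS` are constructed sample values for this example, not the official DoD Assessment Methodology table.

```python
"""Scoring and Conditional-status check for a CMMC Level 2 result.

Illustration added to this guide; not DoD, Cyber AB, or SPRS code. It encodes
the rules stated in the text: the score starts at 110 and loses points for each
requirement not MET (floor -203); Conditional status needs at least 88
(88/110 = 0.8) with every open item POA&M-eligible; the six requirements in the
barred list can never be deferred; and the POA&M must close within 180 days of
the Conditional CMMC Status Date.

ASSUMPTION: SAMPLE_WEIGHTS holds constructed point values for a handful of
requirements so the example runs offline. The official DoD Assessment
Methodology assigns each of the 110 requirements its own 1-, 3- or 5-point
weight; look those up before relying on any number this prints.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_SCORE = 110
MIN_SCORE = -203
CONDITIONAL_FLOOR = 88      # 88 / 110 = 0.8, the ratio quoted in the text
POAM_CLOSEOUT_DAYS = 180

# Requirements that may never sit on a Level 2 POA&M (32 CFR Part 170, §170.21(a)(2)).
POAM_PROHIBITED = frozenset({
    "AC.L2-3.1.20",  # External Connections (CUI Data)
    "AC.L2-3.1.22",  # Control Public Information (CUI Data)
    "CA.L2-3.12.4",  # System Security Plan
    "PE.L2-3.10.3",  # Escort Visitors (CUI Data)
    "PE.L2-3.10.4",  # Physical Access Logs (CUI Data)
    "PE.L2-3.10.5",  # Manage Physical Access (CUI Data)
})

# Constructed sample weights for this example only (NOT the official table).
SAMPLE_WEIGHTS = {
    "AC.L2-3.1.9": 1, "AT.L2-3.2.3": 1, "MP.L2-3.8.4": 1,
    "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1, "CA.L2-3.12.4": 5,
    "PE.L2-3.10.3": 1, "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1,
    "IA.L2-3.5.3": 5, "SC.L2-3.13.11": 5, "AU.L2-3.3.1": 5,
    "CM.L2-3.4.1": 5, "SI.L2-3.14.1": 5, "SI.L2-3.14.2": 5,
}


@dataclass
class Level2Result:
    score: int
    status: str                        # "Final", "Conditional" or "None"
    poam_items: list                   # open items that could be deferred
    blockers: list                     # open items that cannot be deferred
    closeout_deadline: Optional[date]  # set only for Conditional status


def compute_score(unmet, weights=SAMPLE_WEIGHTS):
    """Start at 110 and subtract each unmet requirement's weight, floored at -203."""
    score = MAX_SCORE - sum(weights[r] for r in unmet)
    return max(score, MIN_SCORE)


def poam_eligible(req, weights=SAMPLE_WEIGHTS):
    """An item can be deferred only if it is not barred and carries a 1-point weight.

    The rule's single partial-credit carve-out for CUI encryption is not modelled.
    """
    return req not in POAM_PROHIBITED and weights[req] <= 1


def determine_status(unmet, status_date, weights=SAMPLE_WEIGHTS):
    """Map a set of unmet requirement IDs to the CMMC status the text describes."""
    if isinstance(status_date, str):
        status_date = date.fromisoformat(status_date)
    unmet = sorted(set(unmet))
    score = compute_score(unmet, weights)
    blockers = [r for r in unmet if not poam_eligible(r, weights)]
    if not unmet:
        return Level2Result(score, "Final", [], [], None)
    if score >= CONDITIONAL_FLOOR and not blockers:
        deadline = status_date + timedelta(days=POAM_CLOSEOUT_DAYS)
        return Level2Result(score, "Conditional", unmet, [], deadline)
    # Below the 88 floor, or a non-deferrable item is open: no status at all.
    deferrable = [r for r in unmet if r not in blockers]
    return Level2Result(score, "None", deferrable, blockers, None)


if __name__ == "__main__":
    # Constructed scenarios; the status date is a sample value.
    for label, gaps in [
        ("clean", []),
        ("two 1-point gaps", ["AC.L2-3.1.9", "AT.L2-3.2.3"]),
        ("SSP missing", ["CA.L2-3.12.4"]),
        ("six 5-point gaps", ["IA.L2-3.5.3", "SC.L2-3.13.11", "AU.L2-3.3.1",
                              "CM.L2-3.4.1", "SI.L2-3.14.1", "SI.L2-3.14.2"]),
    ]:
        r = determine_status(gaps, "2026-06-01")
        print(f"{label:18} score={r.score:4} status={r.status:12} "
              f"blockers={r.blockers} closeout={r.closeout_deadline}")
```

Note how the "SSP missing" case lands at a respectable 105 yet yields no status at all, which is the point the paragraph above makes about prerequisites.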

How do you prepare for a CMMC Level 2 assessment? The 12 No-Go Gates

Before you sign a C3PAO engagement, you should be able to clear twelve readiness gates. If any gate is still open, scheduling a formal certification assessment is premature — you’ll pay for assessor time to document problems you could have found for free. We built this checklist from 32 CFR Part 170, the DoD Level 2 Assessment Guide, the Cyber AB CMMC Assessment Process, and SPRS workflow requirements so you can pressure-test your own readiness in an afternoon.

This is our original readiness framework — the one screen we’d hand a client before they cut a check. Treat any “no” as a stop sign.

Sources: 32 CFR Part 170; DoD CMMC Level 2 Assessment Guide; Cyber AB CMMC Assessment Process.
| # | Gate | You pass when… | Why it matters |
|---|---|---|---|
| 1 | Clause gate | You know whether you need Level 2 (Self) or Level 2 (C3PAO) | Prevents buying the wrong service entirely |
| 2 | CUI gate | You know everywhere CUI is processed, stored, or transmitted | Scope starts with CUI; unknown CUI = unknown scope |
| 3 | Boundary gate | Systems, locations, users, and CAGE code(s) are mapped | An assessment can't proceed on a vague boundary |
| 4 | SSP gate | Your System Security Plan is complete, accurate, and consistent | The C3PAO reviews it in Phase 1; it can't be deferred (CA.L2-3.12.4) |
| 5 | Evidence gate | Your evidence reflects how controls actually operate | Policies alone don't prove implementation |
| 6 | ESP gate | External Service Providers are documented with a responsibility matrix and available for interview | Assessors may need ESP evidence and people |
| 7 | CSP gate | Cloud responsibility and FedRAMP authorization/equivalency evidence is ready | Cloud claims get verified, not assumed |
| 8 | POA&M gate | Any open items are POA&M-eligible only (see the barred list above) | A disallowed POA&M can leave you with no status |
| 9 | Score gate | You know whether you're at 110, 88–109, below 88, or unknown | Conditional status has a hard 88 floor |
| 10 | SPRS gate | Your PIEE/SPRS roles and affirming official are set up | Status and affirmation gate your eligibility |
| 11 | C3PAO gate | Your chosen C3PAO is currently authorized/accredited in the Cyber AB Marketplace for the assessment you need, with no conflict identified | An unauthorized firm can't produce a valid CMMC status |
| 12 | Sustainment gate | You've named the owner of your annual affirmation | CMMC isn't one-and-done; affirmations continue |

Cleared fewer than twelve gates?

Your next step isn’t a C3PAO — it’s readiness. Run Find My CMMC Path to map your open gaps to the right provider category. You’ll leave with the category to contact first — readiness, evidence software, an enclave, or an assessor — and the questions to ask before you sign.

No cost. No CUI. Category match only.


How do you complete a CMMC Level 2 self-assessment in SPRS?

For a Level 2 self-assessment, your organization conducts the assessment and submits the results in SPRS, then re-assesses every three years with an annual affirmation. 32 CFR Part 170 (§170.16) governs the Level 2 self-assessment path, and the DoD’s SPRS entry process walks through the workflow: enter the assessment by requirement, define scope, list CAGE code(s), record the score, and route to an affirming official for the affirmation.

At a high level, the self-assessment workflow (32 CFR Part 170, §170.16; DoD SPRS guidance):

  1. Get access to PIEE/SPRS and the appropriate role for your organization.
  2. Enter the Level 2 self-assessment, working through the 110 requirements.
  3. Define the assessment scope and list the applicable CAGE code(s). Each assessed system gets a CMMC Unique Identifier (UID) — a ten-character code that tracks it in SPRS.
  4. Record your score using the DoD Assessment Methodology.
  5. Route to your affirming official, who submits the affirmation of compliance.
  6. Your status posts as Final Level 2 (Self) — or Conditional if you have an allowable POA&M.

Do not mistake “self-assessment” for “self-graded.” A self-assessment still requires real, defensible evidence for every objective. The government can — and does — test those representations later, which is the subject of the enforcement section below.

How much does a CMMC Level 2 assessment cost in 2026?

There is no single published price for a CMMC Level 2 assessment, and any guide that quotes one number is oversimplifying. DoD’s own rule estimates a Level 2 C3PAO cycle at roughly $104,670 for a small entity (about $117,690 for larger ones) — but that figure starts at the assessment phase and deliberately excludes the remediation and documentation most contractors actually pay for. Once you include closing gaps, building an SSP, and any CUI enclave, real all-in costs commonly run $50,000 to $300,000+, and the C3PAO fee itself is typically only a fraction of the total.

What DoD estimates (from the CMMC rule’s regulatory impact analysis, Federal Register, October 15, 2024, for a small entity)

Source: 32 CFR Part 170 regulatory impact analysis (89 FR 83214), Oct. 15, 2024. DoD states plainly that these estimates begin at the assessment phase and exclude NIST SP 800-171 implementation.
| Component | DoD estimate |
|---|---|
| Conduct the C3PAO assessment | $76,743 |
| Plan and prepare for the assessment | $20,699 |
| Report assessment results | $2,851 |
| Annual affirmations (3-year cycle, ~$1,459/yr) | $4,377 |
| DoD-estimated 3-year total (small entity) | ≈ $104,670 |

What the market reports (2026 provider cost analyses — not DoD figures)

Ranges aggregated from multiple 2026 provider cost analyses (market-reported, not DoD estimates). Verify current pricing with providers for your scope.
| Line item | Typical 2026 range |
|---|---|
| C3PAO assessment fee alone (single-site small business) | $30,000–$75,000 (multi-site/complex: up to ~$120,000–$150,000) |
| Gap/readiness assessment | $5,000–$20,000 |
| SSP and documentation | $12,000–$70,000 |
| Remediation / control implementation | $20,000–$150,000+ (usually the biggest line item) |
| CUI enclave (recurring) | Roughly $300–$400/user/month up to ~$3,000–$4,000/month |
| All-in first-cycle Level 2 (C3PAO) | $50,000–$300,000+ |

The insight worth internalizing: the assessment invoice is the small part. For a contractor starting from low maturity, remediation and documentation dwarf the audit fee — the C3PAO fee is often only about a quarter to a third of the total. The lever that moves this number most is scope: the tighter your CUI boundary, the fewer systems you have to bring to all 110 requirements.

For a full cost breakdown by company size and region, see our dedicated CMMC Level 2 cost guide.

How long does a CMMC Level 2 assessment take — and can you even get a slot?

Plan for two clocks. Readiness — reaching the point where you can pass — typically takes 6 to 18 months depending on your starting maturity. Then the C3PAO itself: scheduling lead times commonly run 6 to 12 months because there are only about 100 authorized assessors for tens of thousands of contractors, and the on-site or remote engagement usually spans several days to a few weeks. Work backward from any contract deadline accordingly.

The capacity math is the part contractors underestimate. As reported at the March 2026 Cyber AB Town Hall, the ecosystem had roughly 103 authorized C3PAOs and about 759 credentialed assessors (CCAs), and had certified approximately 1,000 organizations — against a DIB that DoD estimates at tens of thousands of organizations needing Level 2. In one recent month (March 2026), about 178 new Level 2 certificates were issued. And a September 2025 survey of defense contractors by Merrill Research found that just 1% said they were fully prepared for CMMC assessments.

(These figures move — verify the current count at the Cyber AB Marketplace and the latest Town Hall before relying on them.)

Run that forward and the conclusion is uncomfortable but useful: at current throughput, full coverage of the DIB is years away, and demand will spike as Phase 2 approaches. The near-term bottleneck isn’t only assessor supply — it’s readiness. The contractors who get scope, evidence, and documentation done now will be the ones who can book and pass while everyone else is still starting. This is real scarcity, not a marketing invention.

Know your gaps but not your provider type?

Compare CMMC provider categories with Find My CMMC Path. The tool maps your level, scope, evidence maturity, and timeline to a category — RPO/RP, MSSP, GRC platform, CUI enclave, or C3PAO — and tells you which to talk to first.

Category match only. No CUI.


What the enforcement cases teach: your score has to be defensible

A CMMC Level 2 result — self-assessed or certified — is a representation to the government, and the government can test it. Recent False Claims Act settlements show what happens when a self-reported score doesn’t match reality: in June 2026, a Navy contractor that posted a perfect 110 to SPRS settled for $507,144 after a DoD assessment found its true score was −170. These aren’t CMMC certification cases, but they involve the exact NIST SP 800-171 controls that CMMC Level 2 measures — and they’re the clearest available preview of how inaccurate scores become legal exposure.

LOGZONE, Inc. (settled June 18, 2026)

The Huntsville, Alabama logistics firm held two Navy contracts requiring NIST SP 800-171 implementation and a current SPRS score. According to the settlement, on October 13, 2021, it self-reported a perfect 110. On February 2, 2024, DCMA’s DIBCAC assessed the company and found the real score should have been −170 — near the bottom of the −203-to-110 range. DOJ alleged LOGZONE kept billing on those contracts for years while that gap existed, and the company agreed to pay $507,144 to resolve the matter. There was no whistleblower — DOJ investigated it directly. The settlement includes no admission of liability; the claims are allegations only. (U.S. Department of Justice)

Georgia Tech Research Corporation (settled September 30, 2025)

GTRC, the research affiliate that contracts on Georgia Tech’s behalf, settled for $875,000 over Air Force and DARPA work at its Astrolavos Lab. DOJ alleged the organization submitted a December 2020 summary-level score of 98 based on a “fictitious” or “virtual” campus-wide environment that didn’t reflect the actual systems handling covered information — and that it had failed to run antivirus tools until late 2021 and lacked a System Security Plan until 2020. GTRC litigated the case before settling; the claims are allegations only, with no determination of liability. (U.S. Department of Justice)

Why this belongs in an assessment guide: neither settlement alleged a data breach — the exposure came from the gap between what was reported and what was true. A self-attested score you can’t defend with real evidence isn’t a compliance checkbox; it’s a signed representation the government can later test. If you’re not confident your current SPRS score would hold up, that’s a readiness problem to solve now — not after an invoice.

How does Level 2 flow down to subcontractors?

CMMC requirements flow down to subcontractors and suppliers at every tier that processes, stores, or transmits FCI or CUI. Under 32 CFR Part 170 (§170.23), a subcontractor handling only FCI needs Level 1 (Self) as a minimum, a subcontractor handling CUI needs at least Level 2 (Self), and a subcontractor handling CUI under a prime requirement of Level 2 (C3PAO) needs Level 2 (C3PAO) as a minimum. Your required level follows the information you handle — it isn’t automatically the same as your prime’s.

Before you spend anything, ask your prime three questions — is this FCI or CUI, what CMMC level and assessment type applies to us, and by when — and, if the answer is ambiguous, get a Registered Practitioner or a federal-contracts attorney to review it. A short conversation here can save a wrong six-figure decision.

How do cloud providers, ESPs, MSPs, and CUI enclaves change the assessment?

External providers can reduce, inherit, or complicate your assessment scope depending on what they process, store, transmit, or protect. The Cyber AB CMMC Assessment Process requires assessors to verify FedRAMP authorization when you rely on a cloud service for CUI, and to evaluate inherited-responsibility claims through your Customer Responsibility Matrix and supporting evidence. “The vendor is compliant” does not automatically make your environment compliant.

The distinctions to keep straight:

Provider type | What it does for you | Evidence you must have | What breaks if it's missing
CSP handling CUI (e.g., GCC High, GovCloud) | Stores or processes your CUI in the cloud | FedRAMP Moderate authorization or equivalency evidence; Customer Responsibility Matrix | Cloud claims fail verification; a scope gap the assessor can't clear
ESP / MSP / MSSP touching CUI or security data | Operates part of your environment or your security tooling | Customer/Shared Responsibility Matrix; ESP personnel available to assessors | Split of duties is unclear; the assessor can't confirm who does what
CUI enclave | Walls CUI off to shrink your scope | CUI flow diagram, boundary definition, inherited-control mapping | "Out of scope" claims leak; the scope reduction doesn't hold
GRC platform | Organizes evidence, policies, and control mapping | Documented, current evidence tied to each requirement | Mistaken for implementation; software tracks controls, it doesn't satisfy them

The takeaway: inherited controls are real and valuable, but they’re inherited with evidence, not on faith.

Which provider category should you talk to first?

If you’re not assessment-ready, do not start with a C3PAO as if the assessment will fix your gaps — it can’t, and the independence rules forbid it. A C3PAO performs the formal certification assessment. Readiness, remediation, evidence workflow, managed security, and enclave design belong to different provider categories, and matching your situation to the right one first is what saves money and time.

A note on how we handle this: we route readers to a category, never to a ranked “best provider” list, and we never imply a provider is endorsed by us, by the Cyber AB, or by DoD. On this page, the honest, useful answer is the category — and the tool that maps you to it.


What mistakes delay or derail a CMMC Level 2 assessment?

Most Level 2 delays trace back to scope, evidence, and sequencing, not to technical incompetence. The recurring culprits, in the order we see them:

  1. Unclear CUI flows: nobody can say where CUI is processed, stored, or transmitted, so the assessment boundary can't be pinned down.
  2. An SSP that doesn't match the real environment.
  3. A self-reported score without supporting evidence.
  4. Missing cloud/ESP documentation (FedRAMP evidence, a Customer or Shared Responsibility Matrix).
  5. POA&M items that aren't eligible.
  6. Scheduling a C3PAO before you're ready.

Every one of these is cheaper to fix before the assessment than during it.

What we actually verified for this guide

We built this guide from primary and official sources, and we separate what the rules say from what we conclude. Here’s what we read and cross-checked, and the date we did it (last reviewed ).

What changes over time and should be re-checked: C3PAO and assessor counts (as of the March 2026 Cyber AB Town Hall; confirm live at the Cyber AB Marketplace), readiness figures (Merrill Research/CyberSheath, September 2025), and cost ranges. Everything time-sensitive carries the “Last reviewed” date above and is re-verified quarterly.

Frequently asked questions

Is CMMC Level 2 a self-assessment or a C3PAO assessment?

It can be either. The official DoD Level 2 Assessment Guide covers both a Level 2 self-assessment and a Level 2 certification assessment by a C3PAO. Which one applies to you is stated in your solicitation through the DFARS 252.204-7025 notice and carried into the contract by the DFARS 252.204-7021 clause, which requires you to maintain that status. Your company size or a checklist does not decide it.

Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?

Current CMMC Level 2 assessments use NIST SP 800-171 Revision 2. NIST published Revision 3 in 2024, but a DoD class deviation keeps Rev. 2 as the operative standard, and C3PAO assessors are not authorized to assess against Rev. 3 until DoD changes the rule.

How many requirements are in CMMC Level 2?

Level 2 covers the 110 security requirements in NIST SP 800-171 Rev. 2, organized into 14 control families. Those 110 requirements break down into 320 assessment objectives defined in NIST SP 800-171A, all of which are evaluated.

What score do I need for Conditional Level 2?

You need a score of at least 88 out of 110 (your score divided by 110 must be at least 0.8), with every remaining gap limited to POA&M-eligible items. A Conditional status must be resolved by closing the POA&M within 180 days (32 CFR Part 170, §170.21).

Can I use a POA&M for CMMC Level 2?

Yes, but only for 1-point requirements, and never for requirements worth more than 1 point — with one narrow exception for CUI Encryption (SC.L2-3.13.11) when encryption is employed but not FIPS-validated. Six specific 1-point requirements are also barred from a POA&M, including your System Security Plan (CA.L2-3.12.4). Level 1 does not allow POA&Ms at all.
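As an added worked example (written for this guide, not the page's own material and not an official DoD, SPRS, or Cyber AB calculator), the Python below applies the Conditional rules from the two answers above to a constructed list of NOT MET findings: it computes the weighted score, checks the 0.8 ratio, and flags any open gap that is on the barred list or worth more than 1 point, allowing only the SC.L2-3.13.11 exception. The point-value table is an assumed subset of the 110 requirements and the findings are made up; verify every weight against the current CMMC Scoring Methodology before relying on it.

```python
"""Worked SPRS-style score and Conditional Level 2 eligibility check.

Constructed example, not an official DoD or Cyber AB tool. POINT_VALUES is a
small SUBSET of the 110 NIST SP 800-171 Rev. 2 requirements with the 1/3/5
weights of the DoD Assessment Methodology as recalled by this guide's author
(assumption: verify each weight against the current CMMC Scoring Methodology).
The NOT MET findings passed in below are invented for illustration.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203            # 110 minus the 313 points all weighted deductions add up to
CONDITIONAL_RATIO = 0.8     # 32 CFR 170.21: score / 110 >= 0.8, i.e. at least 88
POAM_CLOSE_DAYS = 180

# Points deducted when the requirement is NOT MET (subset; assumption: verify).
POINT_VALUES = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "AU.L2-3.3.1": 5, "AU.L2-3.3.2": 3, "AU.L2-3.3.3": 1,
    "IA.L2-3.5.3": 5,     # MFA: deduct 3 instead if only general users lack it
    "MP.L2-3.8.3": 5,
    "PE.L2-3.10.3": 1, "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1,
    "CA.L2-3.12.4": 1,
    "SC.L2-3.13.11": 5,   # CUI encryption: deduct 3 instead if used but not FIPS-validated
}

# Requirements that may never sit on a Level 2 POA&M, whatever the score.
POAM_BARRED = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
PARTIAL_CREDIT = frozenset({"IA.L2-3.5.3", "SC.L2-3.13.11"})


@dataclass(frozen=True)
class Finding:
    """One NOT MET requirement; partial=True claims the 3-point partial credit."""
    requirement: str
    partial: bool = False

    def deduction(self) -> int:
        if self.requirement not in POINT_VALUES:
            raise KeyError(f"{self.requirement}: not in the (subset) point table")
        if self.partial and self.requirement in PARTIAL_CREDIT:
            return 3
        return POINT_VALUES[self.requirement]

    def poam_eligible(self) -> bool:
        if self.requirement in POAM_BARRED:
            return False
        # The only >1-point gap allowed on a POA&M: encryption in use but not FIPS-validated.
        if self.requirement == "SC.L2-3.13.11" and self.partial:
            return True
        return self.deduction() == 1


def compute_score(findings) -> int:
    """Return the score the way SPRS does: 110 minus the weighted deductions."""
    if len({f.requirement for f in findings}) != len(findings):
        raise ValueError("a requirement is listed more than once")
    return MAX_SCORE - sum(f.deduction() for f in findings)


def evaluate(findings) -> dict:
    """Decide Final / Conditional / not achieved and report what blocks a POA&M."""
    score = compute_score(findings)
    ineligible = sorted(f.requirement for f in findings if not f.poam_eligible())
    if not findings:
        status = "Final"
    elif score >= CONDITIONAL_RATIO * MAX_SCORE and not ineligible:
        status = "Conditional"
    else:
        status = "Not achieved"
    return {"score": score, "status": status, "ineligible": ineligible,
            "close_within_days": POAM_CLOSE_DAYS if status == "Conditional" else None}


if __name__ == "__main__":
    # Constructed findings: one 1-point gap plus non-FIPS encryption -> Conditional.
    print(evaluate([Finding("AU.L2-3.3.3"), Finding("SC.L2-3.13.11", partial=True)]))
    # A missing SSP still scores 109 but can never be put on a POA&M -> not achieved.
    print(evaluate([Finding("CA.L2-3.12.4")]))
```

The second call in the usage block is the case the gut check at the end of this guide is about: a high score and an ineligible gap are not a Conditional result, they are a remediation task before any assessment is worth scheduling.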

Where do CMMC Level 2 results go?

Level 2 self-assessment results are entered into SPRS. Level 2 C3PAO certification results are uploaded by the C3PAO into CMMC eMASS and then transmitted to SPRS, where contracting officers verify your status before award (32 CFR Part 170, §170.16 and §170.17).

How long is CMMC Level 2 status valid?

A Final Level 2 status — self-assessed or C3PAO-certified — is tied to a three-year cycle with an annual affirmation of continued compliance (32 CFR Part 170, §170.22). A Conditional Level 2 status is valid for 180 days, within which the POA&M must be closed.

Should I hire a C3PAO first?

Only if you’re assessment-ready or your contract specifically requires the certification assessment and you’ve closed your gaps. If you still need scoping, remediation, evidence workflow, managed security, or a CUI enclave, start with the category that solves that problem — a C3PAO can’t also prepare you for the same engagement.

Can my readiness consultant also be my C3PAO?

Generally no. A C3PAO that provides advice, recommendations, or implementation assistance creates a conflict of interest for that assessment engagement under the Cyber AB’s rules, and a C3PAO cannot provide remediation advice through the assessment results process. Treat readiness help and formal assessment as separate functions.

Do subcontractors need CMMC Level 2?

A subcontractor that processes, stores, or transmits CUI needs at least Level 2 (Self); if the related prime requirement is Level 2 (C3PAO), the subcontractor needs Level 2 (C3PAO) as a minimum. A subcontractor handling only FCI needs Level 1 (Self). Your level follows the information you handle (32 CFR Part 170, §170.23).

What happens if I fail a CMMC Level 2 assessment?

If a Level 2 assessment identifies NOT MET requirements, some may be re-evaluated during the assessment or within a short window afterward (see 32 CFR Part 170, §170.17). If your score is at least 88 and the remaining gaps are POA&M-eligible, the result can be Conditional — which you must close out within 180 days. If the gaps aren’t eligible or you’re below the threshold, you remediate and re-engage for a new or continued assessment. A full mock assessment beforehand is the best way to avoid this outcome.

Before you request quotes: a 60-second gut check

Before you spend a dollar on a provider, confirm you can answer these three — they’re the questions that separate contractors who are ready from contractors who are about to waste money:

  1. Do I know whether my solicitation requires Level 2 (Self) or Level 2 (C3PAO)?
  2. Do I know everywhere my CUI is processed, stored, or transmitted?
  3. Do I know whether my open gaps are POA&M-eligible (1-point only, none on the barred list)?

If you hesitated on any of them, that’s not a failure — it’s a map. Handle those first and every quote you request afterward gets sharper, faster, and cheaper.

Your next step with this CMMC Level 2 assessment guide

The short version to act on: confirm your clause, map your CUI scope, decide whether you’re on the Level 2 (Self) or Level 2 (C3PAO) path, close your gaps until your score is defensible, and only then request quotes — from the right provider category, in the right order.


Do not submit CUI, drawings, or sensitive contract details through this or any web form. This is educational research, not legal, contractual, or compliance advice — confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level, not a checklist. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance and is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. Government agency.

Primary sources