CMMC Level 2 Assessment Guide: Self vs C3PAO, Evidence, POA&M, and SPRS
Bottom line up front: A CMMC Level 2 assessment verifies that the systems in your defined scope meet the 110 NIST SP 800-171 Rev. 2 requirements for protecting Controlled Unclassified Information (CUI). There are two paths, and your contract decides which one you get: a Level 2 self-assessment your own team performs and posts to SPRS, or a Level 2 certification assessment performed by a C3PAO (Certified Third-Party Assessment Organization). The single most expensive mistake is assuming Level 2 always means C3PAO — many contractors need only a self-assessment. Read your clause first.
Here’s the part most guides bury: a passing score you can’t defend is worse than no score at all. In June 2026, the Justice Department settled with a contractor that self-reported a perfect 110 to the government — then scored a −170 when the Defense Department actually assessed it. We’ll show you what DOJ alleged, how big the gap was, and how to make sure your own result would survive the same scrutiny.
DCR Level 2 Assessment Path Matrix: what you need before you request quotes
Before you scroll, here’s the fastest way to orient yourself. This matrix maps your situation to your likely path, where the result lands, what has to be ready first, and the type of help to consider before you request a single quote.
| Your situation | Level 2 path | Who performs it | Where the result goes | What must be ready first | Provider category to consider first |
|---|---|---|---|---|---|
| Solicitation says Level 2 (Self) | Level 2 self-assessment | Your internal team (the OSA) | SPRS | Defined scope, SSP, self-assessment score, CAGE code(s), POA&M (if any), an affirming official | RPO/RP, MSSP/MSP, GRC, or CUI enclave — if gaps remain |
| Solicitation says Level 2 (C3PAO) | Level 2 certification assessment | An authorized/accredited C3PAO | CMMC eMASS → SPRS | Scope, complete SSP, evidence, assessor access, cloud/ESP documentation | Readiness category first if gaps remain; C3PAO only when assessment-ready |
| Phase 1 Level 2 requirement, no C3PAO language | Usually Level 2 self, unless DoD specifies C3PAO | Your team, unless the clause says C3PAO | SPRS | Read DFARS 252.204-7025 to confirm the required status | RPO/RP or a federal-contracts attorney if the clause is ambiguous |
| Subcontractor, handles only FCI | Not Level 2 — Level 1 (Self) minimum | Your team | SPRS | Confirm you truly process/store/transmit no CUI | RP/RPO or attorney to review the flow-down |
| Subcontractor, handles CUI, prime is Level 2 (Self) | Level 2 self-assessment minimum | Your team | SPRS | CUI scope + a complete self-assessment packet | RPO/RP, MSSP/MSP, GRC, or enclave |
| Subcontractor, handles CUI, prime is Level 2 (C3PAO) | Level 2 certification assessment minimum | A C3PAO | eMASS → SPRS | Assessment-ready scope and evidence | Readiness first, then C3PAO |
| Score is 88–109 with only eligible gaps | Conditional Level 2 is possible | Your team or a C3PAO, by path | SPRS or eMASS → SPRS | A valid POA&M with no prohibited items, plus a 180-day closeout plan | Remediation/readiness help, immediately |
| A cloud service or ESP is inside your scope | Same path, larger scope | Your team/C3PAO evaluates inherited and shared responsibility | SPRS/eMASS evidence must line up | Customer Responsibility Matrix, SSP references, FedRAMP authorization/equivalency evidence, ESP availability | CUI enclave, GCC High / GovCloud implementer, MSSP/MSP, GRC |
Not sure which row you’re in?
Map your Level 2 path with Find My CMMC Path. Answer a few questions about your clause, CUI scope, environment, and timeline, and the tool points you to a provider category — not a named provider, not a ranking — before you spend.
What is a CMMC Level 2 assessment?
A CMMC Level 2 assessment evaluates whether the information systems in your assessment scope have implemented the Level 2 security requirements for protecting CUI. The official DoD Level 2 Assessment Guide describes two paths — a self-assessment and a certification assessment by a C3PAO — and Level 2 incorporates NIST SP 800-171 Revision 2. The assessment produces a CMMC status (Conditional or Final) that contracting officers verify in SPRS before award.
Think of Level 2 as a CUI-handling assessment requirement, not a company-size test. It applies because of what you handle — Controlled Unclassified Information — not because you have 15 employees or 1,500. If you process, store, or transmit CUI on contractor information systems for a DoD contract, Level 2 is the minimum CMMC status for subcontractors, and the prime contract or solicitation sets the required status for the procurement (32 CFR Part 170, §170.3 and §170.23).
A few distinctions matter enough to define once:
- Compliance means you’ve actually implemented the controls. It’s the thing being measured.
- Self-assessment is the Level 2 path where your own team assesses your systems and posts the result to SPRS (32 CFR Part 170, §170.16).
- Certification assessment is the Level 2 path where a C3PAO — an independent firm authorized by the Cyber AB — assesses you, uploads results into CMMC eMASS, and the resulting status transmits to SPRS (32 CFR Part 170, §170.17).
- Conditional status means you passed but still have an allowable gap on a Plan of Action & Milestones (POA&M). Final status means everything is met, or the POA&M is closed.
Level 1 vs Level 2 (Self) vs Level 2 (C3PAO) vs Level 3
| | Level 1 | Level 2 (Self) | Level 2 (C3PAO) | Level 3 |
|---|---|---|---|---|
| Protects | FCI | CUI | CUI | The most sensitive CUI |
| Standard | 15 basic safeguarding requirements (FAR 52.204-21) | 110 requirements (NIST SP 800-171 Rev. 2) | 110 requirements (NIST SP 800-171 Rev. 2) | 800-171 Rev. 2 + selected requirements from NIST SP 800-172 |
| Who assesses | Your team | Your team | A C3PAO | DoD (DCMA DIBCAC) |
| Result posted to | SPRS | SPRS | CMMC eMASS → SPRS | eMASS → SPRS |
| Cadence | Annual self-assessment + affirmation | Every 3 years + annual affirmation | Every 3 years + annual affirmation | Every 3 years + annual affirmation |
Do you need a Level 2 self-assessment or a Level 2 C3PAO assessment?
Your required Level 2 assessment type comes from the contract, not from a rule of thumb. The DoD program office or requiring activity decides, for each procurement, whether Level 2 calls for a self-assessment or a C3PAO certification assessment, and the solicitation states it in the DFARS 252.204-7025 notice. Under DFARS 252.204-7021 and the DFARS award rules, an offeror is not eligible for award without the required CMMC status.
Open the solicitation and search for 252.204-7025 (the notice telling you the required level) and 252.204-7021 (the clause requiring you to maintain that status). If you’re a subcontractor, the same logic reaches you through flow-down — your prime’s requirement and the information you handle set your floor (32 CFR Part 170, §170.23).
This guide cannot tell you which path your specific contract requires. No guide can. No checklist can. The clause and your DoD program office decide it, and anyone who tells you otherwise is either guessing or selling you the more expensive option.
The most common way contractors waste money here is by hiring a C3PAO before they’re ready — treating the certification assessment as if it will also fix their gaps. It won’t. Under the Cyber AB’s rules, a firm that provides you advice, recommendations, or implementation help creates a conflict of interest for that assessment engagement, and a C3PAO can’t use the assessment to coach you on remediation (Cyber AB CMMC Assessment Process and Code of Professional Conduct). Practically: the C3PAO documents what’s wrong; it cannot fix it.
One more thing: the Cyber AB, the CAICO, and DoD will not recommend or introduce specific C3PAOs to you (Cyber AB CMMC Assessment Process). The system is deliberately hands-off. That’s part of why an independent decision layer — one that maps you to a category and lets you choose the firm — exists at all.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Why this is urgent now (without the scare tactics)
CMMC requirements are being phased into DoD contracts on a published schedule. Phase 1 runs November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026: alongside Phase 1 requirements, DoD intends to include Level 2 (C3PAO) requirements in applicable solicitations and contracts as a condition of award. Because C3PAO capacity is limited and readiness takes months, the practical deadline for many contractors arrives well before the calendar date on their contract.
The rollout has four phases (32 CFR Part 170, §170.3(e)):
- Phase 1 — Nov. 10, 2025 to Nov. 9, 2026: Level 1 and Level 2 self-assessment requirements appear in applicable solicitations. DoD may also require Level 2 (C3PAO) in select procurements.
- Phase 2 — begins Nov. 10, 2026: Level 2 (C3PAO) certification requirements phase into applicable solicitations and contracts.
- Phase 3 — begins Nov. 10, 2027: Level 3 requirements phase in.
- Phase 4 — begins Nov. 10, 2028: Full implementation across applicable contracts.
Two changes tripped up a lot of otherwise-current guidance in 2026, and if an article you’re reading doesn’t mention them, it’s already stale.
First, the clause numbers moved. Under DoD’s Revolutionary FAR Overhaul, class deviations effective February 1, 2026 eliminated the old standalone basic self-assessment provision (DFARS 252.204-7019), renumbered DFARS 252.204-7020 to 252.240-7997, and renumbered FAR 52.204-21 to 52.240-93. The important part: DFARS 252.204-7021 (the CMMC clause) and 252.204-7012 (safeguarding and incident reporting) did not change. The underlying safeguarding obligations didn’t shrink. Because these are class deviations while formal rulemaking catches up, verify the actual clause text in your solicitation, not just the number.
Second, the credentialing body changed hands. As of April 2026, ISACA operates as the CAICO — the CMMC Assessor and Instructor Certification Organization — administering the CCP, CCA, and Lead CCA credentials. The Cyber AB still runs the Marketplace and C3PAO accreditation. If a source still describes the Cyber AB as running assessor certification, it hasn’t been updated.
Readiness for a Level 2 (C3PAO) assessment commonly takes 6 to 18 months, and C3PAO scheduling lead times are running roughly 6 to 12 months against a small pool of assessors. Those two clocks run at the same time. If your contract’s Level 2 (C3PAO) requirement lands in late 2026 and you start in mid-2026, you may simply run out of runway.
What does a CMMC Level 2 assessment actually test?
Level 2 assessments evaluate implementation of the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families. Each requirement breaks down into specific assessment objectives — 320 in total, defined in NIST SP 800-171A — and every objective must be satisfied for the parent requirement to be marked MET. Assessors verify each objective three ways: by examining artifacts, interviewing your people, and testing whether controls actually work.
The 110 Level 2 requirements, by family (and where they go wrong)
| Family | Reqs | What it covers | Where contractors most often fall short |
|---|---|---|---|
| Access Control (AC) | 22 | Who can access what, remote access, least privilege, information flow | Shared “team” logins; admin accounts used for daily work; no record of access reviews |
| Awareness & Training (AT) | 3 | Security awareness and role-based training | Generic training with no CUI-specific content |
| Audit & Accountability (AU) | 9 | Logging, log review, protecting and retaining audit records | Logs not centralized, reviewed, or kept long enough |
| Configuration Management (CM) | 9 | Baselines, change control, least functionality | No documented baseline; changes not tracked |
| Identification & Authentication (IA) | 11 | Unique IDs, multi-factor authentication, authenticator rules | MFA gaps on remote and privileged access |
| Incident Response (IR) | 3 | Detecting, reporting, and responding to incidents | A plan on paper that’s never tested |
| Maintenance (MA) | 6 | System maintenance and maintenance-tool controls | Remote maintenance not controlled or logged |
| Media Protection (MP) | 9 | Protecting, sanitizing, and controlling CUI media | Removable media and sanitization unmanaged |
| Personnel Security (PS) | 2 | Screening and protecting CUI during personnel actions | Access not revoked promptly at offboarding |
| Physical Protection (PE) | 6 | Physical access, escorting visitors, access logs | Missing visitor escorts and access logs — several PE requirements can’t be deferred to a POA&M |
| Risk Assessment (RA) | 3 | Risk assessments and vulnerability scanning | Scans run, but findings not remediated or tracked |
| Security Assessment (CA) | 4 | SSP, control assessment, POA&M, monitoring | An incomplete SSP — a prerequisite that can’t be deferred |
| System & Communications Protection (SC) | 16 | Boundary protection, encryption, network security | Encryption that isn’t FIPS-validated; weak boundary separation |
| System & Information Integrity (SI) | 7 | Flaw remediation, malicious-code protection, monitoring | Patch latency; endpoint-protection gaps |
| Total | 110 | | |
The 320-objective detail matters more than it sounds. A single requirement — say, multi-factor authentication — can carry several determination statements in NIST SP 800-171A, and missing any one of them means the whole requirement isn’t MET. This is why “we have MFA” isn’t the same as “we can demonstrate MFA the way an assessor will check it.”
Rev. 2 vs Rev. 3 — get this one right
CMMC Level 2 is currently assessed against NIST SP 800-171 Revision 2, not Revision 3. NIST withdrew Rev. 2 at the standards level on May 14, 2024 when it published Rev. 3 — but a DoD class deviation keeps Rev. 2 as the operative standard for DFARS 252.204-7012 and CMMC, and C3PAO assessors are not authorized to assess against Rev. 3 (NIST CSRC; DoD class deviation 2024-O0013). Rev. 3 is a different standard — 97 requirements across 17 families — and it isn’t your assessment basis yet. If a consultant is building your assessment package around Rev. 3, confirm exactly why before you spend.
What has to be in scope before the assessment starts?
Your assessment scope must be defined before the assessment begins. 32 CFR Part 170 (§170.19(c)) requires the OSA to specify the CMMC Assessment Scope in advance, and the Cyber AB CMMC Assessment Process requires the C3PAO to validate that scope before moving into the evaluation phase. Scope is the foundation of the entire assessment — get it wrong and everything downstream is wrong.
Scoping is where a lot of preventable failures begin, because it starts with a question many contractors can’t answer cleanly: where does our CUI actually live, and how does it move?
The DoD CMMC Scoping Guide (Level 2) sorts your environment into categories, and each is treated differently in the assessment:
| Asset category | Assessed against the 110? | What evidence is needed | Common mistake |
|---|---|---|---|
| CUI assets (process, store, or transmit CUI) | Yes, fully | System descriptions, data flows, control implementation evidence | Not knowing all the places CUI lands |
| Security Protection Assets (provide security for the scope) | Yes, for the protections they provide | Configuration, coverage, and responsibility evidence | Forgetting tools like SIEM, MFA, or the enclave itself |
| Contractor Risk Managed Assets (could touch CUI but are managed by policy) | Limited, based on your policies | Policies, procedures, and risk-management evidence | Treating them as fully out of scope with no controls |
| Specialized assets (e.g., certain OT/IoT) | Handled per the rule’s specialized-asset guidance | Documentation of how they’re managed and isolated | Assuming they’re automatically exempt |
| Out-of-scope assets | No | Evidence they’re truly separated from CUI | “Out of scope” claims that leak CUI in practice |
The single highest-leverage move in this whole process is to shrink your scope — to consolidate CUI into a defined enclave so fewer systems have to meet all 110 requirements. Done well, it’s the difference between securing a handful of systems and securing your entire company.
How does the Level 2 C3PAO assessment process work?
The Cyber AB CMMC Assessment Process (CAP) organizes a Level 2 certification assessment into four phases after some preliminary steps: Pre-Assessment (plan and confirm readiness), Assess Conformity (examine, interview, and test all 110 requirements), Report Results (independent quality review, out-brief, and upload to eMASS), and Certify/Close-out (issue the Certificate of CMMC Status and manage any POA&M). Understanding these phases is how prepared contractors avoid the delays that derail unprepared ones.
| Phase | What happens | Who leads | Where it can go wrong |
|---|---|---|---|
| Preliminary | Contact an authorized C3PAO; confirm legal entity and CAGE code(s); identify and mitigate conflicts of interest; the C3PAO proposes a Lead CCA; sign an agreement consistent with the Code of Professional Conduct | You + the C3PAO | An unresolved conflict of interest, or unclear corporate/CAGE structure |
| Phase 1 — Pre-Assessment | The C3PAO reviews your SSP for completeness and consistency, validates your scope (including cloud and ESPs), and makes a readiness determination; the Pre-Assessment Form is completed | Lead CCA | Incomplete SSP, unclear scope, or evidence that isn’t accessible — the assessment can be postponed here |
| Phase 2 — Assess Conformity | Assessors evaluate all 110 requirements by examining artifacts, interviewing staff, and testing controls; they score each objective; daily check-ins track progress | Assessment team | Staff who can’t demonstrate a control they “have”; evidence that doesn’t match the SSP |
| Phase 3 — Report Results | A QA reviewer not on the assessment team checks the package; the team delivers an out-brief; the C3PAO uploads results to CMMC eMASS regardless of outcome; an appeals route exists | C3PAO + QA reviewer | Surprises at out-brief because gaps weren’t caught earlier |
| Phase 4 — Certify / Close-out | The C3PAO issues the Certificate of CMMC Status; if a POA&M exists, status is Conditional until closeout within 180 days | C3PAO | Missing the 180-day POA&M window and losing Conditional status |
Two details are worth underlining. First, the C3PAO uploads results into eMASS whether you pass or not. Second, the C3PAO can’t tell you how to fix what they find during the results briefing; their independence rules prohibit it. If you want a dress rehearsal, that’s what a mock assessment is for — run one with a complete evidence package before the real thing, not instead of readiness.
How is Level 2 scored, and when does Conditional status count?
Level 2 is scored using the DoD Assessment Methodology, which starts at a maximum of 110 and subtracts points for requirements that aren’t met, on a scale that runs as low as −203 (32 CFR Part 170, §170.24). To earn a Conditional CMMC status you need a score of at least 88 — that is, your score divided by 110 must be at least 0.8 — with any remaining gaps limited to eligible items on a POA&M. Any POA&M must be closed within 180 days of the Conditional CMMC Status Date, or the status expires.
This is where the old “get any number into SPRS” strategy died. Not every gap can be deferred. The rules are specific (32 CFR Part 170, §170.21):
- You need at least 88 of 110. Your score ÷ 110 must be ≥ 0.8 for a Conditional Level 2 status.
- Only 1-point requirements are eligible for a POA&M. Any requirement worth more than 1 point under the §170.24 scoring methodology — the 3-point and 5-point requirements — must be fully met before the assessment. Multi-factor authentication, for example, is a 5-point requirement, so it isn’t deferrable.
- One narrow exception: SC.L2-3.13.11 (CUI Encryption) may go on a POA&M if encryption is employed but not yet FIPS-validated, in which case it scores as a 3-point deduction rather than 5.
- Six specific 1-point requirements are barred from a POA&M anyway — they must be fully met at the time of assessment regardless of point value:
| Requirement | Name |
|---|---|
| AC.L2-3.1.20 | External Connections (CUI Data) |
| AC.L2-3.1.22 | Control Public Information (CUI Data) |
| CA.L2-3.12.4 | System Security Plan |
| PE.L2-3.10.3 | Escort Visitors (CUI Data) |
| PE.L2-3.10.4 | Physical Access Logs (CUI Data) |
| PE.L2-3.10.5 | Manage Physical Access (CUI Data) |
Note the SSP itself (CA.L2-3.12.4) on that list. A complete System Security Plan isn’t just a scored requirement — it’s a prerequisite for the assessment to proceed at all. The practical translation: the high-point-value requirements and these six prerequisites are the ones you must have working before anyone assesses you.
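The scoring and POA&M-eligibility rules above are mechanical enough to check in code. The block below is an added illustration, not DoD’s official calculator or anything from the Assessment Methodology itself: it starts at 110, subtracts each unmet requirement’s point value, applies the 88 floor, the 1-point-only POA&M rule, the SC.L2-3.13.11 partial-encryption exception (3-point deduction), and the six never-deferrable requirements listed in the table. The six barred IDs and the encryption exception come from the guide; the point values and requirement IDs used in the sample scenarios (IA.L2-3.5.3 for MFA at 5 points, AT.L2-3.2.3 and AU.L2-3.3.3 at 1 point) are assumptions taken from the DoD Assessment Methodology, and the `CONSTRUCTED-1PT-*` findings are made-up placeholders used only to drive the score below 88.

```python
"""Level 2 score and Conditional-status check, encoding the rules the guide lists.

Added illustration, not DoD's calculator. Rules encoded:
  - start at 110 and subtract each unmet requirement's point value
    (the lowest possible result under the methodology is -203);
  - Conditional status needs a score of at least 88 (score / 110 >= 0.8);
  - only 1-point requirements may sit on a POA&M, except SC.L2-3.13.11,
    which may be deferred at a 3-point deduction when encryption is
    employed but not yet FIPS-validated;
  - six 1-point requirements may never be deferred;
  - any POA&M must close within 180 days of the Conditional status date.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SCORE = 110
MIN_SCORE = -203
CONDITIONAL_FLOOR = 88
POAM_WINDOW_DAYS = 180

# The six requirements the guide lists as barred from a POA&M regardless of point value.
NEVER_DEFERRABLE = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
CUI_ENCRYPTION = "SC.L2-3.13.11"      # the one exception to the 1-point-only rule
PARTIAL_ENCRYPTION_DEDUCTION = 3      # employed but not FIPS-validated: 3 instead of 5


@dataclass
class Finding:
    req_id: str
    points: int            # weight under the DoD Assessment Methodology (1, 3 or 5)
    partial: bool = False  # only meaningful for SC.L2-3.13.11 (encryption present, not FIPS-validated)


@dataclass
class Result:
    score: int
    status: str                          # "Final", "Conditional" or "No status"
    poam_items: list[str] = field(default_factory=list)
    blockers: list[str] = field(default_factory=list)


def deduction(f: Finding) -> int:
    """Points subtracted for one unmet requirement."""
    if f.req_id == CUI_ENCRYPTION and f.partial:
        return PARTIAL_ENCRYPTION_DEDUCTION
    return f.points


def evaluate(unmet: list[Finding]) -> Result:
    """Score the assessment and decide which CMMC status, if any, it supports."""
    score = MAX_SCORE - sum(deduction(f) for f in unmet)
    assert MIN_SCORE <= score <= MAX_SCORE, "point weights outside the methodology's range"
    if not unmet:
        return Result(score, "Final")

    blockers, poam = [], []
    for f in unmet:
        if f.req_id in NEVER_DEFERRABLE:
            blockers.append(f"{f.req_id}: never POA&M-eligible, must be MET at assessment")
        elif deduction(f) > 1 and not (f.req_id == CUI_ENCRYPTION and f.partial):
            blockers.append(f"{f.req_id}: {deduction(f)}-point requirement must be met before assessment")
        else:
            poam.append(f.req_id)
    if score < CONDITIONAL_FLOOR:
        blockers.append(f"score {score} is below the {CONDITIONAL_FLOOR} floor "
                        f"({score / MAX_SCORE:.2f} < 0.80)")

    if blockers:
        return Result(score, "No status", [], blockers)
    return Result(score, "Conditional", poam)


def poam_closeout_deadline(conditional_status_date: date) -> date:
    """Last day to close the POA&M before Conditional status expires."""
    return conditional_status_date + timedelta(days=POAM_WINDOW_DAYS)


def sample_scenarios() -> dict[str, Result]:
    """Constructed scenarios; IDs and weights are assumptions from the DoD methodology."""
    mfa = Finding("IA.L2-3.5.3", 5)                        # multi-factor authentication
    enc_partial = Finding(CUI_ENCRYPTION, 5, partial=True)  # encryption in place, not FIPS-validated
    one_pt_a = Finding("AT.L2-3.2.3", 1)
    one_pt_b = Finding("AU.L2-3.3.3", 1)
    visitor_logs = Finding("PE.L2-3.10.4", 1)               # 1 point, but never deferrable
    many_small = [Finding(f"CONSTRUCTED-1PT-{i:02d}", 1) for i in range(25)]  # placeholders
    return {
        "all_met": evaluate([]),
        "eligible_gaps": evaluate([one_pt_a, one_pt_b, enc_partial]),
        "mfa_and_pe_gap": evaluate([mfa, visitor_logs]),
        "too_many_gaps": evaluate(many_small),
    }


if __name__ == "__main__":
    for name, r in sample_scenarios().items():
        print(f"{name}: score={r.score} status={r.status} poam={r.poam_items} blockers={r.blockers}")
```

The `mfa_and_pe_gap` scenario is the one to study: the score (104) clears the 88 floor comfortably, yet the organization gets no status at all, because a 5-point requirement and a barred 1-point requirement are both open. The floor is necessary but not sufficient.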
How do you prepare for a CMMC Level 2 assessment? The 12 No-Go Gates
Before you sign a C3PAO engagement, you should be able to clear twelve readiness gates. If any gate is still open, scheduling a formal certification assessment is premature — you’ll pay for assessor time to document problems you could have found for free. We built this checklist from 32 CFR Part 170, the DoD Level 2 Assessment Guide, the Cyber AB CMMC Assessment Process, and SPRS workflow requirements so you can pressure-test your own readiness in an afternoon.
This is our original readiness framework — the one screen we’d hand a client before they cut a check. Treat any “no” as a stop sign.
| # | Gate | You pass when… | Why it matters |
|---|---|---|---|
| 1 | Clause gate | You know whether you need Level 2 (Self) or Level 2 (C3PAO) | Prevents buying the wrong service entirely |
| 2 | CUI gate | You know everywhere CUI is processed, stored, or transmitted | Scope starts with CUI; unknown CUI = unknown scope |
| 3 | Boundary gate | Systems, locations, users, and CAGE code(s) are mapped | An assessment can't proceed on a vague boundary |
| 4 | SSP gate | Your System Security Plan is complete, accurate, and consistent | The C3PAO reviews it in Phase 1; it can't be deferred (CA.L2-3.12.4) |
| 5 | Evidence gate | Your evidence reflects how controls actually operate | Policies alone don't prove implementation |
| 6 | ESP gate | External Service Providers are documented with a responsibility matrix and available for interview | Assessors may need ESP evidence and people |
| 7 | CSP gate | Cloud responsibility and FedRAMP authorization/equivalency evidence is ready | Cloud claims get verified, not assumed |
| 8 | POA&M gate | Any open items are POA&M-eligible only (see the barred list above) | A disallowed POA&M can leave you with no status |
| 9 | Score gate | You know whether you're at 110, 88–109, below 88, or unknown | Conditional status has a hard 88 floor |
| 10 | SPRS gate | Your PIEE/SPRS roles and affirming official are set up | Status and affirmation gate your eligibility |
| 11 | C3PAO gate | Your chosen C3PAO is currently authorized/accredited in the Cyber AB Marketplace for the assessment you need, with no conflict identified | An unauthorized firm can't produce a valid CMMC status |
| 12 | Sustainment gate | You've named the owner of your annual affirmation | CMMC isn't one-and-done; affirmations continue |
Cleared fewer than twelve gates?
Your next step isn’t a C3PAO — it’s readiness. Run Find My CMMC Path to map your open gaps to the right provider category. You’ll leave with the category to contact first — readiness, evidence software, an enclave, or an assessor — and the questions to ask before you sign.
How do you complete a CMMC Level 2 self-assessment in SPRS?
For a Level 2 self-assessment, your organization conducts the assessment and submits the results in SPRS, then re-assesses every three years with an annual affirmation. 32 CFR Part 170 (§170.16) governs the Level 2 self-assessment path, and the DoD’s SPRS entry process walks through the workflow: enter the assessment by requirement, define scope, list CAGE code(s), record the score, and route to an affirming official for the affirmation.
At a high level, the self-assessment workflow (32 CFR Part 170, §170.16; DoD SPRS guidance):
- Get access to PIEE/SPRS and the appropriate role for your organization.
- Enter the Level 2 self-assessment, working through the 110 requirements.
- Define the assessment scope and list the applicable CAGE code(s). Each assessed system gets a CMMC Unique Identifier (UID) — a ten-character code that tracks it in SPRS.
- Record your score using the DoD Assessment Methodology.
- Route to your affirming official, who submits the affirmation of compliance.
- Your status posts as Final Level 2 (Self) — or Conditional if you have an allowable POA&M.
Do not mistake “self-assessment” for “self-graded.” A self-assessment still requires real, defensible evidence for every objective. The government can — and does — test those representations later, which is the subject of the enforcement section below.
How much does a CMMC Level 2 assessment cost in 2026?
There is no single published price for a CMMC Level 2 assessment, and any guide that quotes one number is oversimplifying. DoD’s own rule estimates a Level 2 C3PAO cycle at roughly $104,670 for a small entity (about $117,690 for larger ones) — but that figure starts at the assessment phase and deliberately excludes the remediation and documentation most contractors actually pay for. Once you include closing gaps, building an SSP, and any CUI enclave, real all-in costs commonly run $50,000 to $300,000+, and the C3PAO fee itself is typically only a fraction of the total.
What DoD estimates (from the CMMC rule’s regulatory impact analysis, Federal Register, October 15, 2024, for a small entity)
| Component | DoD estimate |
|---|---|
| Conduct the C3PAO assessment | $76,743 |
| Plan and prepare for the assessment | $20,699 |
| Report assessment results | $2,851 |
| Annual affirmations (3-year cycle, ~$1,459/yr) | $4,377 |
| DoD-estimated 3-year total (small entity) | ≈ $104,670 |
What the market reports (2026 provider cost analyses — not DoD figures)
| Line item | Typical 2026 range |
|---|---|
| C3PAO assessment fee alone (single-site small business) | $30,000–$75,000 (multi-site/complex: up to ~$120,000–$150,000) |
| Gap/readiness assessment | $5,000–$20,000 |
| SSP and documentation | $12,000–$70,000 |
| Remediation / control implementation | $20,000–$150,000+ (usually the biggest line item) |
| CUI enclave (recurring) | Roughly $300–$400/user/month up to ~$3,000–$4,000/month |
| All-in first-cycle Level 2 (C3PAO) | $50,000–$300,000+ |
The insight worth internalizing: the assessment invoice is the small part. For a contractor starting from low maturity, remediation and documentation dwarf the audit fee — the C3PAO fee is often only about a quarter to a third of the total. The lever that moves this number most is scope: the tighter your CUI boundary, the fewer systems you have to bring to all 110 requirements.
For a full cost breakdown by company size and region, see our dedicated CMMC Level 2 cost guide.
How long does a CMMC Level 2 assessment take — and can you even get a slot?
Plan for two clocks. Readiness — reaching the point where you can pass — typically takes 6 to 18 months depending on your starting maturity. Then the C3PAO itself: scheduling lead times commonly run 6 to 12 months because there are only about 100 authorized assessors for tens of thousands of contractors, and the on-site or remote engagement usually spans several days to a few weeks. Work backward from any contract deadline accordingly.
The capacity math is the part contractors underestimate. As reported at the March 2026 Cyber AB Town Hall, the ecosystem had roughly 103 authorized C3PAOs and about 759 credentialed assessors (CCAs), and had certified approximately 1,000 organizations — against a DIB that DoD estimates at tens of thousands of organizations needing Level 2. In one recent month (March 2026), about 178 new Level 2 certificates were issued. And a September 2025 survey of defense contractors by Merrill Research found that just 1% said they were fully prepared for CMMC assessments.
(These figures move — verify the current count at the Cyber AB Marketplace and the latest Town Hall before relying on them.)
Run that forward and the conclusion is uncomfortable but useful: at current throughput, full coverage of the DIB is years away, and demand will spike as Phase 2 approaches. The near-term bottleneck isn’t only assessor supply — it’s readiness. The contractors who get scope, evidence, and documentation done now will be the ones who can book and pass while everyone else is still starting. This is real scarcity, not a marketing invention.
Know your gaps but not your provider type?
Compare CMMC provider categories with Find My CMMC Path. The tool maps your level, scope, evidence maturity, and timeline to a category — RPO/RP, MSSP, GRC platform, CUI enclave, or C3PAO — and tells you which to talk to first.
What the enforcement cases teach: your score has to be defensible
A CMMC Level 2 result — self-assessed or certified — is a representation to the government, and the government can test it. Recent False Claims Act settlements show what happens when a self-reported score doesn’t match reality: in June 2026, a Navy contractor that posted a perfect 110 to SPRS settled for $507,144 after a DoD assessment found its true score was −170. These aren’t CMMC certification cases, but they involve the exact NIST SP 800-171 controls that CMMC Level 2 measures — and they’re the clearest available preview of how inaccurate scores become legal exposure.
LOGZONE, Inc. (settled June 18, 2026)
The Huntsville, Alabama logistics firm held two Navy contracts requiring NIST SP 800-171 implementation and a current SPRS score. According to the settlement, on October 13, 2021, it self-reported a perfect 110. On February 2, 2024, DCMA’s DIBCAC assessed the company and found the real score should have been −170 — near the bottom of the −203-to-110 range. DOJ alleged LOGZONE kept billing on those contracts for years while that gap existed, and the company agreed to pay $507,144 to resolve the matter. There was no whistleblower — DOJ investigated it directly. The settlement includes no admission of liability; the claims are allegations only. (U.S. Department of Justice)
Georgia Tech Research Corporation (settled September 30, 2025)
GTRC, the research affiliate that contracts on Georgia Tech’s behalf, settled for $875,000 over Air Force and DARPA work at its Astrolavos Lab. DOJ alleged the organization submitted a December 2020 summary-level score of 98 based on a “fictitious” or “virtual” campus-wide environment that didn’t reflect the actual systems handling covered information — and that it had failed to run antivirus tools until late 2021 and lacked a System Security Plan until 2020. GTRC litigated the case before settling; the claims are allegations only, with no determination of liability. (U.S. Department of Justice)
Why this belongs in an assessment guide: neither settlement alleged a data breach — the exposure came from the gap between what was reported and what was true. A self-attested score you can’t defend with real evidence isn’t a compliance checkbox; it’s a signed representation the government can later test. If you’re not confident your current SPRS score would hold up, that’s a readiness problem to solve now — not after an invoice.
How does Level 2 flow down to subcontractors?
CMMC requirements flow down to subcontractors and suppliers at every tier that processes, stores, or transmits FCI or CUI. Under 32 CFR Part 170 (§170.23), a subcontractor handling only FCI needs Level 1 (Self) as a minimum, a subcontractor handling CUI needs at least Level 2 (Self), and a subcontractor handling CUI under a prime requirement of Level 2 (C3PAO) needs Level 2 (C3PAO) as a minimum. Your required level follows the information you handle — it isn’t automatically the same as your prime’s.
Before you spend anything, ask your prime three questions — is this FCI or CUI, what CMMC level and assessment type applies to us, and by when — and, if the answer is ambiguous, get a Registered Practitioner or a federal-contracts attorney to review it. A short conversation here can save a wrong six-figure decision.
How do cloud providers, ESPs, MSPs, and CUI enclaves change the assessment?
External providers can reduce, inherit, or complicate your assessment scope depending on what they process, store, transmit, or protect. The Cyber AB CMMC Assessment Process requires assessors to verify FedRAMP authorization when you rely on a cloud service for CUI, and to evaluate inherited-responsibility claims through your Customer Responsibility Matrix and supporting evidence. “The vendor is compliant” does not automatically make your environment compliant.
The distinctions to keep straight:
- A Cloud Service Provider (CSP) that stores or processes your CUI generally needs to meet FedRAMP Moderate authorization or equivalency, and you’ll need the evidence to prove it (DFARS 252.204-7012; Cyber AB CMMC Assessment Process).
- An External Service Provider (ESP) — an MSP, MSSP, or similar — that touches your CUI or your security-protection data becomes part of your assessment story. You’ll document the split of duties in a Customer Responsibility Matrix (CRM) or Shared Responsibility Matrix, and the ESP’s people may need to be available to assessors.
- A CUI enclave — a dedicated, walled-off environment for CUI — is the most common way to shrink scope. But an enclave reduces your burden; it doesn’t erase your responsibility. You still own the SSP, the evidence, and the parts of the environment outside the enclave.
| Provider type | What it does for you | Evidence you must have | What breaks if it’s missing |
|---|---|---|---|
| CSP handling CUI (e.g., GCC High, GovCloud) | Stores or processes your CUI in the cloud | FedRAMP Moderate authorization or equivalency evidence; Customer Responsibility Matrix | Cloud claims fail verification; a scope gap the assessor can’t clear |
| ESP / MSP / MSSP touching CUI or security data | Operates part of your environment or your security tooling | Customer/Shared Responsibility Matrix; ESP personnel available to assessors | Split of duties is unclear; the assessor can’t confirm who does what |
| CUI enclave | Walls CUI off to shrink your scope | CUI flow diagram, boundary definition, inherited-control mapping | “Out of scope” claims leak; the scope reduction doesn’t hold |
| GRC platform | Organizes evidence, policies, and control mapping | Documented, current evidence tied to each requirement | Mistaken for implementation — software tracks controls, it doesn’t satisfy them |
The takeaway: inherited controls are real and valuable, but they’re inherited with evidence, not on faith.
Which provider category should you talk to first?
If you’re not assessment-ready, do not start with a C3PAO as if the assessment will fix your gaps — it can’t, and the independence rules forbid it. A C3PAO performs the formal certification assessment. Readiness, remediation, evidence workflow, managed security, and enclave design belong to different provider categories, and matching your situation to the right one first is what saves money and time.
- Need to interpret your clause, scope, or flow-down? Start with a Registered Provider Organization / Registered Practitioner (RPO/RP) or a qualified federal-contracts attorney.
- Need to implement or remediate controls? Start with an MSP, MSSP, or vCISO / readiness provider — the category built to close gaps.
- Need to organize and manage evidence and policies? A GRC platform helps as a supporting layer — but software alone does not satisfy CMMC. It documents and tracks; it doesn’t implement your controls or pass your assessment for you.
- Need to contain CUI and shrink scope? A CUI enclave / secure collaboration provider or a GCC High / GovCloud implementer.
- Genuinely assessment-ready? Then — and only then — engage an authorized/accredited C3PAO, and confirm their current status on the Cyber AB Marketplace on the day you sign.
A note on how we handle this: we route readers to a category, never to a ranked “best provider” list, and we never imply a provider is endorsed by us, by the Cyber AB, or by DoD. On this page, the honest, useful answer is the category — and the tool that maps you to it.
Ready to move but unsure who fits?
Tell us your level, scope, and timeline, and we’ll map you to the provider category that fits your situation — readiness first if that’s where you are. Category match, disclosed relationships, no rankings.
Get matched with source-checked provider options →
What mistakes delay or derail a CMMC Level 2 assessment?
Most Level 2 delays trace back to scope, evidence, and sequencing — not to technical incompetence. The recurring culprits are unclear CUI flows, an SSP that doesn’t match the real environment, a self-reported score without supporting evidence, missing cloud/ESP documentation, POA&M items that aren’t eligible, and scheduling a C3PAO before readiness.
The avoidable mistakes, in the order we see them:
- Treating the gap assessment as the starting gun. A gap assessment tells you where you stand; it isn’t readiness. Booking a C3PAO right after one is premature.
- Assuming Level 2 always means C3PAO. Many contractors need only a self-assessment. Confirm the clause first.
- Building to Rev. 3 instead of Rev. 2. CMMC is assessed against Rev. 2 today.
- Mistaking a GRC dashboard for proof of implementation. The tool tracks controls; it doesn’t implement them.
- Not mapping CUI flows — and letting CUI drift into non-scoped email or file storage.
- Missing ESP/CSP evidence and inherited-responsibility documentation.
- Posting an unsupported SPRS score. See the enforcement section above.
- Treating Conditional status as the finish line. The 180-day POA&M clock is real.
Every one of these is cheaper to fix before the assessment than during it.
What we actually verified for this guide
We built this guide from primary and official sources, and we separate what the rules say from what we conclude. Here’s what we read and cross-checked, and the date we did it (last reviewed ).
- 32 CFR Part 170 (eCFR) — applicability and phases (§170.3), the two Level 2 assessment paths (§170.16 self, §170.17 C3PAO), scoping (§170.19), POA&M eligibility and the six barred requirements (§170.21), the scoring methodology and −203-to-110 scale (§170.24), affirmation (§170.22), and flow-down (§170.23).
- DFARS 252.204-7021 and 252.204-7025 (Acquisition.gov) — the CMMC clause, the level-requirement notice, current-status and affirmation conditions, and the CMMC UID.
- NIST SP 800-171 Rev. 2 and 800-171A (NIST CSRC) — the 110 requirements across 14 families, and the 320 assessment objectives.
- DoD CMMC Level 2 Assessment Guide and CMMC Scoping Guide – Level 2 — the assessment paths and scope categories.
- Cyber AB CMMC Assessment Process (CAP) v2.0 — the four assessment phases and the C3PAO independence rules.
- Federal Register (89 FR 83214) — the DoD cost estimates.
- U.S. Department of Justice announcements and settlement records — the LOGZONE ($507,144) and Georgia Tech ($875,000) matters.
- DoD class deviations (Feb. 1, 2026) and the ISACA/CAICO transition (April 2026) — current clause numbering and credentialing.
Frequently asked questions
Is CMMC Level 2 a self-assessment or a C3PAO assessment?
It can be either. The official DoD Level 2 Assessment Guide covers both a Level 2 self-assessment and a Level 2 certification assessment by a C3PAO. Which one applies to you is determined by your solicitation, through the DFARS 252.204-7025 notice, not by your company size or a checklist; the DFARS 252.204-7021 clause then requires you to maintain that status.
Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?
Current CMMC Level 2 assessments use NIST SP 800-171 Revision 2. NIST published Revision 3 in 2024, but a DoD class deviation keeps Rev. 2 as the operative standard, and C3PAO assessors are not authorized to assess against Rev. 3 until DoD changes the rule.
How many requirements are in CMMC Level 2?
Level 2 covers the 110 security requirements in NIST SP 800-171 Rev. 2, organized into 14 control families. Those 110 requirements break down into 320 assessment objectives defined in NIST SP 800-171A, all of which are evaluated.
What score do I need for Conditional Level 2?
You need a score of at least 88 out of 110 — your score divided by 110 must be at least 0.8 — with any remaining gaps limited to eligible POA&M items. A Conditional status must be resolved by closing the POA&M within 180 days (32 CFR Part 170, §170.21).
Can I use a POA&M for CMMC Level 2?
Yes, but only for 1-point requirements, and never for requirements worth more than 1 point — with one narrow exception for CUI Encryption (SC.L2-3.13.11) when encryption is employed but not FIPS-validated. Six specific 1-point requirements are also barred from a POA&M, including your System Security Plan (CA.L2-3.12.4). Level 1 does not allow POA&Ms at all.
Where do CMMC Level 2 results go?
Level 2 self-assessment results are entered into SPRS. Level 2 C3PAO certification results are uploaded by the C3PAO into CMMC eMASS and then transmitted to SPRS, where contracting officers verify your status before award (32 CFR Part 170, §170.16 and §170.17).
How long is CMMC Level 2 status valid?
A Final Level 2 status — self-assessed or C3PAO-certified — is tied to a three-year cycle with an annual affirmation of continued compliance (32 CFR Part 170, §170.22). A Conditional Level 2 status is valid for 180 days, within which the POA&M must be closed.
Should I hire a C3PAO first?
Only if you’re assessment-ready or your contract specifically requires the certification assessment and you’ve closed your gaps. If you still need scoping, remediation, evidence workflow, managed security, or a CUI enclave, start with the category that solves that problem — a C3PAO can’t also prepare you for the same engagement.
Can my readiness consultant also be my C3PAO?
Generally no. A C3PAO that provides advice, recommendations, or implementation assistance creates a conflict of interest for that assessment engagement under the Cyber AB’s rules, and a C3PAO cannot provide remediation advice through the assessment results process. Treat readiness help and formal assessment as separate functions.
Do subcontractors need CMMC Level 2?
A subcontractor that processes, stores, or transmits CUI needs at least Level 2 (Self); if the related prime requirement is Level 2 (C3PAO), the subcontractor needs Level 2 (C3PAO) as a minimum. A subcontractor handling only FCI needs Level 1 (Self). Your level follows the information you handle (32 CFR Part 170, §170.23).
What happens if I fail a CMMC Level 2 assessment?
If a Level 2 assessment identifies NOT MET requirements, some may be re-evaluated during the assessment or within a short window afterward (see 32 CFR Part 170, §170.17). If your score is at least 88 and the remaining gaps are POA&M-eligible, the result can be Conditional — which you must close out within 180 days. If the gaps aren’t eligible or you’re below the threshold, you remediate and re-engage for a new or continued assessment. A full mock assessment beforehand is the best way to avoid this outcome.
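The three answers above (the 88-point threshold, the 1-point POA&M rule with its CUI Encryption exception, and what happens when you fall short) describe one decision procedure. The following is an added example, written for this guide and not DoD’s or the Cyber AB’s own tooling, that works through it on constructed NOT MET lists. It assumes the DoD Assessment Methodology weights of 1, 3 and 5 points per requirement and a 3-point deduction for SC.L2-3.13.11 when encryption is employed but not FIPS-validated; the page itself states only that some requirements are worth more than 1 point. The barred-from-POA&M set is seeded only with the requirement the page names (CA.L2-3.12.4); fill in the other five from §170.21 before relying on it. The `1PT-*` and `5PT-*` identifiers are placeholders, not real requirement ids.

```python
"""Worked SPRS-style scoring and POA&M eligibility check for a CMMC Level 2 result."""
from dataclasses import dataclass

MAX_SCORE = 110             # all 110 NIST SP 800-171 Rev. 2 requirements MET
MIN_SCORE = -203            # floor of the DoD scoring scale
CONDITIONAL_THRESHOLD = 88  # 0.8 * 110
POAM_WINDOW_DAYS = 180      # a Conditional status must be closed within this window

# ASSUMPTION: per-requirement weights (1, 3 or 5) follow the DoD Assessment
# Methodology; this page only states that some requirements are worth more than 1.
VALID_WEIGHTS = {1, 3, 5}

# 1-point requirements that 32 CFR 170.21 bars from a POA&M anyway. The page names
# only the System Security Plan requirement; add the other five from §170.21 yourself.
BARRED_FROM_POAM = {"CA.L2-3.12.4"}

CUI_ENCRYPTION = "SC.L2-3.13.11"  # the one non-1-point requirement with a POA&M exception


@dataclass(frozen=True)
class NotMet:
    """One NOT MET requirement from the assessment."""
    req_id: str
    weight: int
    # Only meaningful for SC.L2-3.13.11: encryption is in place but not FIPS-validated.
    encryption_employed_non_fips: bool = False

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.req_id}: weight must be one of {sorted(VALID_WEIGHTS)}")


def deduction(item: NotMet) -> int:
    """Points subtracted for one NOT MET requirement."""
    # ASSUMPTION: the DoD methodology deducts 3 (not 5) for CUI encryption that is
    # employed but not FIPS-validated; everything else deducts its full weight.
    if item.req_id == CUI_ENCRYPTION and item.encryption_employed_non_fips:
        return 3
    return item.weight


def compute_score(not_met: list[NotMet]) -> int:
    """Start at 110, subtract each deduction, never drop below -203."""
    return max(MIN_SCORE, MAX_SCORE - sum(deduction(i) for i in not_met))


def poam_eligible(item: NotMet) -> bool:
    """Can this NOT MET requirement sit on a POA&M under §170.21?"""
    if item.req_id == CUI_ENCRYPTION and item.encryption_employed_non_fips:
        return True                      # the narrow CUI Encryption exception
    if item.req_id in BARRED_FROM_POAM:
        return False                     # 1-point but explicitly barred
    return item.weight == 1              # otherwise: 1-point requirements only


def evaluate(not_met: list[NotMet]) -> dict:
    """Classify the result as Final, Conditional, or Remediate (fix gaps, re-engage)."""
    score = compute_score(not_met)
    ineligible = sorted(i.req_id for i in not_met if not poam_eligible(i))
    if not not_met:
        status = "Final"
    elif score >= CONDITIONAL_THRESHOLD and not ineligible:
        status = "Conditional"           # POA&M must close within 180 days
    else:
        status = "Remediate"             # below threshold or a non-POA&M-able gap
    return {
        "score": score,
        "status": status,
        "ineligible_for_poam": ineligible,
        "poam_days": POAM_WINDOW_DAYS if status == "Conditional" else 0,
    }


# Constructed sample gap lists; "1PT-*" ids are placeholders, not real requirement ids.
SAMPLE_CONDITIONAL = [
    NotMet("1PT-A", 1), NotMet("1PT-B", 1),
    NotMet(CUI_ENCRYPTION, 5, encryption_employed_non_fips=True),
]
SAMPLE_BARRED = [NotMet("1PT-A", 1), NotMet("CA.L2-3.12.4", 1)]
SAMPLE_BELOW_THRESHOLD = [NotMet(f"1PT-{n}", 1) for n in range(23)]

if __name__ == "__main__":
    for name, gaps in [("conditional", SAMPLE_CONDITIONAL),
                       ("barred item", SAMPLE_BARRED),
                       ("below threshold", SAMPLE_BELOW_THRESHOLD)]:
        print(name, evaluate(gaps))
```

Run it and the three samples show the three ways the FAQ answers play out: two 1-point gaps plus non-FIPS encryption scores 105 and is Conditional; a single barred 1-point gap scores 108 but cannot be Conditional because the SSP requirement is not POA&M-able; twenty-three 1-point gaps are all individually eligible, but the score of 87 is under the 88 threshold.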
Before you request quotes: a 60-second gut check
Before you spend a dollar on a provider, confirm you can answer these three — they’re the questions that separate contractors who are ready from contractors who are about to waste money:
- Do I know whether my solicitation requires Level 2 (Self) or Level 2 (C3PAO)?
- Do I know everywhere my CUI is processed, stored, or transmitted?
- Do I know whether my open gaps are POA&M-eligible (1-point only, none on the barred list)?
If you hesitated on any of them, that’s not a failure — it’s a map. Handle those first and every quote you request afterward gets sharper, faster, and cheaper.
Your next step with this CMMC Level 2 assessment guide
The short version to act on: confirm your clause, map your CUI scope, decide whether you’re on the Level 2 (Self) or Level 2 (C3PAO) path, close your gaps until your score is defensible, and only then request quotes — from the right provider category, in the right order.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Related reading
- Level 2 self-assessment vs C3PAO: how to tell which you need
- Conditional Level 2 and POA&M closeout rules
- How to choose a C3PAO when you’re assessment-ready
- CMMC Level 2 cost: full breakdown by size and region
- CMMC scoping guide: define your CUI boundary
- SPRS score guide: post a score that holds up
- The full CMMC certification process