CMMC Level 2 Assessment Preparation: What to Get Ready Before You Assess
Here’s the trap we watch defense contractors walk into every week: a CMMC clause shows up in a solicitation, somebody panics, and the first phone call goes to a C3PAO — the firm that runs the official certification assessment. Three months and a five-figure invoice later, they’ve paid assessment rates to discover problems a readiness provider could have found for a fraction of the cost. The assessment is not where you fix things. It’s where you prove you already did.
So let’s fix the order of operations.
CMMC Level 2 assessment preparation is the work of getting your scoped CUI environment, your documentation, and your evidence to the point where you can prove — with final, approved artifacts — that all 110 NIST SP 800-171 Revision 2 security requirements are implemented, before you either submit a Level 2 self-assessment in SPRS or sit for a Level 2 C3PAO certification assessment. Which path you’re on is set by your contract, not your preference. To pass — even conditionally — you need at least 88 of the 110 requirements fully met, no 3-point or 5-point controls on a POA&M, and a complete, approved SSP in hand before the assessor scores a single objective.
That’s the bottom line. The rest of this page is the part nobody hands you in one place: exactly what “ready” means, what evidence counts, what you can and can’t defer, what it actually costs, and who to call first so you don’t waste money or trip an independence rule.
Find yourself in this table first.
| Your situation | Your best next step | What not to do |
|---|---|---|
| Solicitation says Level 2 (Self-Assessment) | Build your evidence, run the self-assessment, post your score and affirmation in SPRS. | Don’t hire a C3PAO just because you saw the words “Level 2.” |
| Solicitation says Level 2 (C3PAO) | Finish readiness work first, then schedule an authorized C3PAO. | Don't let the firm that fixed your gaps also be the one that certifies them. |
| Clause or flow-down is unclear | Ask the contracting officer or your prime, in writing, for the required CMMC status. | Don't guess based on a vendor's sales pitch. |
| Your scope is fuzzy | Map your CUI, draw the boundary, and inventory assets before collecting evidence. | Don't start gathering evidence for your entire company blind. |
| Your evidence is mostly drafts | Finalize and approve policies, then collect proof the controls actually run. | Don't walk in with draft policies — the rule rejects them. |
| Your deadline is under 180 days | Test your POA&M eligibility and your non-deferrable gaps immediately. | Don't assume a plan of action will save the assessment. |
Not sure whether you need readiness help, a C3PAO, or both?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options — readiness first, assessment only when you’re ready.
What Does “CMMC Level 2 Assessment Preparation” Actually Mean?
CMMC Level 2 assessment preparation is everything you do to make your environment, documentation, and evidence ready for a Level 2 assessment — defining scope, implementing the controls, finalizing the System Security Plan, building an evidence package mapped to assessment objectives, and running a practice assessment. The standard is the 110 NIST SP 800-171 Revision 2 security requirements, organized into 14 control families, and the same 110 apply whether your contract specifies a self-assessment or a third-party C3PAO assessment.
Two terms defined once so we can use them freely:
- CUI (Controlled Unclassified Information): government information that isn’t classified but still requires safeguarding under law or policy. If your systems process, store, or transmit CUI, you’re in Level 2 territory.
- C3PAO (CMMC Third-Party Assessment Organization): a firm authorized by the Cyber AB (the program’s accreditation body) to run official Level 2 certification assessments and issue your CMMC status.
Preparation is not the same as certification, and conflating the two is the single most expensive mistake we see. Preparation is the months of scoping, remediation, documentation, and evidence work. The assessment — self or third-party — is the verification event at the end. A good C3PAO assessment confirms readiness; it should not be the moment you discover that multi-factor authentication was never fully deployed.
One precise correction that will save you money: CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. NIST published Rev. 3 in 2024, but the CMMC Program Rule (32 CFR Part 170) incorporates Rev. 2 and its companion assessment guide, NIST SP 800-171A. Until the Department of Defense amends the rule, you prepare against Rev. 2. Building toward Rev. 3 today means preparing for an exam that isn’t being given.
And yes, many people search “CMMC audit preparation.” The official word is assessment, not audit — a small distinction with a big implication. You’re not trying to charm an auditor. You’re trying to prove every applicable objective with evidence that holds up.
Do You Prepare for a Level 2 Self-Assessment or a Level 2 C3PAO Assessment?
You don’t choose your Level 2 path — your contract does. A Level 2 self-assessment (governed by 32 CFR 170.16) lets your organization assess itself, post the score to SPRS, and submit an annual affirmation. A Level 2 certification assessment (32 CFR 170.17) must be performed by an authorized C3PAO, with results entered into the CMMC instance of eMASS and transmitted to SPRS. Both paths assess the identical 110 NIST SP 800-171 Rev. 2 requirements. The difference is who verifies the evidence and where the result lands — which is why your preparation for both looks nearly the same, except the C3PAO path adds the assessor’s examine/interview/test scrutiny.
Here’s how to find your answer in the paperwork instead of guessing:
- Look for DFARS 252.204-7025 in the solicitation and the DFARS 252.204-7021 clause in the contract.
- Confirm whether the required status is Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC).
- If you’re a subcontractor, request the flow-down requirement from your prime in writing. Under 32 CFR 170.23, primes must pass CMMC requirements to subs handling FCI or CUI.
- If it’s still ambiguous, ask the contracting officer or prime directly. Do not let a vendor’s revenue model decide your assessment path for you.
| Your contract says | Preparation path | Provider category to start with |
|---|---|---|
| Level 2 (Self) | Readiness work, then self-assess and post to SPRS | RPO / readiness MSP / MSSP; GRC software if you need evidence workflow |
| Level 2 (C3PAO) | Readiness work first; a separate C3PAO later | Readiness/RPO first — C3PAO only when assessment-ready |
| Level 3 (DIBCAC) | Achieve Level 2 (C3PAO) first, then Level 3 prep | Advanced readiness + C3PAO, then the DIBCAC path |
| Unclear | Get written clarification before spending | Neutral matching triage |
For a deeper comparison of the two paths, see our CMMC self-assessment vs. C3PAO guide.
Confirm your Level 2 path before you buy any help: answer a few non-sensitive questions and we’ll point you to the provider category that fits your clause and stage.
What Score Do You Need to Pass — and What Can You Actually Put on a POA&M?
To earn even conditional Level 2 status, your assessment score divided by 110 must be 0.8 or higher — a minimum of 88 out of 110 — and only the lowest-value gaps may be deferred to a POA&M (a Plan of Action and Milestones). Critically, every 3-point and 5-point requirement, plus six specific 1-point requirements, must be fully met at the time of assessment; they cannot ride on a POA&M. And a complete System Security Plan must exist before any scoring begins.
This is the heart of preparation, and it’s where most pages wave their hands. We read 32 CFR 170.21 (the POA&M rule) and 32 CFR 170.24 (the scoring methodology) line by line and built the gate map below.
The DCR Level 2 Pass/Fail Gate Map
| What the rule says | Primary source | What it means for you |
|---|---|---|
| You start at 110 points; each unmet requirement subtracts 1, 3, or 5 points based on its security impact. | 32 CFR 170.24 | Your “SPRS score” is 110 minus your weighted gaps. One 5-point miss drops you to 105 — and 5-point items can’t be deferred. |
| Conditional status requires a score ≥ 88 (the 0.8 threshold). | 32 CFR 170.21(a)(2)(i) | 88 is the floor to be conditionally certified. Below it, you don't pass — period. |
| Only 1-point requirements are POA&M-eligible. | 32 CFR 170.21(a)(2)(ii) | Every 3-point and 5-point requirement must be fully met before the assessor scores it. |
| Six 1-point requirements are also excluded from POA&Ms by name. | 32 CFR 170.21(a)(2)(iii) | "Only 1 point" doesn't mean "safe to defer." The six are listed below. |
| Encryption: not FIPS-validated = −3; no encryption = −5. Narrow exception: SC.L2-3.13.11 may go on a POA&M only if encryption is in use but not yet FIPS-validated. | 32 CFR 170.21(a)(2)(ii); 170.24 | If you encrypt CUI with a non-validated module, you can narrowly defer it. If you don't encrypt at all, you can't. |
| MFA not implemented for any users = −5 (non-deferrable). | 32 CFR 170.24 | Multi-factor authentication has to be working, not planned. |
| A complete SSP must exist at assessment, or the result is "an assessment could not be completed." | 32 CFR 170.24; Subpart D | No System Security Plan, no assessment. It's a prerequisite, not just a scored line. |
| All evidence must be in final form — drafts, working papers, and unapproved policies are explicitly unacceptable. | 32 CFR 170.24(b) | A binder of draft policies will not pass. Approve, implement, then evidence. |
| Open POA&M items must be closed within 180 days of your Conditional CMMC Status Date, confirmed by a closeout assessment, or the status expires. | 32 CFR 170.21(b); 170.17 | The 180-day clock is hard. C3PAO path: the C3PAO does the closeout. Self path: you do. |
| Final status is valid 3 years; you must affirm annually, or the status lapses. | 32 CFR 170.22 | This is a program, not a one-and-done certificate. |
The six 1-point controls you cannot defer (named in 32 CFR 170.21(a)(2)(iii)):
- AC.L2-3.1.20 — External Connections
- AC.L2-3.1.22 — Control Public Information
- CA.L2-3.12.4 — System Security Plan
- PE.L2-3.10.3 — Escort Visitors
- PE.L2-3.10.4 — Physical Access Logs
- PE.L2-3.10.5 — Manage Physical Access
Now the arithmetic that decides your readiness. Because only 1-point items are deferrable, only 47 of the 110 requirements can ever sit on a POA&M. The other 63 — every 3- and 5-point requirement, plus the six 1-point controls named above — must be fully met when the assessor scores them. And since you still need 88 points to clear the bar, you can carry at most about 19 to 22 deferred items. That’s a thin margin. If even one of your open gaps is a 3-point control, a 5-point control, or one of those six named 1-pointers, you are not assessment-ready — no matter how good your headline score looks.
One nuance worth banking: the scoring methodology recognizes three findings — Met, Not Met, and Not Applicable. A requirement that genuinely doesn’t apply to your environment is scored as if Met. So is an “enduring exception” — a system where full compliance isn’t feasible — when it’s properly described with mitigations in your SSP. Documenting non-applicability and enduring exceptions correctly is a legitimate, regulation-blessed way to protect your score, and most contractors leave points on the table by skipping it.
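The gate rules above, worked through as an added example (this is illustrative code, not part of the rule text or of any DCR tooling): a small checker that applies the 32 CFR 170.21 and 170.24 logic from the gate map to a list of findings. Only the weights this page states are used for real requirement IDs (MFA at -5, SC.L2-3.13.11 at -3/-5, the six named 1-point exclusions); every `XX.L2-3.99.*` identifier and its weight is a constructed placeholder, and real weights come from the DoD Assessment Methodology annex.

```python
from dataclasses import dataclass, field
from enum import Enum


class Finding(Enum):
    MET = "Met"
    NOT_MET = "Not Met"
    NOT_APPLICABLE = "Not Applicable"   # scored as if Met (32 CFR 170.24)


TOTAL_POINTS = 110
PASS_THRESHOLD = 88                     # 0.8 * 110, 32 CFR 170.21(a)(2)(i)
FIPS_REQUIREMENT = "SC.L2-3.13.11"      # -3 if encrypting but not FIPS-validated, -5 if not encrypting
# 32 CFR 170.21(a)(2)(iii): 1-point requirements that may never sit on a POA&M.
NON_DEFERRABLE_ONE_POINT = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass
class Requirement:
    ident: str
    weight: int                        # 1, 3 or 5 from the DoD Assessment Methodology annex
    finding: Finding
    encryption_in_use: bool = False    # only consulted for SC.L2-3.13.11


@dataclass
class GateResult:
    score: int
    status: str                        # "Final", "Conditional", "Not certified", or the SSP failure text
    blockers: list = field(default_factory=list)
    poam_items: list = field(default_factory=list)


def deduction(req: Requirement) -> int:
    """Points lost for one requirement. Met and Not Applicable both cost nothing."""
    if req.finding is not Finding.NOT_MET:
        return 0
    if req.ident == FIPS_REQUIREMENT:
        return 3 if req.encryption_in_use else 5
    return req.weight


def poam_eligible(req: Requirement) -> bool:
    """Only 1-point gaps may be deferred, minus the six named exclusions, plus the narrow FIPS case."""
    if req.ident in NON_DEFERRABLE_ONE_POINT:
        return False
    if req.ident == FIPS_REQUIREMENT:
        return req.encryption_in_use
    return req.weight == 1


def evaluate(findings, ssp_complete: bool) -> GateResult:
    """Apply the gate. `findings` lists every requirement that is not simply Met;
    anything unlisted is treated as Met and costs nothing."""
    if not ssp_complete:   # 32 CFR 170.24: no SSP means no assessment, not a lower score
        return GateResult(0, "Assessment could not be completed",
                          blockers=["No complete System Security Plan"])
    result = GateResult(TOTAL_POINTS, "Final")
    for req in findings:
        lost = deduction(req)
        if lost == 0:
            continue
        result.score -= lost
        if poam_eligible(req):
            result.poam_items.append(req.ident)
        else:
            result.blockers.append(f"{req.ident} (-{lost}, not POA&M-eligible)")
    if result.blockers or result.score < PASS_THRESHOLD:
        result.status = "Not certified"
    elif result.poam_items:
        result.status = "Conditional"
    return result


def sample_scenarios() -> dict:
    """Constructed findings. XX.L2-3.99.* IDs and their weights are placeholders."""
    as_found = [
        Requirement("IA.L2-3.5.3", 5, Finding.NOT_MET),          # MFA not deployed for anyone: -5, blocker
        Requirement("AC.L2-3.1.20", 1, Finding.NOT_MET),         # named exclusion: a 1-point blocker
        Requirement(FIPS_REQUIREMENT, 3, Finding.NOT_MET, encryption_in_use=True),  # -3, deferrable
        Requirement("XX.L2-3.99.90", 1, Finding.NOT_MET),        # ordinary 1-point gap: deferrable
        Requirement("XX.L2-3.99.91", 3, Finding.NOT_APPLICABLE), # documented N/A: scored as Met
    ]
    after_fixes = [r for r in as_found if r.ident not in ("IA.L2-3.5.3", "AC.L2-3.1.20")]
    # 23 deferrable 1-point gaps: all POA&M-eligible, yet 110 - 23 = 87 misses the floor.
    too_many = [Requirement(f"XX.L2-3.99.{i}", 1, Finding.NOT_MET) for i in range(23)]
    return {
        "as_found": evaluate(as_found, ssp_complete=True),
        "after_fixes": evaluate(after_fixes, ssp_complete=True),
        "too_many_poam": evaluate(too_many, ssp_complete=True),
        "no_ssp": evaluate(as_found, ssp_complete=False),
    }
```

The "as found" scenario scores 100, well above 88, and still fails: both the MFA gap and the named 1-point exclusion are blockers regardless of the headline number.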
Know your gaps but unsure which are blockers? Compare readiness provider categories — find the kind of help that separates your POA&M-eligible gaps from your true blockers before you schedule anything.
How Do You Scope a Level 2 Assessment Before You Touch Evidence?
Scope comes first, always. The DoD CMMC Level 2 Scoping Guide requires you to specify your assessment scope before the assessment, and 32 CFR 170.19 sorts every asset into one of five categories. Getting scope right is the highest-leverage decision in the entire project, because it determines how many systems must meet all 110 requirements — and therefore how much you’ll spend.
The five asset categories you must map (from the Level 2 Scoping Guide):
- CUI Assets — anything that processes, stores, or transmits CUI. Fully in scope.
- Security Protection Assets — tools and services that protect your in-scope environment (SIEM, identity providers, MSP management tooling). In scope for the protections they provide.
- Contractor Risk Managed Assets — assets that can, but are not intended to, handle CUI. Documented in your asset inventory, SSP, and network diagram; if the documentation is sufficient, the assessor does not assess them against the full requirement set unless something raises a question.
- Specialized Assets — IoT, operational technology, government-furnished equipment, test gear. Documented in the inventory and SSP; not assessed against the full requirements for Level 2.
- Out-of-Scope Assets — assets that genuinely can’t touch CUI. Out — but you must be able to demonstrate the separation.
The decision that changes your entire budget is enterprise scope versus enclave:
| Scope strategy | Best for | The risk you take on |
|---|---|---|
| Enterprise-wide | Mature organizations where CUI is woven through the business | Broadest, most expensive evidence burden |
| CUI enclave | Small and mid-size contractors with contained CUI workflows | You must enforce the boundary and user behavior, every day |
| Hybrid | CUI in limited systems but shared identity/security tooling | External-provider and inherited-control complexity |
| "We're not sure yet" | The most common starting point | The highest risk of wasted spend — fix this first |
This is also where your vendors enter the picture, whether you planned for it or not. External Service Providers (ESPs) — managed service providers, security operations centers, SIEM vendors — and Cloud Service Providers (CSPs) can pull assets into scope. For both the self and C3PAO paths (32 CFR 170.16 and 170.17), if you use a cloud environment to process, store, or transmit CUI, the CSP’s offering must be FedRAMP Moderate authorized — or meet FedRAMP Moderate-equivalent requirements under DoD policy — and the on-premises infrastructure that connects to it is part of your assessment scope. Document the division of responsibilities in your SSP and a Customer Responsibility Matrix (CRM). Microsoft GCC High and AWS GovCloud can support your requirements, but they do not make you compliant; you still own scope, configuration, the CRM, and the evidence. For a side-by-side, see our enclave vs. enterprise compliance guide.
If your scope is the question mark, start there — not with an assessor. Compare readiness and enclave provider categories that scope tightly and shrink what you have to assess.
What Evidence Does a CMMC Level 2 Assessment Actually Require?
Level 2 evidence has to show that each applicable requirement is implemented, operating, and producing the intended result — and it’s evaluated at the objective level, not the control-title level. NIST SP 800-171A breaks each requirement into assessment objectives and prescribes three assessment methods: examine (review documents, configurations, logs), interview (talk to the people who run the control), and test (demonstrate it works). Prepare for all three, against objectives, and you prepare for what the assessor will actually do.
This is the distinction experienced practitioners harp on, and they’re right: assessors don’t check “Access Control — yes.” They check whether each objective under each requirement is satisfied by evidence. A control can be most of the way there and still fail an objective. Build your evidence index against objectives, not titles.
Before the methods, get your core document set in order — this is the package an assessor expects to see:
- A finalized System Security Plan describing every in-scope system and how each requirement is met
- An asset inventory with each asset’s category and CUI relationship
- A network and data-flow diagram showing your CUI boundary
- Approved policies and procedures (final, not draft)
- A POA&M for any permitted open items
- A Customer Responsibility Matrix for your cloud and external providers
- An evidence index mapping artifacts to each applicable assessment objective
| Method | What the assessor does | Evidence to have ready |
|---|---|---|
| Examine | Reviews artifacts | SSP, approved policies and procedures, access lists, MFA configuration, audit logs, baseline configs, diagrams |
| Interview | Asks responsible staff to explain the control | A named owner per family who can speak to onboarding/offboarding, incident response, log review, etc. |
| Test | Watches the control work | A live MFA prompt, an account disablement, a log/alert generated, a backup restored |
Evidence map by control family
| NIST SP 800-171 family | The question you must answer with evidence | Typical evidence owner |
|---|---|---|
| Access Control | Can you prove only authorized users reach CUI systems? | IT / identity admin |
| Awareness & Training | Can you prove role-based security training happened? | HR / compliance |
| Audit & Accountability | Can you prove logs are generated, reviewed, and retained? | IT / SOC |
| Configuration Management | Can you prove baselines and change control? | IT / MSP |
| Identification & Authentication | Can you prove identity, MFA, and account lifecycle controls? | IT |
| Incident Response | Can you prove an IR plan, testing, and a reporting path? | Security lead |
| Maintenance | Can you prove maintenance is controlled and logged? | IT |
| Media Protection | Can you prove media handling and sanitization? | Facilities / IT |
| Personnel Security | Can you prove screening and termination processes? | HR |
| Physical Protection | Can you prove facility and system access controls? | Facilities |
| Risk Assessment | Can you prove vulnerability scanning and remediation tracking? | Security lead |
| Security Assessment | Can you prove your SSP, POA&M, and monitoring? | Compliance |
| System & Communications Protection | Can you prove boundary defense, encryption, segmentation? | Network / security |
| System & Information Integrity | Can you prove flaw remediation, malware defense, and alerting? | IT / SOC |
The uncomfortable part, stated plainly because it’s the most common silent failure: the regulation explicitly rejects draft evidence. 32 CFR 170.24 says all evidence must be in final form and that working papers, drafts, and unofficial or unapproved policies are unacceptable. A polished-looking policy binder full of documents marked “Draft v0.9” is, to an assessor, no policy at all. Freeze your approvals, get the controls running, and collect the operational proof — tickets, logs, screenshots with dates — that shows the control lived in the real world, not just on paper.
How Long Does CMMC Level 2 Assessment Preparation Take?
There’s no universal timeline, because preparation time depends on your CUI scope, your existing NIST SP 800-171 maturity, the state of your documentation, your technical debt, your external providers, and whether you’re on the self or C3PAO path. As a planning anchor, 6 to 18 months is the realistic band for most Level 2 efforts.
| Where you’re starting | Realistic planning band | What the work usually is |
|---|---|---|
| Controls mature, evidence disorganized | 30–90 days | Evidence index, mock assessment, final documentation, SPRS prep |
| Scope known, moderate gaps | 3–6 months | Remediation sequencing, finalizing policies/procedures, testing |
| Scope unclear, partial controls | 6–12 months | Scoping, architecture, tooling, SSP, evidence, mock assessment |
| Enterprise scope, major gaps, provider complexity | 12–18+ months | Full program build, enclave decision, technical remediation, vendor coordination |
The trap here is a calendar trick: scheduling an assessment date does not create readiness — it creates pressure. Readiness is created by operating controls, final evidence, and a defensible scope. Book the date once those exist.
Where you sit in the phased rollout
Two rules run the program. The CMMC Program Rule (32 CFR Part 170) became effective December 16, 2024. The DFARS acquisition rule — the one that actually puts CMMC into contracts — became effective November 10, 2025, which started the four-phase rollout. Authorized C3PAOs could not begin official Level 2 certification assessments before January 2, 2025.
| Phase | Begins | What it means for Level 2 (per 32 CFR 170.3(e)) |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Focuses primarily on Level 1 and Level 2 self-assessments; DoD may require Level 2 (C3PAO) at its discretion on more sensitive contracts. |
| Phase 2 | Nov 10, 2026 | DoD intends to include Level 2 (C3PAO) for applicable solicitations and contracts as a condition of award — though it may delay that requirement to an option period; DoD may also begin including Level 3 (DIBCAC) at its discretion. |
| Phase 3 | Nov 10, 2027 | DoD intends Level 2 (C3PAO) for all applicable solicitations and contracts as a condition of award and as a condition to exercise an option period; DoD intends to include Level 3 (DIBCAC), with discretion to delay it to an option period. |
| Phase 4 | Nov 10, 2028 | Full implementation across all applicable DoD contracts. |
The scarcity that’s real, not manufactured: as reported at early-2026 Cyber AB Town Halls, roughly 100 authorized C3PAOs and fewer than 800 certified assessors served a Defense Industrial Base in which the great majority of CUI contractors fall into Level 2 — and only about 1,000 organizations had achieved Level 2 certification at that point. The bar to become and scale a C3PAO is high by design: each firm must reach ISO/IEC 17020 accreditation within 27 months of authorization, and assessment teams must hold Tier 3 background investigations. Confirm current counts in the Cyber AB Marketplace before you rely on them. The practical conclusion: if you wait until your contract deadline to begin, you may not get on a calendar in time. For the full timeline, see our CMMC phases guide.
What Does CMMC Level 2 Assessment Preparation Cost?
There isn’t one cost — there are three, and they get blended together in a way that makes contractors either panic or dangerously under-budget. DoD’s own model puts a small company’s three-year Level 2 (C3PAO) path near $104,670 — but that figure deliberately excludes the cost of implementing the controls, because the rule assumes contractors have been required to meet NIST SP 800-171 since 2017. So the assessment is the cheap part. What you’ll actually spend depends on how much fixing you have left.
| The “cost” you’ll see quoted | What it actually is | Source |
|---|---|---|
| $104,670 (small entity) / $117,690 (larger), over three years | DoD's modeled Level 2 (C3PAO) certification assessment plus triennial and two annual affirmations | 32 CFR Part 170 Regulatory Impact Analysis (Federal Register, Oct. 15, 2024) |
| ~$37,000 (small) to ~$49,000 (larger), over three years | DoD's modeled Level 2 self-assessment path with affirmations | 32 CFR Part 170 Regulatory Impact Analysis |
| ~$31,234 | The C3PAO's own fee component inside the $104,670 model (a roughly 120-hour, multi-assessor engagement) — the rest is your internal labor and affirmations | 32 CFR Part 170 Regulatory Impact Analysis |
| Implementation and remediation: not included | DoD explicitly excluded the cost to implement or remediate the controls, assuming contractors were already required to meet NIST SP 800-171 | 32 CFR Part 170 Regulatory Impact / Flexibility Analysis |
| ~$75,000–$300,000+, first cycle, all-in | A composite of 2026 industry analyses covering implementation, tooling, labor, and the assessment — wide because it's driven entirely by your starting maturity | Industry estimates (not a regulatory figure) |
Here’s why this matters more than any single number: the figure that scares people — $104,670 — isn’t even the expensive part. The expensive part is closing gaps, tooling, documentation, managed services, and internal labor — exactly what DoD left out of its model, and exactly what a readiness provider handles. Every system you keep out of the CUI boundary is a system that doesn’t need all 110 controls, so tight scope and FedRAMP-authorized cloud can move your total dramatically. For a deeper breakdown, see our CMMC Level 2 cost guide.
Before you commit a budget, get scoped quotes you can compare.
We’ll match you with readiness, enclave, and managed-compliance provider categories so you can request real numbers against your real scope — no CUI or system details required to start.
Can You Pass Level 2 with a POA&M — and What Happens on Assessment Day?
Sometimes, but only under strict conditions: you can reach Conditional Level 2 if you score at least 88, defer only eligible 1-point items, keep all non-deferrable controls fully met, and close every POA&M item within 180 days. Conditional Level 2 is not Final Level 2 — it’s a time-boxed status that converts to Final only after a closeout assessment confirms the gaps are fixed. Miss the 180-day window and the status expires.
We covered the eligibility math in the gate map above; here’s how it plays out as a decision:
| Gap type | POA&M risk | What to do before you schedule |
|---|---|---|
| A non-deferrable (named-excluded) requirement | High — disqualifying | Remediate before the assessment |
| A 3-point or 5-point control | High — disqualifying | Fix it; test your score impact first |
| A single 1-point implementation gap | Possibly manageable | Confirm eligibility and your closeout plan |
| Evidence gap on an implemented control | Often fixable fast | Collect final evidence before assessment |
| A draft-only policy | Not ready | Approve it, run it, then evidence it |
In a Level 2 self-assessment, your team evaluates the environment against the NIST SP 800-171A objectives, calculates the score, and enters the result and an affirmation in SPRS. The Level 2 self-assessment inputs to SPRS include, at minimum, your CMMC Level, the CMMC Status Date, your assessment scope, your associated CAGE codes, your overall Level 2 score, and your POA&M usage and compliance status.
In a Level 2 C3PAO certification assessment, the assessor plans the engagement, conducts it using examine/interview/test, documents findings, and uploads results into the CMMC instance of eMASS — which transmits your status to SPRS. The C3PAO’s eMASS inputs are broader, including the C3PAO name, the assessment’s unique identifier, assessment-team information, your CAGE codes, your SSP name/date/version, the results for each requirement objective, your POA&M usage, and the names and hash values of the evidence artifacts.
Two recordkeeping facts that catch teams off guard: C3PAOs must retain assessment-related records for six years (unless the CMMC program office authorizes otherwise), and you — the contractor — must retain the hashed evidence artifacts used in a certification assessment for six years from your CMMC Status Date, and provide the artifact names, hash values, and hashing algorithm for upload to eMASS. Build artifact retention into your program from the start; it’s not optional.
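Because both the eMASS upload and the six-year retention rule hinge on artifact names, hash values and the hashing algorithm, here is an added Python example (illustrative code, not a CMMC, eMASS or C3PAO tool) that builds a hash manifest for an evidence directory and re-verifies it later, flagging modified, missing and unlisted artifacts. SHA-256 and the sample file names are this example's assumptions; the artifact contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

ALGORITHM = "sha256"   # this example's choice; record whatever algorithm your C3PAO uses


def hash_file(path: Path) -> str:
    """Stream the file through the hash so large artifacts (log exports, images) fit in memory."""
    digest = hashlib.new(ALGORITHM)
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir) -> dict:
    """Map each artifact's path (relative to the evidence root) to its hash, plus the algorithm."""
    root = Path(evidence_dir)
    artifacts = {p.relative_to(root).as_posix(): hash_file(p)
                 for p in sorted(root.rglob("*")) if p.is_file()}
    return {"algorithm": ALGORITHM, "artifacts": artifacts}


def verify_manifest(evidence_dir, manifest) -> dict:
    """Re-hash the retained set; anything modified, missing or unlisted is a retention finding."""
    root = Path(evidence_dir)
    listed = manifest["artifacts"]
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for name, expected in listed.items():
        path = root / name
        if not path.is_file():
            report["missing"].append(name)
        elif hash_file(path) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["unlisted"] = sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                                if p.is_file() and p.relative_to(root).as_posix() not in listed)
    return report


def demo() -> tuple:
    """Constructed evidence set: three sample artifacts, a manifest at assessment time,
    then a retention check after one file is altered, one deleted and one added."""
    root = Path(tempfile.mkdtemp(prefix="cmmc-evidence-"))
    samples = {   # constructed contents, named after real requirement IDs for realism
        "AC.L2-3.1.1/quarterly-access-review.txt": b"constructed: access review sign-off",
        "IA.L2-3.5.3/mfa-policy-screenshot.txt": b"constructed: MFA enforced for all users",
        "AU.L2-3.3.1/log-review-ticket.txt": b"constructed: weekly log review ticket",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    manifest = build_manifest(root)
    at_assessment = verify_manifest(root, manifest)
    (root / "IA.L2-3.5.3/mfa-policy-screenshot.txt").write_bytes(b"edited after the assessment")
    (root / "AU.L2-3.3.1/log-review-ticket.txt").unlink()
    (root / "AC.L2-3.1.1/unlisted-note.txt").write_bytes(b"added later, never hashed")
    years_later = verify_manifest(root, manifest)
    return manifest, at_assessment, years_later
```

Store the manifest alongside the artifacts and re-run `verify_manifest` on a schedule during the retention window, so a silently altered or lost artifact surfaces long before anyone asks for it.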
Have gaps but a deadline inside 180 days? Compare readiness provider categories that separate your POA&M-eligible gaps from your true blockers before you schedule anything.
Should You Hire an RPO, MSP, MSSP, vCISO, GRC Platform, Enclave Provider — or a C3PAO?
Match the provider to your stage. If you still need remediation, documentation, evidence architecture, or scope reduction, your first call is readiness or implementation help — not a C3PAO. C3PAOs exist to run the formal certification assessment when that path is required and your evidence is ready.
| Provider category | Use it when | Don’t use it when |
|---|---|---|
| RPO / readiness consultant | You need gap analysis, an SSP, a POA&M, evidence prep, or a mock assessment | You need the formal Level 2 (C3PAO) certification |
| MSP / CMMC-focused MSP | You need endpoint, identity, patching, backup, and hands-on implementation | You only need an independent assessment |
| MSSP / SOC | You need logging, monitoring, alerting, and incident support | You expect them to own your entire CMMC program |
| vCISO | Leadership needs governance, risk decisions, and policy ownership | You only need tools deployed |
| GRC / evidence platform | You need evidence workflow and SSP/POA&M management | You think software alone equals compliance — it doesn't |
| CUI enclave / secure collaboration | You need to contain CUI and shrink scope | You can't enforce the boundary operationally |
| C3PAO | Your contract requires Level 2 (C3PAO) and you're assessment-ready | You still need remediation or consulting from that same firm |
The independence rule that decides your hiring order
This is the part that quietly wrecks timelines, so we read the source. 32 CFR §170.8(b)(17)(ii)(G) — reflected in the Cyber AB Code of Professional Conduct — prohibits CMMC Ecosystem members from participating in the Level 2 certification assessment of an organization they previously served as a consultant to prepare for any CMMC assessment within the prior three years. The prohibition applies to the C3PAO as a whole and to every member of the assessment team. In plain terms: the firm that helps you get ready generally cannot be the firm that certifies you. Build your stack with that firewall in mind — readiness provider first, a separate authorized C3PAO when you’re ready — or you’ll discover at the worst possible moment that your assessor is conflicted out.
A note on routing: we route by category first because, for a preparation query, that’s both the honest answer and the one that protects you. Confirm any assessor’s status in the Cyber AB Marketplace, confirm the firm’s category, and confirm its independence posture in writing. We don’t call anyone “verified” or “preferred” on your behalf. For a deeper comparison of authorized C3PAOs, see our C3PAO comparison guide.
Ready to talk to a human about your stack?
Request scoped quotes from matched provider categories — readiness first, C3PAO only when you’re assessment-ready, with the independence firewall intact.
Why Verifying Your Provider Isn’t Optional: The DoD IG Finding
Provider verification isn’t a matter of taste — DoD’s own watchdog has already flagged gaps in the C3PAO authorization process. Before you rely on any assessor, verify its authorization status, its team’s credentials, and its independence yourself, because a marketplace listing alone is not proof the right people are on your assessment.
In January 2025, the DoD Office of Inspector General released report DODIG-2025-056, Audit of the DoD’s Process for Authorizing Third-Party Organizations to Perform CMMC 2.0 Assessments. Reviewing 11 C3PAOs, the IG found DoD and the Cyber AB had confirmed 10 of 12 authorization requirements, but had authorized two C3PAOs without a signed agreement and Code of Professional Conduct on file, four without verifying their quality-control leads were certified, and all of them without adequately confirming that both a certified assessor and a certified quality-control lead were on the assessment team. Inspector General Robert P. Storch warned that without an effective authorization process, there is a “ripple effect of risks.”
The practical lesson for your preparation:
- Verify the C3PAO’s status directly in the Cyber AB Marketplace — don’t accept “almost certified” or “candidate.”
- Confirm the actual assessment team’s credentials, not just the firm’s logo.
- Get the conflict-of-interest posture in writing, tied to the three-year rule above.
- Treat “CMMC expert” marketing language as a starting point for verification, not the end of it.
The Most Common Level 2 Preparation Mistakes
| The mistake | The rule it ignores | What it costs you |
|---|---|---|
| Treating Level 2 as always third-party | 32 CFR 170.16 / 170.3(e) | Wasted spend on a C3PAO when your contract allowed self-assessment |
| Scoping the whole company by default | 32 CFR 170.19 (asset categories) | A vastly larger, more expensive assessment than you needed |
| Preparing control titles, not objectives | NIST SP 800-171A | Failed objectives during examine/interview/test |
| Relying on draft policies | 32 CFR 170.24(b) (final-evidence rule) | Evidence rejected; controls scored Not Met |
| Assuming GCC High or AWS GovCloud = compliant | 32 CFR 170.16 / 170.17 (CRM, scope) | Unmet requirements you assumed the cloud covered |
| Ignoring external-provider scope | 32 CFR 170.19 (ESP/CSP) | Surprise in-scope assets discovered at assessment |
| Scheduling a C3PAO before readiness | 32 CFR 170.8(b)(17)(ii)(G) + cost reality | Independence conflicts and assessment-rate “discovery” of gaps |
| Forgetting the annual affirmation | 32 CFR 170.22 | A lapsed CMMC status and lost eligibility |
What Should a Small DIB Contractor Do First?
Don’t start by buying the biggest platform or calling the most famous C3PAO. Start by confirming whether you actually handle CUI, identifying the contract-required CMMC status, narrowing your CUI boundary, finalizing your SSP and asset inventory, and building a gap list against the NIST SP 800-171A objectives. The sequence matters more than the spend.
If you’re a small prime: confirm the clause, identify your CUI, decide enterprise versus enclave, build your SSP and evidence, bring in readiness help if internal capacity is thin, and schedule a C3PAO only if your contract requires it and you’re ready.
If you’re a small sub: ask your prime for the flow-down requirement in writing (it flows down under 32 CFR 170.23), confirm exactly what data you’ll handle, ask whether CUI can be minimized or routed through a controlled enclave, and document your roadmap and any required SPRS posting. See our CMMC guide for small defense contractors.
A word on “is Level 2 worth it if DoD is a minority of our revenue?” — that’s a real business decision, not a compliance one. Weigh the all-in program cost and the recurring maintenance against the contract revenue at stake and your appetite to stay in the defense supply chain. Some small subs rationally choose to exit CUI work or push CUI to a prime’s controlled environment. Others find one contract pays for the whole program several times over. Decide with the real numbers in front of you.
Your First 30 Days
The first 30 days should produce a defensible preparation plan, not a vague aspiration. By day 30 you should know your Level 2 path, your CUI boundary, your scope assumptions, your SSP status, your evidence gaps, your POA&M blockers, the provider category you need, and a target timeline.
- Days 1–3 — Contract and CUI triage. Find the clause language. Confirm Self vs. C3PAO. Identify your CUI categories and data flows. Assign one accountable owner.
- Days 4–10 — Scope and asset inventory. Build the asset inventory, categorize every asset, draft the network and data-flow diagram, and list external providers and inherited controls.
- Days 11–20 — Objective-level evidence walk-through. Map every applicable objective to evidence. Mark each item final, draft, or missing. Assign owners. Flag controls that need a live test.
- Days 21–30 — Remediation and provider plan. Build your POA&M and your non-deferrable blocker list. Decide between readiness, MSP/MSSP, GRC, and enclave help. Decide whether scheduling a C3PAO is premature. Brief leadership on the cost and timeline bands.
Turn this into a real plan built around your scope and deadline.
Tell us your level, scope, and timeline — no CUI, no diagrams, nothing sensitive — and we’ll match you with source-checked CMMC provider options for the next step.
Get matched →
What We Verified for This Page
We separate verified regulatory facts from editorial judgment, so you can see exactly what was checked and against which primary source. Verified:
- The Program Rule (32 CFR Part 170) became effective December 16, 2024; the DFARS acquisition rule became effective November 10, 2025, starting Phase 1. (Federal Register; eCFR; DoD CIO CMMC page.)
- CMMC Level 2 maps to NIST SP 800-171 Revision 2 — 110 requirements, 14 families — assessed using NIST SP 800-171A. (eCFR 32 CFR Part 170; NIST CSRC.)
- The two paths: Level 2 self-assessment (32 CFR 170.16) and Level 2 certification assessment (32 CFR 170.17); results to SPRS and the CMMC instance of eMASS, respectively. (eCFR.)
- Conditional status requires a score ≥ 88 (0.8); only 1-point items are POA&M-eligible (47 of 110); the six named exclusions are AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5; the SC.L2-3.13.11 encryption exception; the SSP prerequisite; and the final-evidence rule. (eCFR 32 CFR 170.21 and 170.24.)
- POA&M closeout within 180 days; final status valid 3 years; annual affirmation required or status lapses; six-year record/artifact retention. (eCFR 32 CFR 170.21, 170.22, 170.9, 170.17.)
- Assessment scope must be specified before assessment; the five asset categories; CSPs handling CUI must be FedRAMP Moderate or equivalent on both paths. (DoD CMMC Level 2 Scoping Guide; eCFR 170.16, 170.17, 170.19.)
- The conflict-of-interest three-year prohibition. (32 CFR §170.8(b)(17)(ii)(G); Cyber AB Code of Professional Conduct.)
- DoD’s modeled costs — $104,670 (small) and $117,690 (larger) over three years, ~$37,000–$49,000 for self-assessment, with implementation and remediation explicitly excluded. (32 CFR Part 170 Regulatory Impact Analysis.)
- DoD IG findings on C3PAO authorization. (DODIG-2025-056, January 10, 2025.)
Frequently Asked Questions
How do I prepare for a CMMC Level 2 assessment?
Confirm whether your contract requires Level 2 (Self) or Level 2 (C3PAO), define your CUI scope, finalize your System Security Plan, map assets, collect final evidence against the NIST SP 800-171A objectives, test your controls, identify any non-deferrable gaps, assign an affirmation owner, and choose the right provider category. Don’t schedule a C3PAO until your scope and evidence are ready.
Is CMMC Level 2 always a C3PAO assessment?
No. Level 2 can be a self-assessment or a C3PAO certification assessment depending on the contract requirement, but both assess the same 110 NIST SP 800-171 Revision 2 requirements. Phase 1 focuses primarily on self-assessments; in Phase 2, beginning November 10, 2026, DoD intends to require Level 2 (C3PAO) certification as a condition of award for applicable CUI contracts, though it can defer that requirement to an option period.
What’s the passing score for CMMC Level 2?
You need a perfect 110 of 110 for unconditional status, or at least 88 of 110 (the 0.8 threshold in 32 CFR 170.21) for Conditional status — and conditional status only counts if your deferred items are eligible and you close them within 180 days.
What can’t go on a POA&M?
Every 3-point and 5-point requirement, plus six specific 1-point requirements (AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5), must be fully met at assessment. Only 1-point items are POA&M-eligible, with one narrow exception: encryption (SC.L2-3.13.11) may be deferred if it’s in use but not yet FIPS-validated. A complete SSP must also exist, or the assessment can’t proceed.
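The conditional-status rules summarized above (the 88-of-110 threshold, the ban on 3-point and 5-point items in a POA&M, the six named non-deferrable 1-point items, the SC.L2-3.13.11 encryption exception, and the SSP prerequisite) are easy to misapply when you are staring at a spreadsheet of findings. The following is an added example written for this page, not a DoD or Cyber AB tool: it takes the list of not-met findings from a Level 2 self-assessment, computes the score, and separates the items that can go on a POA&M from the ones that block conditional status. It assumes the point values of the findings are already known, assumes the DoD scoring methodology’s 3-point partial deduction for SC.L2-3.13.11 when encryption is in use but not FIPS-validated (the page only says the item may be deferred), and uses constructed sample requirement IDs (`SAMPLE-…`) for everything except the identifiers the page itself names.

```python
"""Added example (not the page's or DoD's own code): classify CMMC Level 2 findings
against the conditional-status rules in 32 CFR 170.21 as this page describes them."""
from dataclasses import dataclass, field

TOTAL_REQUIREMENTS = 110          # NIST SP 800-171 Rev. 2 requirement count
CONDITIONAL_THRESHOLD = 88        # 0.8 * 110, the 32 CFR 170.21 threshold

# The six 1-point requirements the page lists as never POA&M-eligible.
NON_DEFERRABLE_ONE_POINT = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
ENCRYPTION_REQ = "SC.L2-3.13.11"
# ASSUMPTION: the DoD scoring methodology deducts 3 (not 5) points for
# SC.L2-3.13.11 when encryption is employed but not yet FIPS-validated, and the
# item may then sit on a POA&M. The page states only the deferral, not the value.
ENCRYPTION_PARTIAL_DEDUCTION = 3
VALID_POINTS = {1, 3, 5}


@dataclass
class Finding:
    """One not-met requirement from the assessment results."""
    req_id: str
    points: int                      # weight under the scoring methodology: 1, 3 or 5
    encryption_not_fips: bool = False  # only meaningful for SC.L2-3.13.11


@dataclass
class Verdict:
    score: int
    status: str                      # "Final", "Conditional" or "Not Met"
    blockers: list = field(default_factory=list)    # must be fixed before assessing
    poam_items: list = field(default_factory=list)  # may be deferred on a POA&M


def evaluate(findings, ssp_final):
    """Score a result set given only its not-met findings.

    Every requirement not listed in `findings` is treated as fully met, so the
    caller is responsible for passing the complete list of open items.
    """
    if not ssp_final:
        # A complete, approved SSP is a prerequisite; without it nothing is scored.
        return Verdict(score=0, status="Not Met", blockers=["SSP not final/approved"])

    seen = set()
    score = TOTAL_REQUIREMENTS
    blockers, poam = [], []
    for f in findings:
        if f.points not in VALID_POINTS:
            raise ValueError(f"{f.req_id}: point value must be 1, 3 or 5")
        if f.req_id in seen:
            raise ValueError(f"duplicate finding for {f.req_id}")
        seen.add(f.req_id)

        if f.req_id == ENCRYPTION_REQ and f.encryption_not_fips:
            # The one narrow exception: deferrable with partial credit.
            score -= ENCRYPTION_PARTIAL_DEDUCTION
            poam.append(f.req_id)
        elif f.points == 1 and f.req_id not in NON_DEFERRABLE_ONE_POINT:
            score -= 1
            poam.append(f.req_id)
        else:
            # 3- and 5-point items, and the six named 1-point items, cannot be deferred.
            score -= f.points
            blockers.append(f.req_id)

    if not findings:
        status = "Final"             # 110 of 110: unconditional status
    elif not blockers and score >= CONDITIONAL_THRESHOLD:
        status = "Conditional"       # POA&M must then close out within 180 days
    else:
        status = "Not Met"
    return Verdict(score=score, status=status, blockers=blockers, poam_items=poam)


if __name__ == "__main__":
    # Constructed sample findings: one deferrable 1-point gap, one encryption gap.
    sample = [
        Finding("SAMPLE-1PT-A", 1),
        Finding(ENCRYPTION_REQ, 5, encryption_not_fips=True),
    ]
    v = evaluate(sample, ssp_final=True)
    print(f"score={v.score} status={v.status} blockers={v.blockers} poam={v.poam_items}")
```

Run it against your own export by building one `Finding` per open objective group; anything that lands in `blockers` is work that has to be finished before you post a score or book a C3PAO, while `poam_items` is the list you can legitimately carry into the 180-day window.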
Can draft policies count as evidence?
No. 32 CFR 170.24 states evidence must be in final form and that working papers, drafts, and unapproved policies are unacceptable. Approve and operate your policies, then collect the proof they’re running.
How long does CMMC Level 2 assessment preparation take?
Most efforts run 6 to 18 months. A mature environment with disorganized evidence might need 30–90 days; a low-maturity or broadly scoped environment may need a year or more of remediation, documentation, and evidence work.
What does a CMMC Level 2 assessment cost?
DoD’s model puts the three-year Level 2 (C3PAO) path at about $104,670 for a small entity (around $117,690 for a larger one) and the self-assessment path at roughly $37,000–$49,000 — but those figures exclude the cost of implementing and remediating the controls. Real all-in programs vary widely with your starting maturity.
Should I hire a C3PAO first?
Only if your contract requires Level 2 (C3PAO) and you’re already assessment-ready. If you still need remediation, an SSP, scoping, or evidence work, hire readiness help first — and remember the three-year independence rule means your readiness firm generally can’t also certify you.
Can my RPO certify us?
No. A Registered Provider Organization provides non-certified advisory services and does not conduct certification assessments. Only an authorized C3PAO can issue a Level 2 (C3PAO) certification.
Where do Level 2 assessment results go?
Level 2 self-assessment results are submitted in SPRS. Level 2 C3PAO results are entered into the CMMC instance of eMASS and transmitted to SPRS.
Does GCC High or AWS GovCloud make us CMMC compliant?
No. These environments can support requirements and help reduce scope, but you still own scoping, configuration, your Customer Responsibility Matrix, and your evidence.
Do external service providers count in scope?
They can. An ESP is in scope when its services or assets meet the CUI Asset or Security Protection Asset criteria, and you must document the relationship and responsibilities in your SSP and Customer Responsibility Matrix.
Is NIST SP 800-171 Revision 3 used for CMMC Level 2?
Not currently. CMMC Level 2 maps to Revision 2 unless and until DoD amends the rule. Prepare against Rev. 2.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Primary sources & references