CMMC Level 2 Compliance Package: What It Includes, What It Costs, and What to Verify Before You Buy
If you searched cmmc level 2 compliance package, odds are you’ve already been quoted for one — and the numbers didn’t add up. One quote lands at $35,000. The next at $250,000. Same three words, wildly different scope.
Bottom line: A CMMC Level 2 compliance package is a bundled set of readiness services — CUI scoping, a gap assessment, your System Security Plan (SSP), policies and procedures, control remediation, and often an environment built for CUI like Microsoft GCC High or a CUI enclave — designed to get you ready to meet all 110 security requirements in NIST SP 800-171 Revision 2 before an assessment. What it is not is the certification itself. And under 32 CFR § 170.8 and § 170.9, the firm that builds your readiness package cannot be the C3PAO that certifies you — a conflict-of-interest rule that carries a three-year window.
Is this the right page for you?
| You’re here because… | This page helps if… | This page is not for you if… |
|---|---|---|
| A vendor quoted you a “CMMC package” and you’re not sure what’s in it | You want to know what deliverables should be included before you pay | You just need a plain “what is CMMC?” primer — start with our CMMC 2.0 guide |
| A prime asked about your CMMC Level 2 status | You need to scope a package before requesting quotes | You handle only Federal Contract Information (FCI) — you likely need Level 1, not Level 2 |
| You’re comparing RPOs, MSPs, software, enclaves, and C3PAOs | You need provider-category clarity, not a sales pitch | You already know your provider and just need to book a C3PAO |
| Leadership asked, “what exactly are we buying?” | You want a source-backed buyer’s checklist | You need legal interpretation of your contract clause — that’s a job for counsel |
The right CMMC provider isn’t the same for every contractor — the category you need depends on your required level, FCI/CUI handling, assessment type, cloud environment, and contract timeline. The contract clause sets your level, not a checklist.
Find My CMMC Path →
What is a CMMC Level 2 compliance package?
A “CMMC Level 2 compliance package” is buyer-and-vendor shorthand, not an official Department of Defense product. The CMMC Program Rule at 32 CFR Part 170 defines levels, requirements, statuses, and assessments — it does not define a productized “package.” In practice, the term should mean a scoped bundle of services, documents, evidence workflows, and remediation support that helps you implement and demonstrate the Level 2 requirements against NIST SP 800-171 Revision 2.
We verified this the boring way: we read 32 CFR Part 170 and the DFARS clauses looking for the word “package.” It isn’t there. That matters, because when a term has no official definition, vendors get to fill it in — which is precisely why identical-sounding quotes differ by six figures.
The simple definition
A Level 2 compliance package is the practical work needed to move you from “we might handle CUI” to “we have a defined system boundary, implemented controls, documented evidence, and a clear path to the required Level 2 status.” CUI here means Controlled Unclassified Information — sensitive government information (technical drawings, specs, program data) that isn’t classified but still requires safeguarding.
Why the word “package” is dangerous
“Package” hides enormous differences. To one vendor it means a stack of policy templates. To another, a GRC software subscription. To another, managed security operations. To another, a CUI enclave. To another, C3PAO assessment prep. Those are not interchangeable, and paying for the wrong one is the single most common way contractors waste money on CMMC. The component-by-component map below shows you exactly which of those you’re actually buying.
Do you even need CMMC Level 2?
You need CMMC Level 2 if your organization stores, processes, or transmits CUI on systems used to perform a DoD contract — as a prime or as a subcontractor via flow-down. If you handle only FCI (federal contract information that isn’t CUI), you likely need Level 1, not a full Level 2 package. If you support the most sensitive programs, Level 3 may apply in limited cases.
Here’s the split, straight from the rule:
- Level 1 (Foundational): 15 basic safeguarding requirements from FAR 52.204-21. Annual self-assessment. For FCI only.
- Level 2 (Advanced): the 110 requirements in NIST SP 800-171 Revision 2, organized into 14 control families. Self-assessment or C3PAO assessment, set by the contract. For CUI. This is the level most defense contractors land on.
- Level 3 (Expert): Level 2 plus 24 enhanced requirements selected from NIST SP 800-172, assessed by DCMA DIBCAC. For a small subset supporting the most sensitive programs.
One rule to burn into memory: your contract clause sets your level and assessment type — not a checklist, not a vendor, not you. Reading “Level 2” and assuming “self-assessment” is a frequent, expensive mistake. If you’re unsure whether you’re a Level 1, Level 2 self-assessment, or Level 2 C3PAO case, confirm it against your solicitation and, when in doubt, with a CMMC Registered Practitioner or a federal-contracts attorney.
What’s actually included in a CMMC Level 2 compliance package?
A complete Level 2 readiness package should deliver seven core things: CUI/FCI scoping, a gap assessment against all 110 requirements, an SSP built from your real environment, policies and procedures, control remediation and technology, a compliance-supporting environment where you need one, and support for posting your score to SPRS with the annual affirmation. Continuous managed compliance is a common add-on. The one thing a package cannot include is the C3PAO certification itself — that’s a separate, independent engagement.
The CMMC Level 2 Compliance Package Matrix
| Package component | Why it belongs / what it is | Primary-source basis | What you should receive | Best-fit provider category | Verify before you buy |
|---|---|---|---|---|---|
| Contract & assessment-type intake | The package must start from your solicitation, not a generic template | DFARS 252.204-7021; DFARS 252.204-7025 | Clause review, required level & status, CAGE/UID plan, flow-down notes | RPO/RP; contracts counsel | “Are you setting my path from the contract language, or assuming Level 2?” |
| CUI / FCI determination | Level 2 is for CUI; FCI-only may be Level 1 | 32 CFR Part 170; NIST SP 800-171 Rev. 2 | CUI categories, handling summary, no-CUI quote brief | RPO/RP; counsel | “Are you asking me to send CUI during intake? Through what authorized channel?” |
| Assessment scope | Scope must be set before anything else; wrong scope drives cost up or fails you | 32 CFR § 170.19 (scoping) | Asset inventory, network diagram, data-flow map, scope boundary | RPO; MSP/MSSP; enclave provider | “What asset categories are you using, and do I get a scope diagram?” |
| NIST SP 800-171 Rev. 2 gap assessment | Level 2 requirements are identical to the 110 in Rev. 2 | 32 CFR § 170.14; NIST SP 800-171 Rev. 2 | Gap report mapped to every one of the 110 requirements | RPO/RP; GRC platform | “Will the report map each finding to the specific requirement and score impact?” |
| System Security Plan (SSP) | The blueprint of how each control is implemented — and a requirement you can’t defer | NIST SP 800-171 Rev. 2; CA.L2-3.12.4 | SSP with boundary, architecture, implementation statements, connections | RPO; vCISO; GRC platform | “Will the SSP describe my environment, or is it a template?” |
| Policies & procedures | Documented, followed processes across the 14 families | NIST SP 800-171 Rev. 2 (14 families) | Policy/procedure library by family, role assignments | RPO; GRC platform; vCISO | “Which documents are custom vs. boilerplate?” |
| Technical remediation & technology | Docs don’t implement MFA, encryption, logging, segmentation — engineering does | NIST SP 800-171 Rev. 2 controls | Remediation roadmap, owners, closure evidence | MSP; MSSP; cloud implementer | “Which gaps need real engineering work, not just a policy?” |
| Compliance-supporting environment (GCC High / CUI enclave) | Can shrink scope by isolating CUI; not automatically the right answer, and does not by itself make you compliant | DFARS 252.204-7012 (FedRAMP Moderate equivalency) | Enclave/tenant architecture, data-flow plan, boundary diagram | MSP/MSSP; enclave provider; cloud implementer | “Which systems fall out of scope — and what workflows break if we isolate CUI?” |
| Cloud / ESP / CSP responsibility matrix | Service-provider and cloud roles must be documented | 32 CFR § 170.19 (ESP/CSP scoping) | Customer Responsibility Matrix (CRM), shared-responsibility doc, SSP references | MSP/MSSP; cloud implementer | “How will you document shared responsibility for my cloud and service providers?” |
| POA&M strategy | Certain gaps can be deferred briefly — many cannot | 32 CFR § 170.21 | POA&M with scoring impact, owners, due dates, closeout plan | RPO/RP; vCISO; MSSP | “Which items are prohibited from POA&M treatment entirely?” |
| SPRS score & annual affirmation support | Your score and affirmation are the eligibility artifacts | DFARS 252.204-7021; 32 CFR § 170.22 | SPRS submission plan, affirming-official calendar, UID/CAGE planning | RPO/RP; internal compliance owner | “Who is my affirming official, and what evidence do they rely on?” |
| C3PAO readiness handoff (separate purchase) | For the C3PAO path, readiness and formal assessment must stay independent | 32 CFR §§ 170.9, 170.17; Cyber AB CMMC Assessment Process | Scope package, evidence index, interview owners, schedule assumptions | RPO/readiness firm before an authorized C3PAO | “Are you preparing me, assessing me, or both — and how are conflicts handled?” |
| Subcontractor flow-down plan | DFARS 252.204-7021 requires flowing the correct level to subs | DFARS 252.204-7021; 32 CFR § 170.23 | Sub inventory, flow-down checklist, supplier evidence template | RPO/RP; counsel | “Which subs receive FCI or CUI, and what status will each need?” |
| Continuous monitoring / managed compliance | Status and affirmation obligations continue after certification | 32 CFR § 170.22 | Monitoring, evidence collection, affirmation calendar, change management | MSSP; GRC platform | “What’s covered after certification day — and at what recurring cost?” |
➤ Map your Level 2 package before you request quotes.
Tell us your required level, CUI scope, assessment type, environment, and timeline, and The Defense Compliance Report’s Find My CMMC Path tool will point you to the provider category that fits — before you spend a dollar.
Map my Level 2 package →
What does a CMMC Level 2 compliance package cost?
Most small-to-midsize contractors spend $50,000–$200,000+ for full Level 2 readiness, and complex environments run higher. The reason online pricing looks chaotic is that people count different things: the DoD’s official estimates cover only the assessment and affirmation activity and exclude NIST 800-171 implementation, while vendor “package” prices include that implementation. Remediation — not the audit — is usually the biggest line item.
What DoD actually priced (primary source)
The estimates published with the CMMC Final Rule (32 CFR Part 170) cover assessment and affirmation only. They assume you already implemented NIST SP 800-171 Rev. 2, so they are not what it costs to get compliant — they’re what it costs to prove it.
| DoD estimate (assessment + affirmations, over three years) | Small entity | Other-than-small entity |
|---|---|---|
| Level 2 self-assessment path | ~$37,196 | ~$48,827 |
| Level 2 C3PAO path | ~$104,670 | ~$117,768 |
What DoD didn’t price — the market (industry-reported)
These are the readiness and implementation costs the DoD assumes you already spent. Treat every number here — including ours — as a budgeting signal, not a quote.
| Cost layer | Industry-reported range |
|---|---|
| C3PAO assessment fee alone | ~$30,000–$75,000 (higher for complex scope) |
| Gap / readiness assessment | $5,000–$25,000 |
| SSP + policies & procedures | $3,000–$60,000 |
| Technical remediation & tools | $10,000–$150,000+ |
| CUI enclave (if used) | ~$300–$400 per user/month, up to $3,000–$4,000+/month |
| Outside consultant / vCISO | $250–$400 per hour |
| Ongoing maintenance / managed compliance | $5,000–$30,000+/yr |
| Realistic total first cycle (small–mid contractor) | ~$50,000–$200,000+ (complex environments higher) |
Normalize every quote before you compare
A “package” quote is meaningless until you know what’s in and out. Ask each provider, in writing:
- What is included, and what is explicitly excluded?
- Is technical remediation included, or only documentation?
- Is evidence creation included, or only a control-status report?
- Is SPRS/affirmation support included?
- Is the C3PAO assessment included or separate? (It should be separate — see below.)
- Is software/tool licensing included? For how long?
- Are cloud licensing costs (e.g., GCC High seats) included?
- What assumptions — user count, scope, inherited controls — make this quote valid?
➤ See which package components your situation actually needs. Build a scoped, no-CUI summary with Find My CMMC Path, then request apples-to-apples quotes from the right category. Do not submit CUI, drawings, or sensitive contract details.
Can one vendor prepare and certify you? (The rule nobody selling a package wants to explain)
No. Under 32 CFR § 170.8(b)(17)(ii)(G) and the CMMC Code of Professional Conduct, an ecosystem member cannot participate in the Level 2 certification assessment of an organization it has served as a consultant to within the previous three years. C3PAOs are independent assessors bound by ISO/IEC 17020 impartiality under 32 CFR § 170.9. So a “we’ll get you certified” package is really readiness — the certification comes from a separate C3PAO you engage later.
The window is three years, and it’s specific: even a firm that only prepped you for a Level 1 self-assessment is blocked from your Level 2 certification team until that window closes. Anyone implying otherwise is either misusing the word “package” or quietly planning to hand you off, and you deserve to know which.
One nuance: a C3PAO can run a practice or “mock” assessment before you certify, but strict conditions in the Code of Professional Conduct apply if that same C3PAO later performs your certification assessment. Readiness coaching and the official assessment are still different acts.
Claims to challenge before you sign
| The pitch | What the rule actually says | What to ask instead |
|---|---|---|
| “We’ll prepare and certify you — one package.” | Your preparer generally can’t be on your C3PAO team for three years (32 CFR § 170.8(b)(17)(ii)(G)). | “Are you my readiness firm or my C3PAO? Who does the other half, and when?” |
| “Guaranteed CMMC certification.” | No one can guarantee an outcome. The C3PAO is independent and bound by ISO/IEC 17020 impartiality (32 CFR § 170.9). | “What exactly is guaranteed — deliverables, timeline, support? Not the result.” |
| “We’ll just POA&M the rest after the audit.” | You need ≥ 80% (88 of 110) first, only 1-point items are eligible, six requirements can never be deferred, and the SSP can’t be deferred (32 CFR § 170.21). | “Which of my open items are actually POA&M-eligible?” |
| “Our software makes you compliant.” | Software organizes evidence and workflow; it doesn’t implement controls or determine contract applicability. | “Which requirements still need process, staffing, or engineering outside the platform?” |
| “Templates are enough.” | The SSP must document your real boundary, environment, implementation, and connections. | “Will the SSP reflect my actual environment and evidence?” |
| “We’re Cyber AB / DoD approved.” | Providers are listed, not government-endorsed. Verify Authorized C3PAO status on the Cyber AB Marketplace on the day you sign. | “Show me your current Authorized status on cyberab.org, dated today.” |
➤ Not sure whether you need a readiness partner, a compliance-supporting environment, or an assessor first? Compare provider categories and see where you fit with Find My CMMC Path — no vendor pitch, just the category that matches your situation.
Self-assessment vs. C3PAO: which does your package need to prepare you for?
Level 2 has two assessment paths, and your contract clause decides which — not you. Both require implementing all 110 requirements and end with your result reflected in SPRS; the difference is who assesses and how the results get there. Buy a package sized for the wrong path and you’ll either over-build or fail the one you actually need.
In Phase 1 ( through ), many contracts allow a Level 2 self-assessment. Phase 2 begins , when the DoD begins including the Level 2 C3PAO assessment requirement in applicable solicitations. The DoD estimates roughly 35% of the defense industrial base will ultimately need a C3PAO assessment, so for most contractors handling CUI, the C3PAO path is the one to plan for. See our self-assessment vs. C3PAO guide and Phase 2 deadline overview.
| Package area | Level 2 Self-Assessment | Level 2 C3PAO Assessment |
|---|---|---|
| Who assesses | Your organization | An authorized C3PAO |
| Results flow | Your organization submits the score to SPRS | The C3PAO posts results to CMMC eMASS, which transmits to SPRS |
| Evidence rigor | Must support your affirmation and contract obligations | Must withstand independent assessor review |
| Package emphasis | Accurate score, SSP, POA&M, affirmation support | Scope package, evidence index, artifact tracking, assessment logistics |
| Provider sequence | RPO/RP, MSP/MSSP, GRC, internal owner | Readiness firm first, then a separate authorized C3PAO |
| Cost signal (DoD, 3-yr, small entity) | ~$37,196 | ~$104,670 |
| Status currency | Final Level 2 (Self), valid up to 3 years, annual affirmation | Final Level 2 (C3PAO), valid up to 3 years, annual affirmation |
Whichever path applies, the affirmation is not a one-time event: 32 CFR § 170.22 requires an affirmation of continuous compliance after the initial assessment, after any POA&M closeout, and annually thereafter. See our CMMC annual affirmation guide for the mechanics.
What a package must actually get you: the 110 controls, scoring, and the POA&M reality
A package doesn’t “make you certified” — it has to get you to a defensible, passing state. Level 2 scoring is weighted (5, 3, and 1 points per requirement, maximum 110, and it can go negative). To earn Conditional status you need at least 88 of 110, you may put only 1-point items on a POA&M, six specific requirements can never be deferred, and your SSP can’t be deferred either. Then you have 180 days to close the POA&M through a closeout assessment. “We’ll POA&M the rest” is not a real plan.
The 80% floor. Your assessment score divided by 110 must be ≥ 0.8 — a minimum of 88 points — before you can receive Conditional status at all. Below that, SPRS records your score but issues no CMMC status. We read 32 CFR § 170.21 and § 170.24 line by line for this page.
Only 1-point items are deferrable. Every requirement worth 3 or 5 points must be fully implemented at the time of assessment. There is exactly one narrow exception: SC.L2-3.13.11 (CUI encryption) may go on a POA&M at a 3-point cost if encryption is in use but not yet FIPS-validated. If no encryption exists at all, that same gap scores 5 points and cannot be deferred.
Six requirements can never go on a POA&M, no matter their point value (32 CFR § 170.21(a)(2)(iii)). Fair warning: several widely circulated “six controls” lists get this wrong. Here is exactly what the regulation names:
- AC.L2-3.1.20 External Connections (controlling connections to external systems)
- AC.L2-3.1.22 Control Public Information (controlling CUI on publicly accessible systems)
- CA.L2-3.12.4 System Security Plan (the SSP itself)
- PE.L2-3.10.3 Escort Visitors
- PE.L2-3.10.4 Physical Access Logs
- PE.L2-3.10.5 Manage Physical Access
Two are access-control requirements, one is the SSP, and three are physical-protection requirements. All six have to be fully implemented when the assessor arrives.
The 180-day clock is hard. It starts on your Conditional CMMC Status Date — the day results post to SPRS or eMASS, not the last day of the assessment. Miss it and your Conditional status expires and you start a full new assessment. See our conditional status and POA&M closeout guide.
One more distinction: the ongoing internal tracker you keep between assessments is now called an Operational Plan of Action (OPA) (requirement CA.L2-3.12.2). It has no fixed deadline. The POA&M is the strictly time-bound, assessment-tied artifact with the 180-day window. A good package builds both — and knows which is which.
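The scoring and POA&M rules above are easier to sanity-check with a small script than by hand. The following Python is an added example, not code from this page, The Defense Compliance Report, or the DoD: it takes a list of unmet requirements, applies the 88-point floor, the 1-point-only deferral rule, the SC.L2-3.13.11 encryption exception, and the six never-deferrable requirements, and reports what status the result would support. The `Finding` and `evaluate` names are mine, and the point weights attached to the sample findings are constructed for illustration; real per-requirement weights come from the DoD assessment methodology, not from this script.

```python
"""Worked Level 2 scoring and POA&M-eligibility check (added example; not the page's or DoD's code).

Assumed: the 5/3/1 weights attached to the sample findings below are constructed for
illustration. Real per-requirement values come from the DoD NIST SP 800-171 assessment
methodology. Requirement IDs follow the NIST SP 800-171 Rev. 2 / CMMC naming used on the page.
"""
from dataclasses import dataclass

MAX_SCORE = 110   # one point-weighted score across all 110 requirements
PASS_FLOOR = 88   # 80% of 110: minimum for Conditional status (32 CFR § 170.21)

# The six requirements that can never sit on a POA&M (32 CFR § 170.21(a)(2)(iii)).
NEVER_DEFERRABLE = frozenset({
    "AC.L2-3.1.20",  # External Connections
    "AC.L2-3.1.22",  # Control Public Information
    "CA.L2-3.12.4",  # System Security Plan
    "PE.L2-3.10.3",  # Escort Visitors
    "PE.L2-3.10.4",  # Physical Access Logs
    "PE.L2-3.10.5",  # Manage Physical Access
})
CUI_ENCRYPTION = "SC.L2-3.13.11"  # the one 5-point item with a 3-point POA&M exception


@dataclass(frozen=True)
class Finding:
    """An unmet requirement as recorded by the assessor (hypothetical structure)."""
    req_id: str
    weight: int                 # 5, 3 or 1 points lost when the requirement is not met
    partial_fips: bool = False  # SC.L2-3.13.11 only: encryption in use, not yet FIPS-validated


def evaluate(open_findings):
    """Score an assessment from its unmet requirements; everything else is treated as met.

    Returns the score, whether the 88-point floor is reached, which open items a POA&M
    may carry, which open items block Conditional status outright, and the resulting status.
    """
    score = MAX_SCORE
    poam_eligible, blockers = [], []
    for f in open_findings:
        if f.req_id == CUI_ENCRYPTION and f.partial_fips:
            deduction, can_defer = 3, True                 # encryption present, FIPS validation pending
        else:
            deduction, can_defer = f.weight, f.weight == 1  # only 1-point items are deferrable
        if f.req_id in NEVER_DEFERRABLE:
            can_defer = False                              # barred regardless of point value
        score -= deduction                                 # the score can go negative
        (poam_eligible if can_defer else blockers).append(f.req_id)

    if not open_findings:
        status = "Final Level 2"
    elif score >= PASS_FLOOR and not blockers:
        status = "Conditional Level 2 (POA&M closeout due within 180 days)"
    else:
        status = "No CMMC status"
    return {
        "score": score,
        "meets_floor": score >= PASS_FLOOR,
        "poam_eligible": poam_eligible,
        "blockers": blockers,
        "status": status,
    }


# Constructed scenarios; weights are illustrative (see module docstring).
CONDITIONAL_CASE = [
    Finding("SC.L2-3.13.11", 5, partial_fips=True),  # costs 3 points and is deferrable
    Finding("AT.L2-3.2.3", 1),
    Finding("MP.L2-3.8.4", 1),
]
NO_ENCRYPTION_CASE = [Finding("SC.L2-3.13.11", 5)]     # no encryption at all: 5 points, not deferrable
ONE_POINT_BLOCKER_CASE = [Finding("PE.L2-3.10.3", 1)]  # 1 point, yet never deferrable
# 23 deferrable 1-point gaps land on 87: below the floor even though every item is POA&M-eligible.
BELOW_FLOOR_CASE = [Finding(f"XX.L2-0.0.{i}", 1) for i in range(23)]  # placeholder IDs

if __name__ == "__main__":
    for name, case in [("conditional", CONDITIONAL_CASE), ("no encryption", NO_ENCRYPTION_CASE),
                       ("1-point blocker", ONE_POINT_BLOCKER_CASE), ("below floor", BELOW_FLOOR_CASE)]:
        print(f"{name}: {evaluate(case)}")
```

The four scenarios are the ones the section warns about: a clean Conditional result, the encryption gap with and without the FIPS exception, a single 1-point physical-protection item that blocks Conditional status on its own, and a pile of otherwise-deferrable items that together drop the score under 88. Run it against your own gap report to see which open items are actually POA&M-eligible before a vendor tells you “we’ll POA&M the rest.”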
Which provider category should build your package?
The right category depends on whether your core problem is interpretation, implementation, evidence, security operations, scope reduction, or formal assessment. Most contractors who aren’t yet assessment-ready should start with readiness, managed IT/security, GRC, or enclave help — and engage a C3PAO only for the formal Level 2 (C3PAO) assessment, kept independent from readiness.
This is what The CMMC Path Framework — our method for mapping your required level, FCI/CUI handling, assessment type, IT/cloud environment, and timeline to the provider category you need — is built to resolve. It routes you to a category, not a named provider, and it is not a score, a ranking, or compliance advice.
| Provider category | Best for | Not for | What to verify |
|---|---|---|---|
| RPO / RP | Requirements interpretation, scoping, gap analysis, SSP, POA&M, readiness planning | Managed IT/security operations; formal certification | Cyber AB Marketplace listing, deliverables, conflict boundaries |
| CMMC-focused MSP | Implementing and operating identity, access, config, patching, backup, endpoint controls | The formal C3PAO assessment | CUI/DIB experience, evidence support, GCC High / enclave competence |
| MSSP | Logging, monitoring, alerting, incident-response support, security operations | Writing your full SSP alone | What evidence they generate and how it maps to the 110 requirements |
| GRC platform | Evidence repository, workflow, control mapping, audit readiness | Actual technical remediation | Data security, exportability, requirement mapping, evidence ownership |
| CUI enclave provider | Reducing scope by isolating CUI workflows | Contractors whose CUI is spread across many systems | Boundary, workflow impact, CRM, shared responsibility |
| Cloud implementer | GCC High, Azure Government, AWS GovCloud, tenant hardening | Legal interpretation; formal assessment | Configuration baseline, shared responsibility, FedRAMP/CSP assumptions |
| C3PAO | The formal Level 2 certification assessment, when required | Remediation, if you’re not ready | Authorized status on the Cyber AB Marketplace (dated), scope, conflict-of-interest handling |
➤ Get matched with source-checked provider options by category. Tell us your level, CUI scope, assessment type, environment, and timeline, and Find My CMMC Path will map you to the category that fits — with the questions to ask before you hire.
Find My CMMC Path →
How should the package handle cloud, GCC High, MSPs, and CUI enclaves?
Cloud and enclave choices can reshape a package, but they don’t erase the need for scope, implementation, evidence, and shared-responsibility documentation. If a Cloud Service Provider (CSP) or External Service Provider (ESP) touches your CUI, the package must document those roles in your SSP and a Customer Responsibility Matrix, per the scoping treatment in 32 CFR § 170.19.
There’s a real regulatory hook a cloud-based package must satisfy: DFARS 252.204-7012 requires that cloud services handling covered defense information meet security requirements equivalent to the FedRAMP Moderate baseline. That’s why “just move it to the cloud” isn’t a compliance strategy on its own.
| Your situation | What it usually points to |
|---|---|
| CUI is concentrated among a handful of users and workflows | A CUI enclave may fit — isolate it and shrink scope |
| CUI is spread across engineering, production, email, and shared drives | Enterprise-wide remediation is likely; an enclave alone won’t cover it |
| CUI will live in a cloud service | The CSP must be FedRAMP Moderate authorized or equivalent, documented in the SSP with a CRM |
| An ESP (e.g., an MSP) touches CUI or security-protection data | It must be reflected in your scope, SSP, service description, and CRM |
Do not accept “GCC High makes you compliant.” GCC High, Azure Government, AWS GovCloud, and encrypted-collaboration tools can help with architecture and scope, but they still require configuration, responsibility mapping, evidence, user behavior, and an SSP that reflects the real environment. See our GCC High for CMMC guide.
How do you compare vendor quotes without exposing CUI?
Use a no-CUI quote brief. Give vendors enough to scope the work — required level, assessment type, user count, environment, timeline, and CUI categories by label only — but never upload drawings, controlled technical information, contracts, vulnerability reports, or actual CUI into an intake form. The goal is comparable quotes, not a data spill.
Here’s the no-CUI quote brief. Copy it into your vendor conversations — and if you’d rather have it assembled for you, Find My CMMC Path builds the same brief and points you to the right provider category.
Fill these out without submitting CUI, drawings, export-controlled data, or contract attachments:
- Required CMMC level (Level 1 / Level 2 Self / Level 2 C3PAO / unsure)
- Prime or subcontractor
- Number of users who touch CUI
- Locations
- Current cloud environment (e.g., Microsoft 365 Commercial, GCC High, GovCloud, on-prem)
- CUI categories by label only
- Existing SSP? (yes / no / unsure)
- Existing SPRS score? (yes / no / unsure)
- Existing MSP/MSSP?
- Desired timeline
- Biggest concern
Safe to share: “We expect Level 2 C3PAO.” “About 25 users touch CUI.” “We’re on Microsoft 365 Commercial today.” “No current SSP.”
Never paste into a form: CUI, drawings, controlled technical information, contract attachments, system diagrams with sensitive detail, vulnerability reports, or credentials.
The biggest failure points in CMMC Level 2 packages
The most common failure is treating CMMC as documentation instead of scoped implementation and evidence. Packages fail when the SSP is generic, the CUI boundary is wrong, evidence is missing, provider responsibilities are unclear, or the buyer discovers too late that the package doesn’t support the required assessment type. Each of these is preventable if you know to look.
| Failure point | Practical consequence | How to prevent it |
|---|---|---|
| Wrong CUI scope | Too much or too little environment gets assessed; cost balloons or you fail | Build the asset inventory, data-flow map, and scope diagram first |
| “Rev. 3” confusion | Package doesn’t align to the current Level 2 basis | Require mapping to NIST SP 800-171 Revision 2 for CMMC Level 2 |
| Template SSP | Reviewer can’t tie claims to real systems; scoring risk | Customize the SSP to your actual boundary and connections |
| No evidence map | Control claims can’t be demonstrated at assessment | Require an evidence register with owners |
| POA&M misuse | Conditional status unavailable or lapses at 180 days | Validate eligibility against § 170.21 before assuming deferral |
| C3PAO engaged too early | Costly delay or a failed assessment | Confirm readiness first; keep readiness and assessment independent |
| Software-only approach | Tasks are tracked but controls remain unimplemented | Separate evidence management from technical remediation |
| Unclear ESP/CSP roles | Shared-responsibility gaps surface during assessment | Require a CRM and SSP references |
| Forgotten annual affirmation | Status risk after the initial work is done | Name an affirming official and put affirmation on a calendar |
If you’re reading this and realizing you’re not ready to request quotes yet, that’s useful information. Start with our CMMC readiness checklist and mark what you already have — scope, SSP, SPRS score, POA&M position, evidence map, and provider responsibilities — so your first vendor conversation starts from facts, not guesses.
When are you actually ready to talk to a C3PAO?
You’re ready when your Level 2 scope is defined, your SSP reflects your real environment, your evidence map is built, your POA&M position is understood, and your contract requires the C3PAO path. If you’re still building controls, you need readiness or managed-compliance help first. The Cyber AB CMMC Assessment Process governs how C3PAOs run Level 2 certification assessments, and it assumes you arrive with scope, evidence, and an SSP in hand.
There’s also a supply reality worth planning around. Phase 2 begins , and the DoD estimates roughly 35% of the defense industrial base will need a C3PAO assessment — against a limited pool of authorized C3PAOs (roughly 100 nationwide as reported at the Cyber AB’s early-2026 Town Hall updates; verify the current count on the Cyber AB Marketplace). Industry reporting has put C3PAO assessment fees in the ~$30,000–$75,000 range and scheduling waitlists at 6–12 months. Book readiness now, verify your assessor’s authorization on the day you sign, and don’t treat the assessment slot as something you can grab at the last minute.
A C3PAO-ready package should include:
- The assessment scope
- The SSP
- The asset inventory and network diagram
- An evidence index
- An interview-owner list
- Your POA&M position
- ESP/CSP responsibility documentation
- An internal readiness review
- Realistic C3PAO scheduling assumptions
How we built this — and what we actually verified
We built this page by separating three kinds of claims: official requirements (tied to primary sources), current-state facts (dated), and editorial judgment (labeled as such and grounded in the verified facts above). Regulatory claims here cite the issuing authority; provider-category guidance is our editorial conclusion, not a government position.
What we verified for this page
- 32 CFR Part 170 on the eCFR, including scoping (§ 170.19), the POA&M rules and the exact six non-deferrable requirements (§ 170.21), scoring (§ 170.24), affirmation (§ 170.22), the C3PAO conflict-of-interest rule (§§ 170.8(b)(17) and 170.9), and the confirmation that Level 2 maps to NIST SP 800-171 Revision 2 (§ 170.14) — verified .
- DFARS 252.204-7021 and DFARS 252.204-7025 on Acquisition.gov — confirmed as the operative clauses — and DFARS 252.204-7012 for the cloud/FedRAMP-equivalency requirement — verified July 2, 2026.
- DoD cost estimates for the Level 2 self-assessment and C3PAO paths, from the Final Rule’s regulatory impact analysis, including the point that they exclude NIST 800-171 implementation — verified July 2, 2026.
- Clause-numbering note: as of our review, the codified Acquisition.gov pages still displayed the original DFARS 252.204-7019 and -7020 and FAR 52.204-21 numbers, while the DoD’s Revolutionary FAR Overhaul class deviations (effective February 1, 2026) removed DFARS 252.204-7019 and renumbered -7020 to 252.240-7997 for affected solicitations ahead of formal rulemaking. Expect to see both old and new numbers during the transition — always go by the clause numbers in your actual solicitation.
What we did not verify here
- Any specific provider’s pricing, unless separately documented on a provider page.
- Any provider’s current Cyber AB Marketplace status — verify that yourself, dated, on the day you sign.
- Whether your contract requires Level 2 Self or Level 2 C3PAO — that’s in your clause.
- Legal interpretation of your contract, or any certification outcome.
Frequently asked questions
Is “CMMC Level 2 compliance package” an official DoD term?
No. It’s a market term used by buyers and vendors. The official sources — 32 CFR Part 170, the DFARS clauses, and the Cyber AB CMMC Assessment Process — define the program, levels, requirements, statuses, and assessments, but none of them defines a single official product called a “CMMC Level 2 compliance package.”
What should be included in a CMMC Level 2 compliance package?
At minimum: CUI/FCI scoping, an asset inventory and network diagram, a NIST SP 800-171 Revision 2 gap assessment, an SSP built from your real environment, policies and procedures, technical remediation, an evidence map, and SPRS/affirmation support. If your contract requires the Level 2 C3PAO path, it should also prepare a clean handoff to a separate, authorized C3PAO.
How much does a CMMC Level 2 compliance package cost?
For most small-to-midsize contractors, roughly $50,000–$200,000+, with complex environments higher. DoD’s official estimates cover only the assessment and affirmations — about $104,670 over three years for a small entity on the C3PAO path, about $37,196 for the self-assessment path — and they exclude NIST 800-171 implementation, which is what makes vendor “package” prices vary so widely. Remediation is usually the largest cost.
Does a compliance package include the C3PAO assessment?
No — it shouldn’t, and generally can’t be the same firm. Under 32 CFR § 170.8(b)(17)(ii)(G), the firm that prepares you cannot be on your Level 2 certification team for three years. Readiness and the formal C3PAO assessment are separate, independent engagements.
Can the same company prepare and certify me for CMMC Level 2?
No. The three-year conflict-of-interest rule (32 CFR § 170.8(b)(17)(ii)(G)) bars your preparer from your certification team, and C3PAOs must maintain ISO/IEC 17020 impartiality under § 170.9. Any pitch that bundles “prep plus certification” from one team is either misusing the word “package” or planning to hand you off to an independent assessor.
Do I need a C3PAO or can I self-assess for Level 2?
Your contract clause decides. In Phase 1 (through ), many contracts allow a Level 2 self-assessment, though the DoD may still require a C3PAO. Phase 2 begins , when the DoD begins requiring Level 2 C3PAO assessments in applicable solicitations. Confirm the required path in your solicitation before buying a package sized for the wrong one.
Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?
Build to NIST SP 800-171 Revision 2 for CMMC Level 2. NIST has published Revision 3, but 32 CFR Part 170 (§ 170.14) currently incorporates Revision 2 for CMMC Level 2 unless and until the DoD amends the rule. A package built only around Rev. 3 language should still map clearly back to the Rev. 2 requirement set.
Can I just POA&M the controls I don’t meet?
Only within strict limits under 32 CFR § 170.21. You need at least 88 of 110 points to earn Conditional status, only 1-point requirements are POA&M-eligible (with one narrow encryption exception at SC.L2-3.13.11), six specific requirements can never be deferred, and the SSP can’t be deferred. You then have 180 days to close the POA&M via a closeout assessment.
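As an added example (not from the page, the DoD, or any assessment tool), here is a small Python check that applies the POA&M limits above to a list of unmet requirements. It assumes the scoring methodology's 1-, 3- or 5-point deduction value per requirement, uses a placeholder set for the non-deferrable requirements the page does not list, and treats SC.L2-3.13.11 as deferrable at up to 3 points; the sample findings and their point values are constructed for illustration.

```python
"""POA&M eligibility check for CMMC Level 2 (added example, assumptions noted)."""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110          # NIST SP 800-171 Rev. 2 requirement count
CONDITIONAL_THRESHOLD = 88        # minimum score for Conditional status
POAM_CLOSEOUT_DAYS = 180          # days to close the POA&M via closeout assessment
ENCRYPTION_EXCEPTION = "SC.L2-3.13.11"
ENCRYPTION_MAX_DEFERRABLE_POINTS = 3   # assumption: the "narrow" exception
# Placeholder: replace with the six requirement IDs listed in 32 CFR 170.21
# plus the SSP requirement; the page does not enumerate them.
NON_DEFERRABLE = {f"NON-DEFERRABLE-PLACEHOLDER-{i}" for i in range(1, 7)} | {"SSP-PLACEHOLDER"}


@dataclass(frozen=True)
class Unmet:
    req_id: str
    points: int   # deduction value under the scoring methodology (1, 3 or 5)


def assessment_score(unmet: list[Unmet]) -> int:
    """Score = 110 minus the point value of every unmet requirement."""
    return TOTAL_REQUIREMENTS - sum(u.points for u in unmet)


def poam_eligibility(unmet: list[Unmet]) -> tuple[bool, list[str]]:
    """Return (eligible, reasons). Eligible means every unmet requirement
    may sit on a POA&M and the score still reaches Conditional status."""
    reasons = []
    score = assessment_score(unmet)
    if score < CONDITIONAL_THRESHOLD:
        reasons.append(f"score {score} is below {CONDITIONAL_THRESHOLD}")
    for u in unmet:
        if u.req_id in NON_DEFERRABLE:
            reasons.append(f"{u.req_id} can never be deferred")
        elif u.req_id == ENCRYPTION_EXCEPTION:
            if u.points > ENCRYPTION_MAX_DEFERRABLE_POINTS:
                reasons.append(f"{u.req_id} exceeds the encryption exception")
        elif u.points > 1:
            reasons.append(f"{u.req_id} is a {u.points}-point requirement")
    return (not reasons, reasons)


def closeout_deadline(conditional_status_date: date) -> date:
    """Last day to close the POA&M after Conditional status is granted."""
    return conditional_status_date + timedelta(days=POAM_CLOSEOUT_DAYS)


# Constructed sample: IDs and point values are illustrative, not official.
SAMPLE_OK = [Unmet("AT.L2-3.2.3", 1), Unmet("MP.L2-3.8.9", 1), Unmet("SC.L2-3.13.11", 3)]
SAMPLE_BLOCKED = SAMPLE_OK + [Unmet("IA.L2-3.5.3", 5), Unmet("SSP-PLACEHOLDER", 1)]
```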
Can software make my company CMMC compliant?
No. GRC platforms and evidence tools organize the work and can shorten it, but they don’t implement controls, staff your processes, or determine what your contract requires. You still need scoped implementation, operational controls, responsible owners, and an accurate affirmation.
Do I need GCC High for CMMC Level 2?
Not necessarily. GCC High, GovCloud, encrypted collaboration, or a CUI enclave may be appropriate depending on your CUI workflows and scope, but any cloud handling covered defense information must meet FedRAMP Moderate equivalency under DFARS 252.204-7012, and your package must document cloud and service-provider responsibilities in the SSP and a Customer Responsibility Matrix.
How long does Level 2 readiness take?
Commonly 6–18 months for small-to-midsize organizations, depending on starting maturity, scope, remediation burden, and provider availability. A vendor’s “16 weeks” claim is only meaningful with visible assumptions — user count, CUI scope, cloud model, inherited controls, staff availability — and whether it means “assessment-ready” or “final status.” See our how-long-does-CMMC-take guide.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →
Primary sources
- 32 CFR Part 170 — CMMC Program (eCFR)
- 32 CFR § 170.9 — C3PAOs / impartiality
- 32 CFR § 170.21 — Plan of Action and Milestones requirements
- 32 CFR § 170.24 — CMMC Scoring Methodology
- Federal Register — CMMC Program final rule (Oct 15, 2024), incl. cost estimates
- DFARS 252.204-7012 — Safeguarding Covered Defense Information
- DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7021 — Contractor Compliance with CMMC Level Requirements
- DFARS 252.204-7025 — Notice of CMMC Level Requirements
- NIST SP 800-171 Revision 2
- DoD CIO — FedRAMP Authorization and Equivalency
- DoD CIO — CMMC resources & documentation (phase timing)
- Cyber AB Marketplace (verify C3PAO status)