CMMC Level 2 Implementation Services: What They Include, Who to Hire First, and What to Verify
CMMC Level 2 implementation services are the readiness and remediation work that gets your systems ready to pass a CMMC Level 2 assessment — scoping your Controlled Unclassified Information (CUI), implementing the 110 security requirements of NIST SP 800-171 Revision 2, writing your System Security Plan (SSP) and Plan of Action & Milestones (POA&M), and building the evidence an assessor will demand. They are not certification.
Here’s the part most vendors won’t put in their pitch: under 32 CFR § 170.8(b)(17)(ii)(G), the firm that gets your environment ready for CMMC generally cannot be on your Level 2 certification team for three years. So “full-service CMMC” from one company is almost always readiness — and a hand-off to an independent C3PAO you engage separately.
Who this page is for — and who it isn’t
| This page is for you if… | This page isn’t the right stop if… |
|---|---|
| You handle (or expect to handle) CUI and a solicitation or prime is pushing CMMC on you | You just want a plain-English “what is CMMC” definition — start with our CMMC levels overview |
| You’re a subcontractor getting flow-down and don’t know what to buy first | You’re already assessment-ready and shopping for a specific C3PAO |
| You’re a CISO, IT director, compliance manager, FSO, contracts officer, or owner comparing implementation help | You want legal advice or a guaranteed certification outcome — no honest provider can promise that |
| You’re weighing an RPO vs. an MSP/MSSP vs. a GRC platform vs. a CUI enclave vs. a C3PAO | You want to paste CUI or contract details into a form — please don’t, here or anywhere public |
Which CMMC Level 2 implementation path fits you?
The right Level 2 implementation path depends on your contract-required CMMC status, where your CUI actually lives, your IT environment, and how much you can do in-house. There is no single “best” provider — there’s a best first call for your situation.
| Your situation | Compare this category first | Why |
|---|---|---|
| You don’t know where CUI lives or what’s in scope | RPO/RP-led readiness (with MSP support if needed) | Scope drives cost, timeline, and evidence. Everything else waits on this. |
| You have CUI across existing IT and weak security operations | CMMC-focused MSP/MSSP | You need controls implemented and operated, not just documented |
| You want to shrink how much of your business is in scope | CUI enclave / secure collaboration + a scoping advisor | An enclave can reduce scope — but only if your data flows, users, and processes actually fit inside it |
| You have decent controls but poor documentation and evidence | GRC platform + RP/RPO advisory | Software organizes evidence; it does not implement controls by itself |
| Your contract says Level 2 (Self) and scope is stable | RP/RPO advisory, internal owner, or MSP | You may not need a C3PAO certification at all |
| Your contract says Level 2 (C3PAO) and you’re ready | An authorized/accredited C3PAO — separate from your implementer | The firm that prepared you generally can’t be the one that certifies you |
| You’re eyeing Level 3 later | Level 2 (C3PAO) readiness first | A Final Level 2 (C3PAO) status is a prerequisite before Level 3 |
Map your Level 2 implementation path before you request a single quote. Tell us your required level, whether you handle FCI or CUI, your assessment type, your IT/cloud environment, and your timeline, and we’ll point you to the provider category to compare first.
What CMMC Level 2 implementation services actually include
CMMC Level 2 implementation services take you from requirements on paper to controls that are built, documented, operating, and provable. A full engagement typically covers CUI scoping, technical remediation, policy and procedure development, the SSP and POA&M, evidence collection, user training, and preparation for whichever Level 2 assessment path your contract names. It is a bundle of workstreams — not a single product.
CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families and measured against 320 assessment objectives in NIST SP 800-171A. We read the CMMC Program Rule (32 CFR Part 170, effective December 16, 2024) directly to confirm that mapping.
Implementation is not certification. Implementation help builds and documents your controls. A CMMC assessment verifies them. If your contract requires a third-party certification (Level 2 (C3PAO)), that assessment is a separate step, done by a different kind of organization, after the implementation work is finished.
What a real implementation engagement should hand you
| Deliverable | Why it matters | Category that usually produces it |
|---|---|---|
| CUI data-flow map | You can’t scope or price the work until you know where CUI travels | RPO/RP, vCISO, MSP |
| Asset inventory + scope categorization | Level 2 scoping under 32 CFR § 170.19 depends on asset categories | RPO/RP, MSP |
| System Security Plan (SSP) | Describes each requirement and how it’s met or planned; core assessment evidence | RPO/RP, GRC platform, internal owner |
| Plan of Action & Milestones (POA&M) | Tracks remaining gaps — allowed only under strict, time-boxed limits (32 CFR § 170.21) | RPO/RP, GRC platform |
| Technical remediation | Identity/MFA, logging, endpoint hardening, vulnerability management, configuration, access control | MSP/MSSP |
| Evidence repository | Shows controls are real and repeatable, not a one-time screenshot | GRC platform, RP/RPO, internal owner |
| Customer Responsibility Matrix (CRM) | Documents shared responsibilities when an External Service Provider is in your scope (32 CFR § 170.19) | MSP/MSSP, cloud/enclave provider |
| Mock evidence review | Tests whether your documents, artifacts, and interviews would survive an assessment | RP/RPO, readiness provider |
The one rule that decides who you hire: the firm that gets you ready can’t certify you
Under the CMMC Program Rule, an organization that consulted on your CMMC preparation generally cannot participate in your Level 2 certification assessment for three years. In plain terms: you can’t hire one company to both get your environment ready and then certify it. It sounds like a hassle. It’s actually a protection.
Here’s the exact basis. 32 CFR § 170.8(b)(17)(ii)(G), together with the Cyber AB Code of Professional Conduct, bars a CMMC Ecosystem member from working on the Level 2 certification assessment of an organization it served as a consultant to prepare for any CMMC assessment within the prior three years. The Code’s own example is telling: even a consultant who only prepped a company for a Level 1 self-assessment is blocked from that company’s Level 2 certification team. The restriction is on the person or entity, not just the engagement scope.
You’re really running two searches, not one: a readiness/implementation partner to get you ready, and (if your contract requires it) a separate, independent C3PAO to certify you. Industry practitioners consistently put the C3PAO audit fee at roughly 20–30% of the total cost of getting certified; the rest is remediation and evidence. Most of your money goes to implementation.
Start with a readiness provider that will hand you a clean assessment package and cheerfully step aside for the independent C3PAO you engage separately.
Do you need implementation help, a C3PAO, or both?
If you’re not assessment-ready, you almost always need implementation help before a C3PAO. A C3PAO is the only entity authorized to perform a Level 2 certification assessment, and it belongs at the end of the process. Level 2 has two paths, and your contract decides which applies — not your vendor’s sales script. See our full self-assessment vs. C3PAO comparison.
| | Level 2 (Self) | Level 2 (C3PAO) |
|---|---|---|
| Control set | 110 requirements, NIST SP 800-171 Rev. 2 | Same 110 requirements |
| Who assesses | Your organization (the OSA) | An authorized/accredited C3PAO |
| Where results go | Posted in SPRS by your organization | Submitted by the C3PAO into CMMC eMASS, then to SPRS |
| Validity | Three years, with annual affirmations | Three years, with annual affirmations |
| Use when | Your contract permits Level 2 (Self) | Your contract requires Level 2 (C3PAO) |
Level 2 does not automatically mean a C3PAO. Some Level 2 contracts allow a self-assessment; others require third-party certification. Read the clause (or have an RP read it) before you assume you need a five-figure audit you may not be required to get.
Which CMMC Level 2 implementation provider category should you compare first?
There is no universal best provider category — there’s a best fit for your situation. Here’s what each one is for:
- RPO / RP (Registered Provider Organization / Registered Practitioner). Best for interpreting requirements, mapping CUI data flows, defining scope, structuring the SSP, planning the POA&M, and sequencing readiness. What they shouldn’t claim: that they can “certify” you or guarantee a Level 2 status.
- MSP / MSSP (Managed Service Provider / Managed Security Service Provider). Best when controls need to be built and run day to day — identity, endpoints, logging, vulnerability management, secure configuration, incident response. What they shouldn’t claim: that managed tools alone equal CMMC.
- GRC platform (Governance, Risk, and Compliance software). Best for an evidence repository, control mapping, task ownership, POA&M tracking, and audit trails. What it shouldn’t claim: that software implements controls by itself.
- CUI enclave (a bounded, secured environment for CUI, often on Microsoft GCC High or AWS GovCloud). Best when CUI sprawl is your biggest cost driver. What it shouldn’t claim: that the enclave automatically removes your endpoints, people, and external systems from scope.
- C3PAO (Certified Third-Party Assessment Organization). Best — and only — for the formal Level 2 certification assessment, once you’re ready. What it shouldn’t do: also serve as your preparation, consulting, or remediation provider for the same effort (the three-year conflict window applies).
The CMMC Level 2 Implementation Services Fit Matrix
| If your situation looks like this | First category to compare | What they should help implement | What they should NOT claim | Deliverables to require | Wrong-provider risk |
|---|---|---|---|---|---|
| You handle CUI but don’t know your system boundary | RPO/RP readiness (± MSP) | CUI discovery, data-flow mapping, asset categories, SSP structure, assessment-path decision | That they can certify you or guarantee Level 2 | CUI data-flow diagram, asset inventory, scope memo, SSP outline, assessment-type decision | Buying tools before scope; scope (and cost) balloons |
| Existing IT, weak security operations | CMMC-focused MSP/MSSP | Identity/MFA, endpoint, logging, vuln management, config baselines, incident response | That managed tools are the whole CMMC answer | Shared-responsibility matrix, evidence-ownership plan, log/ticket exports, SSP inputs | Green dashboards but failed evidence and interviews |
| You want to reduce CUI sprawl | CUI enclave + scoping advisor | Controlled collaboration, CUI access boundaries, secure file sharing, data segregation | That the enclave erases all remaining corporate scope | Data-flow map, enclave boundary, CRM, remaining-scope list, user/process rules | Believing the enclave handles endpoints, people, and external systems by itself |
| Mature controls, poor documentation | GRC platform + RP/RPO | Evidence workflow, control mapping, task ownership, POA&M tracking, audit trail | That software implements controls on its own | Rev. 2 mapping, evidence repository, SSP/POA&M exports, owner matrix | Paying for a repository while real gaps stay open |
| Contract requires Level 2 (Self); scope stable | RP/RPO + internal owner or MSP | Self-assessment prep, SPRS score support, evidence collection, affirmation cadence | That a C3PAO is automatically required | Self-assessment package, score basis, SSP, POA&M (if allowed), affirmation calendar | Overspending on a certification path your contract doesn’t require |
| Contract requires Level 2 (C3PAO); you’re ready | Authorized/accredited C3PAO | The formal Level 2 certification assessment | That they can also prepare, consult, or remediate the same effort they assess | Assessment plan, current Cyber AB status source, assessor names, conflict review | Hiring the assessor before evidence is ready — or creating an independence problem |
| Aiming for Level 3 later | Level 2 (C3PAO) readiness first, then C3PAO, then DIBCAC path | Final Level 2 (C3PAO) readiness, then selected NIST SP 800-172 requirements | That you can skip the Final Level 2 (C3PAO) prerequisite | Level 2 scope, Level 3 delta plan, 800-172 mapping, DIBCAC readiness plan | Designing for Level 3 before Level 2 scope is validated |
➤ Match your situation to the right provider category to compare first — before the sales calls start.
How your CUI scope changes the plan (and the price)
CUI scope is the single biggest driver of cost and timeline in Level 2 implementation. The more places CUI is processed, stored, or transmitted, the more controls you implement and the more evidence you produce. That’s why the first implementation question is never “GCC High or not?” — it’s “where does CUI actually go?”
The rule backs this up. 32 CFR § 170.19 requires you to define your CMMC Assessment Scope before the assessment, and it sorts your environment into asset categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. See our CMMC scoping guide for the full breakdown.
Scope patterns and what they usually demand
| Scope pattern | Implementation pressure | Categories to compare first |
|---|---|---|
| CUI in email and file shares across many users | Heavy identity, access, logging, and training burden | MSP/MSSP + RPO |
| CUI limited to a small project team | Prime scope-reduction opportunity | RPO + enclave / secure collaboration |
| CUI in CAD / engineering workflows | Endpoint, file-transfer, export-control, and user-process complexity | MSP/MSSP + enclave + RP |
| Remote-only small business | Device, identity, evidence, and policy discipline | RP/RPO + MSP or managed enclave |
| Mature IT, undocumented controls | Evidence and SSP gap, not a technical gap | GRC platform + RP/RPO |
| An external provider runs part of your environment | CRM and provider-scope risk | MSP/MSSP or enclave provider, with documentation |
One technical trap: don’t assume standard commercial Microsoft 365 is acceptable for CUI. If a cloud service provider processes, stores, or transmits your CUI, the CMMC framework (via 32 CFR Part 170 and DFARS 252.204-7012) expects that cloud environment to meet FedRAMP Moderate authorization or equivalency, with shared responsibilities documented in your CRM and SSP. Verify the exact service offering, its FedRAMP posture, and who owns which control before you place CUI there.
What CMMC Level 2 implementation actually costs
There is no fixed regulatory price for implementation — and the number you’ve probably seen quoted isn’t your implementation budget. The DoD’s widely cited figure of roughly $105,000 is a three-year assessment-and-affirmation estimate that deliberately excludes the cost of implementing the controls.
The DoD number, and why it misleads
We read the DoD’s Regulatory Impact Analysis for the CMMC Program Rule (published with the Final Rule in the Federal Register, October 15, 2024). Its official three-year estimates for Level 2:
| Path | Small entity (3-year) | Other-than-small (3-year) | What it covers |
|---|---|---|---|
| Level 2 (Self) + 3 affirmations | $37,196 | $48,827 | Assessment + affirmation only |
| Level 2 (C3PAO) + 3 affirmations | $104,670 | $117,768 | Assessment + affirmation only — NOT implementation |
| Level 1 self-assessment (annual) | $5,977 | $4,042 | Self-assessment + affirmation |
| Level 3 (DIBCAC) + 3 affirmations | $12,802 | $44,444 | Assessment + affirmation (implementation costed separately) |
The DoD’s own analysis did not include the cost of implementing the security requirements, because implementation was already required years earlier — by FAR 52.204-21 (effective June 15, 2016) and DFARS 252.204-7012 (which the analysis describes as requiring NIST SP 800-171 Rev. 2 implementation by December 31, 2017). In the DoD’s view, you should have already spent that money. Treat $104,670 as the cost to prove you’re compliant — not the cost to become compliant.
What getting ready actually costs (provider-published 2026 ranges)
| Line item | Typical range (2026) | Reported by |
|---|---|---|
| Gap assessment | $3,500–$20,000 | Secureframe |
| Remediation / implementation | $20,000–$150,000+ | Workstreet, Secureframe |
| CUI enclave (if used) | $300–$400 per user/month, or ~$3,000–$4,000/month | Secureframe, PreVeil |
| RPO / readiness consulting (Level 2) | $15,000–$40,000 | Provider-published |
| C3PAO assessment fee | $30,000–$100,000+ | Provider-published |
| Internal staff time | 400–800 hours | Teal CMMC |
| Annual upkeep | $18,000–$35,000/year | Provider-published |
| Reported first-year totals | $60,000–$300,000+ | Teal, Delve (market analyses) |
The quote you’re about to get — decoded
Most quotes bundle everything into one number, so you can’t tell whether you’re buying implementation, tools, managed operations, or assessment prep. The only way to know is to force the line items apart. Use the CMMC Level 2 Implementation Quote Normalizer below.
| Quote line item | Ask them to separate it? | Why |
|---|---|---|
| CUI scoping / data-flow mapping | Yes | So you’re not paying to secure the wrong environment |
| SSP / POA&M / policy work | Yes | Separates documentation from control operation |
| Technical remediation | Yes | Shows what’s actually being implemented |
| Managed services (ongoing) | Yes | Distinguishes one-time project work from a monthly bill |
| GRC software | Yes | Software is not the same as implementation |
| CUI enclave setup | Yes | Lets you compare scope reduction vs. full-environment remediation |
| C3PAO assessment | Yes | Must be separate from readiness/remediation (see the firewall above) |
| Annual maintenance / affirmation support | Yes | CMMC is maintained, not “one and done” |
Don’t request quotes until you know which line items you’re comparing. Use Find My CMMC Path to identify whether your first quote should come from readiness advisory, managed implementation, a GRC/evidence layer, an enclave, or a C3PAO.
What a good Level 2 implementation SOW should include
A strong Statement of Work (SOW) names exactly what will be scoped, implemented, documented, tested, and handed over — plus what’s excluded. “We’ll get you CMMC compliant” is a weaker promise than a SOW that lists workstreams mapped to the 110 requirements, names who owns each one, and specifies the evidence you’ll keep.
Insist on all five of these:
- Scope and assumptions. Contract-required level and assessment type, CAGE codes, business units, CUI data flows, FCI/CUI handling, cloud environment, external service providers, remote users, endpoints, facilities — and the systems explicitly excluded.
- Documentation outputs. SSP (a direct NIST SP 800-171 requirement — 3.12.4 — and central assessment evidence), POA&M (governed by 32 CFR § 170.21), policies and procedures, data-flow and network diagrams, asset inventory, access-control matrix, incident response plan, security-awareness evidence, vulnerability-management procedures, and CRM references wherever an External Service Provider is in scope (32 CFR § 170.19).
- Technical remediation outputs. Identity/MFA, least privilege, endpoint hardening, logging and monitoring, secure configuration, vulnerability management, media protection, encryption, backups, incident response, boundary protection, secure remote access, and account management.
- Evidence and ownership. You own the evidence package. The SOW should state where artifacts live, who can export them, how long they’re retained, and how evidence is maintained after the engagement ends. If you can’t export it, you’re renting your compliance.
- Assessment hand-off. The provider should prepare a clean package for your Level 2 (Self) submission or your C3PAO assessment — while stating clearly that the engagement itself does not produce a CMMC certificate.
SOW red flags
| Red flag | Why it matters | Ask for this instead |
|---|---|---|
| “We make you CMMC compliant” | Overbroad and usually unsupported | “We implement and document these workstreams mapped to the Level 2 requirements” |
| No CUI scoping deliverable | Scope drives everything downstream | Data-flow and asset-category outputs |
| No evidence ownership | You can get trapped in the vendor’s system | Exportable evidence and documentation |
| No CRM for external services | Undocumented shared responsibility breaks assessments | Provider/service responsibility mapping |
| No readiness-vs-assessment language | Creates C3PAO independence confusion | Explicit separation of readiness and formal assessment |
| Tool-first SOW | Tools aren’t the program | Process, evidence, training, and operations |
How long Level 2 implementation takes — and why timing is now a contract issue
Plan for 6–18 months from a cold start to assessment-ready, driven mostly by remediation and documentation, not the audit itself. The enforcement clock, though, is fixed. Straight from 32 CFR § 170.3(e) and the DFARS acquisition rule (published September 10, 2025, effective November 10, 2025):
- Phase 1: CMMC requirements begin appearing in new DoD contracts. Level 1 and Level 2 (Self) show up as conditions of award; DoD may, at its discretion, require Level 2 (C3PAO) on prioritized contracts.
- Phase 2 begins: Level 2 (C3PAO) certification is added to applicable solicitations and contracts as a condition of award. See our Phase 2 deadline guide.
- Phase 3 begins: Level 2 (C3PAO) extends to all applicable contracts (including option exercises); Level 3 (DIBCAC) requirements begin.
- Phase 4 begins: Full implementation across all applicable contracts.
As of the March 2026 Cyber AB Town Hall, the ecosystem had roughly 103 authorized C3PAOs and about 759 Certified CMMC Assessors, and only about 1,000 organizations — roughly 1% of the Defense Industrial Base — had achieved Level 2 certification. The DoD’s Final Rule estimated 8,350 medium and large entities alone would need a Level 2 (C3PAO) assessment; industry analyses put the total number of organizations needing Level 2 at 80,000-plus. The move is to make readiness your first priority and book a C3PAO early. (Confirm current C3PAO and assessor counts yourself on the Cyber AB Marketplace.)
A practical 30 / 60 / 90-day roadmap
| Window | Goal | Outputs |
|---|---|---|
| First 30 days | Know exactly what you’re solving | Clause and required-status check; identify FCI and CUI; map CUI data flows; inventory systems, users, facilities, and external providers; decide your first provider category |
| Days 31–60 | Turn gaps into a real plan | SSP draft; POA&M if applicable; prioritized high-impact control gaps; tool-gap list; evidence plan; assign an internal owner to each workstream |
| Days 61–90 | Prove operation | Real artifacts collected; access reviews, logging samples, vulnerability process, training records; CRM/shared-responsibility documentation |
| Months 4–6+ | Stabilize and get ready | Repeatable evidence; mock review; SOW refinement; decision on Level 2 (Self) submission or C3PAO assessment planning |
Start readiness now, while the calendar is still on your side.
What to verify before you sign
Before you sign anything, confirm the provider’s category, what they actually perform, whether they’re readiness or assessment (not both on the same engagement), what evidence you’ll own, how external services get documented, and — if it matters — that any Cyber AB status claim is current. A “CMMC expert” badge means nothing without a scoped SOW behind it.
| Verify this | Ask this question |
|---|---|
| Provider category | Are you acting as an RPO/RP, MSP/MSSP, GRC provider, enclave provider, C3PAO, or something else? |
| Readiness vs. assessment | Are you preparing us, assessing us, or both in separately permissible contexts? |
| Cyber AB relevance | Is Cyber AB status relevant to what you’re selling, and what is your current status? (Confirm it yourself on the Cyber AB Marketplace.) |
| Evidence ownership | Will we own and export the SSP, POA&M, policies, diagrams, tickets, logs, and artifacts? |
| Scope method | How will you identify our CUI flows and asset categories before quoting the buildout? |
| Shared responsibility | How will your services be documented in our SSP and CRM? |
| Rev. 2 alignment | Is your Level 2 mapping tied to NIST SP 800-171 Rev. 2? (For CMMC, it must be.) |
| Tool dependence | What happens to our compliance if we stop using your tool or service? |
| C3PAO hand-off | What will be ready for an assessor, and what stays our responsibility? |
| Compensation disclosure | Are you receiving any referral, sponsorship, or partner compensation tied to this recommendation? |
The most expensive mistakes in Level 2 implementation
These are our editorial conclusions, drawn from the verified facts above and from what assessors and readiness providers consistently report.
Buying the tool stack before the scope
The tool might be necessary — but scope determines what it has to protect and what evidence it must produce. Tool-first buying creates expensive rework.
Treating a gap assessment as implementation
A gap assessment tells you what's missing. Implementation fixes, documents, operates, and proves it. They're different purchases.
Calling a C3PAO too early
The assessor is not your remediation team (the firewall forbids it), and booking one before your evidence is ready wastes scarce assessment slots and money.
Assuming Level 2 always requires a C3PAO
Some Level 2 contracts allow self-assessment. The contract clause decides — confirm it before you buy a certification you may not need.
No internal owner
Even with a great MSP or RPO, the evidence, interviews, affirmations, and business-process changes stay with you. Someone inside has to own it.
How The CMMC Path Framework maps your situation to a category
The CMMC Path Framework is our logic for turning your specifics into a provider category to compare first. It takes your required level, FCI/CUI handling, assessment type, IT/cloud environment, CUI scope, internal capacity, and contract timeline, and outputs the category — not a named vendor, not a score, not a ranking, and not compliance advice.
- Inputs: required CMMC level; FCI vs. CUI; Level 2 (Self) vs. Level 2 (C3PAO); CUI scope and data flows; cloud/IT environment; existing controls and evidence; internal team capacity; contract or prime timeline.
- Outputs: the provider category to compare first; the workstreams you’ll likely need; the questions to ask before quotes; and whether you should be talking to readiness providers, managed service providers, GRC platforms, enclave providers, or a C3PAO.
That’s the framework behind The Defense Compliance Report’s Find My CMMC Path tool. It exists because a general answer can’t resolve your level, scope, environment, and timeline for you — but a few inputs can.
What we actually verified for this guide
Verified against primary and authoritative sources on :
- 32 CFR Part 170 is the current CMMC Program Rule (effective December 16, 2024).
- CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Rev. 2, across 14 families and 320 assessment objectives (NIST SP 800-171A).
- Level 2 has two paths — Level 2 (Self) and Level 2 (C3PAO); the contract clause determines which applies.
- Level 2 scope must be defined before assessment and uses the asset categories in 32 CFR § 170.19.
- POA&Ms are limited, conditional, and time-boxed under 32 CFR § 170.21, with a 180-day closeout window.
- A CMMC Ecosystem member that consulted to prepare you for a CMMC assessment generally cannot participate in your Level 2 certification assessment for three years (32 CFR § 170.8(b)(17)(ii)(G); Cyber AB Code of Professional Conduct); C3PAOs must meet ISO/IEC 17020:2012 (§ 170.9).
- DFARS 252.204-7021 requires contractors to have and maintain the required CMMC status for applicable systems and to flow requirements down to subcontractors; DFARS Subpart 204.75 requires contracting officers to check SPRS when CMMC status is required.
- Phase 1 began ; Phase 2 begins (32 CFR § 170.3(e); DFARS acquisition rule).
- The DoD’s Level 2 (C3PAO) three-year cost estimate ($104,670 small / $117,768 other-than-small) covers assessment and affirmation and excludes implementation (CMMC Regulatory Impact Analysis, Federal Register, October 15, 2024).
- February 2026 clause changes are class deviations, not codified rules. Effective February 1, 2026, DoD class deviations under the Revolutionary FAR Overhaul direct contracting officers to use new clause numbers in covered solicitations — FAR 52.204-21 as FAR 52.240-93, DFARS 252.204-7020 as DFARS 252.240-7997, and DFARS 252.204-7019 dropped as a standalone provision. The official FAR and DFARS text on Acquisition.gov still displays the prior numbers; the CMMC clauses (252.204-7021 and 252.204-7025) and the safeguarding clause (252.204-7012) are unchanged.
Not verified for this page: named-provider rankings; specific providers’ current Cyber AB Marketplace status; provider compensation relationships; provider-specific pricing; or any provider’s customer outcomes or certification success rates.
Frequently asked questions about CMMC Level 2 implementation services
Are CMMC Level 2 implementation services the same as certification?
No. Implementation services help you build, remediate, document, operate, and prove your Level 2 control environment. Certification is a separate step — a Level 2 (C3PAO) assessment by an authorized third party — required only when your contract calls for it (32 CFR Part 170).
Do I need a C3PAO for CMMC Level 2?
Only if your contract requires Level 2 (C3PAO) status. Level 2 also has a self-assessment path, where your organization conducts the assessment and posts results in SPRS. Read the contract clause to know which applies.
Can a C3PAO also help with my implementation?
Generally not on the same effort. Under 32 CFR §170.8(b)(17)(ii)(G) and the Cyber AB Code of Professional Conduct, a CMMC Ecosystem member that consulted to prepare you for a CMMC assessment cannot participate in your Level 2 certification assessment for three years. Keep readiness/remediation and formal assessment in separate hands.
Is an RPO required for CMMC Level 2 implementation?
No rule requires every contractor to hire a Registered Provider Organization. But an RPO or Registered Practitioner is genuinely useful for interpreting the requirements, scoping CUI, building the SSP and POA&M, and planning remediation — especially if you don't have in-house CMMC experience.
Is a GRC platform enough for CMMC Level 2?
No. A GRC platform manages evidence, control mapping, tasks, and POA&M work — but it doesn't implement security controls by itself. Use it as an evidence and workflow layer, not as a substitute for technical and operational implementation.
Do we need Microsoft GCC High for CMMC Level 2?
Not a blanket yes or no. It depends on where your CUI is processed, stored, and transmitted, your contract requirements, and your external providers. If a cloud service provider handles your CUI, the framework expects FedRAMP Moderate authorization or equivalency, with responsibilities documented in your CRM and SSP (32 CFR Part 170; DFARS 252.204-7012). Don't assume standard commercial Microsoft 365 is acceptable for CUI — verify the exact service offering before you place CUI there.
Can a small contractor implement CMMC Level 2 without a big MSP?
Sometimes — if your CUI scope is small, your internal ownership is strong, and your team can operate and document the controls. Many small contractors still need advisory help, an enclave, or a managed provider when internal IT can't maintain the evidence and operations over time.
What evidence should an implementation provider leave behind?
At minimum: scope documentation, CUI data flows, asset inventory, SSP, POA&M (if applicable), policies and procedures, technical configuration evidence, access-review records, vulnerability-management evidence, incident response artifacts, training records, CRM/shared-responsibility documentation, and an assessment-readiness hand-off package — all exportable and owned by you.
Should we buy a tool before hiring an implementation provider?
Not before scope is clear. Tools can be necessary, but tool-first buying often creates expensive rework once your CUI data flows, user groups, endpoints, external services, and assessment type are actually defined.
What happens if we get Conditional Level 2?
Conditional Level 2 status is allowed only when the assessment meets the POA&M conditions in 32 CFR §170.21, and the POA&M must then be closed out within 180 days. To qualify, your assessment score must be at least 88 of 110 points (a ratio of 0.8), and only 1-point requirements may sit on the POA&M, with one exception: SC.L2-3.13.11 (CUI encryption) may be deferred when encryption is in place but not FIPS-validated. No 3- or 5-point requirement can be deferred, and §170.21 also names a handful of 1-point requirements (external connections, control of public information, and the physical-access requirements) that can never be deferred. Closeout is verified by a POA&M closeout assessment; miss the 180-day window and the conditional status expires, which means a new assessment rather than finishing the old one.
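The eligibility conditions above are easy to misread when triaging findings, so here is an added example (not the page's or any provider's tool) that encodes the three §170.21 tests over a constructed list of NOT MET findings. The requirement identifiers are real NIST SP 800-171 Rev. 2 / CMMC IDs, but which requirements are marked NOT MET, and the point values attached to them, are assumed for illustration and must be taken from your actual assessment and the CMMC scoring methodology.

```python
"""POA&M eligibility check for Conditional CMMC Level 2 status (added example).

Encodes 32 CFR 170.21(a)(2): (i) score / 110 >= 0.8, (ii) only 1-point
requirements on the POA&M except SC.L2-3.13.11 at 3 points (encryption in
use but not FIPS-validated), (iii) a short list of requirements that can
never be deferred. Findings and point values below are constructed.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110  # NIST SP 800-171 Rev. 2 requirements in Level 2 scope
MAX_SCORE = 110           # one point per requirement when everything is MET
ENCRYPTION_REQ = "SC.L2-3.13.11"

# 170.21(a)(2)(iii): never deferrable, regardless of point value.
NEVER_DEFERRABLE = frozenset({
    "AC.L2-3.1.20",  # external connections
    "AC.L2-3.1.22",  # control public information
    "PE.L2-3.10.3",  # escort visitors
    "PE.L2-3.10.4",  # physical access logs
    "PE.L2-3.10.5",  # manage physical access
})


@dataclass(frozen=True)
class Finding:
    req_id: str
    points: int  # 1, 3 or 5 as deducted by the scoring methodology


def score(findings):
    """Assessment score: 110 minus the points deducted for each NOT MET finding."""
    return MAX_SCORE - sum(f.points for f in findings)


def evaluate(findings):
    """Return (eligible_for_conditional_status, reasons_it_is_not)."""
    reasons = []
    s = score(findings)
    # Integer comparison avoids float surprises at exactly 0.8 (88/110).
    if s * 5 < TOTAL_REQUIREMENTS * 4:
        reasons.append(f"score {s}/{TOTAL_REQUIREMENTS} is below the 0.8 threshold (88)")
    for f in findings:
        if f.req_id in NEVER_DEFERRABLE:
            reasons.append(f"{f.req_id} can never be placed on a POA&M")
        elif f.req_id == ENCRYPTION_REQ:
            if f.points > 3:
                reasons.append(f"{f.req_id} at {f.points} points (no encryption) cannot be deferred")
        elif f.points > 1:
            reasons.append(f"{f.req_id} is worth {f.points} points; only 1-point requirements may be deferred")
    return (not reasons, reasons)


# Constructed sample: two 1-point gaps plus non-FIPS encryption (assumed values).
SAMPLE_NOT_MET = [
    Finding("AT.L2-3.2.3", 1),     # insider-threat awareness training
    Finding("CM.L2-3.4.9", 1),     # control user-installed software
    Finding(ENCRYPTION_REQ, 3),    # encryption deployed, not FIPS-validated
]

if __name__ == "__main__":
    ok, why = evaluate(SAMPLE_NOT_MET)
    print("score:", score(SAMPLE_NOT_MET), "eligible:", ok, why)
```

Feed it the NOT MET rows from a mock or formal assessment and it tells you whether a POA&M is even on the table before anyone negotiates which findings to defer; a 5-point gap such as a missing authentication control fails condition (ii) no matter how high the total score is.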
Is CMMC Level 2 based on NIST SP 800-171 Rev. 2 or Rev. 3?
For the current CMMC Program Rule, Level 2 maps to NIST SP 800-171 Rev. 2. NIST has published Rev. 3 and marks Rev. 2 as superseded, but Rev. 3 does not become the CMMC Level 2 baseline unless the DoD amends the rule. If a provider is quoting you against Rev. 3 for CMMC purposes, ask why.
Did the February 2026 FAR overhaul change my CMMC requirements?
No security control changed. Effective February 1, 2026, DoD class deviations renumbered several clauses for covered solicitations — FAR 52.204-21 becomes FAR 52.240-93, DFARS 252.204-7020 becomes DFARS 252.240-7997, and DFARS 252.204-7019 drops as a standalone provision. These are class deviations, not codified rules, so Acquisition.gov still shows the old numbers. DFARS 252.204-7021, 252.204-7025, and 252.204-7012 are unchanged, and 32 CFR Part 170 still controls the CMMC Program.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →
Prefer to start on your own first? Begin with our CMMC Level 2 Readiness Checklist (110 requirements, evidence, and SPRS), then come back and get matched when you’re ready to bring in help.
Keep reading
- CMMC levels overview: requirements, levels, and what applies to you
- CMMC Level 2 Checklist: 110 requirements, evidence & SPRS
- CMMC Level 2 self-assessment vs. C3PAO: which path your contract requires
- CMMC RPO vs. C3PAO: roles, boundaries, and who to hire when
- CMMC gap assessment vs. C3PAO assessment: readiness check vs. certification
- CMMC scoping guide: CUI, FCI, and asset categories
- CMMC Level 2 cost breakdown
- Find My CMMC Path
Sources & primary references
- CMMC Program Rule — 32 CFR Part 170 (eCFR, current)
- 32 CFR § 170.8 — Accreditation Body; conflict-of-interest policy
- 32 CFR § 170.9 — C3PAOs; ISO/IEC 17020
- 32 CFR § 170.21 — POA&M requirements; 180-day closeout
- CMMC Program Final Rule (Federal Register, 89 FR 83214, Oct. 15, 2024)
- CMMC Regulatory Impact Analysis (regulations.gov, DOD-2023-OS-0063)
- DFARS Subpart 204.75 — CMMC (Acquisition.gov)
- NIST SP 800-171 Rev. 2 & NIST SP 800-171A (NIST CSRC)
- DoD CMMC program overview (DoD CIO)
- Cyber AB Marketplace (verify current C3PAO/assessor status)