CMMC Level 2 Required in Solicitation: What To Do Now
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
If CMMC Level 2 is required in your solicitation and you’re not sure what to do, the single most important first move is to read the exact status the contracting officer wrote and see whether it says Level 2 (Self) or Level 2 (C3PAO). Those two words point to very different work, cost, and lead time. You also need a current CMMC status in the Supplier Performance Risk System (SPRS) at the required level before award — for Level 2, a current Conditional status can support award while you finish remediation; Level 1 must be Final (it allows no Conditional status).
That’s the bottom line. Now the part that actually settles the panic: seeing “CMMC Level 2” in an RFP, RFQ, or a prime’s flow-down email does not automatically mean you’ve lost the bid. It means a clock started. Whether you can still win this one — and what you do in the next 48 hours — comes down to a handful of specific facts you can check today. We read the actual clause language on Acquisition.gov and the CMMC rule in the Code of Federal Regulations so you can move on verified information.
Quick triage: read this in 60 seconds
| Your solicitation says… | Your immediate next move | Provider category to consider |
|---|---|---|
| CMMC Level 2 (Self) | Check your SPRS self-assessment status, CMMC Unique Identifier (UID), system scope, and annual affirmation date. | RPO/RP, readiness consultant, MSP/MSSP, GRC platform, CUI enclave if scope needs containment |
| CMMC Level 2 (C3PAO) | Confirm whether you already hold a Conditional or Final Level 2 (C3PAO) status. If not, verify readiness before you call assessors. | Readiness first if you’re not assessment-ready; an authorized C3PAO only when you are |
| Just “CMMC Level 2” (no Self/C3PAO) | Ask the contracting officer or prime to confirm the assessment type in writing. Don’t guess. | Federal-contracts attorney for ambiguity; RP/RPO for scoping |
| “Provide CMMC UID” | Confirm the UID covers the system that will actually handle the contract’s information. | Internal compliance lead; RP/RPO if scope is unclear |
| Access to drawings/TDP requires Level 2 | Verify the access gate — and do not upload drawings or CUI into any form or tool. | CUI enclave / secure collaboration; CO clarification if ambiguous |
What does “CMMC Level 2 required” actually mean in a solicitation?
When a Department of Defense (DoD) solicitation says CMMC Level 2 is required, it means the contracting officer has identified a CMMC status you must hold before award for each information system that will process, store, or transmit FCI or CUI during performance. The required status is set in the solicitation provision DFARS 252.204-7025 (“Notice of Cybersecurity Maturity Model Certification Level Requirements”), and the matching contract clause DFARS 252.204-7021 governs what you must maintain after award. “Required prior to award” is an eligibility gate, not a problem you can resolve later. (DFARS 252.204-7025; DFARS 252.204-7021, Acquisition.gov.)
Here’s the mechanic most explainers skip. The 7025 provision contains a fill-in-the-blank line — “The CMMC level required by this solicitation is: ____” — and the contracting officer is instructed to insert exactly one of four options: CMMC Level 1 (Self), CMMC Level 2 (Self), CMMC Level 2 (C3PAO), or CMMC Level 3 (DIBCAC). That level (or higher) is required prior to award for each in-scope system. We pulled that language directly from the provision text on Acquisition.gov. So your first job isn’t to study a 110-control checklist. It’s to find that filled-in value and read it carefully.
Cybersecurity Maturity Model Certification (CMMC) is the DoD’s program for verifying that defense contractors have actually implemented the cybersecurity requirements they’ve been contractually obligated to meet for years. It became a federal rule when 32 CFR Part 170 took effect on December 16, 2024, and it began appearing in contracts when the acquisition rule — the DFARS rule effective November 10, 2025 — went live. We are currently in Phase 1 (November 10, 2025 through November 9, 2026), the first stage of a multi-year rollout. That timing matters, and we’ll come back to it. (32 CFR Part 170; Federal Register, DFARS Case 2019-D041.)
Where to find the CMMC language in your solicitation
Open the document and search the text for “CMMC,” “252.204-7025,” and “252.204-7021.” The required level lives in the 7025 provision. You may also see CMMC references in Section L (instructions to offerors), Section M (evaluation), a CUI or cybersecurity attachment, or a data-access requirement tied to drawings or a TDP. If a prime sent you a flow-down, the requirement may sit in a subcontract clause or a teaming document instead.
Clause map: what each DFARS clause does — and doesn’t
The Defense Federal Acquisition Regulation Supplement (DFARS) uses several cybersecurity clauses that contractors routinely confuse. They are not interchangeable.
| Clause / provision | Stage | What it does | What it does not do |
|---|---|---|---|
| DFARS 252.204-7025 | Solicitation | Tells offerors the required CMMC level/status and makes current status, affirmation, and CMMC UID an award gate. | Doesn’t perform your assessment or define your full CUI scope by itself. |
| DFARS 252.204-7021 | Contract / performance | Requires maintaining your CMMC status, annual affirmation, UID reporting, and flow-down to subcontractors. | Doesn’t mean every subcontractor needs the same level regardless of data flow. |
| DFARS 252.204-7012 | Safeguarding / incident reporting | Requires safeguarding covered defense information per NIST SP 800-171 and rapid (72-hour) cyber-incident reporting. | Is not the same as a filled-in CMMC 7025 award gate. |
| DFARS 252.204-7019 / -7020 | DoD assessment / SPRS posting | Cover the NIST SP 800-171 DoD Assessment Methodology and posting your score in SPRS. | Don’t replace the CMMC status requirement when 7025/7021 apply. |
For a deeper read on the safeguarding clause, see our explainer on DFARS 252.204-7012. And if you’re seeing 7012 but not 7021 or 7025, that combination means something specific — confirm whether the CMMC award gate applies.
When you’re ready to figure out what kind of help you actually need, The Defense Compliance Report’s Find My CMMC Path tool maps your required level, CUI scope, assessment type, environment, and timeline to the provider category that fits — before you request a single quote. It routes to a category (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave), not a named provider, and it isn’t a score, a ranking, or compliance advice.
First, find out if it says “Level 2 (Self)” or “Level 2 (C3PAO)”
Level 2 (Self) and Level 2 (C3PAO) both require implementing the same 110 security requirements from NIST SP 800-171 Revision 2, organized into 14 control families — but they are not the same award path. Level 2 (Self) means you conduct the self-assessment and post the result in SPRS. Level 2 (C3PAO) means a Certified Third-Party Assessment Organization (C3PAO) — an independent assessor authorized by the Cyber AB — must assess and certify you, with results recorded in the CMMC instance of eMASS. A Level 2 (Self) status does not satisfy a Level 2 (C3PAO) requirement. (NIST SP 800-171 Rev. 2, NIST CSRC; 32 CFR §§ 170.16–170.17.)
This is the fork that changes everything. Same controls, different verifier — and the C3PAO path typically adds tens of thousands of dollars in assessment fees alone (commonly in the ~$30,000–$80,000+ range in 2026 market reporting), plus scheduling lead time, because you need an outside assessor’s calendar and a higher bar of documented evidence. So the difference between those two words in your solicitation can be a six-figure swing in what you have to do. See our guide on CMMC Level 2 cost for current ranges. Read the line before you spend a dollar.
Level 2 Self vs Level 2 C3PAO at a glance
| Question | Level 2 (Self) | Level 2 (C3PAO) |
|---|---|---|
| Who conducts it? | Your organization (the “Organization Seeking Assessment,” or OSA) | An authorized C3PAO |
| Requirement baseline | 110 NIST SP 800-171 Rev. 2 requirements, 14 families | The same 110 requirements |
| Where results are recorded | SPRS | CMMC instance of eMASS (status reflected for SPRS/award use) |
| How often | Every 3 years + annual affirmation | Every 3 years + annual affirmation |
| Is a POA&M possible? | Limited, under 32 CFR § 170.21 | Limited, under 32 CFR § 170.21 |
| If you’re not ready, call first… | RPO/RP, MSP/MSSP, GRC, or CUI enclave | Readiness (RPO/MSP/MSSP) before a C3PAO |
| The biggest mistake | Treating “Self” as informal or checklist-only | Booking a C3PAO before scope, SSP, and evidence are ready |
Why “Self” doesn’t mean “easy”
This catches good companies off guard, so we’ll say it plainly: Level 2 (Self) is not a lighter standard. You still implement all 110 requirements and their assessment objectives (NIST SP 800-171A defines the assessment objectives behind those 110 requirements). The only thing “Self” removes is the third-party assessor — not the work, not the evidence, and not the annual affirmation signed by a senior official. Because both paths use the same 110-control baseline, the implementation and remediation work — usually your biggest expense — overlaps heavily. The C3PAO path adds the assessor’s fee and a higher evidence bar on top. See our CMMC Level 2 checklist and assessment preparation guide for what the evidence bar actually looks like.
Can the contracting officer require C3PAO right now, during Phase 1?
Yes. During Phase 1 — the first 12 months — the Department’s stated intent is that most solicitations use self-assessments for Levels 1 and 2, but the rule gives program offices discretion to require Level 2 (C3PAO) even now, and some live solicitations already do. Phase 2 begins November 10, 2026, the stage where DoD intends to require Level 2 (C3PAO) as a condition of award for applicable CUI contracts (DoD may instead defer that requirement to a contract option period in some cases). So don’t assume “we’re in Phase 1, so it must be Self.” Read the provision. (32 CFR § 170.3(e); DoD CIO CMMC resource.)
Here’s the honest part, before we go further. If your solicitation requires Level 2 (C3PAO), you’ve done little or no NIST SP 800-171 work, and the proposal is due in the next 60–90 days — you almost certainly cannot become certified in time, and no consultant, managed service provider, or software platform can change that. The 110 controls take months to implement and document, and C3PAO assessment calendars are limited. Pretending otherwise would cost you money and trust.
But “not certified in time for this one” is not the same as “out.” You have real, legitimate options — a Conditional status if you can get close enough, teaming or subcontracting with a partner who already holds the status, or asking the contracting officer about timing and scope. We cover all of them below. We’d rather route you to a workable path than sell you false hope.
Can you still bid? What you need in SPRS before award
For a solicitation using DFARS 252.204-7025, “we’re working on CMMC” is not enough. To be eligible for award, you must have — for each information system that will handle FCI or CUI — a current CMMC status in SPRS at the required level or higher, a current annual affirmation of continuous compliance, and the applicable CMMC Unique Identifier (UID). A contracting officer shall not award to an offeror that lacks the required current status in SPRS at award. The relief valve: for Level 2, a current Conditional status can support award while you finish remediation; Level 1 must be Final (it allows no Conditional status). (DFARS 252.204-7025; DFARS Subpart 204.75, Acquisition.gov.)
Three terms award eligibility turns on:
- SPRS (Supplier Performance Risk System): the DoD system of record where your CMMC status and assessment results are posted. Contracting officers check it. See: how to verify CMMC status in SPRS.
- CMMC UID (Unique Identifier): a 10-character alphanumeric identifier assigned to each CMMC assessment and reflected in SPRS for each contractor information system. The 7025 provision requires you to list the applicable UID(s) in your proposal. (DFARS 252.204-7021.)
- Annual affirmation: a yearly attestation of continuous compliance, entered in SPRS by a senior Affirming Official, confirming you still meet the requirements. (32 CFR § 170.22.)
One precise detail that trips up companies that “did CMMC a while ago”: under DFARS 252.204-7021, a Final Level 2 status is considered current only if it’s not older than three years, with an affirmation not older than one year. A lapsed affirmation can break an otherwise-valid status. We confirmed these “current” definitions in the clause text on Acquisition.gov.
What to verify in SPRS — today
| SPRS item | What to verify | Why it matters |
|---|---|---|
| CAGE code | The correct legal entity is tied to the work | A status under the wrong entity may not help this bid |
| CMMC UID | Covers the system that will actually handle FCI/CUI | The proposal may require a UID for each in-scope system |
| Status | Level 2 (Self) or (C3PAO); Conditional or Final | Must match or exceed what the solicitation requires |
| Assessment date | Within the 3-year window | A Final Level 2 status expires at three years |
| Affirmation date | Within the annual requirement | A lapsed affirmation can break “current” status |
| Scope | Covers the in-scope system, not a different enclave | A status scoped to the wrong boundary may not satisfy this solicitation |
CMMC Level 2 required in solicitation: your first 48 hours
In your first 48 hours, don’t start with vendor calls — start by extracting facts. Copy the exact clause language, identify Self vs C3PAO, confirm the proposal and award timing, check SPRS, map which systems touch FCI or CUI, and document any question that must go to the contracting officer or prime. Vendor selection comes after you know what you’re actually solving.
| Timeframe | Action | Output |
|---|---|---|
| First 30 minutes | Find the filled-in DFARS 252.204-7025 level | Level 2 (Self), Level 2 (C3PAO), Level 3, Level 1, or “ambiguous” |
| First 60 minutes | Confirm the proposal deadline and expected award timing | Whether status must exist now, before data access, or before award |
| Same day | Check SPRS: status, CMMC UID, affirmation date, scope | Current, stale, missing, wrong-scope, or unknown |
| Same day | Map which systems process/store/transmit FCI or CUI, plus any external/cloud providers | A draft system scope and CUI data path |
| Day 2 | Send a written clarification to the CO or prime if the language is unclear | A documented clarification request |
| Day 2 | Choose a provider category (not a vendor yet) | Readiness/RPO, MSP/MSSP, GRC, enclave, C3PAO, or attorney |
Want a self-serve next step you can take without talking to anyone? Our CMMC Readiness Checklist walks the 14 NIST SP 800-171 Rev. 2 control families so you can see, roughly, how far your current environment is from Level 2 before you spend on outside help. Treat it as a deliverable, not a sales call — it’s there to lower your uncertainty.
The CMMC Level 2 Solicitation Triage Matrix
Not sure which provider category fits your situation? The triage tool maps your Self/C3PAO status, proposal date, award date, current SPRS status, CMMC UID, affirmation date, FCI/CUI/environment, and prime/sub role to the right next step. Until the interactive version is live here, the Find My CMMC Path tool serves the same purpose.
What we actually verified for this page
We built this from primary and official sources, not secondhand summaries. Here’s what we checked and what each source establishes, so you can verify any claim yourself.
| Source checked | What it establishes | Last verified |
|---|---|---|
| DFARS 252.204-7025 (Acquisition.gov) | The four fill-in CMMC levels, the “required prior to award” gate, and the SPRS status/affirmation/UID requirement | |
| DFARS 252.204-7021 (Acquisition.gov) | “Current” status definitions (Final Level 2 ≤ 3 years; affirmation ≤ 1 year), the 10-character CMMC UID, maintenance, and flow-down | |
| DFARS Subpart 204.75 (Acquisition.gov) | The contracting officer’s award procedure, the SPRS check, and that Level 1 requires Final status | |
| DFARS 252.204-7012 (Acquisition.gov) | NIST SP 800-171 safeguarding, 72-hour incident reporting, and the FedRAMP-Moderate cloud requirement | |
| DoD CIO CMMC resource — About CMMC | Level 2 Self vs C3PAO, NIST SP 800-171 Rev. 2, annual affirmation, POA&M, and phase timing | |
| NIST SP 800-171 Revision 2 (NIST CSRC) | The 110 CUI security requirements across 14 control families | |
| 32 CFR § 170.19 (eCFR) | Level 2 assessment scoping and asset categories | |
| 32 CFR §§ 170.21 / 170.24 (eCFR) | POA&M limits, the 0.8 score threshold, the 180-day closeout, and the point-weighted scoring methodology | |
| 32 CFR § 170.3(e) (eCFR) | The phased implementation schedule (Phase 1 and Phase 2) | |
| Cyber AB Code of Professional Conduct | The C3PAO three-year consulting/independence prohibition | |
| DOJ press releases (Sept. 30, 2025; May 1, 2025) | False Claims Act cybersecurity settlements (Georgia Tech $875K; Raytheon/Nightwing $8.4M) | |
CMMC Level 2 required in solicitation: FAQ
Can I bid if CMMC Level 2 is required but we don’t have status yet?
You may be able to submit a proposal, but award eligibility depends on holding the required current CMMC status in SPRS — with a current affirmation and CMMC UID — unless the solicitation or contracting officer states otherwise. For Level 2, a Conditional status can count; Level 1 must be Final. Confirm the timing in your specific solicitation. (DFARS 252.204-7025; DFARS Subpart 204.75.)
Does CMMC Level 2 (Self) count as “CMMC certification”?
Level 2 (Self) is a valid CMMC status path, but it is not the same as a Level 2 (C3PAO) certification assessment. Use the phrase “Level 2 (Self) status” to avoid blurring the two — it matters for award eligibility.
Does a Level 2 (Self) status satisfy a Level 2 (C3PAO) solicitation?
No. If the solicitation requires Level 2 (C3PAO), a self-assessment — even a clean one — does not satisfy the requirement, because it’s a different assessment type conducted by a different party.
What is a CMMC UID?
A CMMC Unique Identifier is a 10-character alphanumeric identifier assigned to each CMMC assessment and reflected in SPRS for each contractor information system. DFARS 252.204-7025 requires you to list the applicable UID(s) in your proposal for systems that will handle FCI or CUI. (DFARS 252.204-7021 / -7025.)
Who signs the annual affirmation?
A senior Affirming Official within your organization completes the annual affirmation of continuous compliance in SPRS. It attests that you still meet the requirements for your CMMC status. (32 CFR § 170.22.)
Can we use a POA&M for CMMC Level 2?
Yes, but only within limits. Your assessment score divided by 110 must be at least 0.8, only certain requirements are POA&M-eligible (the SSP, several physical-protection and access controls, and most higher-weighted requirements must be fully met), and you must close the POA&M within 180 days of your Conditional CMMC Status Date. Level 1 allows no POA&M. See: Conditional CMMC Level 2 POA&M closeout. (32 CFR § 170.21.)
Is NIST SP 800-171 Revision 3 required for CMMC Level 2?
No — as of June 2026, CMMC Level 2 is assessed against NIST SP 800-171 Revision 2 (110 requirements, 14 families). NIST published Revision 3 in 2024, but it is not the CMMC baseline unless and until the DoD amends the rule. Some guides get this wrong; building to Rev. 3 today risks “unmet” findings against the Rev. 2 baseline assessors actually use. (DoD CIO CMMC resource; NIST CSRC; 32 CFR Part 170.)
What if the solicitation says “CMMC Level 2” but not Self or C3PAO?
Ask the contracting officer (or your prime, if it’s a flow-down) for written clarification of the assessment type. Don’t guess — the difference can be six figures.
What if access to drawings or a technical data package requires Level 2 before I can bid?
Some solicitations gate access to CUI or controlled technical data behind a CMMC status. Confirm exactly what status unlocks access and whether the data can be isolated in a compliant enclave — and do not upload drawings, TDPs, or CUI into any matching form or public tool while you sort it out. (Confirm the access condition in your solicitation; 32 CFR Part 170 for CUI handling.)
Should we call a C3PAO first?
Only if the solicitation requires Level 2 (C3PAO) and you’re assessment-ready. If you’re not ready, call readiness, scoping, managed-security, or enclave help first — and remember a C3PAO that prepared you generally can’t also be the one that certifies you for the same scope. See: gap assessment vs C3PAO assessment.
Can a C3PAO help us remediate and then assess us?
Generally no, for the same scope. The Cyber AB’s Code of Professional Conduct prohibits a C3PAO from assessing a company it has provided consulting, implementation, or product services to within the previous three years, and the assessment team cannot provide advice during the assessment. Verify any proposed arrangement before you sign. (Cyber AB Code of Professional Conduct.)
Can we submit our solicitation, drawings, or CUI into Find My CMMC Path?
No. Never submit CUI, drawings, technical data packages, export-controlled files, sensitive contract details, or system diagrams into any form or tool. The Find My CMMC Path tool only needs general inputs (level, scope type, environment, timeline) to point you to a provider category.
The bottom line
Read the status first. If your solicitation requires CMMC Level 2, find whether it specifies Level 2 (Self) or Level 2 (C3PAO), confirm your SPRS status, CMMC UID, and annual affirmation line up with it, and figure out your scope before you spend. If you’re not fully there, a Conditional status, teaming, or a clarification to the contracting officer can keep you in the game — and starting the readiness work now is what keeps you eligible when the Phase 2 requirement lands on November 10, 2026. You don’t have to figure out the whole program today. You just have to take the next correct step.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Primary sources
- DFARS 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements — Acquisition.gov
- DFARS 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements — Acquisition.gov
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting — Acquisition.gov
- DFARS Subpart 204.75, Cybersecurity Maturity Model Certification — Acquisition.gov
- 32 CFR Part 170, CMMC Program (esp. §§ 170.3(e), 170.17, 170.19, 170.21, 170.22, 170.23, 170.24) — eCFR
- NIST SP 800-171 Revision 2 and NIST SP 800-171A — NIST CSRC
- DoD CIO, About CMMC — DoD CIO CMMC resource
- Cyber AB, Code of Professional Conduct and CMMC Assessment Process (CAP) — Cyber AB
- Federal Register, CMMC Program Rule (2024) and DFARS Case 2019-D041 — federalregister.gov
- U.S. DOJ, Georgia Tech Research Corporation settlement (Sept. 30, 2025) — justice.gov
- U.S. DOJ, Raytheon/Nightwing settlement (May 1, 2025) — justice.gov
