Is a conditional CMMC Level 2 certificate the same as Final Level 2?

No. Conditional Level 2 is temporary status tied to an allowed POA&M and a 180-day closeout requirement. Final Level 2 means all applicable requirements are Met under the scoring methodology and is valid for up to three years (32 CFR 170.16; 170.17).

How long does conditional CMMC status last?

Up to 180 days from the Conditional CMMC Status Date, and only while paired with a current affirmation. Calculate from the status date, not the award date (48 CFR 204.7501; 32 CFR 170.21).

Can a conditional CMMC Level 2 certificate win a DoD contract?

Yes, for Levels 2 and 3. A contracting officer can award to a company with a current, affirmed conditional status, and the company performs while it closes the POA&M. Level 1 must be Final for award (48 CFR 204.7502).

What is the minimum score for conditional CMMC Level 2?

A weighted score of at least 88 of 110 (a ratio of 0.8 or higher) under the CMMC Scoring Methodology, not 88 controls met. Below 88 returns No CMMC Status (32 CFR 170.21; 170.24).

Which CMMC Level 2 requirements cannot be on a POA&M?

Six: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. No item worth more than 1 point may be deferred, except non-FIPS encryption (SC.L2-3.13.11), which scores as 3 points (32 CFR 170.21(a)(2)).

Can I extend the 180-day POA&M deadline?

No. The rule provides no extension. If the closeout is not successfully completed within 180 days of the Conditional CMMC Status Date, the conditional status expires (32 CFR 170.21).

Who performs the POA&M closeout assessment?

For Level 2 (Self), the OSA closes out and posts to SPRS. For Level 2 (C3PAO), an authorized or accredited C3PAO closes out and posts to CMMC eMASS. DIBCAC handles Level 3 (32 CFR 170.21(b)).

Does it have to be the same C3PAO?

No. The rule requires an authorized or accredited C3PAO, not the same one. A different accredited C3PAO can run the closeout and make the Final-status determination (32 CFR 170.21(b)(2)).

What happens if the closeout fails?

On the C3PAO path, the eMASS closeout is finalized once; if any item is still Not Met, the conditional status terminates and a new assessment is required (DoD CMMC FAQ). On the self path, you re-perform the closeout self-assessment and post passing results to SPRS within 180 days; if it is not successfully closed out in time, the conditional self status expires (32 CFR 170.16; 170.21).

Can Level 1 use a POA&M?

No. POA&Ms are not permitted at any time for Level 1 self-assessments, and Level 1 must be Final for award (32 CFR 170.21(a)(1); 48 CFR 204.7502).

Is the closeout scored, and can I add new POA&M items at closeout?

The closeout re-checks only the items on your original POA&M; you cannot add new deferrals at closeout. Passing it means those items are now Met, which yields Final status (32 CFR 170.21(b)).

What if my environment changes while I'm conditional?

Current conditional status depends partly on there being no changes in compliance since your Conditional CMMC Status Date (48 CFR 204.7501). If your scope or controls materially change, your Affirming Official's attestation must reflect it, and a material change can affect whether your status is still current (32 CFR 170.22).

What is the difference between a CMMC POA&M and an Operational Plan of Action?

A CMMC POA&M tracks assessment gaps that must close within 180 days to reach Final status. An Operational Plan of Action (CA.L2-3.12.2) manages temporary operational vulnerabilities and, per the rule's definitions, carries no remediation timeline and is not the same as a POA&M (32 CFR Part 170; DoD CMMC FAQ).

Does reaching Final status reset the three-year clock?

No. 32 CFR 170.4 states the Conditional CMMC Status Date remains the CMMC Status Date after a successful closeout, and no new date is set for a Final that follows a Conditional, so the three years run from the original status date.

Are CMMC certificates public?

No. Per the DoD CMMC FAQ, the public cannot access a list of companies that completed assessments or received certificates. Companies view their own status in SPRS and may share verification with primes.

Check My Closeout DeadlineCheck →

Conditional CMMC Level 2 Certificate: POA&M Closeout, the 180-Day Clock, and What to Do Next

By The Defense Compliance Report Editorial Team · Last verified: June 15, 2026· Next scheduled review: July 2026

Primary sources:32 CFR Part 170; Federal Register CMMC Program Final Rule; DFARS 252.204-7012, 252.204-7021, 252.204-7025; 48 CFR 204.7501–204.7503; DoD CMMC FAQ; NIST SP 800-171 Revision 2 and SP 800-171A.

A conditional CMMC Level 2 certificateis the temporary Level 2 status you hold when your assessment cleared the minimum score — at least 88 of 110 — but left only POA&M-eligible requirements unmet on a valid Plan of Action & Milestones. You then have a hard 180-day clock to fix them and pass a closeout assessment. Close it out in time and you reach Final status. Miss it, and the status expires and you are back to a fresh assessment of all 110 requirements.

We read the rule ourselves — the current codified text in the electronic Code of Federal Regulations (eCFR), cross-referenced to the Federal Register and Acquisition.gov — so every number below traces to a primary source you can verify, not a vendor’s paraphrase.

The bottom line

Conditional Level 2 is real, but it is not Final Level 2. Treat it as a 180-day evidence-closeout project, not a casual grace period.

Best for: contractors whose only open gaps are narrow, eligible, and already close to evidence-ready.
Not for:anyone missing their System Security Plan, missing a higher-weighted control such as multi-factor authentication, running no encryption in place at all, or carrying a prohibited item on the POA&M.
The qualifier that catches people: a failed or late closeout does not mint a second conditional status. The next stop is Final or No Status.

The fast answers (first-scroll reference)

Your question	The direct answer
Is "Conditional Level 2" a real CMMC status?	Yes. DFARS lists Conditional Level 2 (Self) and Conditional Level 2 (C3PAO) among the seven official CMMC statuses (48 CFR § 204.7501).
How long does it last?	Up to 180 days from the Conditional CMMC Status Date — and only while paired with a current affirmation (48 CFR § 204.7501; § 204.7502).
Can it win a DoD contract?	Yes, for Levels 2 and 3. Level 1 must be Final for award (48 CFR § 204.7502).
What's the minimum score?	88 of 110 (a ratio of 0.8) under the CMMC Scoring Methodology (32 CFR § 170.21; § 170.24).
Who closes the POA&M?	You (self-assessment path) or a C3PAO (certification path); DIBCAC at Level 3 (32 CFR § 170.21).
Biggest trap?	On the C3PAO path, the eMASS closeout is finalized once — if items remain unmet, the status terminates and you start over (DoD CMMC FAQ).

Verified source snapshot — checked June 15, 2026:

32 CFR Part 170(CMMC Program Rule) — effective December 16, 2024.
48 CFR CMMC Acquisition Rule(DFARS 252.204-7021 and 252.204-7025) — effective November 10, 2025.
Phased rollout: Phase 1 began November 10, 2025. Level 2 (C3PAO) requirements expand in Phase 2 from November 10, 2026.
CMMC Level 2 maps to NIST SP 800-171 Revision 2. DoD Class Deviation 2024-O0013 keeps Rev. 2 in force; Rev. 3 is not the assessment standard.
Conditional Level 2 threshold: 88 of 110. Closeout window: 180 days.

The Conditional Level 2 Certificate Closeout Matrix

This is the table we wish existed when we started reading the rule. Nothing here is invented — it is the operational logic of 32 CFR §170.16, §170.17, and §170.21 assembled into one place.

Scenario	What it means	Who closes it / system of record	If it succeeds	If it fails or runs late	Source
Conditional Level 2 (Self)	Your self-assessment scored ≥88/110 and produced a POA&M that meets §170.21	The OSA (you), posting to SPRS	Final Level 2 (Self)	Status expires if not successfully closed out in SPRS within 180 days	32 CFR §170.16, §170.21
Conditional Level 2 (C3PAO)	A C3PAO assessment scored ≥88/110 and produced a valid POA&M	An authorized/accredited C3PAO, posting to CMMC eMASS	Final Level 2 (C3PAO)	Status expires if closeout not finalized in eMASS within 180 days	32 CFR §170.17, §170.21
The qualifying gate	Score ≥0.8 AND every POA&M item is allowed	Depends on path	Clock starts at the Conditional CMMC Status Date	No conditional status if the gate is not met	32 CFR §170.21(a)(2)
A prohibited item on the POA&M	A “Not Met” item is one the rule bars from a POA&M	N/A	N/A	No CMMC Status	32 CFR §170.21(a)(2)(iii); DoD CMMC FAQ
C3PAO closeout finalized with items still Not Met	One or more POA&M items are not fixed at the eMASS closeout	C3PAO	N/A	Status terminated — new assessment required (eMASS finalizes once)	DoD CMMC FAQ
Final after Conditional	All POA&M items remediated, closeout passes	Depends on path	Final Level 2, valid up to 3 years	N/A	32 CFR §170.16, §170.17; §170.4

Check your own deadline before you read further.

Enter your Conditional CMMC Status Date, your path (Self or C3PAO), and your open POA&M items. Our free checker returns your exact Day-180 deadline, flags any prohibited POA&M items, tells you who runs your closeout, and shows whether your next move is remediation help or a closeout assessment. Prefer a worksheet? The downloadable checklist does the same checks by hand.

Check My 180-Day POA&M Closeout Deadline →

What is a conditional CMMC Level 2 certificate?

A conditional CMMC Level 2 certificate is temporary Level 2 statusgranted when an assessment meets the qualifying gate but still has allowed unmet requirements documented on a POA&M. It must be closed out within 180 days to become Final. The word “certificate” fits most precisely when a C3PAO issues one; a self-assessment produces the same kind of conditional status, recorded in SPRS. Either way, the status is conditional, not final.

Precision matters here.If you tell a prime contractor you are “certified” when you hold a self-assessed conditional status, you have misstated your position. CMMC does not issue a paper “certificate” for self-assessments — it records a status in SPRS.

Conditional Level 2 (Self) vs Conditional Level 2 (C3PAO)

Conditional Level 2 (Self)

Performed by the Organization Seeking Assessment (OSA)
Results and affirmation post to SPRS
OSA performs its own closeout self-assessment
Required by solicitation — not optional

Conditional Level 2 (C3PAO)

Performed by a Cyber AB-authorized C3PAO
Results post to CMMC eMASS; key data flows to SPRS
C3PAO runs the closeout; eMASS finalizes once
Required when the solicitation specifies Level 2 (C3PAO)

Which one you need is set by your contract, not your preference. A solicitation that requires “Level 2 (C3PAO)” cannot be satisfied by a self-assessment, conditional or otherwise. See CMMC self-assessment vs C3PAO for the full breakdown.

Conditional vs Final vs No Status

There are seven official CMMC statuses (48 CFR §204.7501). For Level 2, three of them decide your fate:

Status	What it means	Usable for award?	What changes it
Conditional Level 2 (Self)	Self-assessment, ≥88/110, valid POA&M	Yes — while current and affirmed	A passing POA&M closeout self-assessment in SPRS
Conditional Level 2 (C3PAO)	C3PAO assessment, ≥88/110, valid POA&M	Yes — while current and affirmed	A passing C3PAO closeout assessment in eMASS
Final Level 2 (Self or C3PAO)	A passing score with no open POA&M	Yes — valid up to 3 years, annual affirmation	New assessment cycle / lapse in affirmation
No CMMC Status	Gate not met, a prohibited item on the POA&M, or a failed closeout	No	A new assessment after remediation

What to actually say to a prime

The public cannot look up your status — the DoD does not publish a list of assessed companies (per the DoD CMMC FAQ). You view your own status in SPRS and share verification yourself. When a prime asks, give them the facts and nothing more:

“We hold Conditional Level 2 [Self / C3PAO] status for the assessed scope, CMMC UID [____], with a Conditional CMMC Status Date of [____] and a closeout deadline of [____]. We will provide SPRS verification through the appropriate channel and will confirm again at closeout.”

Honest, specific, and defensible. It tells the prime you understand the clock — which is exactly the signal a risk-conscious prime is listening for.

If you know your Conditional CMMC Status Date, confirm in two minutes whether your status is still inside the 180-day window and what has to happen before it lapses.

Check Whether My Conditional Status Is Still Current →

Do you qualify — or do you get “No Status”? The 88-point gate

To earn Conditional Level 2, your assessment must score at least 88 of 110(a ratio of 0.8 or higher), every unmet item on your POA&M must be eligible, and none may be one of the prohibited requirements. Fall below 88, or place a barred control on the POA&M, and SPRS returns “No CMMC Status”— not a conditional pass (32 CFR §170.21(a)(2); §170.24; DoD CMMC FAQ).

How the 110-point score works

CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2. NIST published Revision 3 in May 2024, but CMMC Level 2 still assesses against Revision 2. DoD Class Deviation 2024-O0013 keeps Rev. 2 in force, and DoD has said it will adopt Rev. 3 only through future rulemaking. Do not let a vendor “upgrade” you to Rev. 3 controls for CMMC purposes today.

Scoring is weighted and unforgiving (32 CFR §170.24):

You start at 110.
Each “Not Met” requirement subtracts 1, 3, or 5 points, based on its security impact.
Partial implementation is credited only in limited cases — MFA (IA.L2-3.5.3) and encryption (SC.L2-3.13.11) can carry adjusted 3- or 5-point deductions rather than all-or-nothing.
Scores can run all the way down to −203.
For encryption (SC.L2-3.13.11): if encryption is in place but not FIPS-validated, you lose 3 points; if no encryption is employed, you lose 5.

The 88-point line — and your real margin

The number nobody else puts in front of you.Because only 1-point controls are POA&M-eligible, the most you can defer and still clear 88 is 22 points of 1-point gaps (110 − 22 = 88). Use the 3-point encryption exception and your room shrinks to 19 additional 1-point gaps(19 + 3 = 22). Cross that line and you are not “conditional” — you are below the gate.

Your situation	Result
22 one-point gaps, all eligible	88/110 — the most you can defer and still qualify
19 one-point gaps + the non-FIPS encryption item (3 pts)	88/110 — same ceiling, using the encryption exception
Any prohibited item on the POA&M	No conditional path — No CMMC Status
System Security Plan (CA.L2-3.12.4) Not Met	No Score risk — the assessment may not be scorable at all
A missing 5-point control (e.g., MFA)	Not POA&M-eligible — must be fixed before assessment

A common, expensive misread: “88” is a weighted score, not a count of 88 controls met. Two contractors can each carry “22 points” of gaps and be in completely different shape — one with twenty-two 1-point misses (deferrable), another with four 5-point misses and a 1-pointer (not even close, and not deferrable).

Which CMMC Level 2 requirements cannot be put on a POA&M?

Six Level 2 requirements may neverappear on a POA&M for conditional status, and beyond those six, POA&M items generally cannot exceed 1 point, with the single non-FIPS encryption exception (32 CFR §170.21(a)(2)). We pulled these straight from §170.21(a)(2)(iii):

Requirement	What it covers	Point value	POA&M-eligible?
AC.L2-3.1.20	External connections (CUI)	1	No
AC.L2-3.1.22	Control of public information (CUI)	1	No
CA.L2-3.12.4	System Security Plan (SSP) — and a missing SSP risks “No Score”	1	No
PE.L2-3.10.3	Escort visitors (CUI)	1	No
PE.L2-3.10.4	Physical access logs (CUI)	1	No
PE.L2-3.10.5	Manage physical access (CUI)	1	No

The encryption exception, precisely. SC.L2-3.13.11 (CUI encryption) is the onlyabove-1-point item the rule lets onto a POA&M, and only when encryption is employed but not FIPS-validated (3-point deduction). If no encryptionis in place at all, that is a 5-point deduction and a different situation — it cannot ride the exception (32 CFR §170.24; §170.21(a)(2)(ii)). “We have encryption, just not the validated module” and “we have no encryption” are worlds apart under this rule.

Why the SSP is the one that ends assessments. CA.L2-3.12.4 is on the prohibited list, so it can never be deferred. Per the DoD CMMC FAQ, an SSP marked “Not Met” can trigger a “No Score”result — the scoring rule (32 CFR §170.24) treats the absence of an up-to-date SSP as an assessment that could not be completed due to incomplete information. That means no number at all, not merely a deduction. If your SSP is not current and accurate, nothing else on this page matters yet.

Before you rely on conditional status, tell a prime you’re on track, or schedule a closeout — run your gaps against the eligibility rules.

Download the Level 2 POA&M Eligibility Checklist →

How does the 180-day POA&M closeout assessment work?

A POA&M closeout assessment re-checks only the requirements that were marked “Not Met” and placed on the POA&M in your original assessment — not the whole control set. It must be completed within 180 days of the Conditional CMMC Status Date. Pass, and you become Final Level 2(32 CFR §170.21(b); §170.16; §170.17).

When the 180-day clock actually starts

It starts on the Conditional CMMC Status Date — defined in 32 CFR §170.4 as the date your results are submitted to SPRS or the CMMC instantiation of eMASS. It does not start on:

✗Your contract award date

✗The day you began remediation

✗The day you opened a ticket with a C3PAO

✓The Conditional CMMC Status Date — when results are submitted to SPRS or eMASS. A week of slippage on the front end is a week you do not get back at closeout.

Who performs the closeout

Conditional status	Who runs the closeout	Where results post	Deadline
Conditional Level 2 (Self)	The OSA, same method as the initial self-assessment	SPRS	180 days from status date
Conditional Level 2 (C3PAO)	An authorized or accredited C3PAO	CMMC eMASS	180 days
Conditional Level 3 (DIBCAC)	DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)	Per DIBCAC process	180 days

Per §170.21(b)(2), the C3PAO closeout must be performed by “an authorized or accredited C3PAO” — not necessarily the same one that did your initial assessment. Using the same firm is usually smoother. But if scheduling or capacity forces a change, a different accredited C3PAO can run the closeout and make the Final-status determination.

Evidence has to be final, not draft.Under §170.24, a “Met” finding requires evidence in final form— working papers, drafts, and unapproved policies are explicitly unacceptable. For C3PAO submissions, evidence is logged with artifact names and hash values using a NIST-approved hashing algorithm, and must be retained for six years (32 CFR §170.17).

Don’t forget the affirmation — at every step. The rule requires your Affirming Officialto submit an affirmation in SPRS at multiple points: when you achieve conditional status, when you achieve Final status, after a POA&M closeout assessment, and annually after Final status (32 CFR §170.22). That signature is a personal attestation.

A sane Day 0 to Day 180 plan

The deadline is unforgiving, so back-plan it. The single most important habit: a hard internal readiness gate at Day 120, not Day 175.

Window	What should be happening
Day 0–15	Confirm path (Self/C3PAO), status date, UID, score; verify every POA&M item is allowed; confirm no SSP hard stop
Day 15–45	Assign an owner and an evidence owner to each item; tie each fix to an SSP update; line up outside help if needed
Day 45–90	Implement the fixes; produce final policies, configs, logs, screenshots with context
Day 90–120	Internal readiness review — map each artifact to its objective; run a self-challenge as if you were the assessor; book the C3PAO closeout slot now if on the cert path
Day 120–150	Final artifact package; hashing prep; closeout assessment; Affirming Official ready
Day 150–180	Complete the closeout; confirm the SPRS/eMASS update; submit the affirmation; notify the prime

Stop using “about six months.” Use your actual Conditional CMMC Status Date and map the real deadline plus the Day-120 gate.

Calculate My Day-180 Deadline and Closeout Plan →

What happens if you miss the deadline — or an item is still “Not Met”?

The one-shot reality (C3PAO path)

Per the DoD CMMC FAQ, a POA&M closeout assessment is finalized one time in CMMC eMASS during the 180-day period. If even one item is still unmet when it is finalized, the conditional status is terminatedand you are back to a fresh certification assessment of all 110 requirements. There is no “try again next week.” That is why we keep hammering on final evidence and the Day-120 gate — the closeout is a verification event, not a discovery exercise.

The self path expires if you don’t successfully close out

The self-assessment path isn’t run through the eMASS one-time-finalization mechanic — but it is just as final on timing. You must remediate, perform the closeout self-assessment, and post passing results to SPRS within 180 days. If you don’t successfully close out in that window, the conditional self status expires (32 CFR §170.16). Either way, a closeout produces Final or No Status— never a fresh conditional status with a new 180-day clock.

What it does to your contract

If a Conditional Level 2 status expires during performance, standard contractual remedies apply, and you become ineligible for additional awardsthat require that status (for the affected scope) until you achieve a new status (32 CFR §170.16; §170.17). For a small supplier, that can mean watching re-competes and new task orders pass by until you reassess.

The risk under the affirmation: False Claims Act exposure

Because your Affirming Official personally attests to your posture in SPRS, an inflated score or a status you cannot back up is not just a compliance problem — it can become a False Claims Actproblem. The U.S. Department of Justice’s Civil Cyber-Fraud Initiative (announced October 2021) uses the False Claims Act to pursue government contractors and grant recipients that misrepresent their cybersecurity. The practical point is simple: an accurate “No Status” you can fix beats a flattering status you cannot defend. Score honestly, and treat the affirmation as the legal attestation it is. This page is not legal advice.

If you are inside 90 days with open POA&M items, the safe move is remediation support before you trigger the closeout — not hoping the final check is forgiving. Tell us your Level 2 path, your open items, your scope, and your deadline, and we’ll match you with source-checked CMMC remediation options that fit.

Get Matched With Source-Checked CMMC Remediation Options →

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Conditional vs Final CMMC status — and does Final reset the three-year clock?

Conditional status means open POA&M items and a 180-day clock; Finalstatus means a passing score with no open POA&M, valid for up to three years with an annual affirmation. You reach Final either by passing your initial assessment outright or by passing the closeout (32 CFR §170.16; §170.17; 48 CFR §204.7501).

	Conditional Level 2	Final Level 2
Open POA&M?	Yes	No
Validity	Up to 180 days	Up to 3 years
Award-eligible?	Yes (L2/L3), while current + affirmed	Yes, while current + affirmed
How you get there	≥88/110 with a valid POA&M	A passing score — at initial assessment or via closeout
Affirmation	At status, at closeout, annually after Final	At Final, then annually

Does reaching Final reset your three-year clock? No. 32 CFR §170.4 states plainly that the Conditional CMMC Status Date remains the CMMC Status Date after a successful closeout; a new date is not set for a Final that follows a Conditional. So closing out late does not buy you a longer Final cycle — your three years run from the original status date. Track your dates from the status of record, and verify in SPRS/eMASS.

Who closes your POA&M — readiness help, GRC software, or a C3PAO?

Three different roles close the loop, and confusing them is how engagements go sideways. A remediation partner (an RPO, a CMMC-focused MSP or MSSP, or a virtual CISO) implements the unmet controls. GRC or CUI-enclave softwaremanages evidence and POA&M tracking. The closeout assessment itself goes to a C3PAO (Level 2) or DIBCAC (Level 3). The firm that helps you remediate generally cannot also be the C3PAO that assesses that same work.

Your situation	The category that fits	What to verify first	What not to do
POA&M items not yet remediated	Readiness / RPO / CMMC-focused MSP or MSSP / vCISO	CUI experience, references, Registered Provider status	Don't schedule a closeout as a “discovery” exercise
Technical controls still need building	MSP/MSSP, GCC High or enclave implementation	Whether they implement and document to NIST 800-171A objectives	Don't ask your C3PAO to both implement and assess
Evidence exists but is disorganized	GRC / evidence-workflow software (a supporting layer, not the whole solution)	That it maps controls to assessment objectives	Don't hand an assessor a pile of unmapped artifacts
Evidence is final and mapped	C3PAO closeout assessment (cert path)	Closeout availability in writing, inside your window	Don't miss the 180-day slot
You're not sure which you need	Neutral provider-category match	—	Don't self-diagnose under contract pressure

The conflict-of-interest line you cannot cross.A firm that served as your consultant to prepare you for a CMMC assessment within the prior three years is prohibited from participating in your Level 2 certification assessment, and the prohibition covers the C3PAO as an organization and every member of its assessment team (32 CFR §170.8(b)(17)(ii)(G); §170.9(b)(2)). Keep “who fixes the gaps” and “who verifies them” cleanly separated. And one reminder the rule makes unavoidable: software alone does not make you compliant. A GRC platform organizes your evidence; it does not implement your controls or pass your closeout.

Before we route anyone, we separate readiness and remediation from assessment-only roles — a provider that helps implement controls generally cannot assess that same engagement as your C3PAO. Tell us your Level 2 path, your open POA&M items, your scope, and your deadline.

Get Matched With the Right CMMC Provider Category →

Frequently asked questions

Is a conditional CMMC Level 2 certificate the same as Final Level 2?: No. Conditional Level 2 is temporary status tied to an allowed POA&M and a 180-day closeout requirement. Final Level 2 means all applicable requirements are Met under the scoring methodology and is valid for up to three years (32 CFR §170.16; §170.17).
How long does conditional CMMC status last?: Up to 180 days from the Conditional CMMC Status Date, and only while paired with a current affirmation. Calculate from the status date — not the award date or the day you started remediation (48 CFR §204.7501; 32 CFR §170.21).
Can a conditional CMMC Level 2 certificate win a DoD contract?: Yes, for Levels 2 and 3. A contracting officer can award to a company with a current, affirmed conditional status, and the company performs while it closes the POA&M. Level 1 must be Final for award (48 CFR §204.7502).
What is the minimum score for conditional CMMC Level 2?: A weighted score of at least 88 of 110 (a ratio of 0.8 or higher) under the CMMC Scoring Methodology — not 88 controls “met.” Below 88 returns No CMMC Status (32 CFR §170.21; §170.24).
Which CMMC Level 2 requirements cannot be on a POA&M?: Six: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. Separately, no item worth more than 1 point may be deferred, except non-FIPS encryption (SC.L2-3.13.11), which scores as 3 points (32 CFR §170.21(a)(2)).
Can I extend the 180-day POA&M deadline?: No. The rule provides no extension. If the closeout is not successfully completed within 180 days of the Conditional CMMC Status Date, the conditional status expires (32 CFR §170.21).
Who performs the POA&M closeout assessment?: For Level 2 (Self), the OSA closes out and posts to SPRS. For Level 2 (C3PAO), an authorized or accredited C3PAO closes out and posts to CMMC eMASS. DIBCAC handles Level 3 (32 CFR §170.21(b)).
Does it have to be the same C3PAO?: No. The rule requires an authorized or accredited C3PAO, not the same one. A different accredited C3PAO can run the closeout and make the Final-status determination (32 CFR §170.21(b)(2)).
What happens if the closeout fails?: On the C3PAO path, the eMASS closeout is finalized once; if any item is still Not Met, the conditional status terminates and a new assessment is required (DoD CMMC FAQ). On the self path, you re-perform the closeout self-assessment and post passing results to SPRS within 180 days; if it is not successfully closed out in time, the conditional self status expires (32 CFR §170.16; §170.21).
Can Level 1 use a POA&M?: No. POA&Ms are not permitted at any time for Level 1 self-assessments, and Level 1 must be Final for award (32 CFR §170.21(a)(1); 48 CFR §204.7502).
Is the closeout scored, and can I add new POA&M items at closeout?: The closeout re-checks only the items on your original POA&M; you cannot add new deferrals at closeout. Passing it means those items are now Met, which yields Final status (32 CFR §170.21(b)).
What if my environment changes while I'm conditional?: Current conditional status depends partly on there being no changes in compliance since your Conditional CMMC Status Date (48 CFR §204.7501). If your scope or controls materially change, your Affirming Official’s attestation must reflect it, and a material change can affect whether your status is still current (32 CFR §170.22).
What is the difference between a CMMC POA&M and an Operational Plan of Action?: A CMMC POA&M tracks assessment gaps that must close within 180 days to reach Final status. An Operational Plan of Action (CA.L2-3.12.2) manages temporary operational vulnerabilities and, per the rule’s definitions, carries no remediation timeline and is not the same as a POA&M. Don’t mislabel an assessment “Not Met” as an OPA item (32 CFR Part 170; DoD CMMC FAQ).
Does reaching Final status reset the three-year clock?: No. 32 CFR §170.4 states the Conditional CMMC Status Date remains the CMMC Status Date after a successful closeout, and no new date is set for a Final that follows a Conditional — so the three years run from the original status date.
Are CMMC certificates public?: No. Per the DoD CMMC FAQ, the public cannot access a list of companies that completed assessments or received certificates. Companies view their own status in SPRS and may share verification with primes.

What we actually verified for this guide

This guide was built from primary regulatory and program sources — not provider marketing.

Source we read	What we used it for
32 CFR Part 170 (§170.4, .8, .9, .16, .17, .21, .22, .24)	Status definitions, the 88-point gate, prohibited POA&M items, scoring, affirmations, closeout, conflict-of-interest
Federal Register — CMMC Program Final Rule	Effective dates and the codified status-date definition
48 CFR §204.7501–204.7503	Definition of "current," award eligibility, SPRS verification by the contracting officer
DFARS 252.204-7021	Ongoing compliance obligations during performance
DFARS 252.204-7025	Solicitation-stage eligibility, CMMC UIDs, the conditional-to-Final requirement
DFARS 252.204-7012 (+ DoD Class Deviation 2024-O0013)	NIST SP 800-171 Rev. 2 as the in-force baseline for CMMC Level 2
DoD CMMC FAQ	One-shot eMASS closeout, No Score / No Status conditions, OPA vs POA&M, public visibility of status
NIST SP 800-171 Rev. 2 / SP 800-171A	The Level 2 requirement baseline and assessment procedures

Verify before you rely on it:the DoD CMMC FAQ is versioned and updates periodically — confirm the current version at the official DoD CIO CMMC page before treating any FAQ-specific point as final.

See how we work in our editorial standards and our corrections policy.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options — without routing a remediation problem to an assessment-only provider, or an operations problem to a document-only consultant.

Get Matched →CMMC Level 2 Assessment Prep Guide →