What to Do After a CMMC Gap Assessment
By The Defense Compliance Report Editorial Team · Last verified: June 13, 2026
You paid for a gap assessment expecting a finish line. You got a spreadsheet of “Not Met” findings instead. So here’s the part nobody put on the cover page of that report: what to do after a CMMC gap assessment is not “go schedule a C3PAO.” Your next move is to turn the report into a prioritized remediation plan — confirm the required CMMC level and assessment type, validate your CUI scope, finish your System Security Plan, separate the gaps you can defer from the ones you can’t, update your score, build your evidence, and rehearse before you let anyone assess you.
Your next move after the gap assessment, in one screen
| If your gap report shows… | Your next move | Don’t do this yet |
|---|---|---|
| Scope is fuzzy or unconfirmed | Map your CUI flow, asset inventory, and SSP boundary first | Don’t buy tools or book a C3PAO |
| SSP is missing or still a draft | Build a defensible SSP — it can’t go on a POA&M | Don’t call yourself “assessment-ready” |
| Weighted score is below 88 of 110 | Remediate up before counting on conditional status | Don’t rely on a POA&M to get you there |
| A POA&M-prohibited control is “Not Met” | Fix it now — it’s a hard blocker | Don’t tell leadership “we’ll POA&M it” |
| Evidence is scattered or in draft form | Build a final, approved evidence register | Don’t walk into a formal assessment |
| Scope, SSP, score, and evidence are solid | Run a readiness review, then shortlist a C3PAO if your contract requires one | Don’t stall if a Phase 2 deadline is real |
First, what your gap assessment actually gave you — and what it didn’t
A CMMC gap assessment is a diagnostic, not a deliverable. It compares your environment to the 110 NIST SP 800-171 Rev. 2 requirements and produces a findings log — Met, Not Met, sometimes Partially Met — plus a weighted score. By itself it earns you no CMMC status, posts nothing official to SPRS, and starts no regulatory clock. It tells you where you stand. It does not move you.
That distinction matters because award eligibility now hangs on something the gap assessment doesn’t produce. Under the DFARS solicitation provision 252.204-7025 — which we read directly on Acquisition.gov — a contractor is not eligible for award unless, for each contractor information system that will process, store, or transmit FCI or CUI during performance, the required CMMC status is current in SPRS, a current affirmation is posted by a senior official, and one or more CMMC UIDs are provided with the proposal. A gap report produces none of those three things.
So treat the report as your map. The rest of this page is the route — and the first thing the route forces you to answer is whether you even did the right kind of assessment yet.
Is a CMMC gap assessment the same as the official CMMC assessment? (No — and the 180-day clock proves it)
They are two different events. The gap assessment is a private diagnostic you can run with any consultant. The official assessment — a Level 2 self-assessment you affirm, or a C3PAO certification assessment — is the one whose results go on the record and can produce a Conditional or Final CMMC status. The 180-day window to close a POA&M starts at the official assessment, not the gap assessment.
This is the single most common point of confusion, and it has real consequences. There are two things people both call a “POA&M,” and they are not the same. One is your internal remediation tracker — the backlog you build now from the gap report; it has no regulatory status and no clock. The other is the CMMC POA&M that supports Conditional CMMC Status — and that one only exists after the official assessment produces NOT MET requirements, with results submitted to SPRS or CMMC eMASS.
| What it is | Who performs it | System of record | Creates a CMMC status? | Starts 180-day clock? | Source |
|---|---|---|---|---|---|
| Gap assessment | You or any consultant/RPO | None — a private report | No | No | Diagnostic |
| Internal remediation tracker | You | Your own project tool | No | No | Management tool |
| CMMC POA&M (for Conditional status) | Built from the official assessment’s NOT MET items | SPRS (L2 Self) / CMMC eMASS → SPRS (L2 C3PAO) | Conditional, if eligible | Yes — from the Conditional CMMC Status Date | 32 CFR 170.21 |
| Final CMMC Status | After POA&M closeout, or a clean assessment | SPRS / CMMC eMASS | Yes — Final | Clock ends on successful closeout | 32 CFR 170.17 / 170.21 |
In plain terms: the gap assessment does not put you on the 180-day clock. You are not “behind on a POA&M” because you have open findings today. You’re exactly where a gap assessment is supposed to leave you — with a to-do list and time to work it. Build the internal tracker. Don’t confuse it with the regulatory one.
Do you need Level 1, Level 2 Self, Level 2 C3PAO, or Level 3 next?
Your contract determines the required CMMC status — you don’t get to pick the cheaper path after the gap assessment. Level 2 Self and Level 2 C3PAO assess the identical 110 Level 2 requirements; they differ in who assesses you and where results are recorded. The contracting officer specifies which one applies in the solicitation, using DFARS 252.204-7025.
Before you spend a dollar on remediation, find the requirement in writing. The provision at 252.204-7025 requires the contracting officer to state the level — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) — and whether a self-assessment or a third-party assessment is required, and it requires you to provide your CMMC UID(s) with the proposal.
| Your situation | Likely path | What the gap report should drive next |
|---|---|---|
| FCI only | Level 1 (Self) | Validate the 15 basic safeguarding requirements; annual self-assessment + annual affirmation. Most of this page doesn’t apply to you. |
| CUI, contract says Level 2 Self | Level 2 (Self) | Validate all 110 NIST SP 800-171 Rev. 2 requirements, recompute your score, post to SPRS, affirm. |
| CUI, contract says Level 2 C3PAO | Level 2 (C3PAO) | Remediate and package evidence, then engage an authorized C3PAO once you’re assessment-ready. |
| Most sensitive CUI / specified programs | Level 3 (DIBCAC) | Reach Final Level 2 (C3PAO) first, then prepare for the added subset of NIST SP 800-172 requirements; DCMA DIBCAC assesses Level 3. |
Is your gap assessment’s scope even defensible? (the most expensive post-gap mistake)
Scope is the most expensive thing to get wrong after a gap assessment, because it changes which systems, people, services, evidence, and costs count. Before remediation starts, confirm which assets process, store, transmit, or protect CUI — and confirm the gap report used the same CMMC assessment scope you’ll use for the official assessment. 32 CFR Part 170 requires that assessment scope to be defined; the DoD’s Level 2 Scoping Guide gives you the five asset categories to sort your environment into.
Asset categories under the DoD Level 2 Scoping Guide
| Asset category | Plain-English meaning | Post-gap action |
|---|---|---|
| CUI Assets | Process, store, or transmit CUI | Document in inventory, SSP, and network diagram; assess against all Level 2 requirements |
| Security Protection Assets | Provide security functions for CUI assets | Document and assess the relevant capabilities |
| Contractor Risk Managed Assets | Can but aren’t intended to handle CUI | Document risk management and treatment |
| Specialized Assets | OT, IoT, test equipment, restricted systems | Document treatment; expect limited checks |
| Out-of-Scope Assets | Can’t handle CUI and don’t protect it | Make sure the separation is real, not assumed |
Where CUI commonly hides (check these after your gap assessment)
| Where CUI commonly hides | Ask after your gap assessment | If yes, it’s likely in scope |
|---|---|---|
| Email (inboxes, attachments) | Does CUI arrive or get sent by email? | The email system + endpoints |
| Endpoints (laptops, workstations) | Is CUI downloaded, edited, or stored locally? | The devices + their users |
| Shared drives / file servers | Is CUI stored on a network share or NAS? | The storage + access paths |
| Microsoft 365 / GCC High / cloud apps | Is CUI in SharePoint, OneDrive, Teams, or a SaaS app? | The tenant or enclave + the responsibility matrix |
| Engineering / CAD / PLM files | Do drawings, models, or specs contain CUI? | Engineering systems |
| MRP / ERP systems | Do work orders, BOMs, or contract data carry CUI? | The business system |
| Backups | Are your CUI systems backed up? | Backup infrastructure |
| Ticketing / helpdesk | Do tickets or screenshots include CUI? | The ticketing system |
| Vendor / customer portals | Is CUI exchanged through a portal? | The integration + accounts |
| Subcontractor transfer | Do you send CUI to subs? | Flow-down + their systems |
Turn the gap report into a remediation backlog (and know what’s a POA&M vs. an internal to-do)
Convert every “Not Met” and “Partially Met” finding into an owner-assigned remediation item with a requirement ID, an evidence target, a due date, a dependency, a budget decision, and a validation method. Then keep two lists separate: your internal remediation backlog (everything) and your CMMC POA&M candidates (only the gaps the rule actually lets you defer). A vague finding like “access control incomplete” isn’t actionable — Level 2 assessments use the examine, interview, and test methods in NIST SP 800-171A against specific assessment objectives, so your backlog needs that level of granularity.
Build one tracker. At minimum, give each finding these fields:
- Requirement ID and assessment objective
- The finding and the evidence reviewed
- Root cause (scope? evidence? implementation?)
- Business owner, technical owner, security owner, budget owner
- Remediation action and any dependency
- Evidence required to prove it MET
- POA&M-candidate status (yes/no — using the rules in the next section)
- Due date, validation method, and a link to the final evidence
Then sequence by assessment consequence, not control-family order. Work the list like this instead:
- Scope and contract-path blockers
- SSP and assessment-record blockers
- POA&M-prohibited controls (named below)
- High point-value and long-lead-time controls
- External service provider / cloud / responsibility-matrix gaps
- Evidence gaps
- Operational process gaps your people can’t yet demonstrate
- Documentation cleanup
Which gaps can you put on a POA&M — and which you can’t (the part most people get wrong)
A CMMC POA&M is not a permission slip for whatever you didn’t finish. To earn Conditional Level 2 status with a POA&M, your weighted score must be at least 88 of 110, no requirement worth more than one point may be on the POA&M (with one narrow encryption exception), and six specific requirements may never be on it. Everything else that’s “Not Met” has to be fixed before the assessment. We pulled these rules straight from 32 CFR 170.21 on June 13, 2026.
First, the scoring reality. Your SPRS-style score starts at 110. Under the scoring methodology in 32 CFR 170.24, each unmet requirement subtracts 1, 3, or 5 points depending on its security impact, with almost no partial credit, and the score can go negative — as low as −203 if nothing is implemented. The conditional-status test is “score ÷ 110 ≥ 0.8,” which means a weighted score of at least 88. Watch the weighting: because a single 5-point miss costs five times what a 1-point miss costs, a handful of high-impact gaps can drop you below 88 faster than a long list of minor ones. Count the weighted score, not the number of open findings.
The Post-Gap POA&M Eligibility Matrix
Your gap report’s “Not Met” column, sorted into what must be fixed before assessment versus what may be eligible for a CMMC POA&M — straight from the rule.
| Rule in 32 CFR 170.21 / 170.24 (what the regulation says) | What it means for your specific findings (what to do) |
|---|---|
| Six Level 2 requirements may NEVER be on a CMMC POA&M for Conditional Level 2 status — they must be MET. If any of these six is “Not Met,” fix it first. It is a hard blocker, not deferrable. | |
| → AC.L2-3.1.20 External Connections | Must be MET |
| → AC.L2-3.1.22 Control Public Information | Must be MET |
| → CA.L2-3.12.4 System Security Plan | Must be MET — you cannot POA&M your SSP. This is the one that surprises people most. |
| → PE.L2-3.10.3 Escort Visitors | Must be MET |
| → PE.L2-3.10.4 Physical Access Logs | Must be MET |
| → PE.L2-3.10.5 Manage Physical Access | Must be MET |
| No requirement worth more than 1 point may be on the POA&M | Every 3-point and 5-point “Not Met” finding is must-fix-before-assessment |
| One exception: SC.L2-3.13.11 CUI Encryption (worth 3) may be on a POA&M — only if encryption is employed but not yet FIPS-validated | If your sole encryption gap is “encrypting but not FIPS-validated,” that specific gap can wait |
| Only 1-point NOT MET requirements are generally POA&M-eligible (and only if you clear 88 and the six-control rule), plus the SC.L2-3.13.11 encryption exception | These are your “defer-with-a-plan” candidates — but you still must close them within 180 days of the official assessment |
| Score ÷ 110 must be ≥ 0.8 (≥ 88) to use a POA&M at all | Below 88, you’re not conditional-status eligible — remediate up first |
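The scoring rule and the eligibility matrix above are a decision procedure, so here it is as a small triage script. This is an added example written for this page, not code from the article, the DoD, or any tool it names. It encodes the rules the article quotes from 32 CFR 170.21 and 170.24 (start at 110, subtract each NOT MET requirement’s 1/3/5 weight, require score ÷ 110 ≥ 0.8, allow only 1-point gaps on a POA&M plus the SC.L2-3.13.11 not-FIPS-validated exception, never allow the six named requirements) and sorts a findings list into the two lists the backlog section says to keep separate. The sample gap report and every point weight in it except the 3 for SC.L2-3.13.11 are constructed for illustration; take real weights from the scoring methodology in 32 CFR 170.24.

```python
"""Post-gap triage for a CMMC Level 2 findings list.

Added example, not from the article. Encodes the POA&M eligibility rules the
article quotes from 32 CFR 170.21 / 170.24. Requirement weights in the sample
below are CONSTRUCTED for illustration (except SC.L2-3.13.11 = 3, which the
article states); take real weights from 32 CFR 170.24.
"""
from dataclasses import dataclass

MAX_SCORE = 110

# The six Level 2 requirements that can never sit on a CMMC POA&M (32 CFR 170.21).
POAM_PROHIBITED = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
CUI_ENCRYPTION = "SC.L2-3.13.11"  # the one >1-point requirement with a POA&M exception

MET = "MET"
MUST_FIX = "MUST_FIX_BEFORE_ASSESSMENT"
POAM_CANDIDATE = "POAM_CANDIDATE"


@dataclass(frozen=True)
class Finding:
    req_id: str
    weight: int             # 1, 3 or 5 under 32 CFR 170.24
    met: bool
    # Only meaningful for SC.L2-3.13.11: encryption is employed but not FIPS-validated.
    encrypted_not_fips: bool = False


def weighted_score(findings):
    """Start at 110 and subtract every NOT MET requirement's weight; may go negative."""
    return MAX_SCORE - sum(f.weight for f in findings if not f.met)


def clears_conditional_threshold(score):
    """score / 110 >= 0.8 (i.e. >= 88), in integer arithmetic to avoid float edge cases."""
    return score * 5 >= MAX_SCORE * 4


def classify(f):
    """Return (bucket, reason) for one finding, applying the 170.21 rules in order."""
    if f.met:
        return MET, "no action"
    if f.req_id in POAM_PROHIBITED:
        return MUST_FIX, "one of the six POA&M-prohibited requirements"
    if f.req_id == CUI_ENCRYPTION and f.encrypted_not_fips:
        return POAM_CANDIDATE, "encryption employed but not FIPS-validated (170.21 exception)"
    if f.weight > 1:
        return MUST_FIX, f"worth {f.weight} points; only 1-point gaps may be deferred"
    return POAM_CANDIDATE, "1-point requirement"


def triage(findings):
    """Split a gap report into the must-fix list and the POA&M-candidate list."""
    score = weighted_score(findings)
    must_fix, poam_candidates = [], []
    for f in findings:
        bucket, reason = classify(f)
        if bucket == MUST_FIX:
            must_fix.append((f.req_id, f.weight, reason))
        elif bucket == POAM_CANDIDATE:
            poam_candidates.append((f.req_id, f.weight, reason))
    clears_88 = clears_conditional_threshold(score)
    return {
        "score": score,
        "clears_88": clears_88,
        # Clearing 88 is necessary but not sufficient: every open gap must be deferrable.
        "conditional_eligible_now": clears_88 and not must_fix,
        "must_fix": must_fix,
        "poam_candidates": poam_candidates,
    }


# Constructed sample gap report; weights are illustrative, not the official table.
SAMPLE_GAP_REPORT = [
    Finding("AC.L2-3.1.1", 5, met=True),
    Finding("AC.L2-3.1.20", 1, met=False),                            # prohibited
    Finding("CA.L2-3.12.4", 1, met=False),                            # the SSP, prohibited
    Finding("IA.L2-3.5.3", 5, met=False),                             # high-value gap
    Finding("AU.L2-3.3.1", 5, met=False),                             # high-value gap
    Finding("SC.L2-3.13.11", 3, met=False, encrypted_not_fips=True),  # the exception
    Finding("MP.L2-3.8.4", 1, met=False),                             # ordinary 1-point gap
    Finding("CM.L2-3.4.1", 5, met=True),
]

if __name__ == "__main__":
    result = triage(SAMPLE_GAP_REPORT)
    print(f"Weighted score: {result['score']} / {MAX_SCORE}; clears 88: {result['clears_88']}")
    print(f"Conditional-eligible now: {result['conditional_eligible_now']}")
    for key in ("must_fix", "poam_candidates"):
        print(f"\n{key}:")
        for req_id, weight, reason in result[key]:
            print(f"  {req_id:<15} {weight} pt  {reason}")
```

With the constructed sample, the score is 94, so it clears 88, yet conditional status is still out of reach because two prohibited requirements and two multi-point gaps must be fixed first; only the not-FIPS encryption gap and the 1-point media-marking gap are deferrable. That is the article’s point about counting the weighted score and the prohibited list separately, rather than counting open findings.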
What to update right now: SSP, SPRS score, affirmation, or evidence
Fix the SSP and evidence map first if they’re inaccurate, because they anchor your score, your assessment scope, and what your leadership is about to affirm. SPRS and the affirmation matter for contract eligibility — but submitting or affirming before your scope and evidence are defensible creates avoidable contractual risk.
- System Security Plan (SSP). This is your foundation document, and it’s a POA&M-prohibited control, so it can’t be deferred. It should reflect the real environment: system boundary, CUI flow, the asset categories above, CMMC UID and CAGE-code mapping, any external service provider (ESP) or cloud service provider (CSP) dependencies, the Customer Responsibility Matrix, how each requirement is implemented, and any enduring exceptions. One hard rule we verified in 32 CFR 170.24: evidence must be final and approved — drafts, working papers, and unofficial or unapproved policies do not support a MET finding.
- SPRS score and where it goes. Recompute your score after the scope and evidence are clean, then route it correctly under DFARS 252.204-7021 and 252.204-7025. The routing differs by path:
  - Level 2 (Self): results go to SPRS (CMMC level, status date, assessment scope, CAGE codes, score, POA&M status), and SPRS issues your CMMC UID.
  - Level 2 (C3PAO): results go to the CMMC instantiation of eMASS, then transmit to SPRS — including C3PAO and assessor info, SSP name/date/version, POA&M usage, and artifact names with hash values.
  See the full SPRS score guide for the submission walkthrough.
- Affirmation. A senior company official — the rule calls them the Affirming Official — affirms continuing compliance in SPRS after the assessment, after conditional or final status, after POA&M closeout, and then annually. This is the person whose name is on it. Don’t let them affirm a posture they can’t defend.
How to prioritize remediation: a 30/60/90-day plan
Don’t remediate in the order the report lists controls. Prioritize by contract risk, scope risk, POA&M eligibility, point value, technical lead time, evidence maturity, and whether your people can actually demonstrate the process. Here’s a 90-day structure that front-loads the blockers.
| Window | Goal | Actions |
|---|---|---|
| Days 0–14 | Stabilize the plan | Confirm level and assessment type, lock CUI scope and CMMC UIDs/CAGEs, set the score baseline, identify POA&M blockers, assign owners |
| Days 15–30 | Build the engine | Stand up the tracker, update the SSP, define evidence targets, decide tool and provider needs |
| Days 31–60 | Remediate high-impact gaps | Implement identity/MFA, logging, endpoint, vulnerability management, configuration, encryption, backup, and incident response — sequenced by point value and dependency |
| Days 61–90 | Validate and rehearse | Collect final evidence, run control-owner interviews and tabletops, recompute the score, close quick evidence gaps, run a readiness review |
| Day 90+ | Decide assessment timing | If scope, SSP, score, evidence, and POA&M status are solid, shortlist a C3PAO where the contract requires one |
How long it takes and what it costs after a gap assessment
For Level 2, plan on roughly 6–18 months from gap assessment to assessment-ready, with remediation as the longest phase. Total first-year cost commonly lands between about $50,000 and $200,000+, driven almost entirely by scope and starting maturity. These are third-party practitioner estimates — not DoD figures and not numbers we’ve validated for your situation. Get scoped quotes before you budget.
| Line item (Level 2) | Typical range (2026 practitioner estimates) | Notes |
|---|---|---|
| Gap assessment (the step you just finished) | ~$2,000–$20,000 | Wide; depends on scope and whether automation was used |
| Remediation / control implementation | ~$20,000–$150,000+ | Usually the largest line item and the biggest variable |
| SSP + documentation | ~$12,000–$60,000 | Required; can’t be deferred |
| C3PAO assessment fee (Level 2) | ~$40,000–$80,000+ | Constrained by a small pool of authorized assessors |
| Level 2 total, first year (small/mid) | ~$50,000–$200,000+ (one 50-person example cited at ~$120K–$350K) | Scope-driven |
| Ongoing / annual after | ~$10,000–$100,000/yr | Monitoring, affirmations, triennial reassessment |
How we built these ranges: we reviewed public pricing pages and buyer guides published by CMMC service providers on June 13, 2026 (including Huntress, PreVeil, Petronella, Workstreet, Cabrillo, and IBSSCORP). These are practitioner estimates for budgeting context — not DoD figures and not quotes we’ve validated for your environment. The authoritative cost basis is the regulatory impact analysis in the CMMC rulemaking. Your real number depends on scope, CUI footprint, current maturity, and region.
For the full cost breakdown, see our CMMC certification cost guide.
When to hire an RPO, MSP/MSSP, GRC software, an enclave provider, or a C3PAO
Most companies leaving a gap assessment need readiness, remediation, scope, or evidence help — not a formal assessment yet. A C3PAO belongs later, when your contract requires Level 2 certification and you’re ready to be graded. And the firm that helps you remediate generally cannot also be the C3PAO that assesses you. That separation comes from the CMMC ecosystem’s conflict-of-interest rules under The Cyber AB Code of Professional Conduct.
| Provider category | Use it after a gap assessment when… | Don’t use it when… | Verify before you hire |
|---|---|---|---|
| RPO / readiness consultant | Scope, SSP, policy, POA&M triage, and your readiness plan need work | You need a formal certification | Role, Cyber AB Marketplace listing if claimed, deliverables, conflict boundaries |
| CMMC-focused MSP | Technical controls and day-to-day operations need building | You only need documentation cleanup | CUI-environment experience, responsibility split, MFA/logging/vuln-management deliverables |
| MSSP | Monitoring, log management, detection, and vuln operations need help | You need contract-path interpretation | Services mapped to specific NIST 800-171 responsibilities |
| GRC / evidence software | Evidence tracking, SSP/POA&M workflow, and control ownership are messy | You expect software to implement controls for you | Exportability, control mapping, evidence ownership, limitations |
| CUI enclave provider (e.g., GCC High, GovCloud-based) | Scope is too broad or CUI can be contained | CUI is deeply embedded enterprise-wide with no appetite to redesign | Boundary model, Customer Responsibility Matrix, CUI flow, cloud/FedRAMP evidence |
| C3PAO | Your contract requires Level 2 C3PAO and you’re assessment-ready | You need remediation or implementation advice | Authorized status on the Cyber AB Marketplace, scope, timeline, conflict rules, cost, what evidence they expect |
How to read that table: for readiness, remediation, SSP, POA&M, scoping, or managed compliance, start with the RPO/MSP/MSSP/readiness category. For Microsoft GCC High, secure cloud, or CUI containment, start with the MSP/MSSP/enclave category. Treat GRC software as a supporting layer for evidence and workflow — not the whole solution. Reserve C3PAO conversations for when you’re genuinely ready to be assessed. For a deeper side-by-side, see our RPO vs. C3PAO guide.
Can we fix issues during the official assessment?
Sometimes — but don’t plan on it. For Level 2 (C3PAO) assessments, 32 CFR 170.17 allows a limited re-evaluation within 10 business days after the active assessment when you can produce additional evidence for a NOT MET requirement that already existed but wasn’t provided. It is a narrow correction window, not a substitute for remediation. Treat it as a safety net for an evidence-handling slip, not as a strategy for unfinished controls. If a control isn’t actually implemented, no 10-day window saves it — it goes on a POA&M (if eligible) or it sinks the result.
What changes if you already have Conditional CMMC Status?
Conditional status is not final status. If a POA&M exists, the remaining “Not Met” requirements must be remediated and confirmed through the correct closeout path within 180 days of your Conditional CMMC Status Date — or the conditional status expires, and standard contractual remedies apply. We confirmed both the 180-day window and the closeout paths in 32 CFR 170.17 and 170.21.
| Your status | Who performs the POA&M closeout | Where results are recorded |
|---|---|---|
| Level 2 (Self) | The contractor (OSA) performs a closeout self-assessment | SPRS |
| Level 2 (C3PAO) | An authorized C3PAO performs a closeout certification assessment | CMMC eMASS → SPRS |
| Level 3 (DIBCAC) | DCMA DIBCAC performs the closeout | CMMC eMASS / Department process |
If you’re already conditional, your whole job is closing those items on time through the right path — and remembering that Level 1 has no conditional option at all (Level 1 requires final status, full stop).
The most expensive mistakes after a CMMC gap assessment
The costly mistakes cluster in a predictable place: acting before scope is defensible, hiring the wrong provider category, treating drafts as proof, assuming everything can be POA&M’d, and booking a C3PAO before you can demonstrate implementation. The post-gap phase should reduce uncertainty — not buy a more expensive version of it.
- Treating the gap report as a rehearsal when the scope was wrong. Garbage boundary in, garbage plan out.
- Letting a tool purchase stand in for implementation and evidence. Software doesn’t operate the control; you do.
- Posting an SPRS score or affirming before leadership understands what’s being affirmed. The Affirming Official’s name is on it.
- Assuming a C3PAO can fix your gaps and then assess them. The conflict rules prohibit it.
- Calling every open finding a POA&M candidate. Run the matrix above first.
- Leaving control owners out until assessment week. Interviews and tests sink paper-only compliance.
- Skipping assessor verification. When you reach the C3PAO stage, confirm current authorization on the Cyber AB Marketplace and ask exactly who’s on your assessment team — don’t rely on marketing language.
Brief your leadership in one page (executive summary template)
Executives don’t need a control-family lecture; they need the business decision. After a gap assessment, your leadership summary should state the required CMMC status, scope confidence, current score, conditional-status eligibility, top blockers, timeline, budget range, the provider category needed, and the next decision date. Copy this, fill it in, send it.
Post-Gap Executive Summary
- Required CMMC status:
- _______
- Contract trigger (solicitation / prime flow-down / option year / internal):
- _______
- CUI scope (defined enclave / mixed / enterprise / unconfirmed):
- _______
- CMMC UID(s) / CAGE code(s):
- _______
- SSP status (none / draft / current / current + evidence-mapped):
- _______
- Current weighted score (of 110):
- _______
- POA&M eligibility (clears 88? prohibited gaps present?):
- _______
- Top 5 remediation blockers:
- _______
- Evidence maturity (final / draft / scattered):
- _______
- ESP/CSP dependencies + responsibility matrix status:
- _______
- Estimated readiness timeline:
- _______
- Provider category needed:
- _______
- Target official-assessment window:
- _______
- Executive decision needed by:
- _______
- Affirming Official:
- _______
What we actually verified for this guide
We built this page from primary and authoritative sources, checked on June 13, 2026, and we’ll tell you exactly what we confirmed and what we didn’t.
What we read and confirmed:
- 32 CFR 170.21 — the six Level 2 POA&M-prohibited controls, the score ÷ 110 ≥ 0.8 threshold, the one CUI-encryption exception, and the 180-day closeout rule.
- 32 CFR 170.24 — the 1/3/5 weighted scoring, negative scoring, and the final-evidence requirement.
- 32 CFR 170.17 and 170.16 — Level 2 certification and self-assessment mechanics, the 10-business-day re-evaluation window, conditional-status expiry, and remedies.
- 32 CFR 170.14 — Level 2 incorporates NIST SP 800-171 Rev. 2; Level 3 adds selected NIST SP 800-172 (Feb 2021) requirements.
- DFARS 252.204-7025 — award eligibility tied to current CMMC status in SPRS, a current affirmation, and CMMC UIDs in the proposal.
- DoD CIO CMMC page — phase dates: Phase 1 Nov 10, 2025 – Nov 9, 2026; Phase 2 begins Nov 10, 2026; C3PAO at DoD discretion in select Phase 1 procurements.
- DoD Level 2 Scoping Guide — the five asset categories.
- GAO-26-107955 (March 2026) — 92 authorized C3PAOs (Dec 2025), 5,300+ Marketplace listings (Jan 2026), the assessor-capacity finding, and the cited 2019 DoD IG finding.
- The Cyber AB Code of Professional Conduct and CMMC Assessment Process — the consulting/assessment conflict-of-interest separation.
What we did not verify, and you should:
- This is information, not legal, contracting, or compliance advice.
- Cyber AB Marketplace status for any specific provider changes; verify before engaging.
- Cost figures are third-party practitioner estimates, not DoD or DCR-verified numbers — get scoped quotes.
- We do not route you to any named provider on this page; we route to provider categories.
FAQ: what to do after a CMMC gap assessment
- Should I call a C3PAO right after a CMMC gap assessment?
- Usually no. Engage a C3PAO only when your scope, SSP, evidence, score, and POA&M eligibility are defensible and your contract requires Level 2 (C3PAO). Until then, readiness and remediation come first.
- Is a gap assessment the same as a CMMC assessment?
- No. A gap assessment is a private diagnostic. A Level 2 self-assessment or C3PAO certification assessment is the official event that produces a CMMC status under 32 CFR Part 170.
- What’s the first document to fix after a gap assessment?
- Usually the System Security Plan. It anchors your scope, implementation descriptions, and evidence — and under 32 CFR 170.21, the SSP control (CA.L2-3.12.4) cannot be placed on a Level 2 POA&M.
- Can I put every CMMC Level 2 gap on a POA&M?
- No. Under 32 CFR 170.21, your weighted score must be at least 88 of 110, no requirement worth more than one point may be on the POA&M (except non-FIPS-validated CUI encryption), and six named requirements may never be on it.
- How long do I have to close a CMMC POA&M?
- The closeout must be confirmed within 180 days of your Conditional CMMC Status Date. If it isn’t, the conditional status expires.
- When does the 180-day clock start — at the gap assessment?
- No. It starts at the official assessment (the Conditional CMMC Status Date), not the gap assessment. The gap assessment puts no clock on you.
- Can we fix problems during the official assessment?
- Only narrowly. For Level 2 (C3PAO), 32 CFR 170.17 allows a 10-business-day re-evaluation when you can supply additional evidence for a requirement that was already implemented but not shown. It’s not a substitute for remediation.
- Do I need to update SPRS after a gap assessment?
- The gap assessment itself isn’t a required submission. But for the Level 2 (Self) path, your assessment results and affirmation go to SPRS; for Level 2 (C3PAO), results go to CMMC eMASS and transmit to SPRS.
- What if my gap report says we have no SSP?
- Treat it as a priority blocker, not a documentation chore. CA.L2-3.12.4 cannot go on a Level 2 POA&M, so the SSP must be complete before assessment.
- Can my consultant also be my C3PAO?
- Generally no. Under the CMMC ecosystem’s conflict-of-interest rules, a C3PAO that consults on or remediates your environment can’t assess that same organization. Use an RPO or MSP/MSSP for readiness and keep your assessor independent.
- Does NIST SP 800-171 Rev. 3 change my post-gap plan?
- Not for current CMMC Level 2. 32 CFR 170.14 incorporates NIST SP 800-171 Rev. 2 for Level 2. NIST has withdrawn Rev. 2 in favor of Rev. 3, but Rev. 3 does not control CMMC Level 2 unless DoD amends the rule.
- How do I know my scope is too broad?
- If CUI moves through email, endpoints, file shares, backups, SaaS apps, and vendors without clear separation, your scope is likely larger — and more expensive — than it needs to be. A defined enclave can shrink it.
- What happens if Conditional Level 2 expires?
- If you don’t complete POA&M closeout within 180 days, the conditional status expires and contractual remedies or award ineligibility can follow, depending on your contract.
Related resources
- CMMC Certification Process: The 4 Paths, Steps & Cost (2026)
- CMMC Level 2 Requirements: the 110 controls
- CMMC Level 2 Checklist
- CMMC Readiness Checklist
- CMMC Levels Explained
- CMMC Provider Categories
- RPO vs C3PAO: What’s the Difference?
- SPRS Score Guide
- CMMC Certification Cost Guide (2026)
- Find an Authorized C3PAO
Primary sources
- 32 CFR Part 170 (CMMC Program Rule), eCFR
- 32 CFR 170.14 (CMMC Model — Level 2/3 requirements)
- 32 CFR 170.16 (Level 2 self-assessment)
- 32 CFR 170.17 (Level 2 certification assessment)
- 32 CFR 170.21 (POA&M requirements)
- 32 CFR 170.24 (CMMC Scoring Methodology)
- DFARS 252.204-7021 (CMMC requirements clause), Acquisition.gov
- DFARS 252.204-7025 (CMMC level requirements provision), Acquisition.gov
- DFARS 252.204-7012 (Safeguarding CDI / incident reporting), Acquisition.gov
- DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements), Acquisition.gov
- CMMC Final Rule (Federal Register, Oct. 15, 2024)
- DFARS Final Rule (Federal Register, Sept. 10, 2025)
- DoD CIO — CMMC (phases)
- DoD CMMC Scoping Guide, Level 2
- DoD CMMC Assessment Guide, Level 2
- NIST SP 800-171 Rev. 2 (withdrawn May 14, 2024; CMMC Level 2 baseline)
- NIST SP 800-172 (Feb 2021; withdrawn May 13, 2026; Level 3 requirements)
- The Cyber AB — CMMC Assessment Process (CAP) and Code of Professional Conduct
- GAO-26-107955, Defense Contractor Cybersecurity (Mar. 12, 2026)