GovCon IT • 8 min read

CMMC Gap Assessment Guide: How to Prepare for CMMC Level 2 Certification

CMMC 2.0 Level 2 requires assessment against 110 NIST 800-171 controls. Most contractors have significant gaps. Here's how to find them and fix them before your C3PAO shows up.

Quick Answer

A CMMC Level 2 gap assessment compares your current IT environment against the 110 security requirements in NIST SP 800-171. Start with a self-assessment using the NIST 800-171 self-assessment methodology to identify gaps, then prioritize remediation by control family (Access Control, Identification and Authentication, and Incident Response are most commonly deficient). Document remediation in a System Security Plan (SSP) and Plan of Action & Milestones (POA&M). Third-party C3PAO assessments are required for contracts involving critical programs — budget 12–18 months of preparation.

CMMC 2.0 Structure: What Level 2 Actually Requires

CMMC (Cybersecurity Maturity Model Certification) 2.0 has three levels:

  • Level 1 (Foundational): 17 practices from FAR 52.204-21. Annual self-assessment. Required for contractors handling Federal Contract Information (FCI) but not CUI.
  • Level 2 (Advanced): 110 practices aligned with NIST SP 800-171. Third-party (C3PAO) assessment required for "critical programs"; self-assessment allowed for others. Required for contractors handling Controlled Unclassified Information (CUI).
  • Level 3 (Expert): 110+ practices from NIST 800-172. Government-led assessment. Required for highest-priority DoD programs.

Most defense contractors that handle CUI are targeting Level 2. The 110 controls are organized into 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

How to Conduct a Self-Assessment

Before engaging a C3PAO, conduct a self-assessment to understand your current posture and prioritize remediation spending. NIST has published an official self-assessment methodology (NIST SP 800-171A):

  1. Define your assessment scope. Identify all systems that process, store, or transmit CUI — this is your "CUI environment." The goal is to limit scope; systems outside the CUI environment don't need to meet 800-171.
  2. Build your System Security Plan (SSP). The SSP documents your environment: network diagram, system components, user types, and how each of the 110 requirements is implemented (or not). This document is reviewed by assessors.
  3. Score each control. For each of the 110 requirements, determine: fully implemented (MET), partially implemented (PARTIAL), or not implemented (NOT MET).
  4. Calculate your SPRS score. DoD requires contractors to submit a Supplier Performance Risk System (SPRS) score based on their self-assessment. The maximum score is 110; each deficiency reduces the score (by 1, 3, or 5 points depending on severity).
  5. Build your Plan of Action & Milestones (POA&M). For each gap, document what you'll do, who's responsible, and when it will be complete.

The Most Commonly Deficient Control Families

Based on industry assessment data, the control families where contractors most often have gaps:

Access Control (AC) — 22 requirements

Commonly deficient areas: least privilege enforcement (staff have more access than they need), remote access controls (VPN without MFA, no session monitoring), and wireless access controls. Fix: implement role-based access control, enforce MFA on all remote access, and document your access control policies.

Identification and Authentication (IA) — 11 requirements

The most commonly deficient family. Requirements include unique user IDs (no shared accounts), multi-factor authentication for privileged users and remote access, and password complexity and management. Fix: MFA for all users, password manager deployment, elimination of shared accounts.

Audit and Accountability (AU) — 9 requirements

Requirements include: audit logging of security-relevant events, log review, log protection, and user accountability. Many small contractors have minimal logging configured. Fix: enable Windows Event Logging at required verbosity, implement centralized log collection, schedule weekly log review.

Incident Response (IR) — 3 requirements

Requires a written incident response capability, documented procedures, and testing. Many contractors have no written IR plan. Fix: create and exercise an incident response plan (see our guide on government contractor incident reporting).

System and Communications Protection (SC) — 16 requirements

Includes network segmentation, encryption in transit, and boundary protection. Fix: implement network segmentation between CUI environment and general corporate network, enforce TLS 1.2+ for all internal and external communications containing CUI.

Preparing Your SSP and POA&M

The System Security Plan and Plan of Action & Milestones are the two documents a C3PAO will spend the most time with. Key points:

  • The SSP must accurately describe your environment — don't describe controls you don't actually have. Assessors verify implementations against the SSP; discrepancies are findings.
  • A POA&M with controls listed as "in progress" shows good faith effort. Assessors can't certify you for controls with an open POA&M, but a credible remediation plan with near-term completion dates is better than claiming compliance you don't have.
  • The SSP should be reviewed and updated whenever your environment changes significantly — adding a new system, changing remote access methodology, onboarding a new IT vendor.
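As an added example that is not part of the original article, the following Python models steps 3 to 5 of the self-assessment procedure above together with the SSP/POA&M points in this section: it scores a constructed set of control statuses on the 110-point SPRS scale using the 1, 3 and 5 point deductions the article describes, and flags the POA&M discrepancies an assessor would notice (a gap with no POA&M entry, an entry with no owner or completion date, a completion date that has already passed, and an entry for a control the SSP already marks MET). The control IDs are real NIST SP 800-171 requirement numbers, but the weights, statuses, owners and dates are constructed sample data, not the official DoD Assessment Methodology tables, and treating PARTIAL as a full deduction is a simplifying assumption.

```python
"""Score a CMMC Level 2 self-assessment and cross-check it against the POA&M.

Added illustration, not code from the original article. The 1/3/5 deduction
scale and the 110-point maximum are as described in the article; the per-control
weights, statuses, owners and dates below are CONSTRUCTED sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MET, PARTIAL, NOT_MET = "MET", "PARTIAL", "NOT MET"
MAX_SCORE = 110
AS_OF = date(2025, 10, 15)  # constructed "today" for the stale-date check


@dataclass(frozen=True)
class Control:
    control_id: str  # NIST SP 800-171 requirement number, e.g. "3.1.1"
    family: str      # control family code, e.g. "AC"
    weight: int      # points deducted when not implemented: 1, 3 or 5 (constructed here)
    status: str      # MET / PARTIAL / NOT MET from the self-assessment


@dataclass(frozen=True)
class PoamItem:
    control_id: str
    action: str
    owner: str
    due: Optional[date]


def gaps(controls: List[Control]) -> List[Control]:
    """Every requirement that is not fully implemented."""
    return [c for c in controls if c.status != MET]


def sprs_score(controls: List[Control]) -> int:
    """110 minus the weight of every requirement that is not fully MET.

    Assumption for this example: PARTIAL earns no credit and is deducted in
    full. The result can go negative when many 5-point items are missing.
    """
    return MAX_SCORE - sum(c.weight for c in gaps(controls))


def deductions_by_family(controls: List[Control]) -> Dict[str, int]:
    """Points lost per control family, largest first; tells you where to remediate."""
    totals: Dict[str, int] = {}
    for c in gaps(controls):
        totals[c.family] = totals.get(c.family, 0) + c.weight
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def poam_findings(controls: List[Control], poam: List[PoamItem], today: date) -> List[str]:
    """Discrepancies between the assessed gaps and the POA&M.

    Checks: every non-MET control has an entry; every entry names an owner and a
    completion date; no completion date is already in the past; no entry claims a
    control the SSP marks MET (the SSP and POA&M would contradict each other).
    """
    by_id = {c.control_id: c for c in controls}
    covered = {p.control_id for p in poam}
    findings = []
    for c in gaps(controls):
        if c.control_id not in covered:
            findings.append(f"{c.control_id} is {c.status} but has no POA&M entry")
    for p in poam:
        if p.control_id not in by_id:
            findings.append(f"POA&M references unknown control {p.control_id}")
            continue
        if by_id[p.control_id].status == MET:
            findings.append(f"{p.control_id} is on the POA&M but the SSP marks it MET")
        if not p.owner:
            findings.append(f"{p.control_id}: no responsible owner")
        if p.due is None:
            findings.append(f"{p.control_id}: no completion date")
        elif p.due < today:
            findings.append(f"{p.control_id}: completion date {p.due} has passed")
    return findings


# Constructed sample: six of the 110 requirements; the other 104 are assumed MET.
SAMPLE_CONTROLS = [
    Control("3.1.1", "AC", 5, MET),       # limit system access to authorized users
    Control("3.1.5", "AC", 3, NOT_MET),   # least privilege
    Control("3.5.3", "IA", 5, PARTIAL),   # MFA for privileged and network access
    Control("3.3.1", "AU", 5, NOT_MET),   # create and retain audit logs
    Control("3.6.1", "IR", 5, MET),       # incident-handling capability
    Control("3.13.8", "SC", 3, NOT_MET),  # encrypt CUI in transit
]

# Constructed POA&M with deliberate defects: a stale date, a missing date, a
# missing owner, and no entry at all for 3.13.8.
SAMPLE_POAM = [
    PoamItem("3.1.5", "Deploy RBAC groups; remove standing admin rights", "IT lead", date(2025, 9, 30)),
    PoamItem("3.5.3", "Extend MFA to all user accounts", "IT lead", None),
    PoamItem("3.3.1", "Central log collection and weekly log review", "", date(2025, 12, 31)),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))
    print("Deductions by family:", deductions_by_family(SAMPLE_CONTROLS))
    for f in poam_findings(SAMPLE_CONTROLS, SAMPLE_POAM, AS_OF):
        print("FINDING:", f)
```

Running it on the constructed data gives a score of 94 with IA and AU as the costliest families, and four POA&M findings. In a real assessment the status list is the full 110 requirements from your SSP and the weights come from the DoD Assessment Methodology, but the consistency checks are the same ones a C3PAO will perform by hand.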

Timeline and Budget Expectations

Contractors starting from a typical SMB IT baseline should plan:

  • Self-assessment: 40–120 hours depending on environment size and documentation maturity
  • Remediation: 6–18 months for most contractors with significant gaps; budget $50,000–$300,000 depending on current state and environment complexity
  • C3PAO assessment: $30,000–$100,000 depending on assessment scope and assessor
  • Certification validity: 3 years, with annual affirmation of continued compliance

A GovCon-specialized IT provider with CMMC experience can accelerate remediation and prepare documentation for assessment. Look for MSPs with Registered Practitioner Organization (RPO) status or staff holding CMMC Registered Practitioner (RP) or Certified Professional (CP) credentials.

Frequently Asked Questions

When is CMMC Level 2 certification required?

CMMC requirements are being phased into DoD contracts. CMMC 2.0 began appearing in contracts in 2025. By 2026, most new DoD contracts and task orders for CUI-handling work include CMMC requirements. The specific requirement (self-assessment vs. C3PAO assessment) depends on the contract and program designation. Check your contract's DFARS clauses for the applicable requirement.

Can I handle CMMC preparation with my current IT provider?

Only if your current IT provider has CMMC-specific experience. General IT support is insufficient — CMMC requires understanding of NIST 800-171 control families, SSP documentation, SPRS scoring methodology, and common assessment findings. Look for IT providers who are Registered Practitioner Organizations (RPOs) with the CMMC Accreditation Body.

What is the difference between a self-assessment and a C3PAO assessment?

A self-assessment is conducted by your organization (using NIST 800-171A methodology) and submitted to SPRS. It's accepted for contracts that don't require third-party validation. A C3PAO (Certified Third-Party Assessment Organization) assessment is conducted by an accredited independent assessor and results in a CMMC certificate. C3PAO assessments are required for critical programs and increasingly for any Level 2 work.

Need Help Preparing for CMMC Level 2?

Get a CMMC gap assessment from an MSP with GovCon experience — and a clear remediation roadmap before your contract deadline.
