CMMC Level 2 applies to any defense contractor or subcontractor that handles Controlled Unclassified Information (CUI). That includes most DoD primes and a large fraction of their Tier 1, 2, and 3 subcontractors. If your contract includes DFARS clause 252.204-7012, you're in scope.
Level 2 requires implementing all 110 practices across 14 domains from NIST SP 800-171. A third-party C3PAO assessment is required every three years, plus an annual self-affirmation. Your NIST SP 800-171 self-assessment score must be submitted and kept current in DoD's Supplier Performance Risk System (SPRS).
Here's what each domain actually requires — and what auditors look for as evidence.
1. Access Control (AC) — 22 Controls
This is the largest domain. It covers who can access CUI, under what conditions, and through what mechanisms.
- User account management: Formal provisioning and deprovisioning process; no shared accounts; accounts disabled within 24 hours of termination
- Least privilege: Users have only the access needed for their job; administrator accounts used only for administrative tasks
- Remote access: All remote connections to CUI systems use encrypted tunnels (VPN or Zero Trust); remote access monitored
- Wireless: Wireless networks encrypted (WPA3 or WPA2 minimum); no unauthorized wireless access points
- Mobile devices: Mobile device policy; MDM enrollment for devices that access CUI; device encryption enabled
Evidence auditors look for: Active Directory or Azure AD user account export, terminated employee offboarding tickets, MDM enrollment screenshots, VPN configuration documentation.
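The 24-hour deprovisioning requirement is one of the easiest AC controls to check yourself before an assessor does: reconcile the HR termination list against the directory account export and flag every account that was still enabled, or was disabled late. The script below is an added example (not from the original post or any CMMC tooling); the two CSV inputs are constructed sample data standing in for an HR offboarding report and an Active Directory or Azure AD export, and the column names are assumptions you would map to your own exports.

```python
"""Reconcile an HR termination list against a directory account export and
flag accounts not disabled within 24 hours of termination.

Added example; both inputs are constructed sample data, and the column
names (username, terminated_at, enabled, disabled_at) are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Control target from the AC domain: account disabled within 24 hours.
DISABLE_DEADLINE = timedelta(hours=24)

# Constructed sample: HR offboarding records (who left and when, UTC).
HR_TERMINATIONS_CSV = """\
username,terminated_at
jsmith,2024-03-01T17:00:00Z
alee,2024-03-04T12:00:00Z
rpatel,2024-03-05T09:30:00Z
mchen,2024-03-06T16:00:00Z
"""

# Constructed sample: directory export. disabled_at is empty while the
# account is still enabled. svc-backup is a service account with no HR record.
DIRECTORY_EXPORT_CSV = """\
username,enabled,disabled_at
jsmith,false,2024-03-02T09:15:00Z
alee,false,2024-03-06T08:00:00Z
rpatel,true,
mchen,false,2024-03-06T18:30:00Z
svc-backup,true,
"""


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; empty string -> None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_offboarding_gaps(hr_csv, directory_csv, deadline=DISABLE_DEADLINE):
    """Return a list of (username, reason) findings for terminated users whose
    directory account is still enabled, has no disable timestamp, was disabled
    after the deadline, or cannot be found in the export at all."""
    accounts = {row["username"]: row for row in load_csv(directory_csv)}
    findings = []
    for term in load_csv(hr_csv):
        user = term["username"]
        terminated_at = parse_ts(term["terminated_at"])
        acct = accounts.get(user)
        if acct is None:
            # Not necessarily a failure, but the assessor will ask; record it.
            findings.append((user, "no matching directory account in export"))
            continue
        if acct["enabled"].strip().lower() == "true":
            findings.append((user, "account still enabled"))
            continue
        disabled_at = parse_ts(acct["disabled_at"])
        if disabled_at is None:
            findings.append((user, "disabled but no disable timestamp recorded"))
            continue
        lag = disabled_at - terminated_at
        if lag > deadline:
            hours = lag.total_seconds() / 3600
            findings.append((user, f"disabled {hours:.1f}h after termination"))
    return findings


if __name__ == "__main__":
    for user, reason in find_offboarding_gaps(HR_TERMINATIONS_CSV, DIRECTORY_EXPORT_CSV):
        print(f"FINDING {user}: {reason}")
```

Run against the sample data this reports alee (disabled 44 hours after termination) and rpatel (still enabled); jsmith and mchen were disabled inside the window and produce nothing. Keeping the output alongside the offboarding tickets gives you exactly the evidence pairing the assessor expects: the HR record, the directory state, and the timing between them.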
2. Awareness and Training (AT) — 3 Controls
Security awareness training for all users; specialized training for users with privileged access; insider threat awareness training.
Evidence: Training completion records with dates, user signatures or acknowledgment logs, curriculum descriptions. Annual cadence minimum.
3. Audit and Accountability (AU) — 9 Controls
Audit logs must capture who did what, on which system, at what time — and be protected from tampering.
- Logging enabled on all systems that process, store, or transmit CUI
- Log review process and alerting on anomalies
- Logs protected from modification and retained per policy (typically 90 days online, 1 year archived)
- Audit log capacity monitored — logs can't be silently dropped when storage fills
Evidence: SIEM or log aggregation configuration, log retention policy documentation, sample log exports.
4. Configuration Management (CM) — 9 Controls
Baseline configurations documented; changes go through a change management process; unauthorized software blocked.
- Documented baseline configuration for each system type (workstations, servers, network devices)
- Application whitelisting or software inventory with unauthorized software blocking
- Change management tickets for system changes; no unauthorized changes
- Least functionality: systems configured to provide only necessary capabilities
Evidence: Configuration baseline documents, application control policy, change management ticket examples.
5. Identification and Authentication (IA) — 11 Controls
Every user uniquely identified; multi-factor authentication required for CUI access.
- MFA required for all users accessing CUI systems — this is a bright-line requirement for C3PAO assessors
- Password policy enforcing complexity, minimum length (12+ characters), and lockout after failed attempts
- Authenticator management: credential rotation, secure storage of service account credentials
- Privileged user access: separate accounts for admin functions; admin credentials not used for day-to-day tasks
Evidence: Conditional access policy screenshots, MFA enrollment reports, password policy configuration.
MFA is the most-cited CMMC Level 2 gap. If your organization has any CUI-system users without MFA — even one — you have a finding. This includes remote access, email, and any cloud application that stores CUI.
6. Incident Response (IR) — 3 Controls
Written incident response plan; incident handling capability; reporting to DoD within 72 hours of a cyber incident affecting CUI.
- Documented IR plan with roles, communication tree, and escalation procedures
- DoD incident reporting via dibnet.dod.mil within 72 hours of discovery
- Annual IR plan review and tabletop exercise
Evidence: IR plan document with version history, DoD incident reporting capability documentation, tabletop exercise record.
7. Maintenance (MA) — 6 Controls
Controlled maintenance of organizational systems; sanitization of equipment sent for external maintenance; remote maintenance controls.
- Maintenance performed by authorized personnel only; external maintenance personnel supervised
- Equipment sanitized before sending to external repair — CUI removed or media wiped
- Remote maintenance sessions monitored and logged; multi-factor authentication required
Evidence: Maintenance log, media sanitization records, remote maintenance session logs.
8. Media Protection (MP) — 9 Controls
Physical and digital media containing CUI controlled, transported securely, and sanitized before disposal.
- Media access restricted to authorized users
- CUI not stored on portable media (USB drives, external drives) unless encrypted and authorized
- Media sanitized before disposal using NIST SP 800-88 methods (secure erase, physical destruction)
- Portable media use policy and enforcement
Evidence: Media use policy, encryption configuration for portable media, media disposal records.
9. Personnel Security (PS) — 2 Controls
Personnel screening prior to granting CUI access; formal termination and transfer procedures.
Evidence: Background check policy, termination checklist with IT access revocation step.
10. Physical Protection (PE) — 6 Controls
Physical access to systems containing CUI restricted to authorized individuals.
- Physical access controls on server rooms and areas where CUI is processed
- Visitor management and escorting policy
- Physical access monitoring (cameras, badge logs)
Evidence: Physical access control documentation, visitor log, badge system configuration.
11. Risk Assessment (RA) — 3 Controls
Formal risk assessment; vulnerability scanning of CUI systems; timely remediation of findings.
- Annual or change-triggered risk assessment documented
- Vulnerability scanning: at least quarterly for internal systems, with authenticated scans at least annually
- Remediation timeline based on CVSS score (Critical: 15 days, High: 30 days, Medium: 90 days)
Evidence: Risk assessment document, vulnerability scan reports with remediation tracking.
12. Security Assessment (CA) — 4 Controls
Periodic assessment of security controls; POA&M for identified weaknesses; monitoring of security controls on an ongoing basis.
- System Security Plan (SSP) documenting all 110 controls
- Plan of Action and Milestones (POA&M) for any unimplemented controls
- Continuous monitoring of security control effectiveness
- Documented connections between your CUI system and external systems
Evidence: The SSP itself, current POA&M with milestones and owners, connection documentation.
13. System and Communications Protection (SC) — 16 Controls
Network boundary protection; CUI encrypted in transit; network segmentation; architectural controls.
- CUI in transit encrypted: TLS 1.2 minimum for all CUI data transmitted over networks
- Network segmentation: CUI systems on isolated network segment, not commingled with guest or uncontrolled systems
- Boundary protection: firewall configured to deny by default, allow by exception
- DNS filtering and web content filtering
- No split tunneling on VPN when accessing CUI systems
Evidence: Network diagram showing CUI boundary, firewall rule documentation, TLS configuration verification, VPN configuration.
14. System and Information Integrity (SI) — 7 Controls
Malware protection; flaw remediation; security alerting; monitoring.
- EDR (Endpoint Detection and Response) on all endpoints in CUI scope — not just antivirus
- Patch management: OS and application patches applied within defined windows
- Security alerts reviewed; anomalous activity detected and addressed
- Spam filtering and email protection on all mail systems
Evidence: EDR deployment report, patch management dashboard, security alert review logs.
Your SPRS Score: Calculate It Before Your Auditor Does
Your SPRS score is calculated by starting at 110 and subtracting points for each unimplemented control. Each control has a weighted point value; the most critical controls (like MFA and encryption) have higher deductions. You must submit your score to SPRS before any DoD contract award.
Most contractors start with a score well below 110. A gap assessment with your IT provider should produce a current score and a roadmap to improve it. Contracting officers can see your score — a very low score is a contract risk signal even before your C3PAO assessment.
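To make the scoring concrete, here is a small SPRS-style calculator. It is an added example, not from the original post and not an official DoD tool: the score starts at 110 and each unimplemented control deducts its weighted value, with the two controls the methodology allows partial credit for (MFA and FIPS-validated encryption) deducting fewer points when partially in place. The weight table is a subset I am quoting from the DoD Assessment Methodology for a handful of controls; treat it as an assumption and complete it from the published methodology before using the number for a real submission.

```python
"""SPRS-style score calculator for a NIST SP 800-171 self-assessment.

Added example. CONTROL_WEIGHTS is a partial table (assumption: values quoted
from the DoD Assessment Methodology for these controls only); fill in all
110 controls from the published methodology before relying on the result.
"""
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"              # counts only where partial credit exists
    NOT_IMPLEMENTED = "not_implemented"


MAX_SCORE = 110    # every control implemented
MIN_SCORE = -203   # every control unimplemented under the full methodology

# control id -> (full deduction, deduction when partially implemented or None)
CONTROL_WEIGHTS = {
    "3.1.1": (5, None),   # limit system access to authorized users
    "3.1.3": (1, None),   # control the flow of CUI
    "3.3.1": (5, None),   # create and retain audit records
    "3.3.3": (1, None),   # review and update logged events
    "3.5.3": (5, 3),      # MFA; partial credit if not yet covering all users
    "3.13.11": (5, 3),    # FIPS-validated crypto; partial if encrypted but not FIPS-validated
    "3.14.1": (5, None),  # flaw remediation
    "3.14.2": (5, None),  # malicious code protection
}


def sprs_score(statuses, weights=CONTROL_WEIGHTS):
    """Return (score, deductions) for {control_id: Status}.

    A control missing from `statuses` is scored as not implemented, because
    an unassessed control cannot be credited. Partial status on a control
    with no partial-credit value deducts the full weight.
    """
    deductions = []
    for cid, (weight, partial) in weights.items():
        status = statuses.get(cid, Status.NOT_IMPLEMENTED)
        if status is Status.IMPLEMENTED:
            continue
        points = partial if (status is Status.PARTIAL and partial is not None) else weight
        deductions.append((cid, points))
    score = max(MAX_SCORE - sum(p for _, p in deductions), MIN_SCORE)
    return score, deductions


def remediation_order(deductions):
    """Highest-value gaps first: the roadmap a gap assessment should produce."""
    return sorted(deductions, key=lambda d: d[1], reverse=True)


# Constructed example posture: MFA rolled out to most but not all users,
# encryption present but not FIPS-validated, log review not yet formalized.
EXAMPLE_STATUSES = {cid: Status.IMPLEMENTED for cid in CONTROL_WEIGHTS}
EXAMPLE_STATUSES["3.5.3"] = Status.PARTIAL
EXAMPLE_STATUSES["3.13.11"] = Status.NOT_IMPLEMENTED
EXAMPLE_STATUSES["3.3.3"] = Status.NOT_IMPLEMENTED

if __name__ == "__main__":
    score, gaps = sprs_score(EXAMPLE_STATUSES)
    print(f"Score: {score}")
    for cid, points in remediation_order(gaps):
        print(f"  fix {cid}: recovers {points} points")
```

For the constructed posture the score is 101, and the remediation order puts FIPS-validated cryptography (5 points) ahead of finishing the MFA rollout (3 points) and formalizing log review (1 point). Note that the partial-credit path only applies to the two controls the methodology names; marking any other control "partial" costs its full weight, which is why a self-assessment should not be generous with that word.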
What to Do Next
If you're starting from scratch, the right sequence is: (1) scope your CUI environment, (2) conduct a gap assessment against all 110 controls, (3) build your SSP and POA&M, (4) remediate gaps, (5) submit SPRS score, (6) schedule C3PAO assessment. Your IT provider should be involved from step 1 — the scoping decision determines how much of your infrastructure is in scope and how complex the compliance program will be.
Find a government contractor IT provider who is a Registered Practitioner Organization (RPO) and has documented Level 2 assessment experience. Ask for references from defense contractors at your size and CMMC level.