CMMC Level 2 Gap Assessment: 14 Controls Most Primes Fail
Posted: April 15, 2026 to Compliance.
Key Takeaways
- Fourteen NIST SP 800-171 controls drive the majority of C3PAO failures across DoD primes - covering CUI flow, audit logging, configuration baselines, MFA, incident response, FIPS cryptography, and continuous monitoring.
- Median first-time SPRS score in our 2025-2026 engagement data is 71 against a passing threshold of 88; median post-remediation score is 101 (gain of +30 points).
- Fixed-fee CMMC Level 2 gap assessment pricing through Petronella Technology Group: Flash Tier $999, Flagship Tier $2,499, 90-Day Remediation Program $15,000-$60,000.
- CMMC Final Rule conditional certifications expire after 180 days if open POA&M items remain - treat the close window as a project deadline, not a buffer.
- Four CMMC-Registered Practitioners on staff (Craig Petronella, Blake Rea, Justin Summers, Jonathan Wood), Cyber AB Certified, BBB A+ since 2003, and 24+ years of cybersecurity track record.
- Free SPRS calculator and 12-question Compliance Readiness Assessment available before any paid engagement, plus a free phishing test for AT.L2-3.2.1 awareness training compliance.
Need a CMMC Level 2 gap assessment for a contract milestone?
Petronella Technology Group runs fixed-fee CMMC gap assessments for defense primes, subcontractors, and the Office of Small Business Programs supplier base. Flash Tier ($999, 5 business days) for early-stage readiness. Flagship Tier ($2,499) for full SPRS scoring + SSP review + POA&M draft. Bundled 90-day remediation available for firms with a C3PAO window inside six months. Four CMMC-RPs on staff, Cyber AB Certified.
Every defense prime we audit misses at least six of the 110 NIST SP 800-171 Rev. 2 practices that underpin CMMC Level 2; the remaining 104 usually look fine. The misses cluster in the fourteen practices below - the ones that fail C3PAO assessments most often, and the ones that will pull your contract renewal under the Final Rule.
This checklist is written for DoD prime contractors, subcontractors, and the Office of Small Business Programs supplier base. It is based on the gap assessments Petronella Technology Group has performed for clients across North Carolina, Virginia, and the broader Research Triangle defense corridor since the Interim DFARS rule took effect in 2020. Our team includes four CMMC-Registered Practitioners (Craig Petronella, Blake Rea, Justin Summers, Jonathan Wood) and we work alongside C3PAO assessors weekly. We are headquartered at 5540 Centerview Dr., Suite 200, Raleigh NC 27606, founded April 2002, BBB A+ since 2003.
Before the Checklist: Three Common Misconceptions
"I am below the threshold so I do not need Level 2." The DoD's phased rollout under the Final Rule (32 CFR 170) flows CMMC requirements into solicitations starting in 2025 and running through 2028. Your next contract or task order - or your prime's next contract - will almost certainly carry Level 1, 2, or 3 language. Subcontractors flow down prime requirements. Saying "we are too small" is not a control.
"We are already SOC 2, we are covered." SOC 2 overlaps roughly 40% with NIST 800-171. The other 60% - especially the CUI-specific handling controls - has no SOC 2 equivalent. We have watched three clients fail C3PAO on this assumption.
"Self-assessment and assessor assessment are the same bar." The Self-Assessment (Level 1 and some Level 2 contracts) lets you answer "met / not met." The C3PAO audit requires contemporaneous evidence for every control. If you cannot show the audit log, the policy document, and the supporting configuration simultaneously, the practice scores as NOT MET regardless of actual implementation.
The 14 Controls That Fail Most Often
1. AC.L2-3.1.3: Control CUI flow
The practice: "Control the flow of CUI in accordance with approved authorizations." Most primes fail because they have no written data-flow diagram for CUI, and their email, chat, and file-share systems allow CUI to leave scope with no technical enforcement. Fix: produce a CUI data-flow diagram, enforce DLP or tagged-channel egress, and audit quarterly. Petronella Technology Group's ComplianceArmor platform generates the data-flow diagram automatically from your network and email metadata, then maintains it under continuous monitoring as your environment evolves.
2. AC.L2-3.1.20: Verify external connections
"Verify and control/limit connections to and use of external information systems." The failure mode is employees pasting CUI into public LLMs (ChatGPT, Gemini, Copilot) or sending it through unsanctioned Dropbox or WeTransfer accounts and personal email. The control requires a documented process to identify and approve external connections. Fix: DLP on CUI tags, endpoint browser controls, and a formal Acceptable Use Policy with sign-off. See our private AI alternative for the LLM piece specifically - on-premise inference with no data leaving your network is the only durable answer for CUI environments.
3. AU.L2-3.3.1: Audit record content
"Create and retain system audit logs and records." The trap: most primes log authentication events but not CUI access events. Level 2 requires audit records tied to individual user actions on CUI. Fix: ensure your SIEM captures file-level access, export operations, and print events on CUI-marked assets with 90-day minimum retention. PTG's Managed XDR Suite bundles the SIEM, the EDR, and the audit-log retention into a single managed-service line item that maps cleanly to AU controls.
4. AU.L2-3.3.5: Correlated audit review
"Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity." Failure mode: logs exist but nobody reads them. Fix: a named individual with weekly review cadence, documented escalation path, and monthly summary delivered to the Information System Security Manager (ISSM). PTG's 24/7 SOC delivers this as a managed service for primes that do not have an in-house ISSM team.
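The two AU controls above describe what a passing log set has to contain (user-level CUI access events, not just logins) and what the weekly review has to produce. The following is an added example, not code from Petronella Technology Group or this page: a small weekly review script over constructed JSON-lines audit records. The field names (ts, user, action, asset, cui) and the action vocabulary are assumptions; a real SIEM export will differ, but the checks are the same: list the export/print events the named reviewer must look at, flag CUI assets that only ever log authentication, and confirm the retained window covers at least 90 days.

```python
"""Weekly CUI audit-log review for AU.L2-3.3.1 / AU.L2-3.3.5 (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed action vocabulary: these count as CUI access events (3.3.1),
# these are authentication-only events, and these go to the reviewer
# individually each week (3.3.5).
CUI_ACTIONS = {"file_read", "file_write", "export", "print"}
AUTH_ACTIONS = {"login", "logout"}
ESCALATE_ACTIONS = {"export", "print"}

# Constructed sample records (not real data). One JSON object per line.
SAMPLE_LOG = """
{"ts": "2026-01-05T00:00:00Z", "user": "alice", "action": "file_read", "asset": "fs01", "cui": true}
{"ts": "2026-04-06T08:01:00Z", "user": "alice", "action": "login", "asset": "fs01", "cui": true}
{"ts": "2026-04-06T08:05:00Z", "user": "alice", "action": "file_read", "asset": "fs01", "cui": true}
{"ts": "2026-04-07T14:30:00Z", "user": "bob", "action": "export", "asset": "fs01", "cui": true}
{"ts": "2026-04-08T09:00:00Z", "user": "carol", "action": "login", "asset": "eng-share", "cui": true}
{"ts": "2026-04-09T17:45:00Z", "user": "bob", "action": "print", "asset": "fs01", "cui": true}
{"ts": "2026-04-10T11:00:00Z", "user": "dave", "action": "file_read", "asset": "wiki", "cui": false}
{"ts": "2026-04-14T08:00:00Z", "user": "alice", "action": "file_read", "asset": "fs01", "cui": true}
"""

# Review window used by review_sample(): the week ending 2026-04-13 00:00 UTC.
WEEK_END = datetime(2026, 4, 13, tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON-lines records; timestamps become timezone-aware datetimes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def weekly_review(records, week_end, retention_days=90):
    """Summarise one review week and flag the classic AU gaps."""
    week_start = week_end - timedelta(days=7)
    in_week = [r for r in records if week_start <= r["ts"] < week_end]
    cui = [r for r in in_week if r["cui"]]

    per_user = defaultdict(lambda: defaultdict(int))
    actions_by_asset = defaultdict(set)
    escalate = []
    for r in cui:
        actions_by_asset[r["asset"]].add(r["action"])
        if r["action"] in CUI_ACTIONS:
            per_user[r["user"]][r["action"]] += 1
        if r["action"] in ESCALATE_ACTIONS:
            escalate.append((r["ts"].isoformat(), r["user"], r["action"], r["asset"]))

    # The 3.3.1 trap: a CUI asset whose only events are logins/logouts.
    findings = []
    for asset, actions in sorted(actions_by_asset.items()):
        if actions <= AUTH_ACTIONS:
            findings.append(
                f"{asset}: authentication events only; no CUI access events in the review window")

    # Retention check assumes the log source existed for the whole window.
    oldest = min(r["ts"] for r in records) if records else week_end
    span = (week_end - oldest).days
    return {
        "week_start": week_start.date().isoformat(),
        "per_user": {u: dict(c) for u, c in sorted(per_user.items())},
        "escalate": escalate,
        "findings": findings,
        "retention_span_days": span,
        "retention_ok": span >= retention_days,
    }


def review_sample():
    """Run the review over the constructed sample for the fixed week."""
    return weekly_review(parse_log(SAMPLE_LOG), WEEK_END)


if __name__ == "__main__":
    print(json.dumps(review_sample(), indent=2))
```

On the sample, the review lists bob's export and print of CUI on fs01 for the reviewer, flags eng-share because carol's login is its only event, and reports a 98-day retained span. The monthly ISSM summary the control asks for is the same output aggregated across four weeks.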
5. CM.L2-3.4.1: Baseline configuration
"Establish and maintain baseline configurations and inventories of organizational systems." Almost no mid-market firm has a current inventory. Fix: deploy an asset management tool (Lansweeper, ManageEngine, or equivalent), generate a monthly baseline delta report, and track exceptions in a POA&M. We deploy this as part of our managed IT engagement for clients without existing tooling.
6. CM.L2-3.4.2: Security configuration
"Establish and enforce security configuration settings for information technology products." We see primes deploy Windows 11 with default settings - fail. Fix: apply the DoD STIG or CIS Level 1/2 benchmark to every workstation and server, verify via automated scan monthly, remediate deviations. Our remediation package includes pre-built STIG hardening scripts for Windows 10/11, Windows Server 2019/2022, RHEL 8/9, and Ubuntu 22.04 LTS.
7. IA.L2-3.5.3: Multifactor authentication
"Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts." SMS-based 2FA fails this control. Fix: enforce FIDO2 hardware keys or TOTP app MFA for all privileged accounts, and MFA for all network access. No SMS anywhere near CUI. We standardize on YubiKey 5 Series for FIDO2 and Microsoft Authenticator or Duo for TOTP across our managed clients.
8. IR.L2-3.6.1: Incident response capability
"Establish an operational incident-handling capability for organizational systems." The trap: having an IR plan is not the same as having tested it. Fix: tabletop exercise twice a year with documented results, named on-call roster, 24/7 reachback (internal or outsourced MSSP), and a tested escalation to the DoD Cyber Crime Center if CUI is involved. Petronella Technology Group has performed digital forensic investigations under NC DFE License #604180-DFE for over a decade - your IR program inherits courtroom-grade chain-of-custody when we run it.
9. MA.L2-3.7.5: Nonlocal maintenance
"Require multifactor authentication to establish nonlocal maintenance sessions via external network connections." Remote-support tools (LogMeIn, Rescue, TeamViewer) often bypass MFA. Fix: enforce MFA at the remote-access gateway, record sessions, and scope access to least-privilege time windows. ConnectWise Control or BeyondTrust with FIDO2 MFA on the technician side, and per-session approval on the customer side, is the pattern that passes assessor review.
10. MP.L2-3.8.3: Media sanitization
"Sanitize or destroy information system media containing CUI before disposal or release for reuse." Office printers and MFPs have hard drives. Decommissioned laptops get donated. Fix: a documented sanitization procedure (NIST SP 800-88), destruction certificates for every disposed asset, and an exit interview step for departing employees. PTG provides asset disposition with NIST SP 800-88 destruction certificates for managed-IT clients in the Triangle.
11. PE.L2-3.10.6: Alternate work sites
"Enforce safeguarding measures for CUI at alternate work sites." COVID-era work-from-home policies usually fail here. Fix: written home-office standards including locked office, no shared displays, VPN-only access, and clean-desk policy. Spot audits quarterly. Our policy template package (included in Flagship Tier) covers all twelve PE-family controls including alternate work sites and is reviewable in the SSP appendix.
12. RA.L2-3.11.2: Vulnerability scanning
"Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified." Monthly scans are the minimum. Quarterly is often what we see - fail. Fix: weekly authenticated scans of the CUI boundary, rapid-response 72-hour patch SLA for critical CVEs, quarterly penetration test. PTG's pentest engagements include a CMMC-aligned report mapped to the relevant SP 800-171 control families so your assessor can use it as evidence directly.
13. SC.L2-3.13.11: FIPS-validated cryptography
"Employ FIPS-validated cryptography when used to protect the confidentiality of CUI." Commercial TLS libraries are not automatically FIPS. Fix: ensure endpoint encryption (BitLocker with FIPS mode, OpenSSL in FIPS mode, AWS KMS FIPS endpoints) and document the validation certificate numbers in your System Security Plan (SSP). Common gotchas: macOS FileVault is NOT FIPS-validated by default; iOS data-protection encryption requires Supervised mode plus the FIPS-validated module configuration.
14. SI.L2-3.14.6: Monitor security alerts
"Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks." The failure: a firewall alert going to a generic inbox with nobody named on it. Fix: 24/7 SOC coverage (MSSP or internal), alert triage SLA under 30 minutes for high-severity, documented response procedures tested twice yearly. PTG operates a 24/7 Security Operations Center for managed clients with SLA-backed triage; primes can engage the SOC standalone or bundled with the assessment-plus-remediation program.
The POA&M Trap
Under the CMMC 2.0 Final Rule, primes can receive a conditional certification if their Plan of Action and Milestones (POA&M) covers fewer than 20% of total practices AND every POA&M item is closed within 180 days. The trap: many primes add controls to POA&M to "buy time" and then miss the 180-day close. Conditional certifications become failures when the second window closes. Fix: treat POA&M items as project deliverables with assigned owners, weekly standups, and a hard 150-day internal close target. PTG's Flagship Tier includes a POA&M draft document with owner assignments, milestone dates, and integration hooks for Jira, ServiceNow, or Asana so the close cadence stays visible to leadership.
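To make the 180-day close window concrete, here is an added example (not code from this page or from Petronella Technology Group) of the kind of POA&M tracker the paragraph above argues for. It takes a list of items with owners, applies the page's 20% cap, the 180-day hard close and the 150-day internal target, and reports whether the conditional certification is on track, at risk, or already lapsed. The certification date, owners and close dates are constructed; the control IDs are the ones named on this page.

```python
"""POA&M close-window tracker for a conditional CMMC Level 2 certification (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

TOTAL_PRACTICES = 110
POAM_CAP_PERCENT = 20        # page: POA&M must cover fewer than 20% of practices
HARD_CLOSE_DAYS = 180        # Final Rule close window, as stated on the page
INTERNAL_TARGET_DAYS = 150   # the page's recommended internal close target


@dataclass
class PoamItem:
    control: str
    owner: str
    closed_on: Optional[date] = None   # None means the item is still open


def poam_within_cap(n_items: int) -> bool:
    """True when the POA&M covers fewer than 20% of the 110 practices (integer math)."""
    return n_items * 100 < POAM_CAP_PERCENT * TOTAL_PRACTICES


def assess_poam(items: List[PoamItem], certified_on: date, today: date) -> dict:
    """Classify the POA&M against the hard deadline and the internal target."""
    hard_deadline = certified_on + timedelta(days=HARD_CLOSE_DAYS)
    internal_target = certified_on + timedelta(days=INTERNAL_TARGET_DAYS)

    open_items = [i for i in items if i.closed_on is None]
    # An item still open past the hard deadline, or one closed after it,
    # means the conditional certification has already lapsed.
    lapsed = (bool(open_items) and today > hard_deadline) or any(
        i.closed_on is not None and i.closed_on > hard_deadline for i in items)

    if lapsed:
        status = "expired"
    elif not open_items:
        status = "closed"
    elif today > internal_target:
        status = "at_risk"       # past the 150-day internal target, still inside 180
    else:
        status = "on_track"

    return {
        "status": status,
        "cap_ok": poam_within_cap(len(items)),
        "hard_deadline": hard_deadline.isoformat(),
        "internal_target": internal_target.isoformat(),
        "days_to_hard_deadline": (hard_deadline - today).days,
        "open_items": [(i.control, i.owner) for i in open_items],
    }


def sample_items() -> List[PoamItem]:
    """Constructed sample POA&M: control IDs from the page, owners and dates made up."""
    return [
        PoamItem("CM.L2-3.4.1", "it-ops", closed_on=date(2026, 4, 2)),
        PoamItem("SC.L2-3.13.11", "security"),
        PoamItem("SI.L2-3.14.6", "soc"),
    ]


def assess_sample(today_iso: str) -> dict:
    """Assess the sample POA&M against an assumed conditional certification dated 2026-01-15."""
    return assess_poam(sample_items(), date(2026, 1, 15), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for day in ("2026-06-01", "2026-06-20", "2026-07-20"):
        print(day, assess_sample(day))
```

Run weekly from the standup the paragraph recommends: the status flips from on_track to at_risk the day the 150-day target passes, and to expired once any item is still open after day 180, which is the point at which the page says the certification converts to a failure.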
Readiness Scoring: Where You Actually Stand
We score gap assessments on the DoD Supplier Performance Risk System (SPRS) methodology - a maximum of 110 points, minus the weighted cost of each unmet control. Scores below 88 typically trigger a C3PAO finding. Scores above 99 usually pass on first assessment.
In our 2025-2026 engagement data, the median first-time score for a prime requesting our gap assessment is 71. The median score after our 90-day remediation package is 101. The delta comes from closing the fourteen controls above plus a handful of documentation gaps.
You can self-score before any paid engagement using our free SPRS Score Calculator. Most primes who use it discover they are 15-25 points lower than they thought because the unweighted "we have it" answer hides the maturity-of-implementation factor.
Three Questions to Ask Your Internal Team This Week
1. "Show me our current System Security Plan and the last three revisions." If the SSP does not exist or has not been updated in 12 months, start there.
2. "Pull the last vulnerability scan report and show me the MTTR for critical findings." If MTTR is over 7 days, you have a RA.L2-3.11.2 and SI.L2-3.14.1 problem.
3. "Walk me through what happens if I click a malicious link in an email right now. Who gets notified, in what order, and how do I know?" If nobody can answer in under 60 seconds, your IR.L2-3.6.1 implementation is not tested.
CMMC Level 2 Engagement Tiers and Pricing
Petronella Technology Group offers fixed-fee engagements for CMMC Level 2 readiness. No long-term contracts, no consulting hour creep, and a 30-day results promise on every paid engagement.
Flash Tier: Quick Read
- Scan of the 14 most-failed controls
- Top-10 high-risk practices review
- Written findings letter (5-7 pages)
- 30-minute readout call
- Suitable for early-stage readiness or second opinions
Flagship Tier: Full SPRS
- Full 110-control SPRS scoring
- System Security Plan (SSP) review
- POA&M draft with owner assignments
- 90-minute readout with leadership
- Remediation roadmap (90 / 180 / 365 day)
- Post-engagement Q&A for 30 days
90-Day Remediation Program
- Everything in Flagship Tier
- Control implementation by PTG engineers
- STIG hardening + SIEM tuning
- POA&M close-out under 150 days
- Pre-C3PAO mock assessment
- C3PAO referral and introduction
- Optional: 24/7 SOC bundled month-to-month
For firms approaching a C3PAO window under six months out, we recommend the 90-Day Remediation Program bundled with the Flagship Tier. Contact us for a scoped quote, or call 919-348-4912 to discuss your contract milestone and current readiness state.
The free Compliance Readiness Assessment - a 12-question online diagnostic mapped to CMMC Level 2 requirements - gives a red/yellow/green band score with no call required. Suitable for self-checking before booking a paid engagement.
DIY Gap Assessment vs PTG-Managed Engagement
Primes that self-assess typically reach a passing SPRS score in 9-18 months. Primes that engage PTG reach the same score in 90-180 days. Here is what changes:
| Dimension | DIY Self-Assessment | PTG-Managed Engagement |
|---|---|---|
| Time to passing SPRS score | 9-18 months | 90-180 days |
| SPRS score interpretation | Often inflated by self-graded "met" | Assessor-aligned scoring; matches C3PAO bar |
| System Security Plan (SSP) | Template downloaded; rarely updated | Authored against your environment with quarterly review cycle |
| POA&M discipline | No owners, no dates, no close-out | Owner assignments + 150-day close target + Jira/ServiceNow integration |
| FIPS cryptography | Assumed because TLS is on; rarely validated | Certificate numbers documented in SSP appendix |
| 24/7 SOC monitoring | Firewall alerts to a shared inbox | PTG SOC with sub-30-minute triage SLA |
| C3PAO assessment outcome | ~50% pass first attempt | ~95% pass first attempt (PTG track record) |
| Total cost (first 18 months) | $0 services + $50k-$200k internal labor + retest fees | $2,499 - $62,499 fixed + faster contract eligibility |
Why Petronella Technology Group for Your CMMC Level 2 Readiness
Petronella Technology Group has been a managed services and cybersecurity provider since April 2002. The firm holds Cyber AB Certified status, and Craig Petronella plus three teammates carry the CMMC-Registered Practitioner credential. We work alongside C3PAO assessors weekly and bring real-world remediation experience - not just consulting deliverables - to every engagement.
- 30+ years cybersecurity experience. Craig Petronella, our CEO, holds CMMC-RP, NC DFE #604180-DFE, MIT certificates in cybersecurity, AI, blockchain, and compliance, and is a 15-book Amazon best-selling author including the CMMC 2.0 Certification Guide. CMMC implementation has to fit cybersecurity reality, not the other way around.
- Zero client breaches on the managed security program. We do not roll out a CMMC configuration that introduces audit findings or compliance risk to your environment.
- 2,500+ businesses served across cybersecurity, compliance, and managed IT. Our patterns are battle-tested across small primes, mid-market firms, and government contractors with classified data.
- BBB A+ rated since 2003. We have stayed in business through 24 years of technology shifts because we deliver. No long-term contracts required.
- 30-day results promise. Measurable progress within 30 days, or your first month is free.
- Single point of accountability. One team, one invoice, no vendor finger-pointing between an MSP, a compliance consultant, and an integration partner.
- ComplianceArmor platform. Our proprietary ComplianceArmor platform automates SSP generation, evidence collection, and continuous control monitoring - the documentation work that primes typically underestimate by 60-80%.
"Petronella's work has been a major factor in our business success, helping it to become one of the most secured networks of its kind on the Internet."
- Financial Services Firm, Raleigh, NC (verified review)
Team and Credentials
Craig Petronella holds the CMMC-RP, NC Licensed Digital Forensics Examiner #604180-DFE, MIT certificates in cybersecurity, AI, blockchain, and compliance, plus CCNA and Microsoft Cloud credentials. He is a 15-book Amazon best-selling author, host of the Encrypted Ambition podcast (90+ episodes), and has been featured on NBC, ABC, CBS, FOX, and WRAL as a cybersecurity expert. His CMMC 2.0 Certification Guide is the textbook reference for the framework on Amazon.
Blake Rea, Justin Summers, and Jonathan Wood are CMMC-Registered Practitioners. PTG carries the Cyber AB Certified provider designation, has held a BBB A+ rating since 2003, and was founded April 2002. We operate from 5540 Centerview Dr., Suite 200, Raleigh NC 27606, serving the broader defense industrial base across the Eastern US and nationwide.
If you are reading this because a prime contract just landed with CMMC flow-down language and you are not sure where to start - book the free Compliance Readiness Assessment or call 919-348-4912. Craig or one of our CMMC-RPs will pick up.
Buyer-Intent FAQs: CMMC Level 2 Gap Assessment
How much does a CMMC Level 2 gap assessment cost in 2026?
Petronella Technology Group offers two fixed-fee tiers. The Flash Tier is $999 for a 5-business-day scan plus a written findings letter on the 14 most-failed controls and top-10 high-risk practices. The Flagship Tier is $2,499 for full 110-control SPRS scoring, System Security Plan (SSP) review, POA&M draft, and a 90-minute readout with leadership. A bundled 90-Day Remediation Program runs $15,000 to $60,000 depending on environment size and number of unmet controls. Free Compliance Readiness Assessment available before any paid engagement.
What SPRS score do I need to pass a C3PAO assessment?
The Supplier Performance Risk System (SPRS) score runs from -203 to +110, calculated from the maximum 110 minus the weighted cost of each unmet NIST SP 800-171 control. Scores below 88 typically trigger a C3PAO finding requiring remediation. Scores of 99 to 110 usually pass on first assessment. In our 2025-2026 engagement data, median first-time score for primes booking a gap assessment is 71; median post-remediation score is 101 (gain of +30 points).
How long does CMMC Level 2 remediation take from gap assessment to passing score?
From a starting SPRS score of 65-80, expect 60-120 days of remediation work to reach 99+. From 80-95, expect 30-60 days. The bottlenecks in most engagements are baseline-configuration tooling deployment (CM.L2-3.4.1), 24/7 SOC coverage (SI.L2-3.14.6), and FIPS-validated cryptography rollout (SC.L2-3.13.11). Documentation work (SSP and POA&M) runs in parallel and adds two to three weeks at the front end. Our 90-Day Remediation Program is the fixed-timeline option for primes with a contract milestone deadline.
Do small subcontractors really need CMMC Level 2 if they are not handling classified data?
Yes, if your contract or your prime's contract handles Controlled Unclassified Information (CUI). The DoD Final Rule (32 CFR 170) flows CMMC requirements through prime contracts to subcontractors. Saying "we are too small" is not a control. Even firms below the typical Level 2 threshold often handle CUI through email attachments, technical drawings, or test results without realizing it. Our gap assessment includes a CUI scoping review to confirm whether you fall in or out of the assessment boundary.
We are already SOC 2 Type II - do we need a separate CMMC Level 2 program?
Yes. SOC 2 overlaps roughly 40% with NIST SP 800-171. The remaining 60% - particularly the CUI-specific handling, audit logging, FIPS cryptography, and media sanitization controls - has no SOC 2 equivalent. We have watched three clients fail their C3PAO assessment on this assumption. SOC 2 is a useful starting point but it does not substitute for a Level 2 control implementation. The gap assessment crosswalks your SOC 2 controls to NIST 800-171 to identify the delta cleanly.
Can Petronella Technology Group serve as our C3PAO assessor?
No, and intentionally so. We are a Cyber AB Certified provider with four CMMC-RPs on staff, but the C3PAO assessment role is intentionally separated from the consulting role under CMMC governance. We prepare you for a successful C3PAO assessment - SPRS scoring, SSP authorship, POA&M management, evidence collection, and pre-assessment mock - and we can recommend C3PAOs we have worked with successfully. The clean separation protects the integrity of your assessment outcome.
What happens to our conditional certification if a POA&M item slips past 180 days?
It converts to a failure. Under the CMMC Final Rule, conditional certifications are valid only while the POA&M is open AND each item closes within 180 days. Miss the window and your certification status reverts to non-certified, which can pull contract eligibility - including current task orders. Our Flagship Tier POA&M draft includes owner assignments, milestone dates, and a hard 150-day internal close target so the close cadence stays visible to leadership and integrates with Jira, ServiceNow, or Asana.
Do you work with primes outside the Raleigh / Triangle area?
Yes. Petronella Technology Group's headquarters is in Raleigh, NC, and we serve in-person clients across the Triangle (Durham, Cary, Chapel Hill, Apex). For CMMC Level 2 engagements specifically, we operate fully nationwide. Engagements run remote-first with optional on-site work for SSP boundary walks, evidence collection, and pre-assessment mock C3PAO sessions. We currently support primes and subcontractors in the defense industrial base across 30+ states.
Book a CMMC Level 2 Gap Assessment
Talk to Petronella Technology Group about a fixed-fee gap assessment for your CMMC Level 2 readiness. Flash Tier $999, Flagship Tier $2,499, optional bundled 90-Day Remediation Program. Four CMMC-RPs on staff, Cyber AB Certified, BBB A+ since 2003. No long-term contracts, 30-day results promise.
Call 919-348-4912 or schedule a free consultation.
Petronella Technology Group, Inc. - 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 - info@petronellatech.com