CMMC Level 2 Checklist: 14 Controls Most Primes Fail
Posted: April 15, 2026 to Compliance.
Every defense prime we run a gap assessment for misses at least six of the 110 NIST SP 800-171 Rev. 2 practices that underpin CMMC Level 2, and the misses cluster. The remaining practices usually look fine. The fourteen below are the ones that fail C3PAO assessments most often, and under the Final Rule an open practice that is not POA&M-eligible means no certification and therefore no award or renewal.
This checklist is written for DoD prime contractors, subcontractors, and the Office of Small Business Programs supplier base. It's based on the gap assessments Petronella Technology Group has performed for clients across North Carolina, Virginia, and the broader Research Triangle defense corridor since the Interim DFARS rule took effect in 2020. Our team includes four CMMC-Registered Practitioners (Craig Petronella, Blake Rea, Justin Summers, Jonathan Wood) and we work alongside C3PAO assessors weekly. We're headquartered at 5540 Centerview Dr, Raleigh NC 27606, founded 2002, BBB A+ since 2003, and hold the PPSB accreditation.
Before the Checklist: Three Common Misconceptions
"I'm below the threshold so I don't need Level 2." The DoD's phased rollout under the Final Rule (32 CFR 170) begins flowing CMMC requirements into solicitations starting in 2025 and running through 2028. Your next contract or task order — or your prime's next contract — will almost certainly carry Level 1, 2, or 3 language. Subcontractors flow down prime requirements. Saying "we're too small" is not a control.
"We're already SOC 2, we're covered." SOC 2 overlaps roughly 40% with NIST 800-171. The other 60% — especially the CUI-specific handling controls — has no SOC 2 equivalent. We've watched three clients fail C3PAO on this assumption.
"Self-assessment and assessor assessment are the same bar." The Self-Assessment (Level 1 and some Level 2 contracts) lets you answer "met / not met." The C3PAO audit requires contemporaneous evidence for every control. If you can't show the audit log, the policy document, and the supporting configuration simultaneously, the practice scores as NOT MET regardless of actual implementation.
The 14 Controls That Fail Most Often
1. AC.L2-3.1.3 — Control CUI flow
The practice: "Control the flow of CUI in accordance with approved authorizations." Most primes fail because they have no written data-flow diagram for CUI, and their email, chat, and file-share systems allow CUI to leave scope with no technical enforcement. Fix: produce a CUI data-flow diagram, enforce DLP or tagged-channel egress, and audit quarterly.
2. AC.L2-3.1.20 — Verify external connections
"Verify and control/limit connections to and use of external information systems." The failure mode is employees pasting CUI into public LLMs (ChatGPT, Gemini, Copilot), unsanctioned Dropbox or WeTransfer accounts, personal email. The control requires a documented process to identify and approve external connections. Fix: DLP on CUI tags, endpoint browser controls, and a formal AUP with sign-off. See our private AI alternative for the LLM piece specifically.
3. AU.L2-3.3.1 — System auditing
"Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity." The trap: most primes log authentication events but not CUI access events. The records also have to trace each action to an individual user (the companion practice AU.L2-3.3.2), which shared accounts and generic service logons break. Fix: make sure your SIEM captures file-level access, export operations, and print events on CUI-marked assets, and retain them long enough to support an investigation. NIST SP 800-171 sets no retention period; we treat 90 days as the minimum.
4. AU.L2-3.3.5 — Correlated audit review
"Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity." Failure mode: logs exist but nobody reads them. Fix: a named individual with weekly review cadence, documented escalation path, and monthly summary delivered to the Information System Security Manager (ISSM).
5. CM.L2-3.4.1 — Baseline configuration
"Establish and maintain baseline configurations and inventories of organizational systems." Almost no mid-market firm has a current inventory. Fix: deploy an asset management tool (Lansweeper, ManageEngine, or equivalent), generate a monthly baseline delta report, and track exceptions in a POA&M.
6. CM.L2-3.4.2 — Security configuration
"Establish and enforce security configuration settings for information technology products." We see primes deploy Windows 11 with default settings — fail. Fix: apply the DoD STIG or CIS Level 1/2 benchmark to every workstation and server, verify via automated scan monthly, remediate deviations.
7. IA.L2-3.5.3 — Multifactor authentication
"Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts." SMS-based 2FA fails this control. Fix: enforce FIDO2 hardware keys or TOTP app MFA for all privileged accounts, and MFA for all network access. No SMS anywhere near CUI.
8. IR.L2-3.6.1 — Incident response capability
"Establish an operational incident-handling capability for organizational systems." The trap: having an IR plan is not the same as having tested it. Fix: tabletop exercise twice a year with documented results, named on-call roster, 24/7 reachback (internal or outsourced MSSP), and a tested escalation to the DoD Cyber Crime Center if CUI is involved.
9. MA.L2-3.7.5 — Nonlocal maintenance
"Require multifactor authentication to establish nonlocal maintenance sessions via external network connections." Remote-support tools (LogMeIn, Rescue, TeamViewer) often bypass MFA. Fix: enforce MFA at the remote-access gateway, record sessions, and scope access to least-privilege time windows.
10. MP.L2-3.8.3 — Media sanitization
"Sanitize or destroy information system media containing CUI before disposal or release for reuse." Office printers and MFPs have hard drives. Decommissioned laptops get donated. Fix: a documented sanitization procedure (NIST SP 800-88), destruction certificates for every disposed asset, and an exit interview step for departing employees.
11. PE.L2-3.10.6 — Alternate work sites
"Enforce safeguarding measures for CUI at alternate work sites." COVID-era work-from-home policies usually fail here. Fix: written home-office standards including locked office, no shared displays, VPN-only access, and clean-desk policy. Spot audits quarterly.
12. RA.L2-3.11.2 — Vulnerability scanning
"Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified." Monthly scans are the minimum. Quarterly is often what we see — fail. Fix: weekly authenticated scans of the CUI boundary, rapid-response 72-hour patch SLA for critical CVEs, quarterly penetration test.
13. SC.L2-3.13.11 — FIPS-validated cryptography
"Employ FIPS-validated cryptography when used to protect the confidentiality of CUI." Commercial TLS libraries are not automatically FIPS. Fix: ensure endpoint encryption (BitLocker with FIPS mode, OpenSSL in FIPS mode, AWS KMS FIPS endpoints) and document the validation certificate numbers in your System Security Plan (SSP).
14. SI.L2-3.14.6 — Monitor security alerts
"Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks." The failure: a firewall alert going to a generic inbox with nobody named on it. Fix: 24/7 SOC coverage (MSSP or internal), alert triage SLA under 30 minutes for high-severity, documented response procedures tested twice yearly.
The POA&M Trap
Under the CMMC Program rule, a Level 2 assessment can produce a Conditional certification only if the assessment score is at least 88 of 110 (80%), every open practice is POA&M-eligible (1-point practices, with a narrow exception for SC.L2-3.13.11 when encryption is in place but not yet FIPS-validated, and excluding a handful of 1-point practices the rule requires to be MET), and a POA&M closeout assessment confirms every item closed within 180 days. The trap: primes put controls on the POA&M to "buy time" and then miss the closeout. If the closeout assessment is not passed inside the 180-day window, the Conditional status expires and you are back to not certified. Fix: treat POA&M items as project deliverables with assigned owners, weekly standups, and a hard 150-day internal close target so the closeout assessment can be scheduled before the window shuts.
Readiness Scoring: Where You Actually Stand
We score gap assessments with the NIST SP 800-171 DoD Assessment Methodology, the same scoring that goes into the Supplier Performance Risk System (SPRS): start at 110 and subtract the weight (1, 3, or 5 points) of each unmet practice, so a score can fall well below zero. A score under 88 cannot qualify even for a Conditional certification. In our experience, scores above 99 with only 1-point practices still open usually pass on the first assessment.
In our 2025-2026 engagement data, the median first-time score for a prime requesting our gap assessment is 71. The median score after our 90-day remediation package is 101. The delta comes from closing the fourteen controls above plus a handful of documentation gaps.
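The two sections above (the POA&M trap and the scoring) are one calculation, and it is worth running it yourself before an assessor does. The following is an added example, not Petronella's scoring tool and not the DoD's: it applies the weighted deduction, the two partial-credit cases, the 88-point floor, the rule that only 1-point gaps may sit on a POA&M (with the SC.L2-3.13.11 exception and the five 1-point practices that must be MET, as we read 32 CFR 170.21), and the 180-day closeout against a 150-day internal target. The per-practice weights in the sample gap list are assumptions taken from our reading of Annex A of the assessment methodology and should be checked against the current document before you rely on them.

```python
"""SPRS-style scoring and POA&M eligibility check for a CMMC Level 2 gap list.

Added example, not Petronella's scoring tool. The rules encoded here are our
reading of the DoD Assessment Methodology and 32 CFR 170.21; the per-practice
weights in GAPS are assumptions to verify against Annex A.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

MAX_SCORE = 110
POAM_FLOOR = 88              # 80% of 110: below this there is no Conditional certification
POAM_CLOSEOUT_DAYS = 180     # closeout assessment must pass within this window
INTERNAL_TARGET_DAYS = 150   # the internal close target recommended above

# Only these two practices can be scored "partial" (3-point deduction instead of 5).
PARTIAL_ALLOWED = {"IA.L2-3.5.3", "SC.L2-3.13.11"}
# 1-point practices the rule nevertheless requires to be MET (our reading of 170.21).
MUST_BE_MET = {"AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}


@dataclass
class Practice:
    pid: str
    weight: int                    # 1, 3 or 5 from Annex A (assumed values in the sample)
    status: str                    # "met", "partial" or "not_met"
    owner: str = ""
    due: Optional[date] = None     # planned POA&M close date, None if nobody has committed


def deduction(p: Practice) -> int:
    if p.status == "met":
        return 0
    if p.status == "partial":
        if p.pid not in PARTIAL_ALLOWED:
            raise ValueError(f"{p.pid} cannot be scored partial")
        return 3
    return p.weight


def score(gaps: list[Practice]) -> int:
    """Every practice not listed in `gaps` is assumed MET."""
    return MAX_SCORE - sum(deduction(p) for p in gaps)


def poam_eligible(gaps: list[Practice]) -> tuple[bool, list[str]]:
    """Can this gap list go on a POA&M and yield a Conditional certification?"""
    reasons = []
    s = score(gaps)
    if s < POAM_FLOOR:
        reasons.append(f"score {s} is below {POAM_FLOOR}")
    for p in gaps:
        if p.status == "met":
            continue
        if p.pid in MUST_BE_MET:
            reasons.append(f"{p.pid} must be MET; it cannot sit on a POA&M")
        elif p.pid == "SC.L2-3.13.11" and p.status == "partial":
            continue   # the one >1-point gap the rule lets onto a POA&M
        elif deduction(p) > 1:
            reasons.append(f"{p.pid} costs {deduction(p)} points; only 1-point gaps may be on a POA&M")
    return (not reasons, reasons)


def closeout_deadline(conditional_date: date) -> date:
    return conditional_date + timedelta(days=POAM_CLOSEOUT_DAYS)


def poam_at_risk(gaps: list[Practice], conditional_date: date) -> list[str]:
    """Open items with no close date, or one landing after the internal target."""
    target = conditional_date + timedelta(days=INTERNAL_TARGET_DAYS)
    return [p.pid for p in gaps if p.status != "met" and (p.due is None or p.due > target)]


def after_remediation(gaps: list[Practice], fixed: set[str]) -> list[Practice]:
    return [replace(p, status="met") if p.pid in fixed else p for p in gaps]


# Constructed sample: a prime at its first gap assessment. Weights are assumed.
CONDITIONAL_DATE = date(2026, 1, 15)
GAPS = [
    Practice("AC.L2-3.1.3", 1, "not_met", "ISSM", date(2026, 3, 1)),
    Practice("PE.L2-3.10.6", 1, "not_met", "HR", date(2026, 7, 1)),       # lands after the 150-day target
    Practice("IA.L2-3.5.3", 5, "partial", "IT"),                         # MFA on privileged/remote only
    Practice("SC.L2-3.13.11", 5, "partial", "IT", date(2026, 4, 1)),     # encryption on, not FIPS-validated
    Practice("RA.L2-3.11.2", 5, "not_met", "IT", date(2026, 2, 15)),
]

if __name__ == "__main__":
    print("score:", score(GAPS))
    ok, why = poam_eligible(GAPS)
    print("POA&M eligible:", ok, *why, sep="\n  ")
    print("closeout deadline:", closeout_deadline(CONDITIONAL_DATE))
    print("at risk of missing the internal target:", poam_at_risk(GAPS, CONDITIONAL_DATE))
    fixed = after_remediation(GAPS, {"IA.L2-3.5.3", "RA.L2-3.11.2"})
    print("after fixing MFA and scanning:", score(fixed), poam_eligible(fixed))
```

The sample scores 97, comfortably above 88, and is still not POA&M-eligible: the partial MFA implementation and the missing vulnerability scanning are worth more than 1 point each. Closing those two lifts the score to 105 and leaves only 1-point gaps, which is the shape an assessment has to be in before a Conditional certification is even on the table.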
Three Questions to Ask Your Internal Team This Week
1. "Show me our current System Security Plan and the last three revisions." If the SSP doesn't exist or hasn't been updated in 12 months, start there.
2. "Pull the last vulnerability scan report and show me the MTTR for critical findings." If MTTR is over 7 days, you have a RA.L2-3.11.2 and SI.L2-3.14.1 problem.
3. "Walk me through what happens if I click a malicious link in an email right now. Who gets notified, in what order, and how do I know?" If nobody can answer in under 60 seconds, your IR.L2-3.6.1 implementation isn't tested.
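Question 2 above, and the RA.L2-3.11.2 fix earlier, both come down to the same arithmetic over the scanner's export: how long each finding stayed open against the SLA for its severity, what the mean time to remediate is per severity, and whether the scans actually ran on the cadence the SSP claims. The following is an added example, not tooling from this page or from Petronella Technology Group, that does that over a constructed export. Only the 72-hour critical SLA comes from the article; the high/medium/low SLAs, the weekly cadence check, the field names and every finding and scan date are assumptions.

```python
"""Remediation SLA, MTTR and scan-cadence check over a vulnerability-scanner export.

Added example for RA.L2-3.11.2 / SI.L2-3.14.1; not Petronella's tooling.
Only the 72-hour critical SLA comes from the article; everything else here
(other SLAs, field names, hosts, findings, scan dates) is a constructed assumption.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

SLA_HOURS = {"critical": 72, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}
MAX_SCAN_GAP_DAYS = 7                 # "weekly authenticated scans of the CUI boundary"
NOW = datetime(2026, 4, 14, 9, 0)     # evaluation time for the constructed sample


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed findings as a scanner export looks after normalisation.
# `in_scope` marks assets inside the CUI boundary; `remediated` is None while the finding is open.
FINDINGS = [
    {"id": "f1", "host": "cui-fs01", "severity": "critical", "title": "constructed finding",
     "first_seen": ts("2026-04-01T09:00"), "remediated": ts("2026-04-02T15:00"), "in_scope": True},
    {"id": "f2", "host": "cui-app01", "severity": "critical", "title": "constructed finding",
     "first_seen": ts("2026-04-01T09:00"), "remediated": ts("2026-04-06T09:00"), "in_scope": True},
    {"id": "f3", "host": "cui-db01", "severity": "critical", "title": "constructed finding",
     "first_seen": ts("2026-04-10T09:00"), "remediated": None, "in_scope": True},
    {"id": "f4", "host": "cui-ws17", "severity": "high", "title": "constructed finding",
     "first_seen": ts("2026-04-03T09:00"), "remediated": ts("2026-04-08T09:00"), "in_scope": True},
    {"id": "f5", "host": "cui-ws22", "severity": "medium", "title": "constructed finding",
     "first_seen": ts("2026-04-12T09:00"), "remediated": None, "in_scope": True},
    {"id": "f6", "host": "guest-wifi-ap", "severity": "critical", "title": "constructed finding",
     "first_seen": ts("2026-03-01T09:00"), "remediated": None, "in_scope": False},
]
# Dates on which an authenticated scan of the CUI boundary actually completed.
SCAN_DATES = [date(2026, 3, 1), date(2026, 3, 8), date(2026, 3, 15), date(2026, 4, 1), date(2026, 4, 8)]


def age_hours(f: dict, now: datetime) -> float:
    """Hours from first detection to remediation, or to `now` while still open."""
    end = f["remediated"] or now
    return (end - f["first_seen"]).total_seconds() / 3600


def sla_breaches(findings: list, now: datetime) -> list:
    """In-scope findings that are open past their SLA or were closed after it."""
    out = []
    for f in findings:
        if not f["in_scope"]:
            continue
        limit = SLA_HOURS[f["severity"]]
        hours = age_hours(f, now)
        if hours > limit:
            out.append({"id": f["id"], "host": f["host"], "severity": f["severity"],
                        "hours": hours, "limit": limit,
                        "state": "open" if f["remediated"] is None else "closed_late"})
    return out


def mttr_hours(findings: list) -> dict:
    """Mean time to remediate per severity, closed in-scope findings only."""
    closed = defaultdict(list)
    for f in findings:
        if f["in_scope"] and f["remediated"] is not None:
            closed[f["severity"]].append(age_hours(f, f["remediated"]))
    return {sev: mean(v) for sev, v in closed.items()}


def cadence_gaps(scan_dates: list, max_gap: int = MAX_SCAN_GAP_DAYS) -> list:
    """Consecutive scan dates further apart than the cadence the SSP promises."""
    ds = sorted(scan_dates)
    return [(a, b, (b - a).days) for a, b in zip(ds, ds[1:]) if (b - a).days > max_gap]


if __name__ == "__main__":
    for b in sla_breaches(FINDINGS, NOW):
        print(f"{b['id']} {b['host']:<12} {b['severity']:<8} {b['hours']:>6.0f}h > {b['limit']}h  {b['state']}")
    print("MTTR (hours):", mttr_hours(FINDINGS))
    print("cadence gaps:", cadence_gaps(SCAN_DATES))
```

Two of the three in-scope criticals breach the 72-hour SLA in the sample, one closed late and one still open, and the critical MTTR of 75 hours is already over the SLA even though one finding was closed in 30. The 17-day gap between the March 15 and April 1 scans is the kind of thing an assessor finds by asking for the scan history rather than the latest report, which is why the question above asks for the report and the MTTR together.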
How Petronella Technology Group Works With Primes
Three engagement tiers for CMMC Level 2 readiness:
CMMC Gap Assessment — Flash Tier ($999, three per month capacity). A 5-business-day scan plus written findings letter covering the 14 controls above plus top-10 other high-risk practices. Suitable for firms at an early stage of readiness or those needing a second opinion. Book Flash.
CMMC Gap Assessment — Flagship Tier ($2,499). Full 110-control SPRS scoring, System Security Plan review, POA&M draft, and 90-minute readout with your leadership team. Start Flagship.
Compliance Readiness Assessment (free). A 12-question online diagnostic mapped to CMMC Level 2 requirements. Red/yellow/green band scoring, recommendations, no call required. Take the free assessment.
For firms approaching a C3PAO window under six months out, we also offer a 90-day Remediation Program bundled with the Flagship — ask during the readout.
Team and Credentials
Craig Petronella holds the CMMC-RP, CCNA, CWNE, and Department of Forensic Examiners #604180 credentials. Blake Rea, Justin Summers, and Jonathan Wood are CMMC-Registered Practitioners. Petronella Technology Group carries the PPSB accreditation, has held a BBB A+ rating since 2003, and was founded in 2002. We operate from 5540 Centerview Dr, Raleigh NC 27606, serving the broader defense industrial base across the Eastern US.
If you're reading this because a prime contract just landed with CMMC flow-down language and you're not sure where to start — book the free assessment or call (919) 348-4912. Craig or one of our CMMC-RPs will pick up.