CMMC Level 2 Compliance & Certification

Controlled Unclassified Information is the broad category of sensitive-but-unclassified data the government shares with contractors: technical drawings, specifications, manufacturing details, research data, and other information marked for protection. The moment your business receives, generates, or passes that information to a subcontractor, the DoD expects it to be safeguarded under DFARS clause 252.204-7012 and, increasingly, under a CMMC requirement written into the contract through DFARS 252.204-7021.

That sweeps in far more companies than people expect. A machine shop fabricating parts from controlled drawings, an engineering firm developing prototypes, a managed service provider supporting a defense contractor's network, a logistics company moving controlled hardware, a law firm holding export-controlled documents for a defense client, and the prime contractors at the top of the supply chain all fall in scope. Subcontractors are not exempt: a prime is responsible for flowing the requirement down, so smaller suppliers deeper in the chain frequently have to meet Level 2 as well. If you have ever seen CUI markings on a document, received a DFARS flow-down clause, or been asked for your SPRS score, you are in scope. Our team helps you confirm exactly where CUI lives in your environment so you can scope the assessment accurately rather than certifying systems that never touch controlled data. For the broader picture across all three maturity tiers, see our CMMC compliance guide.

Implementing these families correctly is the heart of NIST 800-171 compliance, and it is also where most contractors stall. The controls are written in government language, several require specific technical architecture, and "partially done" still scores as not done.

Under DFARS 252.204-7019 and 252.204-7020, contractors must post a NIST 800-171 self-assessment score in the Supplier Performance Risk System (SPRS). The methodology starts at a perfect 110 and subtracts a weighted value for every control that is not fully implemented, which is why the scale runs all the way down to -203. A negative score is common for companies that have not started the work, and it is visible to the contracting officers deciding who is eligible for award.

Your SPRS score is the single most-watched data point in your CMMC journey because it is concrete, comparable, and reported directly to the DoD. Raising it is not about gaming the math; it is about genuinely closing control gaps in the right order so the score reflects real protection. We help clients calculate an honest baseline, prioritize the highest-weighted remediations first, and track the score up over time. You can estimate where you stand right now with our free SPRS score calculator, then bring the results to a consultation so we can map the fastest credible path to a passing posture.

Most contractors who once met the old "Level 3" definition under CMMC 1.0 now fall under CMMC 2.0 Level 2. If you are unsure which tier your contracts require, our CMMC compliance services team can confirm it against your specific DFARS clauses.

We begin by defining your assessment boundary and mapping exactly how CUI enters, moves through, and leaves your environment, because an accurate scope keeps the project from ballooning. From there we run a control-by-control gap analysis, calculate your honest SPRS baseline, and build the two documents every assessor asks for first: a thorough System Security Plan describing how each of the 110 controls is met, and a Plan of Action and Milestones for anything not yet complete. Remediation follows in priority order, weighting the highest-impact and highest-scoring controls first. Finally we assemble the evidence package and rehearse the assessment so that when a C3PAO or a self-assessment affirmation comes due, nothing is a surprise. Throughout, our ComplianceArmor platform generates and version-controls your policies, SSP, and evidence so the documentation stays audit-ready rather than going stale in a forgotten folder.

The companies that struggle with Level 2 rarely fail because of a single missing firewall. They fail because the scope was never pinned down, so CUI quietly spread into email, file shares, and personal devices that were never meant to hold it. They fail because multifactor authentication was switched on for some systems but not the privileged accounts that matter most. They fail because a System Security Plan was written once, then never updated as the environment changed, leaving the document and the reality out of sync. And they fail because POA&M items were opened with good intentions and then drifted past their milestones with no one accountable.

Under CMMC 2.0 the consequences are sharper than they used to be. A signed affirmation of compliance that is not actually true can become a False Claims Act exposure, and contracting officers can see a weak or stale SPRS score before a bid is even considered. The fix is not heroics close to a deadline; it is a disciplined program that keeps scope tight, evidence current, and the score honest. That discipline is exactly what an experienced CMMC partner brings, and it is why starting early consistently costs less than scrambling later.