CMMC Level 2 Certification Complete Guide to the 110 Controls, Costs, and C3PAO Assessment

CMMC Level 2 is the "Advanced" tier of the Cybersecurity Maturity Model Certification framework. It applies to any defense contractor or subcontractor that handles, processes, stores, or transmits Controlled Unclassified Information (CUI) as part of a Department of Defense contract. If your organization touches CUI in any capacity, Level 2 is the certification tier you will need.

Unlike CMMC Level 1, which covers only basic cyber hygiene for Federal Contract Information (FCI), Level 2 maps directly to the full set of 110 security requirements defined in NIST Special Publication 800-171 Revision 2. These controls were originally mandated under DFARS clause 252.204-7012 and have been required since 2017. CMMC Level 2 adds a formal verification layer on top of those requirements, meaning you can no longer just self-attest and move on. You must prove it.

The Department of Defense estimates that over 80,000 contractors in the Defense Industrial Base (DIB) will eventually need CMMC Level 2 certification. This includes prime contractors, subcontractors, manufacturers, IT service providers, research institutions, and any other organization that receives CUI through a DoD contract or subcontract. If your contract contains DFARS 252.204-7012 or references NIST 800-171, you should plan for Level 2.

Who Specifically Needs Level 2?

• Prime contractors handling CUI on DoD programs
• Subcontractors at any tier who receive CUI from a prime or another sub
• Cleared defense contractors processing classified information spillover
• Research labs and universities performing DoD-funded research with CUI
• Managed IT service providers who host or manage CUI environments for defense clients
• Manufacturers producing parts, components, or systems under contracts that include technical data marked as CUI

The consequences of not achieving Level 2 certification are straightforward: you will lose eligibility for contracts that require it. As CMMC requirements flow into new solicitations, contractors without the appropriate certification level will be disqualified during the bidding process. For many organizations, this means planning now rather than scrambling later. Learn more about the full CMMC compliance process to understand the broader context.

The jump from Level 1 to Level 2 is significant. You go from 17 basic practices (things like using antivirus and requiring passwords) to 110 comprehensive security controls that cover everything from multi-factor authentication to incident response planning to media sanitization. For most small and mid-sized contractors, Level 2 preparation is a serious project that requires dedicated resources, budget, and expert guidance. Explore the full breakdown of all CMMC levels explained.

Cost Breakdown by Component

These numbers might seem steep, but consider the alternative. Organizations that lose DoD contracts because they cannot prove compliance face far greater financial consequences. A single mid-size DoD contract can be worth millions annually. The cost of certification is an investment in your ability to compete.

The biggest cost variable is remediation. If your organization already has a solid NIST 800-171 compliance program in place, remediation costs will be on the lower end. If you are starting from scratch with minimal security controls, expect higher costs for technology purchases (SIEM, MFA, endpoint detection, encryption), infrastructure changes (network segmentation, enclave design), and staffing (hiring or contracting security personnel).

One important note: the C3PAO assessment fee is just one piece of the puzzle. Many organizations focus on the assessment cost and underestimate the remediation and documentation costs that must come before the assessment. Think of the assessment fee as the final exam, not the entire semester of coursework.

Typical Preparation Phases

1. Gap Assessment and Scoping (Month 1-2)

   Evaluate your current environment against all 110 NIST 800-171 controls. Identify where CUI lives, who accesses it, how it flows through your systems, and which controls you have already implemented versus which ones are missing or partially implemented. This phase also defines your CUI boundary and assessment scope.

2. Remediation Planning (Month 2-3)

   Prioritize the gaps you discovered. Create a detailed project plan with timelines, resource assignments, budget allocations, and milestones. Some remediation items will be quick policy updates. Others will require significant technology purchases, infrastructure changes, or process redesigns.

3. Technology and Infrastructure Remediation (Month 3-12)

   This is typically the longest phase. It includes deploying or upgrading security tools (SIEM, EDR, MFA, vulnerability scanning), redesigning network architecture for proper segmentation, implementing FIPS-validated encryption, configuring audit logging, and establishing secure remote access solutions. Learn more about CMMC remediation services.

4. Documentation Development (Month 6-14)

   Write or update your System Security Plan (SSP), Plan of Action and Milestones (POA&M), security policies, procedures, incident response plan, configuration management plan, and all supporting documentation. Documentation should run in parallel with remediation, not after it.

5. Internal Testing and Mock Assessment (Month 12-15)

   Conduct internal security assessments to validate that your controls work as documented. Run tabletop exercises for incident response. Test your audit logging. Verify MFA enrollment. A mock assessment conducted by an experienced RPO like PTG can identify remaining issues before the formal C3PAO assessment.

6. C3PAO Assessment (Month 14-18)

   Schedule and complete the formal third-party C3PAO assessment. The assessment team will review documentation, interview personnel, examine technical configurations, and test controls. Results are submitted to the Cyber AB for final certification.

Organizations with mature security programs and prior NIST 800-171 compliance efforts can compress this timeline to 6-9 months. Organizations starting from a baseline of minimal security should plan for 12-18 months. Rushing the process almost always leads to failed assessments and wasted money.

A CMMC Level 2 assessment is conducted by a Certified Third-Party Assessment Organization, known as a C3PAO. These organizations are accredited by the Cyber AB (formerly the CMMC Accreditation Body) and employ Certified CMMC Assessors (CCAs) who perform the actual evaluation. You can learn more about what a CCA does in our detailed guide.

Before the Assessment

Your organization selects a C3PAO from the Cyber AB Marketplace. The C3PAO assigns an assessment team (typically a lead assessor and one or more additional CCAs). Before the on-site or virtual assessment begins, you provide the assessment team with your System Security Plan, network diagrams, CUI boundary documentation, and a list of assets in scope. The assessment team reviews this documentation to plan their assessment activities.

During the Assessment

The assessment typically takes 3 to 5 days for small organizations and up to 2 weeks for larger, more complex environments. The assessment team evaluates all 110 controls using three methods.

• Document review: The assessors examine your SSP, policies, procedures, and evidence artifacts to verify that controls are documented and that documentation accurately reflects your environment.
• Technical testing: Assessors verify that technical controls are actually in place by examining system configurations, reviewing audit logs, testing access controls, verifying encryption, and checking security tool deployments.
• Personnel interviews: Team members at various levels are interviewed to confirm they understand their security responsibilities and that policies are actually followed in day-to-day operations.

Assessment Outcomes

Each of the 110 controls receives one of three ratings: MET, NOT MET, or NOT APPLICABLE. To achieve certification, all applicable controls must be rated as MET, though limited POA&M items may be allowed under certain conditions. The C3PAO submits its findings to the Cyber AB through the CMMC Enterprise Mission Assurance Support Service (eMASS). The Cyber AB conducts a quality assurance review before issuing certification.

If your organization does not pass, you will receive a detailed report identifying which controls were rated NOT MET. You can remediate those specific issues and schedule a reassessment, though this adds cost and delays your certification timeline.

The Supplier Performance Risk System (SPRS) score is your organization's self-reported compliance score against NIST 800-171. Every contractor handling CUI is already required to submit an SPRS score under DFARS 252.204-7019 and 252.204-7020. This score reflects how many of the 110 controls you have implemented.

How SPRS Scoring Works

Your SPRS score starts at 110 (perfect score, meaning all controls are fully implemented). For each control that is not implemented, points are subtracted based on the control's weighted value. The minimum possible score is -203. Your score, along with the date of your assessment and anticipated completion date for any POA&M items, is submitted to the SPRS portal.

To achieve CMMC Level 2 certification, your target SPRS score should be 110, meaning all controls are implemented. However, the reality is that most organizations begin their journey with scores well below that. Use our free SPRS calculator to estimate your current score and identify which controls have the highest point values.

SPRS Score as a Starting Point

Your current SPRS score serves as a useful baseline when planning your Level 2 journey. It tells you how far you need to go and which controls are responsible for the largest point deductions. However, keep in mind that SPRS scores are self-reported and often do not reflect the actual state of your controls. The C3PAO will not take your word for it during the assessment. They will verify every control independently.

Many organizations discover during a professional gap assessment that their actual compliance posture is significantly different from their reported SPRS score. This is common and not something to be embarrassed about. It is better to discover the gaps before the C3PAO assessment than during it.

A Plan of Action and Milestones (POA&M) documents the specific security controls that are not yet fully implemented, along with the steps, resources, and timeline to close those gaps. Under CMMC 2.0, limited use of POA&Ms is permitted during the Level 2 assessment process, but with strict conditions.

What the Rules Allow

• A POA&M may be used for controls that are partially implemented but not yet fully met at the time of assessment.
• POA&M items must be closed within 180 days of the conditional certification date.
• The total point value of controls on POA&M must not bring your SPRS score below a defined threshold (currently proposed at 80% of the maximum score).
• Your organization receives a conditional certification status until all POA&M items are remediated and verified.

What the Rules Do Not Allow

• You cannot place certain high-impact controls on POA&M. Specific controls related to FIPS-validated encryption, multi-factor authentication, and other critical security measures must be fully implemented at the time of assessment.
• POA&Ms are not a workaround for poor planning. If a C3PAO sees too many open items, it signals that your organization is not ready for assessment.
• You cannot use the same POA&M items indefinitely across multiple assessments. The intent is that POA&Ms are a short-term bridge, not a permanent accommodation.

The best approach is to minimize your POA&M items before scheduling a C3PAO assessment. Every open POA&M item introduces risk. If you fail to close items within the 180-day window, your conditional certification can be revoked. Talk to your consulting team about which controls are worth pushing to get done before the assessment versus which ones are reasonable POA&M candidates.

One of the most impactful decisions you will make during your CMMC Level 2 journey is defining your CUI boundary. The CUI boundary determines which systems, networks, people, and facilities are "in scope" for the assessment. Everything inside the boundary must meet all 110 controls. Everything outside the boundary does not. This means that a well-designed CUI boundary can dramatically reduce the cost, complexity, and time required for certification.

What Is a CUI Enclave?

A CUI enclave is a segmented portion of your network specifically designed to handle CUI. Rather than applying all 110 controls to your entire enterprise network, you create a separate, hardened environment where CUI lives. Only the systems and users that need access to CUI operate within the enclave. Your general corporate network, marketing systems, HR applications, and other non-CUI systems remain outside the boundary.

Enclave Design Strategies

• Physical enclave: A separate physical network with dedicated hardware, separate internet connection, and distinct physical access controls. Most secure but most expensive.
• Logical enclave: Uses VLANs, firewalls, and network segmentation to create a virtually separate environment within your existing infrastructure. More cost-effective but requires careful configuration and monitoring.
• Cloud enclave: Leverages a FedRAMP Moderate (or higher) authorized cloud service provider to host CUI. Microsoft GCC High, AWS GovCloud, and Google Cloud for Government are common choices. The cloud provider handles many infrastructure controls, but you remain responsible for user-level controls, access management, and data handling.
• Hybrid enclave: Combines on-premises and cloud components. For example, you might use GCC High for email and document storage while keeping certain engineering systems on a segmented on-premises network.

The key principle is: the smaller your CUI boundary, the lower your compliance burden. This does not mean you should cut corners on protection. It means you should be deliberate about where CUI goes and limit its spread. Data flow mapping, marking policies, and employee training all contribute to keeping CUI contained within the enclave.

Working with an experienced RPO helps you design a CUI boundary that balances security requirements with operational reality. The wrong boundary design can either leave you overexposed (too large a scope) or create operational bottlenecks that frustrate your workforce (too restrictive).

After working with dozens of defense contractors on their compliance journeys, we have seen the same patterns lead to failed or delayed assessments. Knowing these pitfalls can save you months of rework and significant expense.

1. Treating Compliance as a Checklist

CMMC is not a checkbox exercise. Assessors look for controls that are genuinely implemented, consistently followed, and producing measurable results. Having a policy document that says "we use MFA" means nothing if your assessor tests your VPN and finds single-factor authentication. Documentation must match reality.

2. Ignoring Evidence Collection

Every control needs evidence. Screenshots, log exports, configuration files, training records, signed policies, vulnerability scan reports. Organizations that do not collect evidence throughout the year are forced to scramble before the assessment. Build evidence collection into your routine operations.

3. Underscoping or Overscoping the CUI Boundary

Defining too broad a boundary makes compliance unnecessarily expensive and complex. Defining too narrow a boundary and missing systems where CUI actually resides will result in assessment findings. Accurate data flow mapping is essential.

4. Skipping the System Security Plan

The SSP is the single most important document in your CMMC assessment. It describes your CUI environment, system boundaries, data flows, interconnections, and how each of the 110 controls is implemented. A weak or incomplete SSP signals to assessors that your program is not mature. Invest the time to make it thorough and accurate.

5. Assuming Cloud Equals Compliant

Moving to GCC High or another FedRAMP-authorized cloud does not automatically make you CMMC compliant. The cloud provider is responsible for infrastructure-level controls, but your organization is still responsible for dozens of controls related to access management, training, incident response, configuration, and data handling. Shared responsibility means shared work.

6. Not Training Your People

When a CCA interviews your help desk technician and they cannot explain your incident reporting process, that is a finding. Every person with access to CUI should understand the basics of your security program. Role-specific training is required for IT staff, security personnel, and anyone with elevated privileges.

7. Waiting Too Long to Start

Organizations that wait until a contract solicitation requires CMMC certification before starting their compliance journey are almost always too late. With 6 to 18 months of preparation required and limited C3PAO availability, starting early is the single best thing you can do. The organizations winning contracts now are the ones that started their CMMC journey two years ago.

8. Using the Wrong Consultant

Be wary of any firm that offers to both prepare you for the assessment and then assess you. This is a conflict of interest that CMMC explicitly prohibits. The consulting firm (RPO) and the assessment organization (C3PAO) must be separate entities. PTG is a Registered Provider Organization. We prepare and advise. We then coordinate with independent C3PAOs for your formal assessment. This separation protects the integrity of the process and your certification.

Our role is consulting and remediation, not formal assessment. There is an important reason for this. The CMMC ecosystem intentionally separates the organizations that help you prepare (RPOs like PTG) from the organizations that assess you (C3PAOs). Combining both roles would be a conflict of interest, and it is prohibited under CMMC rules. This separation exists to protect you. It ensures that your assessor has no financial incentive to overlook gaps, and that your consultant has no incentive to understate your readiness.

Our Level 2 Services

1. Comprehensive Gap Assessment

   We evaluate your current environment against all 110 NIST 800-171 controls and identify exactly where you stand. This includes technical testing, documentation review, data flow mapping, and CUI boundary analysis. You receive a detailed report with specific findings and prioritized remediation recommendations. See our gap assessment services.

2. CUI Boundary Design and Scoping

   We help you design the optimal CUI enclave for your organization, balancing security requirements with operational needs and budget constraints. We identify where CUI enters, where it lives, where it moves, and where it exits. This scoping work directly determines the cost and complexity of your entire compliance program.

3. Technology Remediation

   We implement or upgrade the security tools and infrastructure needed to satisfy the 110 controls. This includes SIEM deployment, endpoint detection and response, multi-factor authentication, FIPS-validated encryption, network segmentation, vulnerability management, and secure configuration baselines. Learn more about our remediation services.

4. Documentation Development

   We build your complete documentation package: System Security Plan, Plan of Action and Milestones, security policies, procedures, incident response plan, configuration management plan, and all supporting artifacts. Every document is tailored to your environment, not a generic template filled with placeholder text.

5. Mock Assessment

   Before your formal C3PAO assessment, we conduct a mock assessment that simulates the real thing. Our team reviews documentation, tests controls, interviews staff, and identifies any remaining gaps. This gives you confidence going into the formal assessment and eliminates surprises.

6. C3PAO Coordination

   We help you select an appropriate C3PAO, coordinate scheduling, prepare your team for interviews, and organize your evidence artifacts. While we do not participate in the formal assessment itself (maintaining the ethical separation), we ensure you are fully prepared for it. After the assessment, we help address any findings or POA&M items.