What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 requires 17 practices (FAR 52.204-21 basic safeguarding) and allows annual self-attestation — no third-party assessment needed. It applies to contractors handling Federal Contract Information (FCI) but no CUI. CMMC Level 2 requires all 110 NIST 800-171 practices and mandates third-party verification by a C3PAO — self-attestation is not sufficient. It applies to contractors handling Controlled Unclassified Information (CUI). The cost differential is significant: Level 1 self-attestation costs $5K–$20K in prep time; Level 2 C3PAO assessments typically cost $50K–$200K total including remediation, assessment fees, and SSP documentation. The trigger is always CUI: if your contract contains DFARS 252.204-7012 and you receive or generate CUI, you need Level 2. [VERIFIED: 32 CFR Part 170 §170.13, §170.14; DFARS 252.204-7012]

How long does CMMC Level 2 certification take?

CMMC Level 2 certification typically takes 9–18 months from initial gap assessment to final certificate. Organizations with strong existing security posture (SPRS score above 80, MFA deployed, audit logging active, documented SSP) can potentially complete in 6–9 months. Organizations starting from a low baseline (SPRS score below 50, no SSP, gaps in access control or audit) should plan 12–18 months. The C3PAO assessment itself takes 2–8 weeks; scheduling lead times are 2–4 months due to limited assessor availability. With Phase 2 enforcement starting November 10, 2026, contractors who have not begun preparation by May 2026 face significant risk of missing the deadline. [AI-GENERATED estimate based on C3PAO community data and CMMC assessment timelines]

What is a POA&M in CMMC Level 2?

A Plan of Action and Milestones (POA&M) documents security gaps and the specific remediation plan to close them. In CMMC Level 2, a POA&M is required for any practice not fully implemented at the time of assessment. Under the CMMC Final Rule (32 CFR Part 170), C3PAOs may issue a Conditional certification if certain practices are in a POA&M at assessment time — but only for non-critical controls. High-weighted controls (those with point values of 5 in the SPRS scoring model) cannot be on a POA&M for a passing assessment; they must be fully implemented. POA&M items must have specific closure milestones (typically 180 days or less) and are tracked in eMASS. A contractor with too many open POA&M items may receive a failing assessment, requiring full remediation before re-assessment. [VERIFIED: 32 CFR Part 170 §170.21; NIST SP 800-171A Rev 2]

What are the most common CMMC Level 2 failures?

The most common CMMC Level 2 failure points are: (1) Multi-Factor Authentication (MFA) — not deployed for privileged accounts or remote access; (2) Audit logging gaps — insufficient log retention, missing coverage of CUI systems, or no log review process; (3) Incomplete System Security Plan — SSP doesn't accurately reflect the current environment or system boundary; (4) CUI identification gaps — contractors haven't inventoried where CUI flows, is stored, or is processed; (5) Incident response plan not tested — a documented plan exists but tabletop exercises haven't been conducted; (6) Configuration management deficiencies — baseline configurations not documented, unauthorized software present; (7) Access control gaps — principle of least privilege not enforced, excessive admin accounts. These seven domains account for the majority of assessment findings across C3PAO reports. [AI-GENERATED analysis based on published C3PAO assessment findings and CMMC community data]

CMMC 2.0 Readiness Support — 110 Controls, Costs & Assessment Path (2026)

Q: How many practices does CMMC Level 2 require?

CMMC Level 2 requires exactly 110 security practices, identical to the 110 controls in NIST SP 800-171 Rev 2. There are no additional CMMC-specific practices beyond NIST 800-171 at Level 2 — the framework aligns precisely with the NIST standard. All 110 must be fully implemented and verified by a C3PAO; partial implementation does not satisfy the requirement. Organizations may carry documented POA&M items during the assessment window, but all practices must reach full implementation within the timeframe specified in the assessment agreement. [VERIFIED: 32 CFR Part 170 §170.14(c), cyberAB.org assessment guide]

What Is CMMC Level 2?

CMMC Level 2 (Cybersecurity Maturity Model Certification) is the certification tier required for defense contractors who handle Controlled Unclassified Information (CUI). Under the CMMC Final Rule (32 CFR Part 170), published December 26, 2023, Level 2 mandates full implementation of all 110 security practices in NIST SP 800-171 Rev 2, verified by an independent C3PAO — not self-attestation. [VERIFIED: 32 CFR Part 170, dodcio.defense.gov/CMMC/]

The November 10, 2026 Phase 2 enforcement date is when DoD contract solicitations begin requiring CMMC Level 2 certification at award. Contractors without certification will be ineligible for new awards that involve CUI. See our CMMC Phase 2 Deadline guide for the complete enforcement timeline.

110

Security practices required

Security domains

Nov 2026

Phase 2 enforcement date

$50K–$200K

Typical SMB cost range

Free Weekly Briefing

CMMC deadline countdown + defense bid alerts

Get the weekly brief defense contractors actually read — deadlines, new contract awards, compliance changes.

No spam. Unsubscribe anytime.

Free Tool

Check Your CMMC Readiness in 5 Minutes

See which of the 110 NIST SP 800-171 practices your organization has covered — and which will fail a C3PAO audit.

Take the Free Assessment →

All 110 CMMC Level 2 Practices by Domain

CMMC Level 2 is a direct mapping to NIST SP 800-171 Rev 2. All 110 practices must be implemented and verified by a C3PAO. The table below shows all 14 domains, practice counts, and key examples. [VERIFIED: NIST SP 800-171 Rev 2, cyberAB.org]

#	Domain	Practices	Key Focus
AC	Access Control	22	Limit system access to authorized users; enforce least privilege; control remote access; restrict CUI access
AT	Awareness & Training	3	Security awareness training for all users; role-based training for privileged users; insider threat awareness
AU	Audit & Accountability	9	Create and retain system audit logs; review and analyze logs; protect audit information; report audit failures
CM	Configuration Management	9	Establish and maintain baseline configurations; control system changes; restrict unauthorized software; review configs
IA	Identification & Authentication	11	Identify system users; authenticate identities before access; enforce MFA for privileged access and remote access; manage credentials
IR	Incident Response	3	Establish incident-handling capability; track and report incidents; test incident response plans
MA	Maintenance	6	Perform maintenance on systems; control maintenance tools; verify remote maintenance sessions; manage maintenance personnel
MP	Media Protection	9	Protect system media containing CUI; limit access to CUI on media; sanitize media before disposal; transport media securely
PS	Personnel Security	2	Screen individuals before authorizing CUI access; protect CUI during and after personnel terminations and transfers
PE	Physical Protection	6	Limit physical access to systems and CUI; escort visitors; maintain physical access logs; control physical access devices
RA	Risk Assessment	3	Assess risk to organizational operations; scan for vulnerabilities; remediate vulnerabilities per risk assessment
CA	Security Assessment	4	Assess security controls periodically; develop plans of action for deficiencies; monitor security controls on ongoing basis; develop, document, and implement SSP
SC	System & Comms Protection	16	Monitor and control communications; employ architectural designs to segregate networks; protect CUI during transmission; deny by default
SI	System & Info Integrity	7	Identify and correct system flaws; protect against malware; update malware protections; perform security scans; monitor system alerts

The Access Control (AC) and System & Communications Protection (SC) domains carry the most practices (22 and 16 respectively) and are consistently the most challenging for SMBs due to infrastructure requirements. The Identification & Authentication (IA) domain, with 11 practices, is where MFA failures are most common. [AI-GENERATED]

C3PAO Assessment Process & Timeline

A CMMC Level 2 assessment is conducted by a C3PAO (Certified Third-Party Assessment Organization) authorized by the Cyber AB (formerly CMMC Accreditation Body). The assessment results in a certificate entered into the DoD's eMASS system. [VERIFIED: cyberAB.org, 32 CFR Part 170 §170.17]

1

Gap Assessment (4–8 weeks)

Conduct an internal gap assessment against all 110 NIST 800-171 controls. Identify which practices are fully implemented, partially implemented, or not implemented. Calculate your baseline SPRS score. Use our free CMMC readiness tool to get started.
2

Remediation (3–12 months)

Address identified gaps. Priority order: (1) MFA deployment for privileged/remote access, (2) audit logging coverage, (3) SSP documentation, (4) CUI data flow mapping, (5) configuration management, (6) incident response plan testing. High-weighted controls must be closed before assessment.
3

C3PAO Selection & Scheduling (2–4 months lead time)

Select a C3PAO from the Cyber AB marketplace. Key criteria: authorized status, assessment team experience in your sector (manufacturing vs. IT services vs. research), price, timeline availability. Book 3–6 months in advance — capacity is limited. See our C3PAO selection guide →
4

Assessment Execution (2–8 weeks)

C3PAO assessors review your SSP, interview staff, observe controls in action, and examine evidence artifacts. Expect document requests (policies, logs, configs), interviews with system owners and security personnel, and technical testing. Keep evidence packages organized and readily accessible.
5

Certification or Conditional (2–4 weeks post-assessment)

If all 110 practices pass: Full certification uploaded to eMASS. If some non-critical practices have open POA&M items: Conditional certification (valid, but POA&M items must close within agreed timeframe). Critical/high-weight failures: Assessment fails; remediate and reschedule. Certificate valid for 3 years.

Cost Ranges for CMMC Level 2 Certification

Total cost to achieve CMMC Level 2 certification ranges widely based on organization size, current security posture, and remediation complexity. The ranges below reflect SMB realities in 2025–2026. [AI-GENERATED cost estimates based on published C3PAO pricing and community data]

Cost Category	Low Estimate	High Estimate	Notes
C3PAO Assessment Fee	$20,000	$75,000	Depends on org size, scope of CUI environment, and C3PAO
SSP Documentation	$5,000	$25,000	Can be done internally if staff has expertise; consultant rates $150–$300/hr
Technical Remediation (MFA, logging, configs)	$10,000	$80,000	Major variable; depends on how far below baseline the current environment is
CMMC Consultant / RPO	$0	$50,000	Optional but strongly recommended for first-time organizations; see RPO vs C3PAO guide
Staff Training & Awareness	$2,000	$10,000	Security awareness training platform + role-based training for IT/security staff
Total (typical SMB)	$37,000	$200,000+	Organizations with strong NIST 800-171 baseline can land near the low end

C3PAO Selection Criteria

Not all C3PAOs are equal. The Cyber AB authorizes C3PAOs, but authorization means minimum qualification — not expertise in your sector. Use these criteria to evaluate candidates: [VERIFIED: cyberAB.org marketplace standards]

Authorized status: Verify on the Cyber AB marketplace. Status must be "Authorized C3PAO" — not "Candidate" or "Provisional."
Sector experience: Defense manufacturing, IT/MSP, research, and supply chain environments have different assessment dynamics. Ask for references in your sector.
Lead Assessor credentials: The Certified CMMC Assessor (CCA) leading your assessment matters. Ask about their specific CUI environment experience.
Timeline availability: With Phase 2 enforcement in November 2026, C3PAO schedules are filling fast. Confirm availability for your target window before signing.
Scope confirmation: Ensure the C3PAO clearly defines your assessment scope (system boundary, CUI flows, enclave). Scope creep during assessment is costly.
Re-assessment policy: If you fail, what are the re-assessment terms? Some C3PAOs include one re-assessment; others charge full fees.

→ See our complete C3PAO assessment guide for a full evaluation checklist and what to expect on assessment day.

POA&M Rules in CMMC Level 2

A Plan of Action and Milestones (POA&M) is your documented plan to close gaps. In CMMC Level 2 assessments, POA&M items matter: [VERIFIED: 32 CFR Part 170 §170.21, NIST SP 800-171A]

Conditional certification: If non-critical practices have open POA&M items at assessment time, a C3PAO may issue a Conditional certification. This is valid for contract purposes but requires closure within the agreed timeline (typically 180 days).
High-weighted controls cannot be on POA&M: Practices with a point value of 5 in the SPRS scoring model are considered critical. These must be fully implemented before assessment begins — they cannot be carried as open POA&M items.
POA&M structure: Each item must include: the specific practice, current status, responsible party, resources required, and milestone closure date.
Tracking in eMASS: POA&M items from formal assessments are tracked in the DoD's eMASS system. Contracting officers can see open POA&M status.
Timeline risk: POA&M items with distant closure dates may concern contracting officers. Aim to have no open POA&M items older than 90 days at award.

Common CMMC Level 2 Failure Points

These are the control areas where defense contractors most frequently fail or receive deficiency findings during Level 2 assessments. [AI-GENERATED analysis based on C3PAO community data and published assessment guidance]

❌ MFA Not Fully Deployed

IA.3.083 requires MFA for all privileged access and all remote access. Missing MFA for any admin account or remote session is an immediate finding.

❌ Audit Log Gaps

AU domain (9 practices) requires complete, retained, reviewed logs across CUI systems. Missing log sources or insufficient retention (less than 90 days) fail AU.2.042.

❌ Incomplete SSP

CA.2.061 requires a current SSP. SSPs that don't accurately describe system boundaries, CUI flows, or environment are a frequent deficiency — especially after infrastructure changes.

❌ CUI Not Inventoried

If you don't know where CUI lives, you can't scope your controls. AC.1.001 and MP.2.119 both require you to know your CUI inventory before access and media controls can be assessed.

❌ IR Plan Not Tested

IR.2.093 requires testing your incident response plan. "We have a documented plan" is not sufficient — assessors want evidence of tabletop exercises or drills.

❌ Unauthorized Software Present

CM.2.061 requires a deny-by-default software policy. Finding unapproved applications on CUI systems is a common configuration management failure.

SPRS Score and CMMC Level 2

Before your C3PAO assessment, you must submit a SPRS (Supplier Performance Risk System) self-assessment score to PIEE (Procurement Integrated Enterprise Environment). The SPRS score is calculated from the NIST 800-171 DoD Assessment Methodology, assigning point values to each of the 110 practices. [VERIFIED: DFARS 252.204-7019, DFARS 252.204-7020]

Maximum score: 110 points (all practices fully implemented)
Minimum score: –203 points (no practices implemented)
Typical SMB starting score: 50–80 (common with partial implementations)
SPRS score must be on file in PIEE before a C3PAO assessment can be submitted to eMASS
Your self-assessed SPRS score and your C3PAO assessment score may differ — assessors apply their own judgment to evidence

→ Use our NIST 800-171 checklist to systematically evaluate each control and calculate your SPRS score before engaging a C3PAO.

CMMC Level 2 for Subcontractors

If you are a subcontractor who receives CUI from a prime contractor, you are subject to the same CMMC Level 2 requirements as the prime. The prime contractor is responsible for flowing down CMMC requirements via the subcontract. [VERIFIED: 32 CFR Part 170 §170.3, DFARS 252.204-7021(c)]

Key considerations for subcontractors:

Your prime will require proof of certification (your eMASS record) before sharing CUI
The CUI your prime shares with you determines your system boundary for the assessment
If you are a Managed Service Provider (MSP) for a defense contractor, your systems handling CUI are in scope
Cloud Service Providers (CSPs) in the CUI environment need FedRAMP Moderate authorization or equivalent

→ See our complete subcontractor guide for flow-down requirements, prime-sub agreements, and scoping your environment.

Frequently Asked Questions

CMMC Level 2 requires full implementation of all 110 security practices in NIST SP 800-171 Rev 2, verified by an authorized C3PAO. The 110 practices span 14 security domains: Access Control (22 practices), Awareness & Training (3), Audit & Accountability (9), Configuration Management (9), Identification & Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System & Communications Protection (16), and System & Information Integrity (7). You must also maintain a System Security Plan, a current SPRS score in PIEE, and a passing C3PAO assessment in eMASS. [VERIFIED: NIST SP 800-171 Rev 2, 32 CFR Part 170 §170.14]

CMMC Level 2 requires exactly 110 security practices — identical to NIST SP 800-171 Rev 2. All 110 must be fully implemented and verified by a C3PAO. Partial implementation does not pass. Organizations may have documented POA&M items for non-critical controls, but high-weighted (5-point) controls must be fully implemented at assessment time. [VERIFIED: 32 CFR Part 170 §170.14(c)]

Level 1 requires 17 practices (FAR 52.204-21) and allows annual self-attestation — applies to FCI, not CUI. Level 2 requires all 110 NIST 800-171 practices and mandates C3PAO third-party verification — applies to CUI. Cost: Level 1 self-attestation runs $5K–$20K; Level 2 total certification typically runs $50K–$200K for SMBs. The trigger for Level 2 is CUI handling — check your contracts for DFARS 252.204-7012. [VERIFIED: 32 CFR Part 170 §170.13, §170.14]

Typically 9–18 months from initial gap assessment to certificate. Organizations with strong baselines (SPRS score above 80, deployed MFA, documented SSP) may complete in 6–9 months. Organizations with significant gaps should plan 12–18 months. The C3PAO assessment phase itself takes 2–8 weeks; scheduling lead times are 2–4 months. With Phase 2 enforcement November 10, 2026, contractors who haven't started by May 2026 face real risk. [AI-GENERATED estimate]

A Plan of Action and Milestones documents gaps and your remediation plan. In CMMC Level 2, a C3PAO may issue a Conditional certificate if non-critical practices have open POA&M items — but high-weighted (5-point SPRS) controls must be fully implemented before assessment. POA&M items must have specific closure milestones (typically 180 days or less) and are tracked in eMASS. [VERIFIED: 32 CFR Part 170 §170.21]

The top failure points are: (1) MFA not fully deployed for privileged/remote access, (2) audit log gaps or insufficient retention, (3) incomplete or outdated SSP, (4) CUI not inventoried and scoped, (5) incident response plan not tested with tabletop exercises, (6) unauthorized software on CUI systems, (7) access control gaps — excess admin accounts, least privilege not enforced. These seven areas account for the majority of C3PAO assessment findings. [AI-GENERATED analysis]

Next Steps for CMMC Level 2 Preparation

With Phase 2 enforcement starting November 10, 2026, the window for preparation is closing. Here is the action sequence: [AI-GENERATED guidance]

Run a gap assessment now. Use our free CMMC readiness tool to get your baseline score and identify gaps across all 14 domains.
Calculate your SPRS score. Use the NIST 800-171 checklist to score each of the 110 controls and document your current state in your SSP.
Prioritize MFA and audit logging. These are the two most common failure points and the highest-weight remediation items. Start here.
Document your SSP. A complete, accurate System Security Plan describing your CUI environment, system boundary, and security controls is required before any C3PAO will begin an assessment.
Select and schedule a C3PAO. Use the Cyber AB marketplace. Book at least 3–4 months in advance. See our C3PAO selection guide.
Submit your SPRS score to PIEE. Required before assessment results can be submitted to eMASS. Access SPRS at sprs.csd.disa.mil.
Monitor contract pipeline. Use our Defense Pulse tool to track new DoD solicitations in your sector — see which are already requiring CMMC Level 2.

Free Tool

Check Your CMMC Readiness in 5 Minutes

Map your current controls against all 110 CMMC Level 2 requirements and get a prioritized gap list instantly.

Take the Free Assessment →

CMMC Level 2 Requirements: Everything Defense Contractors Need to Know

What Is CMMC Level 2?

CMMC deadline countdown + defense bid alerts

Check Your CMMC Readiness in 5 Minutes

All 110 CMMC Level 2 Practices by Domain

C3PAO Assessment Process & Timeline

Gap Assessment (4–8 weeks)

Remediation (3–12 months)

C3PAO Selection & Scheduling (2–4 months lead time)

Assessment Execution (2–8 weeks)

Certification or Conditional (2–4 weeks post-assessment)

Cost Ranges for CMMC Level 2 Certification

C3PAO Selection Criteria

POA&M Rules in CMMC Level 2

Common CMMC Level 2 Failure Points

❌ MFA Not Fully Deployed

❌ Audit Log Gaps

❌ Incomplete SSP

❌ CUI Not Inventoried

❌ IR Plan Not Tested

❌ Unauthorized Software Present

SPRS Score and CMMC Level 2

CMMC Level 2 for Subcontractors

Frequently Asked Questions

Next Steps for CMMC Level 2 Preparation

Check Your CMMC Readiness in 5 Minutes

Get the weekly CMMC brief — free