How to Effectively Prepare for a CMMC Assessment

Key Takeaways

  • CMMC compliance is contract-critical for most DoD suppliers. 
  • Level 2 is the baseline for any DoD contractor that handles Controlled Unclassified Information.
  • All 110 practices must be MET or legitimately N/A to certify.
  • POA&Ms give you up to 180 days to finish fixes and pass a short close-out assessment.
  • Certificates are valid for three years, but you must maintain continuous compliance throughout this period.
  • Centraleyes automates evidence collection, live scoring, and remediation tracking to speed certification.
  • About 80,000 companies (roughly one-third of the Defense Industrial Base) will fall under CMMC Level 2 whenever a contract involves CUI.

The Cybersecurity Maturity Model Certification (CMMC) was developed to ensure the protection of sensitive data across the Defense Industrial Base (DIB). CMMC aligns with NIST SP 800-171 and focuses on safeguarding Controlled Unclassified Information (CUI). It consists of three levels that target different degrees of cyber maturity and controls across companies in the DoD supply chain.

Because Level 2 applies so commonly and represents a significant compliance step for many organizations in the defense sector, this guide focuses primarily on the Level 2 assessment.

Step 1: Understanding the Assessment Types

Two Types of Assessments

1. Self-Assessment

This is where your organization evaluates its own compliance with the CMMC Level 2 requirements. It applies to certain contracts or subcontracts where a Level 2 self-assessment is required (as per 32 CFR § 170.16). Self-assessments also apply to CMMC Level 1 for organizations handling Federal Contract Information (FCI), but not to Level 3. Level 3 always requires a more comprehensive third-party assessment.

2. Certification Assessment (Third-Party)

Conducted by a Certified Third-Party Assessment Organization (C3PAO), this type of assessment evaluates whether your organization meets the CMMC Level 2 requirements. It results in an official CMMC status of Conditional Level 2 or Final Level 2.

Step 2: Defining the Assessment Scope

Before you begin the CMMC assessment process, you need to define the CMMC assessment scope. This scope outlines the specific assets, systems, and environments that will be assessed for compliance. The scope is defined in accordance with 32 CFR § 170.19.

Key Considerations for Scope:

  • Entire Enterprise vs. Specific Enclave: You can choose to assess your entire enterprise network or a specific system or enclave within your organization.
  • Inclusion of External Service Providers (ESPs): If your organization uses third-party service providers, they must be included in the assessment scope, as they may also have access to CUI.

The CMMC Assessment Scope defines what is covered during the certification and is a crucial step to avoid unnecessary delays later on.

Step 3: Preparing for the Assessment

Preparation is the key to a smooth assessment process. The goal of this phase is to ensure that all documentation is in place and that your systems, policies, and procedures are ready for examination by the assessors.

1. System Security Plan (SSP):

Your SSP is a formal document that outlines the CMMC controls in place for protecting CUI. It must describe how your organization meets the CMMC Level 2 requirements, including the systems and processes in place to protect CUI.

Documentation Needs:

You’ll need to ensure your SSP includes system configurations, risk management policies, and security measures.

2. POA&M (Plan of Action and Milestones):

If your organization identifies any gaps in compliance, a POA&M should be created. This document outlines the corrective actions needed to address deficiencies and track progress toward remediation.

3. Evidence Collection:

Ensure that you have all necessary documentation, such as policies, security configurations, system architecture, and audit logs. Assessors will review these documents during the assessment process.

4. Readiness Review:

Before the official assessment, a readiness review conducted by the C3PAO or an internal team confirms that all necessary evidence is available and that your systems comply with the CMMC Level 2 requirements.

Step 4: The CMMC Assessment Process

The CMMC Level 2 assessment is the heart of the certification process. It’s where the rubber meets the road, as assessors evaluate your organization’s cybersecurity practices and ensure they align with the required standards for safeguarding Controlled Unclassified Information (CUI). This step is critical for organizations that need to achieve CMMC certification to continue doing business with the Department of Defense (DoD).

What Happens During the CMMC Level 2 Assessment?

Once your organization is ready and has completed its preparatory phases, the formal assessment begins. The CMMC Level 2 assessment evaluates how effectively your organization has implemented cybersecurity practices, aligning them with the 110 security practices outlined in NIST SP 800-171 and CMMC Level 2 requirements.

Here’s a breakdown of what happens at each stage:

1. Evidence Review

The C3PAO (Certified Third-Party Assessment Organization) will first review the body of evidence you provide, which includes your System Security Plan (SSP), Plan of Action and Milestones (POA&M), and any other relevant documentation that outlines your organization’s cybersecurity posture. This review ensures that the documentation supports the actual practices in place.

2. Interviews with Key Personnel

Interviews are conducted with personnel who are responsible for implementing cybersecurity practices across your organization. This includes IT staff, security teams, and management. The assessors will use interviews to verify that cybersecurity policies are being followed as per the documentation and that staff members are trained to handle and protect sensitive information.

3. Testing of Controls

The testing phase is crucial to demonstrate that your cybersecurity measures are actively working. Assessors will perform hands-on testing by applying various techniques such as vulnerability scanning, penetration testing, and other assessments to simulate real-world threats. The effectiveness of your system’s security controls will be directly tested to validate their implementation.

Scoring the Assessment

The assessors will score each of the 110 practices that make up CMMC Level 2. The scoring system includes three possible results for each practice:

  • MET: This means that the practice has been properly implemented and all objectives have been satisfied based on the evidence provided.
  • NOT MET: This indicates that the practice has not been properly implemented, and the organization needs to address the identified deficiencies.
  • NOT APPLICABLE: This is used when a practice is not relevant to your organization’s particular environment or scope of assessment.

To achieve CMMC Level 2 certification, your organization must have all 110 practices scored as either MET or NOT APPLICABLE. Any practice marked NOT MET must be remediated before the certification can be awarded.

Step 5: Addressing Deficiencies and Remediating Gaps

The CMMC Level 2 assessment is a rigorous process, and it’s not uncommon for organizations to identify deficiencies or areas where they don’t fully meet the required practices. However, the process is designed to provide organizations with an opportunity to address these issues and continue toward achieving certification.

What Happens When a Deficiency Is Identified?

When an assessor marks a requirement as NOT MET, the organization is given a Plan of Action and Milestones (POA&M). This plan serves as the remediation roadmap, allowing the organization to address the deficiency within a specified timeframe.

The remediation process typically works as follows:

1. Documenting the Issue:

The first step is to document the issue in the POA&M, clearly outlining which security requirement was not met and why it wasn’t in compliance with CMMC Level 2. This documentation serves as a foundation for corrective actions.

2. Setting Milestones:

The POA&M will establish clear milestones and deadlines for resolving the deficiencies. These milestones keep the remediation process tracked and hold the organization accountable. One of the common mistakes organizations make is not setting realistic and achievable timelines. This often leads to delays, so it’s crucial that the milestones are well-defined and that the organization adheres to the timeline.

3. Addressing the Gap:

Once the issues are documented and the milestones are set, the next step is to address the gaps. This could mean updating documentation, implementing new security controls, or conducting additional training for staff.

Organizations often underestimate the complexity of remediation. Many assume it’s simply about completing paperwork, but in practice, it can involve technical adjustments to systems, updating processes, and educating employees about new protocols.

4. Verification of Remediation:

Once the deficiencies are addressed, the organization will need to provide evidence of the corrective actions. This evidence could include updated documentation, proof of implemented changes, or logs showing that security controls are now working effectively.

5. Reassessment or Close-out Review:

If the remediation is successful, the C3PAO will verify the corrections and conduct a close-out review to ensure that all issues are resolved before proceeding to certification.

What If Your Organization Receives a Score Below 80%?

If the assessment results in a score below 80% (i.e., fewer than 88 practices are marked MET), the organization will need to correct all identified deficiencies before reassessment. Organizations often ask whether they should rush through remediation or take the time to address issues comprehensively.
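The scoring rules above (all 110 practices MET or NOT APPLICABLE for a final certificate, the 88-practice threshold, and the 180-day POA&M close-out window) are easy to get wrong when tracked by hand in a spreadsheet. The following Python script is an added example, not code from the original post or from Centraleyes, that encodes those rules so a compliance engineer can check an assessment result and a POA&M against them before the close-out review. It assumes that NOT APPLICABLE practices count toward the 88-practice threshold, and the practice identifiers and dates in the sample data are constructed placeholders.

```python
"""Check a CMMC Level 2 assessment result and POA&M against the rules in the post.

Added example; the thresholds come from the post, everything else is an assumption.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

TOTAL_PRACTICES = 110              # CMMC Level 2 / NIST SP 800-171 practice count
MINIMUM_SATISFIED_FOR_CONDITIONAL = 88   # 80% of 110, as stated in the post
POAM_CLOSEOUT_DAYS = 180           # POA&M close-out window from the Key Takeaways


class Result(Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NOT_APPLICABLE = "NOT APPLICABLE"


@dataclass
class PracticeResult:
    practice_id: str   # placeholder identifiers in the sample data (constructed)
    result: Result


@dataclass
class AssessmentOutcome:
    status: str        # "Final Level 2", "Conditional Level 2" or "Not certified"
    met: int
    not_met: int
    not_applicable: int
    poam_deadline: Optional[date] = None      # only set for a conditional status
    open_items: List[str] = field(default_factory=list)


@dataclass
class Milestone:
    """One POA&M line item: a NOT MET practice, its fix, and a due date."""
    practice_id: str
    description: str
    due: date
    closed_on: Optional[date] = None


def evaluate(results: List[PracticeResult], assessment_date: date) -> AssessmentOutcome:
    """Apply the post's scoring rules to a full set of 110 practice results."""
    if len(results) != TOTAL_PRACTICES:
        raise ValueError(f"expected {TOTAL_PRACTICES} practice results, got {len(results)}")
    met = sum(1 for r in results if r.result is Result.MET)
    not_applicable = sum(1 for r in results if r.result is Result.NOT_APPLICABLE)
    open_items = [r.practice_id for r in results if r.result is Result.NOT_MET]
    not_met = len(open_items)

    if not_met == 0:
        # Every practice is MET or NOT APPLICABLE: final certification.
        return AssessmentOutcome("Final Level 2", met, 0, not_applicable)
    # Assumption: NOT APPLICABLE practices count toward the 88-practice threshold.
    if met + not_applicable >= MINIMUM_SATISFIED_FOR_CONDITIONAL:
        deadline = assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS)
        return AssessmentOutcome("Conditional Level 2", met, not_met, not_applicable,
                                 poam_deadline=deadline, open_items=open_items)
    # Below 80%: remediate everything, then a full reassessment.
    return AssessmentOutcome("Not certified", met, not_met, not_applicable,
                             open_items=open_items)


def check_poam(outcome: AssessmentOutcome, milestones: List[Milestone],
               today: date) -> Dict[str, List[str]]:
    """Flag POA&M problems: NOT MET items with no milestone, milestones due after
    the 180-day deadline, and open milestones that are already overdue."""
    planned = {m.practice_id for m in milestones}
    findings: Dict[str, List[str]] = {
        "unplanned": [p for p in outcome.open_items if p not in planned],
        "past_deadline": [],
        "overdue": [],
    }
    for m in milestones:
        if outcome.poam_deadline is not None and m.due > outcome.poam_deadline:
            findings["past_deadline"].append(m.practice_id)
        if m.closed_on is None and m.due < today:
            findings["overdue"].append(m.practice_id)
    return findings


def sample_results(met: int, not_applicable: int, not_met: int) -> List[PracticeResult]:
    """Build a constructed 110-entry result set with placeholder practice ids."""
    sequence = ([Result.MET] * met + [Result.NOT_APPLICABLE] * not_applicable
                + [Result.NOT_MET] * not_met)
    return [PracticeResult(f"PRACTICE-{i:03d}", r) for i, r in enumerate(sequence, start=1)]


if __name__ == "__main__":
    outcome = evaluate(sample_results(100, 4, 6), date(2025, 1, 15))
    poam = [  # constructed POA&M; PRACTICE-108..110 deliberately have no milestone
        Milestone("PRACTICE-105", "Enable MFA on VPN", date(2025, 3, 1), date(2025, 2, 20)),
        Milestone("PRACTICE-106", "Central log retention", date(2025, 4, 1)),
        Milestone("PRACTICE-107", "Media sanitization SOP", date(2025, 8, 1)),
    ]
    print(outcome.status, "deadline:", outcome.poam_deadline)
    print(check_poam(outcome, poam, today=date(2025, 5, 1)))
```

Run it as a script to see the conditional outcome and the three classes of POA&M findings; in practice the `sample_results` call would be replaced by a loader for your assessor's results export, and the milestone list by your real POA&M.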

Centraleyes Pro Tip: Don’t rush the remediation process. Take the time to correct the deficiencies properly, as fixing them hastily may lead to future gaps that could further delay certification.

Step 6: Final Report and Certification Decision

Once the assessment is completed, the C3PAO will prepare a final report summarizing the findings. This report is submitted to the CMMC Accreditation Body (AB) for review.

Final Certification:

  • If your organization meets all the CMMC Level 2 requirements, you will receive your CMMC Level 2 certification.
  • If deficiencies are found, you will need to address the issues and undergo reassessment to achieve final certification.

Why Use Centraleyes for CMMC Certification?

Whether you’re targeting Level 1, Level 2, or Level 3 certification, our AI-powered tools automate evidence collection, track deficiencies, and ensure real-time oversight. The platform eliminates manual work, ensuring nothing falls through the cracks.

The Centraleyes platform generates System Security Plans (SSPs), SPRS score reports, and POA&Ms automatically from your live control data, ensuring accuracy and compliance with the latest CMMC requirements. 

Advanced remediation features help you identify, communicate, assign, and close gaps, set milestones, and automate remediation tracking, ensuring that your organization stays on track to close out issues swiftly. Real-time visibility and seamless collaboration ensure that distributed teams can work together.

What truly sets Centraleyes apart is its ability to oversee multiple entities from one dashboard. Centraleyes offers a single point of control to monitor progress, track milestones, and ensure alignment with multiple client programs simultaneously.

With Centraleyes+ service, you gain access to additional benefits like direct integration with certified auditors for a seamless CMMC audit process. 

Schedule a call to learn more about the Centraleyes CMMC Compliance Solution.

FAQs

1. How long is a CMMC certificate valid?

Once you receive a CMMC Level 2 certificate, it is valid for three years. You must maintain continuous compliance; however, you will not undergo another full assessment until the next renewal cycle, unless the DoD requests a spot check.

2. When will CMMC clauses start appearing in every DoD contract?

The Final Rule became effective on 16 December 2024. The DoD began inserting CMMC language into select solicitations in mid-2025, with full rollout across all covered contracts projected by FY 2028.

3. What does a C3PAO actually do, and how do I choose one?

A Certified Third-Party Assessment Organization (C3PAO) is the only entity authorized to perform Level 2 and Level 3 certification audits. The CMMC Accreditation Body lists approved C3PAOs on its marketplace; select one with availability within your timeframe and experience in environments similar to yours (e.g., cloud, manufacturing, classified enclaves).

4. How much should I budget for a Level 2 certification?

Typical total cost (including preparation, remediation, and the C3PAO audit) runs $40,000 to $100,000 for small and mid-size contractors. Large enterprises can spend several hundred thousand dollars once internal labor and remediation projects are added.

5. How long does the entire Level 2 process take from kickoff to certificate?

Plan on 6 to 12 months end-to-end: roughly two to three months for scoping and evidence collection, one to two weeks of assessment fieldwork, and the balance for remediation and DoD review. Well-prepared organizations can sometimes complete the process in as little as three to four months.

6. Do subcontractors need their own CMMC certification?

Yes. Any supplier (prime or subcontractor) creating, receiving, transmitting, or storing CUI for a covered contract must achieve the same CMMC level specified, or isolate the CUI in a certified enclave managed by the prime contractor.

7. Can I certify just one enclave instead of my whole network?

Absolutely. CMMC allows an enclave approach, where you can scope and certify a segmented environment that handles all CUI, thereby lowering both cost and complexity. Ensure that no CUI leaks outside the enclave; if it does, the assessment boundary expands to encompass the entire enterprise.

8. How is a POA&M different from my SPRS score?

Your SPRS score is a self-reported snapshot of NIST 800-171 implementation filed before any CMMC audit. A POA&M is a corrective-action plan generated during the official CMMC assessment to fix identified gaps; all items must be closed before you can earn (or keep) certification.
