Level 2 isn't a checkbox. It's a 12–18 month organizational transformation with a $100K–$280K price tag and a binary pass/fail assessment at the end. Here's the honest breakdown — no vendor fluff.
Short answer: if you're processing, storing, or transmitting Controlled Unclassified Information (CUI) on behalf of the DoD — Level 2 is mandatory. Full stop.
Level 1 covers federal contract information (FCI) only. Level 2 is required for any contractor handling CUI — technical data, engineering drawings, test results, software code, and operational details that aren't classified but still require protection.
The threshold question isn't "do I have a clearance." It's "does my contract require CUI handling?" If the answer is yes, Level 2 is yours, and there's no graceful deferral. One nuance: the solicitation will specify either a Level 2 self-assessment or a Level 2 C3PAO certification assessment. The 110 requirements are identical in both cases; only who performs the assessment differs. The assessment queue for C3PAOs is growing, so starting early matters.
Level 2 maps to NIST SP 800-171 Rev 2: 110 security requirements across 14 families (CMMC calls them domains). CMMC practice identifiers combine the domain, the level at which the requirement first appears, and the 800-171 requirement number, so AC.L2-3.1.3 is "Control CUI flow" in the Access Control family. Here's what assessors actually look at, per domain.
| Domain | Requirements | What Assessors Check |
|---|---|---|
| Access Control (AC) | 3.1.1 – 3.1.22 (22) | Account and privilege limits, least privilege and separation of duties, session lock and termination, remote and wireless access controls, CUI flow control, mobile device and portable storage restrictions |
| Awareness & Training (AT) | 3.2.1 – 3.2.3 (3) | Security awareness training records, role-based training for admins and developers, insider threat awareness |
| Audit & Accountability (AU) | 3.3.1 – 3.3.9 (9) | Event logging coverage, traceability of actions to individual users, log review and reporting cadence, clock synchronization, protection of audit data and tools |
| Configuration Management (CM) | 3.4.1 – 3.4.9 (9) | Baseline configs, change control records, least functionality, software allow/deny lists, controls on user-installed software |
| Identification & Authentication (IA) | 3.5.1 – 3.5.11 (11) | Unique user IDs, MFA for network and privileged access, replay-resistant authentication, password complexity and reuse rules, obscured authentication feedback |
| Incident Response (IR) | 3.6.1 – 3.6.3 (3) | Incident response plan and capability, incident tracking and reporting chain, IR plan testing |
| Maintenance (MA) | 3.7.1 – 3.7.6 (6) | Maintenance records, controls on maintenance tools and media, sanitization of equipment sent off-site, supervised and MFA-protected nonlocal maintenance |
| Media Protection (MP) | 3.8.1 – 3.8.9 (9) | Media marking and access limits, sanitization records, transport controls, encryption on portable media, protection of backups |
| Personnel Security (PS) | 3.9.1 – 3.9.2 (2) | Screening before CUI access, termination and transfer procedures |
| Physical Protection (PE) | 3.10.1 – 3.10.6 (6) | Physical access limits, visitor escort and access logs, management of keys and badges, safeguards at alternate work sites |
| Risk Assessment (RA) | 3.11.1 – 3.11.3 (3) | Periodic risk assessments, vulnerability scan reports, remediation records |
| Security Assessment (CA) | 3.12.1 – 3.12.4 (4) | Periodic control assessments, POA&M currency, continuous monitoring, the System Security Plan itself |
| System & Communications Protection (SC) | 3.13.1 – 3.13.16 (16) | Boundary protection and DMZ, FIPS-validated cryptography, CUI encrypted in transit and at rest, session authenticity, no split tunneling, denial-by-default network traffic |
| System & Information Integrity (SI) | 3.14.1 – 3.14.7 (7) | Flaw remediation cadence, malicious code protection and signature updates, monitoring of security alerts and advisories, system and inbound/outbound traffic monitoring |
67 of the 110 requirements are "process-implemented", meaning you need written policies, documented procedures, and evidence of actual execution. It's not enough to say "we have a policy." Assessors work from the assessment objectives in NIST SP 800-171A, and a requirement is MET only when every one of its objectives is MET; they want the policy and the records proving it runs. A single missing evidence artifact can fail an objective, and with it the whole requirement.
Getting your System Security Plan right is the single biggest factor in assessment success. Here's what "Plan of Action" actually means, step by step.
The System Security Plan is your master compliance document: it describes your security requirements, who owns them, and how they're implemented. A proper SSP includes your network architecture diagram, the CUI boundary and asset inventory, user access inventory, incident response plan, configuration baselines, and subcontractor flow documentation. The SSP is itself a requirement (CA.L2-3.12.4), and the DoD Assessment Methodology won't score a system that lacks one. If you don't have an SSP, you're not ready for assessment.
Before scheduling an assessment, run an internal assessment against all 110 requirements using a 0–5 maturity model. Score 0–2 on more than 20% of requirements = high risk for third-party assessment. Most contractors we work with land at score 1–2 on first pass. Score the same gap list with the NIST SP 800-171 DoD Assessment Methodology as well, because that is the number you report to SPRS and the number a C3PAO produces: start at 110 and subtract 1, 3 or 5 points for each unmet requirement according to its weight, with partial credit (3 points instead of 5) only for MFA (IA.L2-3.5.3) and FIPS-validated CUI encryption (SC.L2-3.13.11). The honest self-assessment here saves you from surprises at the C3PAO stage.
Plan of Action and Milestones is your remediation roadmap. For each gap identified, document: the requirement gap, required remediation action, responsible person, resource requirements, and completion date. Gaps without a POA&M entry look like you don't know the problem exists. Don't plan on a large open POA&M at assessment time: the CMMC rule (32 CFR 170.21) only grants a conditional Level 2 status if the score is at least 88 of 110, every open item is a 1-point requirement (the one exception is SC.L2-3.13.11 when encryption is in place but not FIPS-validated), none of AC.L1-3.1.20, AC.L1-3.1.22, PE.L1-3.10.3, PE.L1-3.10.4 or PE.L1-3.10.5 is open, and everything is closed out within 180 days. Verify the exact wording against the rule text, and treat anything beyond a handful of 1-point items as "not ready".
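The following script, added for this article and not DoD or C3PAO tooling, turns the two steps above into something you can run on a gap list: it computes the DoD Assessment Methodology score (110 minus weighted deductions, with the two partial-credit cases) and then applies the 32 CFR 170.21 conditions for a conditional Level 2 status. The `WEIGHTS` table is a subset reproduced from memory for the example and must be checked against the published methodology before use; the 88-point floor, the 1-point rule, the five excluded requirements and the 180-day closeout are stated as this editor reads the rule. The sample gap list, owners and dates are constructed.

```python
"""Score a CMMC Level 2 gap list with the NIST SP 800-171 DoD Assessment
Methodology and test whether the open gaps could sit on a POA&M at assessment
time (32 CFR 170.21). Example code for this article, not DoD tooling."""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110
MIN_CONDITIONAL_SCORE = 88          # 0.8 * 110: floor for conditional status
POAM_CLOSEOUT_DAYS = 180            # days allowed to close a conditional POA&M

# Subset of the methodology's weight table. Assumption: reproduced from memory
# for this example; a real run needs all 110 rows verified against the table.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.1.7": 1,
    "3.1.20": 1, "3.1.22": 1, "3.3.1": 5, "3.3.2": 3, "3.3.3": 1,
    "3.5.3": 5, "3.10.3": 1, "3.10.4": 1, "3.10.5": 1,
    "3.11.2": 5, "3.11.3": 1, "3.13.11": 5, "3.13.16": 1,
    "3.14.1": 5, "3.14.2": 5,
}
# Partial credit: deduct 3 instead of 5 when MFA covers remote and privileged
# access but not all network access (3.5.3), or when CUI is encrypted but not
# with FIPS-validated modules (3.13.11).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# Level 1 requirements that may never appear on a Level 2 POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
SSP_REQUIREMENT = "3.12.4"          # unscored: without an SSP there is no assessment


@dataclass
class Finding:
    req: str            # 800-171 requirement number, e.g. "3.5.3"
    status: str         # "met", "partial" or "not_met"
    owner: str = ""     # POA&M fields from the article's remediation roadmap
    due: str = ""


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one requirement."""
    if f.status == "met":
        return 0
    if f.req == SSP_REQUIREMENT:
        raise ValueError("3.12.4 not met: no SSP, the system cannot be scored")
    if f.status == "partial":
        if f.req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{f.req} has no partial-credit option")
        return PARTIAL_DEDUCTION[f.req]
    return WEIGHTS[f.req]


def sprs_score(findings: list[Finding]) -> int:
    """Score as reported to SPRS: 110 minus the weighted deductions.
    Requirements absent from the list are treated as MET."""
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def poam_eligible(findings: list[Finding]) -> tuple[bool, list[str]]:
    """Apply the 32 CFR 170.21 conditions for a conditional Level 2 status."""
    reasons = []
    score = sprs_score(findings)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below {MIN_CONDITIONAL_SCORE}")
    for f in findings:
        if f.status == "met":
            continue
        if f.req in NEVER_ON_POAM:
            reasons.append(f"{f.req} may never be on a Level 2 POA&M")
        elif deduction(f) > 1 and not (f.req == "3.13.11" and f.status == "partial"):
            reasons.append(f"{f.req} deducts {deduction(f)} points; only 1-point gaps may stay open")
    return (not reasons, reasons)


def remediate(findings: list[Finding], fixed: set[str]) -> list[Finding]:
    """Return the gap list with the given requirements marked MET."""
    return [Finding(f.req, "met", f.owner, f.due) if f.req in fixed else f for f in findings]


# Constructed gap list for a mid-sized contractor after a first self-assessment.
SAMPLE_GAPS = [
    Finding("3.1.3", "not_met", "netops", "2025-03-01"),      # CUI flow control
    Finding("3.3.3", "not_met", "secops", "2025-02-15"),      # log review
    Finding("3.5.3", "partial", "it", "2025-04-01"),          # MFA not on all network access
    Finding("3.13.11", "partial", "it", "2025-05-01"),        # encryption not FIPS-validated
    Finding("3.13.16", "not_met", "it", "2025-03-15"),        # CUI at rest
    Finding("3.11.3", "not_met", "secops", "2025-02-28"),     # vuln remediation
    Finding("3.1.20", "not_met", "netops", "2025-02-01"),     # external connections (Level 1)
    Finding("3.14.1", "not_met", "it", "2025-03-01"),         # flaw remediation
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_GAPS))
    ok, why = poam_eligible(SAMPLE_GAPS)
    print("conditional status possible:", ok)
    for r in why:
        print("  -", r)
    fixed = remediate(SAMPLE_GAPS, {"3.5.3", "3.1.20", "3.14.1"})
    print("after fixing the blockers:", sprs_score(fixed), poam_eligible(fixed))
```

The point the numbers make: the constructed list scores 94, comfortably above 88, yet it is not POA&M-eligible because of three items (a 5-point flaw-remediation gap, a 3-point partial MFA gap, and a Level 1 requirement the rule excludes). Closing just those three raises the score to 103 and leaves only 1-point items and the permitted non-FIPS encryption case open. Run the real table through it and you will usually find that the blockers are a short list of high-weight requirements, not the long tail of 1-point gaps.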
Evidence is what makes or breaks an assessment. Every control requires artifacts that prove implementation. Most contractors underestimate evidence collection by 3–4x. If you're doing it right, you need a dedicated evidence management system. The table below shows what assessors expect per control area.
| Control Area | Evidence Required |
|---|---|
| Access Control | User provisioning logs, quarterly access review reports, terminated employee checklists |
| Audit & Accountability | SIEM logs, log review sign-off records, incident timeline documentation |
| Configuration Management | Baseline configs, change request tickets, approval records |
| Incident Response | Incident response plan, tabletop test results, incident runbooks |
| Media Protection | Media sanitization certificates, media inventory logs |
| Risk Assessment | Vulnerability scan reports, risk register, threat assessment documentation |
Third-party assessments (C3PAO) run 2–5 days depending on company size and complexity. Larger organizations with more systems and users get longer assessments. Here's what gets covered:
C3PAOs use a binary model: each NIST SP 800-171A assessment objective is either MET or NOT MET, and a requirement is MET only when all of its objectives are. No partial credit on the MET/NOT MET call (the 3-point partial scores for MFA and FIPS encryption affect the score, not the finding). A single unimplemented access control objective fails that requirement. Too many failures, or failures on requirements the rule won't allow on a POA&M, mean no certification and a fresh assessment once you've remediated.
If assessors find gaps that still qualify for a conditional status (score of at least 88, only eligible 1-point items open), you get a POA&M closeout window of 180 days to fix the findings and have the C3PAO verify them in a closeout assessment. This costs time and money, since you're paying for the closeout assessment, and if the POA&M isn't closed in time the conditional status lapses. Common reasons for remediation:
Most mid-tier defense contractors need 12–18 months. Here's the phased roadmap with realistic cost ranges.
$100K–$280K over 18 months for a small-to-mid contractor. Large enterprises with existing compliance infrastructure may spend less on implementation but more on documentation overhead. Start now: the C3PAO queue is growing, and prime contractors are already requiring Level 2 from their subcontractors.
You're assessment-ready when you can check off every item below. If you're not sure, run a mock assessment first.
The most common mistake: treating CMMC as an IT project rather than an organizational one. Your IT team can implement the technical controls, but without documented processes, trained personnel, and a GRC infrastructure, you'll fail assessment on process-implemented controls.