Self-Assessment Guide

CMMC Level 2 Readiness: Do You Actually Need It?

Most defense contractors assume CMMC Level 2 applies to them. Many are wrong — and spending money they don't need to. This guide tells you definitively where you stand, what it actually costs, and what to do next.

6 min read
Updated June 2026
Companion to /cmmc-level-2.html

The Only Question That Matters

CMMC Level 2 doesn't apply to every defense contractor. It triggers based on what your contracts require you to handle — specifically, Controlled Unclassified Information (CUI). Start here.

Your contracts contain DFARS 252.204-7012

This clause requires NIST SP 800-171 compliance, which is the foundation of CMMC Level 2. If you've signed a contract with this clause and you handle or process CUI, you already owe NIST SP 800-171 implementation today, whether or not the CMMC clause (DFARS 252.204-7021) has been added to the contract yet. CMMC Level 2 is the assessment of that same set of 110 requirements, so you're in scope for Level 2.

Level 2 Required

You're not sure if your contracts have this clause

Pull your top 3 contracts by value and search the text for "252.204-7012", "252.204-7019", "252.204-7020" and "252.204-7021" (the CMMC clause itself), or simply for "DFARS". If you find 7012, you're in. If you find only FAR 52.204-21 (basic safeguarding of FCI), you're likely Level 1. If you find none of them, you may not be in scope yet.

Possibly Level 2

You handle FCI (Federal Contract Information) but not CUI

FCI triggers CMMC Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21, self-assessed annually). CUI triggers Level 2 (all 110 requirements of NIST SP 800-171). Many primes handle both; subcontractors often only handle FCI until a task order changes that, so re-check scope whenever the work changes.

Possibly Level 1

You only work as a commercial item contractor

If your work is purely commercial and none of your contracts include DFARS clauses or require CUI handling, CMMC may not apply to you at all. Confirm with your legal or contracting officer.

Likely Not in Scope

What CUI Actually Looks Like

Even if your contract has the DFARS clause, Level 2 only applies to CUI you handle. Contractors regularly discover CUI exposure they didn't expect, and just as often find that data they assumed was CUI is not. Check the markings and the CUI Registry categories, not your intuition.

You're working on a DoD contract

If your customer is a prime or subcontractor on a defense contract, assume CUI is in scope until proven otherwise. DoD contractors handling technical data (usually marked as Controlled Technical Information, CUI//SP-CTI), program information, or operational details almost always handle CUI, and much of it is generated on the contractor's own systems rather than delivered by the government already marked.

Level 2 Likely Required

You receive or generate classified data

Classified information falls under NISPOM / ICD 705, not CMMC. CMMC is for unclassified but sensitive information. Don't assume one means the other — they're separate compliance tracks.

Check NISPOM First

Your team uses cloud services (Microsoft 365, Google Workspace, AWS)

This is where most contractors get caught. DFARS 252.204-7012 requires any external cloud service that stores, processes or transmits CUI to meet the FedRAMP Moderate baseline or an equivalent (DoD's December 2023 memo defines "equivalent" as a FedRAMP-recognized 3PAO assessment showing 100% of the Moderate baseline), and the provider must also accept the clause's incident-reporting, media-preservation and forensic-access obligations. A commercial Microsoft 365, Google Workspace or AWS tenant with default settings does not satisfy this by itself; you need the government-community or GovCloud offering that carries the authorization, configured so that CUI stays inside its authorization boundary.

Requires Cloud Review

Your work is purely in unclassified, non-CUI environments

If you can affirmatively state that no CUI has been, is being, or will be generated, processed, stored, or transmitted on your systems — you may be out of scope. This requires a formal determination, not a guess.

CUI Assessment Needed

Based on what you've read — here's where you stand and what to do next.

110 Controls. Where Are You?

CMMC Level 2 maps directly to NIST SP 800-171 Rev 2. Check each area honestly. If you score below 80% in any category, that category will dominate your remediation timeline and cost. Remember that the DoD Assessment Methodology does not weight requirements equally: most cost 1 point when unmet, but a subset (MFA, boundary protection, malware protection and FIPS-validated encryption among them) cost 5, so one missing 5-point requirement hurts your SPRS score more than several 1-point gaps.

Access Control (AC)

MFA enforced on all accounts. Privileged access documented. No shared admin passwords.

Media Protection (MP)

CUI stored only on encrypted, labeled media. Sanitization procedures documented for disposal.

Audit & Accountability (AU)

Security events logged centrally, retained 1+ years, reviewed monthly, anomalous activity flagged.

Configuration Management (CM)

Baseline configurations documented, change control process exists, unauthorized changes detected and reversed.

Identification & Authentication (IA)

Multifactor authentication enforced for all network access and for every privileged login (PIV/CAC or FIDO2 authenticators preferred over one-time codes). No legacy password-only authentication paths. Service accounts inventoried, owned and rotated.


Incident Response (IR)

IR plan tested annually, cyber incidents reported to DoD via DIBNet within 72 hours of discovery (this requires a DoD-approved medium assurance certificate, so obtain it before you need it), affected system images and monitoring data preserved for at least 90 days, chain of custody maintained.

Risk Assessment (RA)

System security plan current, CUI data flow mapped, monthly vulnerability scans, annual risk assessment.

System & Communications Protection (SC)

Boundary firewalls configured deny-by-default, traffic monitored, data in transit encrypted (TLS 1.2+ using FIPS-validated cryptographic modules), hardened baselines such as DISA STIGs or CIS Benchmarks applied.


System & Information Integrity (SI)

Malware detection active, SIEM configured, threat signatures updated within 24 hours, false positives managed.

Personnel Security (PS)

NDA and security awareness training completed before access granted. Annual refresher. Departing employee access revoked same day.

Physical Protection (PE)

CUI systems in locked, access-controlled space. Visitor logs maintained and visitors escorted. Physical media locked away in a locked container or access-controlled room (GSA-approved security containers are a classified-information requirement, not a CUI one).

Security Assessment (CA)

POA&M current and tracked. Security assessment report prepared. Continuous monitoring plan in place.

Legend: rate each area as Implemented, Partially / Inconsistent, Missing, or Unknown / Not Documented.

What CMMC Level 2 Actually Costs

Nobody publishes real numbers. Here's what contractors actually spend — based on 2025–2026 engagement data from the AltiriOS vCISO practice.

Small Contractor
$45K – $120K
Total program cost, Year 1
  • Gap assessment & POA&M creation
  • SSP (System Security Plan) drafting
  • Policy & procedure documentation
  • Technical remediation (firewall, MFA, SIEM)
  • C3PAO readiness review
  • Staff: 5–50 employees
Large / Sub-Prime
$280K – $700K+
Total program cost, Year 1
  • Enterprise-wide CMMC program
  • Multiple locations in scope
  • Extensive cloud & SaaS remediation
  • Third-party supply chain scoping
  • C3PAO pre-assessment
  • Staff: 300+ employees

What drives the range? Primary cost drivers: how many systems process CUI, whether cloud environments are in scope, how many people need security training, and whether you have a current System Security Plan. A contractor who already has NIST 800-171 documentation is 40–60% cheaper to certify than one starting from scratch.

What 12–18 Months Actually Looks Like

Plan on 12–18 months for Level 2 certification from a standing start. In practice, most contractors who start today won't achieve certification until mid-to-late 2027 at the earliest. Here's why, and what's actually in your control.

Phase 1 — Months 1–3
Gap Assessment & Program Foundation
Map all systems that handle CUI and draw the assessment boundary (anything that stores, processes or transmits CUI, plus the security-protection assets that guard it). Conduct a NIST 800-171 gap assessment against all 110 controls. Create the System Security Plan (SSP) and Plan of Action & Milestones (POA&M). Identify your CUI data flows. Get leadership sign-off on the scope.
Duration: 8–12 weeks · Owner: vCISO / GRC consultant
Phase 2 — Months 3–8
Technical Implementation & Policy Documentation
Implement the controls in the POA&M. This typically runs in parallel with policy documentation: you can't write meaningful policies for controls you haven't implemented yet. Most organizations find 40–60% of controls already partially implemented; the gap is in documentation and evidence, not technology.
Duration: 4–6 months · Owner: IT + security team
Phase 3 — Months 8–12
Internal Validation & C3PAO Pre-Assessment
Run through all 110 controls with evidence artifacts. Conduct an internal readiness review or hire a C3PAO for a pre-assessment (~$15K–$35K). Identify remaining gaps. Fix what's fixable. For anything that will still be open on assessment day, check whether it is POA&M-eligible under the CMMC rule (only 1-point requirements, with a short list of exceptions); a single open 5-point item such as MFA blocks certification outright.
Duration: 4–6 months · Involves: C3PAO pre-assessment
Phase 4 — Months 12–18
C3PAO Assessment & Certification
The C3PAO conducts the official assessment (2–5 days on-site or remote) and scores it with the DoD Assessment Methodology. Every requirement MET gives a Final Level 2 certification. A score of at least 88 of 110 (80%) with only POA&M-eligible items open gives a Conditional Level 2 certification; you then have 180 days to close the POA&M and pass a C3PAO closeout assessment, or the conditional status lapses and you start over with a new, paid assessment. Anything else is no certification. Certification is valid for 3 years, and you must submit an annual affirmation of continued compliance in SPRS to keep it active.
C3PAO fee: $40K–$75K · Certification valid 3 years
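The scoring rules behind the 110-control checklist above and the Phase 4 outcomes (Final, Conditional, or no certification) are mechanical enough to put in code. The following is an added example, not part of the original guide or any AltiriOS tooling: it scores a set of open findings the way the DoD Assessment Methodology does (110 points minus 1, 3 or 5 per unmet requirement, with the two partial-credit cases) and then applies the 32 CFR 170.21 conditions for a Conditional Level 2 certification. The WEIGHTS table is a constructed partial excerpt of the methodology's point values; replace it with the full 110-row table before relying on the numbers, and treat the sample gap lists as made-up input.

```python
"""Score a NIST SP 800-171 Rev 2 assessment the way the DoD Assessment
Methodology does, then map the result to the CMMC Level 2 outcomes defined
in 32 CFR 170.21 (Final, Conditional with POA&M, or not certified).

Added example, not part of the original guide. WEIGHTS is a constructed
partial excerpt: swap in the full 110-row table from the DoD Assessment
Methodology before using the numbers for anything real.
"""
from __future__ import annotations

MAX_SCORE = 110          # one point per requirement before deductions
MIN_SCORE = -203         # floor defined by the DoD Assessment Methodology
CONDITIONAL_PERCENT = 80 # 32 CFR 170.21: at least 80% for a Conditional Level 2

# Point values for requirements whose deduction is not 1 (partial excerpt;
# assumption for this example: anything not listed here is a 1-point item).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.5.3": 5, "3.13.1": 5, "3.13.11": 5, "3.14.2": 5,
    "3.1.5": 3, "3.3.2": 3,
}
# Two requirements carry a reduced 3-point deduction when partially in place:
#   3.5.3   MFA covers remote and privileged access but not all users
#   3.13.11 CUI is encrypted, but not with FIPS-validated cryptography
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# 1-point items that 32 CFR 170.21 still bars from a Conditional POA&M.
POAM_BARRED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
SSP_REQ = "3.12.4"       # no System Security Plan -> no assessment at all


def deduction(req: str, status: str) -> int:
    """Points lost for one open requirement ('not_met' or 'partial')."""
    if status == "partial" and req in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req]
    return WEIGHTS.get(req, 1)


def sprs_score(open_findings: dict[str, str]) -> int:
    """open_findings maps requirement id -> 'not_met' | 'partial'.
    Every requirement not listed is treated as MET."""
    if SSP_REQ in open_findings:
        raise ValueError(f"{SSP_REQ}: no System Security Plan, score cannot be computed")
    lost = sum(deduction(req, status) for req, status in open_findings.items())
    return max(MIN_SCORE, MAX_SCORE - lost)


def poam_eligible(req: str, status: str) -> bool:
    """May this open requirement sit on a Conditional certification POA&M?"""
    if req in POAM_BARRED:
        return False
    if req == "3.13.11":            # the one >1-point item allowed, if partial
        return status == "partial"
    return WEIGHTS.get(req, 1) == 1


def level2_outcome(open_findings: dict[str, str]) -> tuple[str, int, list[str]]:
    """Return (outcome, score, requirements). For 'conditional' the list is
    the POA&M; for 'not_certified' it is what blocks certification."""
    score = sprs_score(open_findings)
    if not open_findings:
        return "final", score, []
    blockers = [r for r, s in open_findings.items() if not poam_eligible(r, s)]
    meets_floor = score * 100 >= MAX_SCORE * CONDITIONAL_PERCENT  # integer compare, no float edge
    if meets_floor and not blockers:
        return "conditional", score, sorted(open_findings)
    if not meets_floor:
        blockers.append(f"score {score} below {MAX_SCORE * CONDITIONAL_PERCENT // 100}")
    return "not_certified", score, blockers


if __name__ == "__main__":
    # Constructed sample gap lists, not real assessment data.
    samples = {
        "clean":           {},
        "fips-gap":        {"3.13.11": "partial", "3.12.2": "not_met", "3.11.3": "not_met"},
        "partial-mfa":     {"3.5.3": "partial", "3.12.2": "not_met"},
        "external-conns":  {"3.1.20": "not_met"},
        "five-point-gaps": {r: "not_met" for r in ("3.1.1", "3.1.2", "3.5.3", "3.13.1", "3.14.2")},
    }
    for name, gaps in samples.items():
        print(f"{name:16} -> {level2_outcome(gaps)}")
```

The "partial-mfa" case is the one that surprises people: MFA rolled out to admins and VPN users but not the general population scores 106 of 110, comfortably above the 80% line, and still cannot be certified, because a 3-point deduction is not POA&M-eligible. The "external-conns" case shows the other trap: 3.1.20 is only worth one point, yet it is on the barred list, so one missing control over external connections costs you the conditional path.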

⚠ Heads up: CMMC is phased in over three years. Phase 1 of the DFARS rule took effect 10 November 2025 (new awards can require Level 1 and Level 2 self-assessments); Phase 2, one year later, lets contracts require a C3PAO Level 2 certification; full implementation across all applicable contracts follows in November 2028. Your contracts won't all demand Level 2 at once, but 2025 and 2026 awards increasingly include Level 2 requirements. If you're bidding on new work, assume Level 2 is the floor, not the ceiling.

Things Contractors Usually Get Wrong

These questions come up in virtually every vCISO initial call. If any of these are keeping you up at night, we've answered them plainly.

Does CMMC apply to subcontractors?
Yes, if your subcontract includes DFARS 252.204-7012 and you handle CUI. Subcontractors are not exempt from CMMC: the clause flows down to every tier that handles FCI or CUI, at the level matching the information that tier handles. Many primes are now pushing Level 2 requirements downstream to all subcontractors who might encounter CUI, even where the flow-down strictly requires only Level 1. Check your subcontract language carefully. If the prime contract has the clause, your subcontract almost certainly has it too.

What's the difference between Level 1 and Level 2?
Level 1 = 15 requirements (the FAR 52.204-21 basic safeguarding requirements), annual self-assessment and affirmation. Suitable for contractors who only handle FCI, not CUI. Level 2 = the 110 requirements of NIST SP 800-171 Rev 2 (the revision the CMMC rule currently pins; adopting Rev 3 would take a rule change). Depending on the contract, Level 2 is either a triennial self-assessment or a C3PAO certification assessment, and contracts involving CUI will overwhelmingly specify the C3PAO route. The gap between Level 1 and Level 2 is substantial: it isn't a linear 15 → 110 step, because Level 2 requires policy documentation, evidence artifacts and continuous monitoring that Level 1 does not.

Can we keep using Microsoft 365, Google Workspace or AWS for CUI?
Yes, but only on an offering that meets DFARS 252.204-7012(b)(2)(ii)(D): the cloud service must hold FedRAMP Moderate (or a DoD-recognized equivalent) and the provider must accept the clause's incident-reporting, media-preservation and forensic-access obligations. Microsoft 365 GCC High is the tenant Microsoft markets for export-controlled CUI and DFARS 7012 work; it is a separate license on separate infrastructure, and it still has to be configured correctly. Whether standard GCC is acceptable depends on which CUI categories you hold (export-controlled data rules it out), so get that determination in writing from your contracting officer. Commercial M365 or commercial AWS regions with default settings are a CMMC gap.

What happens if we fail the assessment?
It depends on how far short you fell. The C3PAO scores the assessment with the DoD methodology (110 points, minus 1, 3 or 5 per unmet requirement). All 110 MET gives a Final certification. At least 88 points (80%) with only POA&M-eligible items open (1-point requirements, with a short list of exceptions, plus CUI encryption that is in place but not FIPS-validated) gives a Conditional certification and a hard 180-day window to close the POA&M and pass a C3PAO closeout assessment; miss it and the conditional status lapses and you re-assess from scratch, paying again. Below 88 points, or with any 3- or 5-point requirement open, there is no certification and no POA&M window at all. A failed first assessment typically costs 50–75% of the original assessment fee in re-assessment costs and 60–90 days of program delay. Organizations that do thorough internal validation before engaging a C3PAO almost never fail.

When does CMMC actually become mandatory?
It's phased in over three years, and the timeline is no longer hypothetical. The 2020 DFARS interim rule (DFARS Case 2019-D041, clauses 252.204-7019 and 7020) already requires a NIST SP 800-171 self-assessment score posted in SPRS for contracts covered by 252.204-7012. CMMC, through 252.204-7021, adds the third-party assessment requirement. Under the final DFARS rule effective 10 November 2025, Level 2 C3PAO requirements are being phased into new awards starting with the highest-priority programs, with full implementation across all applicable contracts set for November 2028. If you're planning to bid on DoD work beyond 2027, assume Level 2 is mandatory.

Does our contract type (T&M, FFP, cost-plus) change anything?
No. CMMC requirements flow from the DFARS clause in your contract, not the contract type. T&M, firm-fixed-price, cost-plus: none of them change your obligation to comply with the security requirements in your contract. The only exemptions are contracts where the DFARS clause is not included (pure COTS purchases, for example) and contractors who can affirmatively state that no FCI or CUI is in scope. Read your contract, not the contract type.

Does SOC 2 count toward CMMC?
Partially. SOC 2 covers some controls but misses 60+ NIST 800-171 requirements. SOC 2 Type II gives you a head start on access control, audit logging and incident response. But SOC 2 says nothing about CUI handling and marking, FCI safeguarding, media sanitization to NIST SP 800-88, the DFARS 72-hour reporting obligation, or the FedRAMP requirement for cloud services holding CUI, and a SOC 2 report is evidence an assessor may read, not a certification that replaces the assessment. Think of SOC 2 as a foundation, not a certification. Many contractors with mature SOC 2 programs still need 6–9 months of CMMC-specific work.

Stop guessing where you stand.

Take a structured CMMC readiness assessment — or talk to a vCISO who can read your contracts and tell you exactly what you're on the hook for. No sales pitch. Just a clear picture.

Also available: CMMC Level 2 Deep-Dive · NIST 800-171 Controls Explorer