
CMMC Level 2 Assessment Preparation: The 90-Day Readiness Sprint

Updated May 2, 2026

Bottom Line Up Front

CMMC Level 2 assessment preparation requires implementing all 110 NIST SP 800-171 Rev 2 security controls, documenting them in a System Security Plan, reporting a current SPRS score, and either completing a self-assessment or engaging a C3PAO for third-party assessment depending on contract type. A disciplined 90-day sprint covers scope definition, control implementation, evidence collection, and assessment rehearsal.

The email arrives on a Tuesday. Your contracting officer has forwarded a notice: the new contract includes Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, and the performance period begins in four months. You need Cybersecurity Maturity Model Certification (CMMC) Level 2 certification before award. You pull up your last Supplier Performance Risk System (SPRS) submission and stare at a score that reflects good intentions more than verified controls.

You walk through your environment with fresh eyes. The Controlled Unclassified Information (CUI) boundary is vague. The System Security Plan (SSP) was last updated eighteen months ago. Multi-factor authentication (MFA) is deployed on some systems but not all. Access control policies exist in draft. Incident response procedures have never been tested. The gap between where you are and where the assessment requires you to be is not a gap you can paper over with a weekend project.

Ninety days is enough time, but not enough time to waste. The contractors who pass Certified Third-Party Assessment Organization (C3PAO) assessments are not the ones with the most sophisticated technology stacks. They are the ones who spent the preceding months building documented, testable evidence for all 110 controls, scoping their CUI environment tightly, and rehearsing the assessment before the assessor arrived. Start with scope, build toward evidence, and finish with a dress rehearsal. That sequence is the sprint.

Prepare for a CMMC Level 2 assessment in 90 days by following four phases: scope the CUI boundary and run a gap analysis (Days 1-30), implement controls and build the evidence package (Days 31-60), then rehearse the assessment and finalize the SPRS score (Days 61-90). C3PAO assessments cost $34,000 to $112,000 depending on in-scope asset count. Enclave scoping before the sprint starts reduces both cost and risk.

Understanding CMMC Level 2 Assessment Requirements

CMMC Level 2 maps directly to NIST SP 800-171 Rev 2 in its entirety. All 110 controls across 14 domains. No domain is optional. The standard was designed to protect CUI handled by defense contractors, and the assessment verifies that protection is real, not aspirational.

The final DFARS rule integrating CMMC 2.0 took effect November 10, 2025, with phased implementation continuing through 2026. Contracts written after that date include DFARS 252.204-7021, which requires CMMC Level 2 compliance as a condition of award. For contractors already holding CUI contracts under DFARS 252.204-7012, the transition is mandatory.

Self-Assessment vs. C3PAO: The Path Decision

Two assessment paths exist under CMMC 2.0, and the contract determines which applies. Self-assessment covers non-prioritized CUI: the contractor assesses against the 110 controls, calculates an SPRS score, and submits the score to the Supplier Performance Risk System. No third party reviews the evidence. The attestation carries legal weight under the False Claims Act.

C3PAO assessment covers prioritized CUI, which includes contracts involving programs of record or specific categories identified by the Department of Defense (DoD). A Certified Third-Party Assessment Organization sends trained assessors who review documentation, interview personnel, and test controls against the CMMC Assessment Process. The C3PAO issues a finding, and the Defense Contract Management Agency (DCMA) receives the result.

SPRS Score: What the Number Actually Means

The SPRS score starts at 110, as detailed in the SPRS score calculation guide. Each of the 110 NIST SP 800-171 controls carries a point value. Unimplemented controls reduce the score. The weighted scoring system assigns heavier penalties to higher-risk controls. A score of 110 means all controls are fully implemented. A score below 88 triggers DoD scrutiny under DFARS 252.204-7019.

The score must be current before assessment. “Current” means the assessment was performed against the actual system state, not against a planned state. Submitting an SPRS score based on controls you intend to implement is a False Claims Act exposure, not a compliance strategy.

Self-Assessment vs. C3PAO Third-Party Assessment, factor by factor:

Who assesses
  Self-assessment: Internal team
  C3PAO: Certified Third-Party Assessment Organization

Applies when
  Self-assessment: Non-prioritized CUI contracts
  C3PAO: Prioritized CUI contracts, programs of record

Evidence reviewed by
  Self-assessment: Internal only
  C3PAO: External assessors; evidence tested on-site

Result recorded in
  Self-assessment: SPRS (self-attested)
  C3PAO: CMMC database via DCMA

Legal exposure
  Self-assessment: False Claims Act (self-attestation)
  C3PAO: False Claims Act (attestation by senior official)

Typical cost range
  Self-assessment: Internal labor plus tooling
  C3PAO: $34,000 to $112,000 depending on size and posture

POA&M allowed
  Self-assessment: Yes, with time limits
  C3PAO: Yes, for limited findings; major deficiencies block certification

Timeline to schedule
  Self-assessment: Internal calendar
  C3PAO: C3PAO backlog; plan 60 to 90 days for scheduling

Days 1 to 30: Scope Definition and Gap Analysis

The most expensive mistake in CMMC preparation is treating the entire corporate IT environment as the assessment boundary. The assessment covers systems that process, store, or transmit CUI. Systems that have no contact with CUI are out of scope. A disciplined scoping exercise, executed before any remediation work begins, can reduce assessment cost by 30 to 50 percent.

Build the CUI Data Flow Diagram

Start by tracing every location where CUI enters, moves through, and exits the organization. Email. File shares. Cloud storage. Collaboration platforms. Laptops used for contract work. External drives. Each touchpoint is a potential in-scope system. The data flow diagram becomes the foundation of the System Security Plan and the first artifact an assessor reviews.

The National Archives CUI Registry defines what qualifies as CUI. Defense contractors typically encounter CUI categories including technical data, export-controlled information, and contract-sensitive data. Confirm with the contracting officer which categories apply to your specific contract before scoping decisions are final.

Execute the Gap Analysis Against All 110 Controls

Map current state against all 110 NIST SP 800-171 Rev 2 controls. The NIST SP 800-171A assessment objectives provide the specific evidence requirements for each control. Do not assess controls in the abstract. Assess them against the in-scope environment identified in the data flow diagram.

Document findings in three categories: fully implemented with evidence, partially implemented requiring remediation, and not implemented. Partially and not-implemented controls feed directly into the Plan of Action and Milestones (POA&M) and the remediation plan for Days 31 to 60.
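As an added worked example (not from this article), the following Python script turns gap-analysis findings in those three categories into an SPRS-style score and a POA&M backlog ordered by scoring weight, which is how the remediation sequence later in the sprint is ranked. It assumes the DoD NIST SP 800-171 Assessment Methodology's scheme of 5, 3 or 1 points per control with a reduced 3-point deduction for a partially implemented 3.5.3 or 3.13.11; the specific weights attached to the sample controls, the control subset, and the owners and dates are constructed for illustration, and a real run would load all 110 controls with their published values.

```python
"""Added example (not from the article): turn gap-analysis findings into an
SPRS-style score and a POA&M backlog ordered by scoring weight.
Assumptions: the 5/3/1-point scheme and the reduced 3-point deduction for a
partially implemented 3.5.3 or 3.13.11 follow the DoD NIST SP 800-171
Assessment Methodology; the per-control weights below are illustrative
(take authoritative values from the methodology), and the control subset
and sample findings are constructed. A real run loads all 110 controls."""
from __future__ import annotations
from dataclasses import dataclass

PERFECT_SCORE = 110
MIN_SCORE = -203            # floor reached when every control is unimplemented
SCRUTINY_THRESHOLD = 88     # below this, DFARS 252.204-7019 scrutiny applies

# Constructed subset of the 110 controls with illustrative point weights.
CONTROL_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.2.1": 3, "3.3.1": 5, "3.4.1": 5,
    "3.4.3": 1, "3.5.3": 5, "3.6.1": 5, "3.6.2": 5, "3.11.1": 3, "3.13.11": 5,
}
# Only these two controls earn partial credit under the methodology:
# MFA for privileged/remote but not all users (3.5.3), or encryption in
# use but not FIPS-validated (3.13.11), deducts 3 instead of the full 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
STATUSES = ("implemented", "partial", "not_implemented")


@dataclass
class Finding:
    control: str
    status: str
    owner: str = ""
    due: str = ""


def deduction(f: Finding) -> int:
    """Points deducted for one control given its gap-analysis status."""
    if f.status not in STATUSES:
        raise ValueError(f"unknown status {f.status!r} for {f.control}")
    if f.control not in CONTROL_WEIGHTS:
        raise KeyError(f"{f.control} is not in the control catalogue")
    if f.status == "implemented":
        return 0
    if f.status == "partial" and f.control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[f.control]
    return CONTROL_WEIGHTS[f.control]   # any other partial counts as not implemented


def _resolved(findings: list[Finding]) -> list[Finding]:
    """One finding per catalogued control. Controls with no finding are treated
    as not implemented, so an incomplete gap analysis cannot inflate the score."""
    by_control = {f.control: f for f in findings}
    return [by_control.get(c, Finding(c, "not_implemented")) for c in CONTROL_WEIGHTS]


def sprs_score(findings: list[Finding]) -> int:
    """Score = 110 minus every deduction, never below the methodology floor."""
    total = sum(deduction(f) for f in _resolved(findings))
    return max(PERFECT_SCORE - total, MIN_SCORE)


def needs_scrutiny(score: int) -> bool:
    return score < SCRUTINY_THRESHOLD


def _control_key(control: str) -> tuple[int, ...]:
    """Sort '3.13.11' after '3.3.1' numerically rather than lexically."""
    return tuple(int(p) for p in control.split("."))


def poam_backlog(findings: list[Finding]) -> list[dict]:
    """POA&M rows for each deficient control, heaviest deduction first,
    flagging rows that have no owner or no completion date."""
    rows = []
    for f in _resolved(findings):
        pts = deduction(f)
        if pts:
            rows.append({"control": f.control, "status": f.status, "deduction": pts,
                         "owner": f.owner or "UNASSIGNED", "due": f.due or "UNSCHEDULED"})
    rows.sort(key=lambda r: (-r["deduction"], _control_key(r["control"])))
    return rows


# Constructed gap-analysis output for the subset above.
SAMPLE_FINDINGS = [
    Finding("3.1.1", "implemented"), Finding("3.1.2", "implemented"),
    Finding("3.1.3", "partial", "IT ops", "2026-06-15"),
    Finding("3.2.1", "implemented"),
    Finding("3.3.1", "not_implemented", "Security", "2026-06-30"),
    Finding("3.4.1", "partial", "IT ops", "2026-06-30"),
    Finding("3.4.3", "implemented"),
    Finding("3.5.3", "partial", "IT ops", "2026-06-01"),
    Finding("3.6.1", "not_implemented"),          # no owner, no date: flagged
    Finding("3.6.2", "not_implemented", "Security", "2026-07-15"),
    Finding("3.11.1", "implemented"),
    # 3.13.11 has no finding at all and is therefore scored as not implemented
]

if __name__ == "__main__":
    score = sprs_score(SAMPLE_FINDINGS)
    print(f"SPRS score: {score} (below scrutiny threshold: {needs_scrutiny(score)})")
    for row in poam_backlog(SAMPLE_FINDINGS):
        print(row)
```

Two design choices matter for assessment honesty: a control with no finding is scored as unimplemented rather than silently skipped, and a partially implemented control outside the two partial-credit cases loses its full weight, which mirrors how the score is meant to be calculated rather than how a contractor might wish it were.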

Evaluate an Enclave Strategy

An enclave strategy isolates CUI handling to a defined subset of systems, separate from the broader corporate network. Contractors who process CUI only within a purpose-built enclave, with strict access controls and no CUI on general corporate systems, dramatically reduce the assessment surface. If your architecture allows it, enclave design is a structural cost-reduction lever worth evaluating before the 90-day clock starts.

Prioritize the Remediation Backlog

Not all gaps carry equal weight. Access control (NIST SP 800-171 Rev 2, family 3.1), configuration management (family 3.4), and incident response (family 3.6) are high-penalty domains with assessor scrutiny disproportionate to their control count. MFA for privileged users under control 3.5.3 is a single requirement that assessors test actively, not by reviewing a policy document. Sequence the remediation backlog with scoring weight and assessor attention as the ranking criteria.

Days 31 to 60: Control Implementation and Evidence Collection

Remediation without evidence documentation is remediation that did not happen, from an assessment perspective. Every control implemented in this phase requires an artifact. The artifact must exist in a format an assessor can review, trace to the specific control, and verify against the in-scope environment.

Build the System Security Plan in Parallel

The SSP is the primary assessment document under NIST SP 800-171 Rev 2 control 3.12.4. It maps each of the 110 controls to the implementation status, responsible personnel, and supporting evidence. Write the SSP as controls are implemented, not after. An SSP written retroactively from memory introduces inaccuracies that assessors find.

The SSP must describe the system boundary, the CUI categories handled, user roles and access levels, and the security architecture. Include the data flow diagram, network diagrams, and system component inventories. Assessors use the SSP as a map. If the map does not match the territory, the discrepancy is a finding.

High-Priority Control Domains

Access control (family 3.1) covers 22 requirements. Start with least-privilege enforcement, account management procedures, and MFA for all users accessing CUI systems. Document the access control policy, the account provisioning workflow, and a current user access roster with role assignments.

Configuration management (family 3.4) requires a documented baseline configuration for each system type in scope, a change control process with approval records, and software inventory. The baseline configuration must be enforced, not aspirational.

Audit and accountability (family 3.3) requires logging on all in-scope systems, log retention appropriate to the environment, and review procedures. A SIEM or log aggregation platform, even a basic one, provides demonstrable coverage.

CMMC Level 2 Preparation Checklist

  • CUI data flow diagram completed and approved
  • System Security Plan drafted covering all 110 controls
  • Asset inventory completed for all in-scope systems
  • Network boundary diagram current and accurate
  • Gap analysis completed against NIST SP 800-171A assessment objectives
  • POA&M drafted for all deficient controls with remediation owners and dates
  • SPRS score calculated and submitted to Supplier Performance Risk System
  • MFA deployed for all users accessing CUI per control 3.5.3
  • Least-privilege access enforced with current user access roster per controls 3.1.1 and 3.1.2
  • Baseline configurations documented for all in-scope system types per control 3.4.1
  • Change control process documented with approval records per control 3.4.3
  • Audit logging enabled on all in-scope systems with retention policy per control 3.3.1
  • Incident response plan documented, tested, and trained per controls 3.6.1 and 3.6.2
  • Media protection procedures covering CUI on portable media per family 3.8
  • Personnel security procedures including screening and termination per family 3.9
  • Physical access controls for CUI processing locations per family 3.10
  • Risk assessment completed within prior 12 months per control 3.11.1
  • Security awareness training records current for all users per control 3.2.1
  • Evidence packages organized by control family for assessor review
  • C3PAO engagement letter signed and assessment date confirmed (if applicable)
  • Senior official briefed on attestation requirements and legal obligations

POA&M Strategy

Plans of Action and Milestones allow contractors to proceed with contracts despite residual deficiencies, under defined conditions. For self-assessments, POA&M items must have realistic completion dates and must be closed within the period agreed upon with the contracting officer. For C3PAO assessments, assessors distinguish between minor deficiencies that can be captured in a POA&M and major deficiencies that block certification.

A POA&M is not a substitute for control implementation. It is documentation that a gap is known, owned, and on a trajectory to closure. A POA&M that lists 40 controls as “planned” with no evidence of progress signals an organization that submitted a score rather than built compliance.

Days 61 to 90: Assessment Rehearsal and Final Preparation

The last 30 days are not for implementation. They are for verification, rehearsal, and hardening the evidence package against the questions an assessor will actually ask. Contractors who use this phase for remediation have miscalculated the timeline.

Conduct an Internal Assessment Dry Run

Assign someone who did not build the controls to walk through the NIST SP 800-171A assessment objectives, control by control, and test whether the evidence holds. “Examine” objectives require documentation. “Interview” objectives require knowledgeable personnel. “Test” objectives require live system verification.

For every control, confirm three things: the evidence exists, it is current, and it matches what the SSP describes. A control documented as “fully implemented” in the SSP but missing supporting evidence is a finding.
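Those three checks can be scripted against the SSP control map and an evidence register so the dry run is repeatable rather than a one-off reading. The following Python is an added example, not the article's own material; the SSP excerpt, evidence register, test observations, as-of date and 180-day freshness window are all constructed assumptions.

```python
"""Added example (not from the article): dry-run check that, for every
control in the SSP, evidence exists, is current, and matches the tested
state of the control. All data below is constructed."""
from __future__ import annotations
from datetime import date

# Assumed freshness window for evidence artifacts (constructed value;
# set it to whatever your assessment policy requires).
MAX_EVIDENCE_AGE_DAYS = 180

# Constructed SSP excerpt: control -> claimed status and evidence reference.
SSP = {
    "3.1.1": {"status": "implemented", "evidence": "access-roster-2026Q2.xlsx"},
    "3.3.1": {"status": "implemented", "evidence": "log-retention-policy.pdf"},
    "3.5.3": {"status": "implemented", "evidence": "mfa-enforcement-export.csv"},
    "3.6.1": {"status": "planned", "evidence": ""},
}

# Constructed evidence register: artifact -> date it was collected.
EVIDENCE_REGISTER = {
    "access-roster-2026Q2.xlsx": date(2026, 4, 20),
    "log-retention-policy.pdf": date(2025, 9, 1),
    # mfa-enforcement-export.csv was never collected
}

# Constructed results of the "test" objectives: control -> operating as claimed?
TEST_RESULTS = {"3.1.1": True, "3.3.1": True, "3.5.3": False}

AS_OF = date(2026, 5, 2)   # constructed date of the dry run


def evidence_age_days(artifact: str, register: dict[str, date], as_of: date) -> int | None:
    """Age of an artifact in days, or None if it is not in the register."""
    collected = register.get(artifact)
    return None if collected is None else (as_of - collected).days


def dry_run(ssp: dict, register: dict[str, date], test_results: dict[str, bool],
            as_of: date, max_age_days: int = MAX_EVIDENCE_AGE_DAYS) -> dict[str, list[str]]:
    """Return {control: [issues]} for every control that fails a check;
    controls that pass all three checks do not appear in the result."""
    issues: dict[str, list[str]] = {}

    def flag(control: str, msg: str) -> None:
        issues.setdefault(control, []).append(msg)

    for control, entry in ssp.items():
        artifact = entry["evidence"]
        if entry["status"] != "implemented":
            # Not a finding in itself, but the item must be tracked in the POA&M.
            flag(control, f"SSP status is '{entry['status']}': confirm a POA&M entry with owner and date")
            continue
        # Check 1: evidence exists. Check 2: evidence is current.
        if not artifact:
            flag(control, "claimed implemented but no evidence referenced")
        else:
            age = evidence_age_days(artifact, register, as_of)
            if age is None:
                flag(control, f"evidence '{artifact}' not found in register")
            elif age > max_age_days:
                flag(control, f"evidence stale ({age} days old; limit {max_age_days})")
        # Check 3: the SSP claim matches what a live test shows.
        observed = test_results.get(control)
        if observed is None:
            flag(control, "no test result recorded; run the test objective")
        elif not observed:
            flag(control, "SSP says implemented but test shows control not operating")
    return issues


def sample_dry_run() -> dict[str, list[str]]:
    return dry_run(SSP, EVIDENCE_REGISTER, TEST_RESULTS, AS_OF)


if __name__ == "__main__":
    for control, msgs in sample_dry_run().items():
        for msg in msgs:
            print(f"{control}: {msg}")
```

Run against the constructed data, 3.1.1 passes all three checks, 3.3.1 fails only on freshness, 3.5.3 fails on both missing evidence and a failed test, and 3.6.1 is routed to the POA&M check. The point of keeping the three checks separate is that each maps to a different assessor question: examine, examine with a date, and test.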

Prepare Personnel for Assessor Interviews

C3PAO assessors interview system administrators, security personnel, and end users. The interviews test whether personnel understand the controls they operate, not whether they can recite policy language. Brief all personnel with assessor-facing roles. Cover the specific controls they are responsible for. Run one tabletop interview per control domain.

Finalize SPRS Score and Attestation

Calculate the final SPRS score based on the current implementation state. Submit to the Supplier Performance Risk System before the assessment date. The score submission is a legal attestation by a senior company official under DFARS 252.204-7019. That official must be briefed on what the score represents and what it does not.

The audit fix is simple. Enter the assessment with as few open POA&M items as possible. For items that cannot be closed, confirm the POA&M documentation is current: realistic completion dates, documented progress, assigned owners, and evidence of activity. A stale POA&M is worse than no POA&M. It signals that the item is tracked on paper but not actively managed.

CMMC Level 2 assessment preparation is a project management problem as much as a technical one. Contractors who pass on the first attempt scope tightly, document evidence as they build, rehearse before the assessor arrives, and treat attestation as the legal obligation it is. The 90-day framework is not aggressive for an organization with foundational controls in place. For an organization starting at zero, six to twelve months is the realistic timeline.

Frequently Asked Questions

How long does CMMC Level 2 assessment preparation take?

Preparation ranges from 6 to 12 months for most defense contractors, depending on starting posture and environment size. Organizations with mature IT governance and existing NIST 800-171 implementation can compress this timeline. The 90-day sprint assumes foundational work is in place.

What is the cost of a C3PAO Level 2 assessment?

C3PAO assessments typically cost between $34,000 and $112,000, varying by organization size, number of in-scope assets, and current posture. Contractors with tightly scoped CUI enclaves pay less. Total program costs including remediation are often multiples of the assessment fee.

What happens if the C3PAO finds deficiencies?

Minor deficiencies can be captured in a POA&M and closed within a defined remediation period. Major deficiencies in high-risk control families can block certification until remediated and reassessed. Contractors who discover major deficiencies during assessment face both remediation costs and reassessment fees.

Do all defense contractors need a C3PAO assessment?

The assessment path is contract-specific. Prioritized CUI contracts require C3PAO assessment. Non-prioritized CUI contracts permit self-assessment. The contracting officer confirms which applies. As DFARS 252.204-7021 rolls out through 2026, more contracts will specify the required path.

What is the SPRS score and who sees it?

The SPRS score is a numerical representation of NIST SP 800-171 implementation status, starting at 110 and reduced by weighted control values. Contracting officers view scores when evaluating contractor readiness. A score below 88 triggers scrutiny under DFARS 252.204-7019.

Can a contractor win a contract with open POA&M items?

For self-assessment paths, yes, with contracting officer acceptance. For C3PAO paths, it depends on whether findings are minor (POA&M allowed) or major (blocks certification). Contractors who miss POA&M closure dates create contract performance risk.

How often does CMMC Level 2 certification need renewal?

C3PAO certifications are valid for three years. Self-assessments must be affirmed annually. Between cycles, contractors are responsible for maintaining controls and updating the SPRS score if implementation status changes materially.

What is the biggest reason contractors fail assessments?

The gap between documented controls and implemented controls. Assessors test whether controls are operational, not whether they are described in a policy. An incident response plan that has never been tested, or access procedures nobody follows, creates findings regardless of what the SSP says.


Discipline in preparation. Confidence in the room.

Josef Kamara, CPA, CISSP, CISA, Security+

Former KPMG and BDO. Senior manager over third-party risk attestations and IT audits at a top-five global firm, and former technology risk leader directing the IT audit function at a Fortune 500 medical technology company. Advises growth-stage SaaS companies on SOC 2, HIPAA, and AI governance certifications.
