
CMMC Level 2 Assessment Preparation: The 90-Day Readiness Sprint

15 min read · Updated May 14, 2026

Bottom Line Up Front

CMMC Level 2 assessment preparation requires implementing all 110 NIST SP 800-171 Rev 2 security controls, documenting them in a System Security Plan, reporting a current SPRS score, and either completing a self-assessment or engaging a C3PAO for third-party assessment depending on contract type. A disciplined 90-day sprint covers scope definition, control implementation, evidence collection, and assessment rehearsal.

The email arrives on a Tuesday. Your contracting officer has forwarded a notice: the new contract includes Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, and the performance period begins in four months. You need Cybersecurity Maturity Model Certification (CMMC) Level 2 certification before award. You pull up your last Supplier Performance Risk System (SPRS) submission and stare at a score that reflects good intentions more than verified controls.

You walk through your environment with fresh eyes. The Controlled Unclassified Information (CUI) boundary is vague. The System Security Plan (SSP) was last updated eighteen months ago. Multi-factor authentication (MFA) is deployed on some systems but not all. Access control policies exist in draft. Incident response procedures have never been tested. The gap between where you are and where the assessment requires you to be is not a gap you can paper over with a weekend project.

Ninety days is enough time, but not enough time to waste. The contractors who pass Certified Third-Party Assessment Organization (C3PAO) assessments are not the ones with the most sophisticated technology stacks. They are the ones who spent the preceding months building documented, testable evidence for all 110 controls, scoping their CUI environment tightly, and rehearsing the assessment before the assessor arrived. Start with scope, build toward evidence, and finish with a dress rehearsal. That sequence is the sprint.

Prepare for a CMMC Level 2 assessment in 90 days by following four phases: scope the CUI boundary and run a gap analysis (Days 1-30), implement controls and build the evidence package (Days 31-60), then rehearse the assessment and finalize the SPRS score (Days 61-90). C3PAO assessments typically range from $34,000 to $112,000 depending on in-scope asset count (operator estimates; no published rate card exists). Enclave scoping before the sprint starts reduces both cost and risk.

Understanding CMMC Level 2 Assessment Requirements

CMMC Level 2 maps directly to NIST SP 800-171 Rev 2 in its entirety, incorporating all 110 controls across 14 domains per 32 CFR §170.14(c)(3). No domain is optional. The standard was designed to protect CUI handled by defense contractors, and the assessment verifies that protection is real, not aspirational.

The final DFARS rule integrating CMMC 2.0 took effect November 10, 2025, with phased implementation continuing through 2028 per 32 CFR §170.3(e): Phase 1 (November 2025), Phase 2 (November 2026), Phase 3 (November 2027), and full implementation (November 2028). Contracts written after the effective date include DFARS 252.204-7021, which requires CMMC Level 2 compliance as a condition of award. For contractors already holding CUI contracts under DFARS 252.204-7012, the transition is mandatory under DFARS 252.204-7012(b).

Self-Assessment vs. C3PAO: The Path Decision

Two assessment paths exist under CMMC 2.0, and the contract determines which applies. Per 32 CFR §170.16, Level 2 self-assessment is permitted only for the narrow subset of Level 2 contracts specifically identified in the solicitation as eligible for that path. The contractor assesses against the 110 controls, calculates an SPRS score, and submits to the Supplier Performance Risk System. No third party reviews the evidence. The attestation carries legal weight under the False Claims Act (31 U.S.C. §3729) and 32 CFR §170.22.

The majority of Level 2 contracts require C3PAO certification under 32 CFR §170.17. A Certified Third-Party Assessment Organization sends trained assessors who review documentation, interview personnel, and test controls against the CMMC Assessment Process. The C3PAO issues a certification finding, which is recorded in the CMMC enterprise system (CMMC eMASS) under DoD CIO program management. DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) separately executes government-led Medium and High assessments under DFARS 252.204-7020, as it appears in the codified DFARS at acquisition.gov. Industry reporting of a renumbering to DFARS 252.240-7997 under the February 1, 2026 class deviation is not supported by a primary source as of May 2026, and practitioners should anchor citations to -7020 pending OSD memo publication.

SPRS Score: What the Number Actually Means

The SPRS score starts at 110, as detailed in the SPRS score calculation guide. Each of the 110 NIST SP 800-171 controls carries a point value. Unimplemented controls reduce the score. The weighted scoring system assigns heavier penalties to higher-risk controls. A score of 110 means all controls are fully implemented. Industry guidance commonly references 88 as a soft scrutiny threshold, below which contracting officers may request additional justification before award. No DFARS clause specifies a numerical threshold. The 88 figure is practitioner shorthand, not regulatory rule.

The score must be current before assessment. “Current” means the assessment was performed against the actual system state, not against a planned state. Submitting an SPRS score based on controls you intend to implement is a False Claims Act exposure, not a compliance strategy.

| Factor | Self-Assessment | C3PAO Third-Party Assessment |
|---|---|---|
| Who assesses | Internal team | Certified Third-Party Assessment Organization |
| Applies when | Solicitation specifically identifies as eligible per 32 CFR §170.16 | Majority of Level 2 contracts per 32 CFR §170.17 |
| Evidence reviewed by | Internal only | External assessors, evidence tested on-site |
| Result recorded in | SPRS (self-attested) | CMMC eMASS enterprise system under DoD CIO program management |
| Legal exposure | False Claims Act (self-attestation under 32 CFR §170.22) | False Claims Act (senior official attestation under 32 CFR §170.22) |
| Typical cost range | Internal labor + tooling | $34,000 to $112,000 depending on size and posture (operator estimates) |
| POA&M allowed | Yes, with time limits | Yes, for limited findings; conditional certification with 180-day closeout per 32 CFR §170.21; major deficiencies block certification |
| Timeline to schedule | Internal calendar | C3PAO backlog; plan 6 to 9 months for scheduling (per Cyber AB and industry capacity commentary) |

Days 1 to 30: Scope Definition and Gap Analysis

The most expensive mistake in CMMC preparation is treating the entire corporate IT environment as the assessment boundary. The assessment covers systems that process, store, or transmit CUI. Systems that have no contact with CUI are out of scope. A disciplined scoping exercise, executed before any remediation work begins, can reduce assessment cost by 30 to 50 percent.

Build the CUI Data Flow Diagram

Start by tracing every location where CUI enters, moves through, and exits the organization. Email. File shares. Cloud storage. Collaboration platforms. Laptops used for contract work. External drives. Each touchpoint is a potential in-scope system. The data flow diagram becomes the foundation of the System Security Plan and the first artifact an assessor reviews.

The National Archives CUI Registry defines what qualifies as CUI. Defense contractors typically encounter CUI categories including technical data, export-controlled information, and contract-sensitive data. Confirm with the contracting officer which categories apply to your specific contract before scoping decisions are final. CUI markings follow the NARA Registry taxonomy; the canonical Specified Category example for defense-sensitive technical data is SP-CTI (Controlled Technical Information), not SP-FED (which is a Limited Dissemination Control, not a Specified Category). Designation Indicator placement goes in the lower right of the first page or cover per DCSA Marking guidance, not near the top.

Execute the Gap Analysis Against All 110 Controls

Map current state against all 110 NIST SP 800-171 Rev 2 controls. The NIST SP 800-171A assessment objectives provide the specific evidence requirements for each control. Do not assess controls in the abstract. Assess them against the in-scope environment identified in the data flow diagram.

Document findings in three categories: fully implemented with evidence, partially implemented requiring remediation, and not implemented. Partially and not-implemented controls feed directly into the Plan of Action and Milestones (POA&M) and the remediation plan for Days 31 to 60.
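The three finding categories above are also the input to the SPRS score described earlier. As an added example (not from the article, and not a DoD tool), this Python turns a gap-analysis worksheet into an SPRS score and a POA&M list, applying the DoD Assessment Methodology rule that a partially implemented control loses its full weight except for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), which lose 3 of their 5 points. The control weights and findings are a constructed sample, not the full 110-control annex.

```python
"""SPRS score and POA&M derivation from gap-analysis findings (added example)."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    # The three categories the gap analysis records for each control.
    IMPLEMENTED = "fully implemented"
    PARTIAL = "partially implemented"
    NOT_IMPLEMENTED = "not implemented"


@dataclass(frozen=True)
class Finding:
    control: str      # NIST SP 800-171 Rev 2 requirement id, e.g. "3.5.3"
    weight: int       # 5, 3 or 1; illustrative here, real values come from Annex A
    status: Status
    owner: str = ""   # remediation owner, required for a usable POA&M entry
    due: str = ""     # target completion date (ISO), required for a POA&M entry


MAX_SCORE = 110
# Only these two controls receive partial credit (3 points off instead of 5).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one control."""
    if f.status is Status.IMPLEMENTED:
        return 0
    if f.status is Status.PARTIAL and f.control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[f.control]
    # Every other partial implementation scores as not implemented.
    return f.weight


def sprs_score(findings) -> int:
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam(findings):
    """POA&M rows for deficient controls; the last field lists missing owner/date."""
    rows = []
    for f in findings:
        if f.status is Status.IMPLEMENTED:
            continue
        missing = [name for name in ("owner", "due") if not getattr(f, name)]
        rows.append((f.control, f.status.value, deduction(f), missing))
    return rows


# Constructed sample worksheet with illustrative weights.
SAMPLE = [
    Finding("3.1.1", 5, Status.IMPLEMENTED),
    Finding("3.5.3", 5, Status.PARTIAL, "IT Ops", "2026-06-30"),   # MFA only for remote/privileged
    Finding("3.13.11", 5, Status.PARTIAL),                          # encryption not FIPS-validated
    Finding("3.4.1", 5, Status.NOT_IMPLEMENTED, "Sec Eng", "2026-07-15"),
    Finding("3.6.2", 5, Status.PARTIAL, "CISO", "2026-06-15"),      # partial -> full deduction
    Finding("3.3.1", 5, Status.IMPLEMENTED),
    Finding("3.1.5", 3, Status.NOT_IMPLEMENTED, "IT Ops", "2026-06-01"),
    Finding("3.1.22", 1, Status.NOT_IMPLEMENTED),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    for row in poam(SAMPLE):
        print(row)
```

Rows whose last field is non-empty are entries an assessor would read as tracked on paper only; they need an owner and a date before the worksheet becomes a POA&M.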

Consider an Enclave Strategy

An enclave strategy isolates CUI handling to a defined subset of systems, separate from the broader corporate network. Contractors who process CUI only within a purpose-built enclave, with strict access controls and no CUI on general corporate systems, dramatically reduce the assessment surface. If your architecture allows it, enclave design is a structural cost-reduction lever worth evaluating before the 90-day clock starts.

Prioritize the Remediation Backlog

Not all gaps carry equal weight. Access control (NIST SP 800-171 Rev 2, family 3.1), configuration management (family 3.4), and incident response (family 3.6) are high-penalty domains with assessor scrutiny disproportionate to their control count. MFA for privileged and remote users under control 3.5.3 is a single requirement that assessors test actively, not by reviewing a policy document. Note the distinction: §3.1.5 governs least privilege; §3.1.6 governs use of non-privileged accounts when accessing non-security functions. Both are tested. Sequence the remediation backlog with scoring weight and assessor attention as the ranking criteria.

Days 31 to 60: Control Implementation and Evidence Collection

Remediation without evidence documentation is remediation that did not happen, from an assessment perspective. Every control implemented in this phase requires an artifact. The artifact must exist in a format an assessor can review, trace to the specific control, and verify against the in-scope environment.

Build the System Security Plan in Parallel

The SSP is the primary assessment document under NIST SP 800-171 Rev 2 control 3.12.4. It maps each of the 110 controls to the implementation status, responsible personnel, and supporting evidence. Write the SSP as controls are implemented, not after. An SSP written retroactively from memory introduces inaccuracies that assessors find.

The SSP must describe the system boundary, the CUI categories handled, user roles and access levels, and the security architecture. Include the data flow diagram, network diagrams, and system component inventories. Assessors use the SSP as a map. If the map does not match the territory, the discrepancy is a finding.

High-Priority Control Domains

Access control (family 3.1) covers 22 requirements. Start with least-privilege enforcement under §3.1.5, account management procedures, and MFA for all users accessing CUI systems. §3.1.6 specifically requires use of non-privileged accounts when accessing non-security functions. Document the access control policy, the account provisioning workflow, and a current user access roster with role assignments.

Configuration management (family 3.4) requires a documented baseline configuration for each system type in scope, a change control process with approval records, and software inventory. The baseline configuration must be enforced, not aspirational.

Audit and accountability (family 3.3) requires logging on all in-scope systems, log retention appropriate to the environment, and review procedures. A SIEM or log aggregation platform, even a basic one, provides demonstrable coverage.

CMMC Level 2 Preparation Checklist

  • CUI data flow diagram completed and approved
  • System Security Plan drafted covering all 110 controls
  • Asset inventory completed for all in-scope systems
  • Network boundary diagram current and accurate
  • Gap analysis completed against NIST SP 800-171A assessment objectives
  • POA&M drafted for all deficient controls with remediation owners and dates
  • SPRS score calculated and submitted to Supplier Performance Risk System
  • MFA deployed for all users accessing CUI per control 3.5.3
  • Least-privilege access enforced (§3.1.5) with current user access roster; non-privileged account use for non-security functions per §3.1.6
  • Baseline configurations documented for all in-scope system types per control 3.4.1
  • Change control process documented with approval records per control 3.4.3
  • Audit logging enabled on all in-scope systems with retention policy per control 3.3.1
  • Incident response plan documented, tested, and trained per controls 3.6.1 and 3.6.2
  • Media protection procedures covering CUI on portable media per family 3.8
  • Personnel security procedures including screening and termination per family 3.9
  • Physical access controls for CUI processing locations per family 3.10
  • Risk assessment completed within prior 12 months per control 3.11.1
  • Security awareness training records current for all users per control 3.2.1
  • Evidence packages organized by control family for assessor review
  • C3PAO engagement letter signed and assessment date confirmed (if applicable)
  • Senior official briefed on attestation requirements and legal obligations under 32 CFR §170.22

POA&M Strategy

Plans of Action and Milestones allow contractors to proceed with contracts despite residual deficiencies, under defined conditions. For self-assessments, POA&M items must have realistic completion dates and must be closed within the period agreed upon with the contracting officer. For C3PAO assessments, assessors distinguish between minor deficiencies that can be captured in a POA&M and major deficiencies that block certification. For CMMC conditional certifications, 32 CFR §170.21 requires POA&M closeout within 180 days after conditional certification is issued.

A POA&M is not a substitute for control implementation. It is documentation that a gap is known, owned, and on a trajectory to closure. A POA&M that lists 40 controls as “planned” with no evidence of progress signals an organization that submitted a score rather than built compliance.

Days 61 to 90: Assessment Rehearsal and Final Preparation

The last 30 days are not for implementation. They are for verification, rehearsal, and hardening the evidence package against the questions an assessor will actually ask. Contractors who use this phase for remediation have miscalculated the timeline.

Conduct an Internal Assessment Dry Run

Assign someone who did not build the controls to walk through the NIST SP 800-171A assessment objectives, control by control, and test whether the evidence holds. “Examine” objectives require documentation. “Interview” objectives require knowledgeable personnel. “Test” objectives require live system verification.

For every control, confirm three things: the evidence exists, it is current, and it matches what the SSP describes. A control documented as “fully implemented” in the SSP but missing supporting evidence is a finding.

Prepare Personnel for Assessor Interviews

C3PAO assessors interview system administrators, security personnel, and end users. The interviews test whether personnel understand the controls they operate, not whether they can recite policy language. Brief all personnel with assessor-facing roles. Cover the specific controls they are responsible for. Run one tabletop interview per control domain.

Finalize SPRS Score and Attestation

Calculate the final SPRS score based on the current implementation state. Submit to the Supplier Performance Risk System before the assessment date. The score submission is a legal attestation by a senior company official under 32 CFR §170.22 (senior official affirmation). That official must be briefed on what the score represents and what it does not. Note: industry reporting indicates that a February 1, 2026 DFARS class deviation may have suppressed DFARS 252.204-7019 for new prime contracts; this awaits primary-source verification of the OSD memo. The clause remains codified in DFARS Part 252 at acquisition.gov as of May 2026. The attestation legal authority now flows through 32 CFR §170.22 and DFARS 252.204-7021 for CMMC-applicable solicitations.

The audit fix: enter the assessment with as few open POA&M items as possible. For items that cannot be closed, confirm the POA&M documentation is current: realistic completion dates, documented progress, assigned owners, and evidence of activity. A stale POA&M is worse than no POA&M. It signals that the item is tracked on paper but not actively managed.

CMMC Level 2 assessment preparation is a project management problem as much as a technical one. Contractors who pass on the first attempt scope tightly, document evidence as they build, rehearse before the assessor arrives, and treat attestation as the legal obligation it is. The 90-day framework is not aggressive for an organization with foundational controls in place. For an organization starting at zero, six to twelve months is the realistic timeline. And with C3PAO scheduling now requiring 6 to 9 months of lead time, the clock starts earlier than most contractors expect.

Frequently Asked Questions

How long does CMMC Level 2 assessment preparation take?

Preparation ranges from 6 to 12 months for most defense contractors, depending on starting posture and environment size. Organizations with mature IT governance and existing NIST 800-171 implementation can compress this timeline. The 90-day sprint assumes foundational work is in place. C3PAO scheduling requires 6 to 9 months of lead time in the current market, so assessment planning must begin well before the certification deadline.

What is the cost of a C3PAO Level 2 assessment?

C3PAO assessments typically range from $34,000 to $112,000 based on operator estimates, varying by organization size, number of in-scope assets, and current posture. No published rate card exists; actual pricing varies by C3PAO. Contractors with tightly scoped CUI enclaves pay less. Total program costs including remediation are often multiples of the assessment fee.

What happens if the C3PAO finds deficiencies?

Minor deficiencies can be captured in a POA&M under a conditional certification, with 32 CFR §170.21 requiring closeout within 180 days. Major deficiencies in high-risk control families can block certification until remediated and reassessed. Contractors who discover major deficiencies during assessment face both remediation costs and reassessment fees.

Do all defense contractors need a C3PAO assessment?

The assessment path is contract-specific. Per 32 CFR §170.16, Level 2 self-assessment is limited to the narrow subset of solicitations that specifically identify it as the permitted path. The majority of Level 2 contracts require C3PAO certification per 32 CFR §170.17. The contracting officer confirms which path applies. As DFARS 252.204-7021 phases in through 2028, more contracts will specify the required path.

What is the SPRS score and who sees it?

The SPRS score is a numerical representation of NIST SP 800-171 implementation status, starting at 110 and reduced by weighted control values per the DoD Assessment Methodology. Contracting officers view scores when evaluating contractor readiness. Industry guidance commonly references 88 as a soft scrutiny threshold below which contracting officers may request additional justification, but no DFARS clause specifies a numerical threshold. The 88 figure is practitioner shorthand, not a regulatory rule.

Can a contractor win a contract with open POA&M items?

For self-assessment paths, yes, with contracting officer acceptance. For C3PAO paths, it depends on whether findings are minor (conditional certification + 180-day closeout under 32 CFR §170.21) or major (blocks certification). Contractors who miss POA&M closure dates create contract performance risk.

How often does CMMC Level 2 certification need renewal?

C3PAO certifications are valid for three years per 32 CFR §170.17. Self-assessments must be affirmed annually under 32 CFR §170.22. Between cycles, contractors are responsible for maintaining controls and updating the SPRS score if implementation status changes materially.

What is the biggest reason contractors fail assessments?

The gap between documented controls and implemented controls. Assessors test whether controls are operational, not whether they are described in a policy. An incident response plan that has never been tested, or access procedures nobody follows, creates findings regardless of what the SSP says.


Discipline in preparation. Confidence in the room.

Josef Kamara
CPA · CISSP · CISA · ACCA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Third-Party Risk Management Practice Lead), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.
