CMMC Level 2 Compliance Is Here: What DoD Contractors Need to Know Now
- Kevin Allison

- Dec 3, 2025
- 7 min read

For years, CMMC has been “coming soon.” That is over.
With the CMMC program rule finalized in 32 CFR and the acquisition rule in 48 CFR now effective, the Department of Defense has officially started phasing CMMC into live contracts.
Phase 1 began on November 10, 2025, and new requirements are already being written into new solicitations.
If you handle Controlled Unclassified Information (CUI), CMMC Level 2 Compliance is your new baseline. This is not a “nice to have” or a future initiative; it is about whether you will be eligible for new work.
What CMMC Level 2 Compliance Really Requires
CMMC Level 2 = NIST SP 800-171 Done for Real
CMMC Level 2 Compliance is designed for organizations that process, store, or transmit CUI. It maps directly to the 110 security requirements in NIST SP 800-171 Rev. 2, enforced via DFARS 252.204-7012.
In other words: if you have been saying “we’re aligned with 800-171,” Level 2 is how DoD now validates that claim.
At a high level, Level 2 requires:
A documented and living System Security Plan (SSP) covering all 110 controls that explains how each requirement is implemented
Objective evidence that your controls are operating (not just written policies on a shelf)
Formal assessment (self-assessment or third-party), every three years, plus annual affirmations in SPRS
Self-assessment vs. Third-party assessment
Under CMMC 2.0, Level 2 comes in two flavors:
Self-assessment: for programs where CUI is not considered “critical to national security.”
Third-party assessment: for higher-risk programs, where you must be assessed by an accredited CMMC Third-Party Assessment Organization (C3PAO) every three years.
Crucially, you do not get to choose which one applies. The solicitation will specify whether a self-assessment is enough, or a C3PAO certification is required.
What’s New in the Latest Rules
A few things have shifted from the “early days” of CMMC to the finalized program and acquisition rules.
Phased Rollout with Real Dates
The final rule establishes a three-year phased implementation tied to the effective date of the acquisition rule (48 CFR), November 10, 2025.
Today’s reality:
Phase 1 (Nov 10, 2025 - Nov 9, 2026)
DoD requires Level 1 and Level 2 self-assessments at the time of award in applicable new solicitations and contracts.
DoD may require C3PAO Certified assessments for Level 2 in select contracts during this phase.
Phase 2 (starting Nov 10, 2026)
DoD will require C3PAO Certified assessments for new Level 2 solicitations, and for some existing contracts, during this phase.
By November 2028
Self-assessed or C3PAO assessed (Level 1 or 2, as applicable) becomes mandatory for all DoD contracts that involve FCI or CUI, unless a specific exception applies.
So, while 2028 sounds “far off,” the impact is now.
SPRS Scores + Annual Affirmations
CMMC does not replace your existing NIST 800-171 self-assessment in SPRS; it formalizes and strengthens it:
You must enter your Level 2 assessment scores and upload an affirmation to SPRS.
Leaders will be personally attesting to the accuracy of those submissions.
False claims risk is not theoretical; DoD and DOJ have been clear that misrepresentations can trigger False Claims Act exposure.
A passing SPRS score is 110 of 110.
When Do You Really Need Level 2 - Before You Lose Work?
Let us translate the rulemaking into practical milestones.
Short Answer
If your contracts involve CUI, they will require CMMC Level 2 Compliance:
At a minimum, you must achieve a passing self-assessed Level 2 posture to stay competitive in new bids during year 1.
The DoD will allow submission of a score lower than 110 if you have a Plan of Action & Milestones (POA&M) for unmet requirements, but only for a limited 180-day period and only for applicable controls.
Depending on your contract, you need to be ready for a C3PAO assessment by November 10, 2026.
By 2028, if you are still not compliant, you will be locked out of any contracts that involve CUI.
Key Risk Points
Phase 1 (Right Now: Nov 2025-Nov 2026)
Level 1 & Level 2 self-assessments required in contracts.
DoD or Prime may require third-party Level 2 assessments.
C3PAO capacity is limited.
Phase 2 (Starting Nov 10, 2026)
For contracts designated as requiring C3PAO-assessed Level 2, you will need your certification before receiving an award, or risk losing the award entirely.
C3PAO capacity will remain limited.
By November 2028
CMMC will be baked into all applicable contracts involving FCI or CUI, Level 3 included.
Bottom line: If you start today, you are planning how to keep and grow revenue. If you wait until 2026, you will be planning which contracts you are going to lose.
Common Pitfalls on the Road to Level 2
I see the same mistakes repeatedly, many of them from companies that genuinely think they’re close to compliance.
Pitfall 1: Treating CMMC Like a Paperwork Exercise
CMMC is not just about having policies; it is about demonstrating implemented and operating controls:
Policy says, “we log and monitor privileged access.”
Evidence shows actual logs, alerts, and reviews occurring on a defined cadence.
If your effort is focused solely on copying templates without implementing the underlying technical and procedural changes, you are building a house of cards that will collapse under a C3PAO review.
Pitfall 2: Mis-Scoping Your Environment
Level 2 is all about identifying the systems and assets that touch CUI and then securing them appropriately. Mis-scoping is one of the biggest failure points:
Including everything in scope drives unnecessary cost and complexity.
Under-scoping (forgetting backup systems, admin workstations, third-party SaaS tools) leaves gaps a C3PAO will absolutely notice, and you will FAIL your assessment.
Using the official Level 2 scoping guidance and assessment guide from DoD is non-negotiable. I strongly recommend the use of a GRC tool to help.
Pitfall 3: Weak or “Copy-Paste” System Security Plans
Your SSP is the backbone of your Level 2 posture. Common issues:
Generic language that does not match your actual architecture
Controls claimed as “implemented” with no linked evidence
Missing references to diagrams, inventories, and data flows
A strong SSP is specific, current, and cross-referenced with your asset inventory, network diagrams, and evidence library.
Pitfall 4: Over-Reliance on POA&Ms
The final rule allows for Plans of Action and Milestones (POA&Ms) for a limited subset of requirements and only under defined scoring thresholds and timelines, even when doing a self-assessment. It is not a license to procrastinate.
Most C3PAOs will not start an assessment with an outstanding POA&M.
If a C3PAO does accept a POA&M, you will get conditional approval that is valid for only 180 days. Further, the C3PAO must re-validate that the POA&M items are closed before issuing final certification.
There are limits on how a POA&M item can be closed; in particular, closure cannot consist solely of documentation updates.
Typical mistakes:
Marking too many controls as “we’ll fix this later” without realistic timelines.
Using POA&Ms for foundational security gaps (e.g., no MFA, no centralized logging).
Failing to track and close POA&M items, leaving you perpetually “half-compliant.”
POA&Ms must be surgical and time-bound.
Pitfall 5: Ignoring Subcontractors and Flow-Down
If you are a prime, your subs handling CUI must also meet the applicable CMMC level. If you are a sub, your prime contractor is under pressure to show they have secured the entire supply chain.
Common issues:
No contract language around CUI and CMMC requirements.
No mechanism to validate sub compliance or collect their SPRS scores.
Relying on “trust us, we’re working on it” from vendors.
Ignoring flow-down obligations today is how you lose customers tomorrow.
Pitfall 6: Underestimating Lead Time for C3PAO Assessments
A mature Level 2 program requires:
Internal readiness work (often 6-18 months depending on your starting point).
A realistic evidence collection and pre-assessment process.
Scheduling a C3PAO and surviving the actual assessment.
If you back into this from a critical contract date, say a recompete in late 2026, you can quickly see why “we’ll start next year” is a dangerous plan.
How to Get Serious About Level 2 - Starting Now
If you’re not sure where to begin, here’s a practical roadmap I recommend to our clients:
Clarify your exposure.
Inventory all contracts that involve CUI, or are likely to within the next 3-5 years.
Understand whether they are likely to require self-assessed or C3PAO-assessed Level 2.
Baseline against NIST SP 800-171.
Perform a gap assessment against all 110 requirements.
Score honestly using the DoD assessment methodology and submit it to SPRS.
Fix scoping first.
Identify and clearly document the CUI environment.
Segment or isolate where possible to reduce scope and cost.
Build a living SSP and evidence library.
Treat the SSP as a living document, not a one-time deliverable.
Systematize how you collect and maintain evidence (screenshots, configs, tickets, logs, training records).
Prioritize high-impact remediation.
Focus on controls that significantly reduce risk (identity and access management, MFA, logging and monitoring, backup and recovery, incident response).
Use POA&Ms sparingly and close them quickly.
Plan your C3PAO journey early.
Once you’re confident in your internal posture, schedule a pre-assessment or readiness review.
Align your target certification date with your most critical contract milestones.
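The scoring step above (score honestly using the DoD assessment methodology, then submit to SPRS) and the POA&M limits described under Pitfall 4 reduce to a small calculation worth automating before every SPRS submission. The Python below is an added example written for this article, not the author's or Securim's code. It computes an SPRS score from per-requirement statuses and reports whether the open items could legitimately be carried on a Level 2 POA&M. The 110-point ceiling, the 1/3/5-point weights, and the partial-credit cases for MFA (3.5.3) and FIPS-validated cryptography (3.13.11) follow the DoD Assessment Methodology; the 88-point floor, the one-point rule, and the five excluded requirements are my reading of 32 CFR 170.21 and should be checked against the current rule text. The WEIGHTS table is a constructed subset used only to make the example run; the full Annex A table from the methodology must be substituted before relying on the output.

```python
"""SPRS score and POA&M eligibility calculator for a NIST SP 800-171 self-assessment.

Added illustrative example; not code from the article's author or Securim.
Arithmetic follows the DoD Assessment Methodology: start at 110 and subtract
the weight (1, 3 or 5 points) of every requirement that is not met, with
partial credit for MFA (3.5.3) and FIPS-validated cryptography (3.13.11).
The POA&M check encodes the Level 2 conditional-status rules as I read them in
32 CFR 170.21: score of at least 88 (80% of 110), only 1-point items left
open (except 3.13.11 scored at 3), and five named requirements never allowed.
WEIGHTS is a constructed subset for illustration only; replace it with the
full table from the official methodology before relying on the result.
"""

MAX_SCORE = 110
POAM_MIN_SCORE = 88  # 80% of 110, the floor for conditional Level 2 status

# Constructed subset: requirement id -> points deducted when the requirement is unmet.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.7": 1,    # prevent non-privileged users from executing privileged functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain system audit logs
    "3.3.2": 3,    # trace actions to individual users
    "3.5.3": 5,    # multifactor authentication
    "3.8.4": 1,    # mark media with CUI markings
    "3.10.3": 1,   # escort and monitor visitors
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
}

# Partial-credit cases defined by the methodology: requirement -> reduced deduction.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for remote and privileged access, but not for general users
    "3.13.11": 3,  # encryption in use, but not FIPS-validated
}

# Requirements that may never sit on a Level 2 POA&M, whatever their weight (assumed list).
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

VALID_STATES = {"met", "partial", "not_met"}


def deduction(req: str, state: str) -> int:
    """Points deducted for one requirement in the given state."""
    if req not in WEIGHTS:
        raise KeyError(f"{req}: not in the (illustrative) weight table")
    if state not in VALID_STATES:
        raise ValueError(f"{req}: state must be one of {sorted(VALID_STATES)}")
    if state == "met":
        return 0
    if state == "partial":
        if req not in PARTIAL_CREDIT:
            raise ValueError(f"{req}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
        return PARTIAL_CREDIT[req]
    return WEIGHTS[req]


def sprs_score(status: dict) -> int:
    """SPRS score for an assessment. `status` maps requirement id -> state;
    requirements absent from the mapping are treated as fully met."""
    return MAX_SCORE - sum(deduction(req, state) for req, state in status.items())


def poam_eligible(status: dict):
    """Return (eligible, reasons). Eligible means every open item could be carried
    on a 180-day POA&M under the conditional-status rules described above."""
    reasons = []
    score = sprs_score(status)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the {POAM_MIN_SCORE}-point floor")
    for req, state in status.items():
        points = deduction(req, state)
        if points == 0:
            continue
        if req in POAM_EXCLUDED:
            reasons.append(f"{req}: never allowed on a POA&M")
        elif points > 1 and not (req == "3.13.11" and state == "partial"):
            reasons.append(f"{req}: {points}-point item must be closed before submission")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample: MFA only for privileged users, non-FIPS encryption, media unmarked.
    sample = {"3.5.3": "partial", "3.13.11": "partial", "3.8.4": "not_met"}
    ok, why = poam_eligible(sample)
    print(f"SPRS score: {sprs_score(sample)}")
    print("POA&M eligible" if ok else "Not POA&M eligible:\n  " + "\n  ".join(why))
```

The sample at the bottom scores 103, comfortably above the floor, yet is not POA&M-eligible because the partial MFA implementation still costs 3 points; this is exactly the "foundational gap" case Pitfall 4 warns against, and the calculator surfaces it before a submission or a C3PAO engagement does.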
The Strategic View: CMMC as a Competitive Advantage
It is easy to frame CMMC as a compliance burden, and it certainly can feel that way if you are starting from nothing.
But for organizations that move early, CMMC Level 2 Compliance is also a strategic differentiator:
You become a lower-risk partner in the eyes of primes and program offices.
You can use your certified status to win business from competitors who waited too long.
You reduce your exposure to cyber incidents that can disrupt operations, damage your reputation, and trigger costly investigations.
From where I sit, the real risk is not “overinvesting” in Level 2; it is waiting until a must-win contract forces your hand.
If you are unsure where you stand today or how to build a realistic roadmap to Level 2, that is exactly the kind of work we do at Securim. We help DoD contractors turn CMMC from a looming threat into a manageable, strategic program that protects both your data and your revenue.

To understand how the November 10th mandate may impact your contracts, you may schedule time with me below.