Meeting CMMC 2.0 requirements isn't something you can improvise six weeks before a contract deadline. Defense contractors who handle controlled unclassified information (CUI) are subject to a formal set of cybersecurity obligations that now carry real teeth — third-party audits, affirmations, and eventually mandatory inclusion in DoD contracts under DFARS 7012 and its successor clauses. This guide breaks down exactly what you need to do: the controls, the documentation, the technical work, and the assessment process — organized so an IT director or CISO can use it as a working roadmap.
The Department of Defense released the final CMMC 2.0 rule in December 2024, with phased implementation beginning in 2025. Understanding what the framework covers — and doesn't cover — is the first practical step.
Three levels, one clear target for most contractors. Level 1 applies to companies handling Federal Contract Information (FCI) but not CUI — it covers 17 basic safeguarding practices drawn from FAR 52.204-21. Level 2 is where the vast majority of defense contractors land. It requires all 110 NIST 800-171 controls across 14 security domains, and it's the level that requires a formal third-party assessment for most organizations. Level 3 applies to programs involving National Security Systems and requires additional controls from NIST SP 800-172 — it's a smaller population, assessed by DCSA.
The framework is not self-attested at Level 2 for most primes. Unlike the original CMMC 1.0 concept that allowed self-attestation broadly, CMMC 2.0 distinguishes between contractors where self-attestation is permitted and those where a C3PAO must conduct and validate the assessment. The DoD determines which contracts require third-party validation based on the sensitivity of the program.
DFARS 7012 is still the legal foundation. Even as CMMC clauses roll into contracts, contractors are still required to comply with DFARS 252.204-7012, which mandates adequate security per NIST SP 800-171 and requires reporting of cyber incidents to DoD within 72 hours. CMMC certification is the formal verification that those obligations are actually met.
All 110 NIST 800-171 controls fall within 14 security domains. The number of controls per domain varies significantly — understanding which domains carry the most weight helps you prioritize.
Access Control (AC) — 22 controls. The largest domain. Covers who can access what systems, how access is granted and revoked, least-privilege principles, remote access controls, and CUI data flow. This is consistently the domain with the most findings in assessments.
Audit and Accountability (AU) — 9 controls. Requires that systems generate audit logs, that those logs are protected, and that someone reviews them. Many contractors have logging turned on but no documented review process, which counts as a gap.
Awareness and Training (AT) — 3 controls. Small domain, but often overlooked. Requires that personnel are made aware of security risks and that role-based training is provided. Documentation of who completed what training is required evidence.
Configuration Management (CM) — 9 controls. Baseline configurations for all systems, change control processes, and restrictions on software installation. If your endpoints allow users to install arbitrary software, this domain will produce findings.
Identification and Authentication (IA) — 11 controls. Multi-factor authentication, password complexity, management of privileged accounts, and authenticator lifecycle. MFA on all accounts — especially those accessing CUI — is non-negotiable here.
Incident Response (IR) — 3 controls. An incident response plan must exist, be tested, and include reporting procedures that align with DFARS 7012's 72-hour reporting requirement. Tabletop exercises are the standard evidence of testing.
Maintenance (MA) — 6 controls. Covers how systems are maintained, whether maintenance is performed remotely, and what controls are in place during maintenance activities. Remote access for maintenance must be monitored and controlled.
Media Protection (MP) — 9 controls. Sanitization and disposal of media, protection of CUI on portable devices, and controls around physical media containing sensitive data. USB port controls and encryption of removable media are common requirements here.
Personnel Security (PS) — 2 controls. The smallest domain. Requires screening of individuals before granting access to CUI systems and a process for terminating access when personnel leave.
Physical Protection (PE) — 6 controls. Physical access controls to systems that process or store CUI. Badge access logs, visitor management, and physical security of server rooms or workstations.
Risk Assessment (RA) — 3 controls. A periodic risk assessment process, identification of vulnerabilities, and remediation tracking. Vulnerability scanning with documented remediation timelines satisfies this domain.
Security Assessment (CA) — 4 controls. Internal security assessments, system interconnection management, and a Plan of Action & Milestones (POA&M) to address findings. This is where your documentation infrastructure is formally evaluated.
System and Communications Protection (SC) — 16 controls. Network segmentation, encryption of CUI in transit, architectural controls on CUI flow, and protection of communications at system boundaries. This domain often requires the most infrastructure work for organizations without a formal network architecture.
System and Information Integrity (SI) — 7 controls. Anti-malware, security alerting, patch management, and protection against malicious code. Patch cadence documentation and endpoint detection are the primary evidence items here.
Documentation is where many technically capable organizations fall short. A C3PAO assessment is not a penetration test — it's an evidence review. Assessors spend significant time in documents before they ever look at a system.
The System Security Plan (SSP) is your primary artifact. The SSP must describe your information system boundary, how CUI flows through it, the security controls you've implemented, how each control is satisfied, and where responsibility lies. For any control that's not fully implemented, the SSP references the POA&M. Assessors use the SSP to scope the assessment — if it's incomplete, unclear, or inconsistent with what they observe in the environment, that gap itself becomes a finding.
The POA&M tracks what isn't done yet. A POA&M is not an admission of failure — it's a structured plan for addressing known gaps. It should include each open finding, the remediation action planned, the responsible owner, the resources required, and a realistic completion milestone. DoD accepts POA&Ms as part of the assessment process, provided they meet specific criteria: items cannot be open indefinitely, and certain high-priority controls (particularly those protecting CUI directly) must be remediated before certification can be granted.
Supporting documentation assessors expect to see:
CMMC documentation should be maintained as living documents, not point-in-time artifacts. Assessors frequently check document revision dates and compare stated procedures against observed configurations to identify inconsistencies.
While all 110 controls matter, certain technical requirements appear most frequently in assessment findings and should be addressed early in any CMMC compliance plan.
Access Control and Least Privilege
Multi-Factor Authentication
Encryption
Audit Logging
Patch Management
Cloud Environments
Technical controls without documented policy are a gap, not an implementation. Each security domain requires corresponding written procedures that explain how controls are implemented, who is responsible, and how exceptions are handled.
Minimum required policies for CMMC Level 2:
Policies must be approved by leadership, distributed to relevant personnel, and reviewed at defined intervals (typically annually). Assessors ask to see version history, distribution records, and acknowledgment signatures or training completion records as evidence of implementation.
People are a control, not just a risk factor. The CMMC controls in the Awareness and Training domain require documented evidence that personnel with access to CUI have received appropriate training before that access is granted.
Role-based training matters. General security awareness training covers the baseline — phishing awareness, CUI handling, incident reporting procedures. But personnel in IT, security, or administrative roles with higher-level access need additional training covering their specific responsibilities. System administrators need training on configuration management and access control procedures. Incident responders need training on the IR plan and DFARS reporting requirements.
Evidence requirements for training:
Personnel screening under the PS domain requires that individuals are screened prior to being granted access to systems containing CUI. The specifics of what screening entails (background checks, reference verification) are left to the organization, but the process must be documented.
Termination procedures must ensure that access to CUI systems is revoked promptly when personnel leave or change roles. Documented offboarding checklists with IT sign-off are the standard evidence artifact.
Understanding how a C3PAO conducts an assessment helps you prepare more effectively. The process follows a defined methodology established by the Cyber AB (formerly the CMMC Accreditation Body).
Phase 1: Document Review. Before arriving on-site or scheduling technical testing, assessors review your SSP, network diagrams, asset inventory, and supporting policies. Gaps in documentation at this stage signal what areas will receive closer scrutiny in Phase 2.
Phase 2: Interviews. Assessors conduct structured interviews with key personnel — IT staff, system administrators, the security point of contact. They're verifying that the procedures described in your documentation are actually understood and followed by the people responsible for them. An SSP that describes a log review process, combined with an administrator who doesn't know who reviews logs or how often, is a finding.
Phase 3: Testing and Observation. Assessors directly examine systems. They'll look at Active Directory group memberships, firewall rule sets, patch levels, audit log configurations, encryption settings, and endpoint protection status. They compare what they observe to what the SSP states.
Phase 4: Scoring. Each of the 110 NIST 800-171 controls receives a score: MET, NOT MET, or NOT APPLICABLE. Controls that are NOT MET must either be remediated before certification or documented in a POA&M with an acceptable closure timeline. The resulting score feeds into the Supplier Performance Risk System (SPRS) — contractors are required to self-report their SPRS score under current DFARS requirements.
What differentiates passing from failing: Organizations that pass assessments consistently have three things: a well-maintained SSP that accurately reflects their environment, personnel who understand and can demonstrate their security procedures, and no critical control gaps in the access control or CUI protection domains.
Certain findings appear repeatedly across CMMC audit prep engagements. Knowing them in advance lets you address them before the assessor arrives.
CUI isn't scoped or labeled. If you can't tell an assessor where your CUI lives, what systems process it, and how it flows between systems, you haven't completed the foundational step the entire assessment depends on.
MFA is partially deployed. Many organizations have MFA on their primary email but not on VPN, remote desktop, or cloud storage — all of which may touch CUI.
Audit logs exist but aren't reviewed. Logging infrastructure passes the technical test, but without evidence of regular log review, the control is scored NOT MET.
The SSP describes what should happen, not what does happen. Policies written to describe an ideal state that doesn't match observed configurations are a common failure pattern. SSPs must accurately reflect current implementation.
Subcontractor CUI handling is undocumented. If you pass CUI to subcontractors, your contracts and documented agreements must address CUI protection requirements. Flow-down of DFARS 7012 obligations is required, and assessors check for it.
Incident response plans haven't been tested. A plan that exists only as a document, with no evidence of tabletop exercises or drills, does not satisfy the IR domain's testing requirement.
End-of-life systems remain in scope. Unsupported operating systems or applications that can't receive security patches create findings that are difficult to score around. They need to be upgraded, isolated, or formally accepted as a risk with compensating controls.
CMMC compliance work goes best when the steps are sequenced logically. Organizations that try to implement technical controls before scoping their environment or completing their SSP typically waste effort and miss gaps.
Months 1–2: Scoping and Inventory
Identify all systems that process, store, or transmit CUI. Map CUI data flows. Build your asset inventory. Define the assessment boundary. This work is the prerequisite for everything else — without it, you don't know what you're protecting.
Months 2–4: Gap Assessment and SSP Development
Conduct a formal gap assessment against all 110 controls. Document current state for each control in your SSP. Create your POA&M for every control that's not fully implemented. This gives you a prioritized remediation list and the foundational documentation assessors will review.
Months 4–8: Remediation
Address gaps in priority order: start with controls that directly protect CUI (access control, MFA, encryption) and work outward. For cloud-dependent controls, evaluate whether migrating to GCC High is appropriate. Develop and approve all required policies.
Months 8–10: Internal Assessment and Training
Conduct an internal mock assessment against your SSP. Validate that configurations match documented procedures. Deliver training to all personnel with CUI access. Update your SSP to reflect completed remediation.
Months 10–12: C3PAO Assessment
Engage a C3PAO for your formal assessment. Expect the process to take four to eight weeks from kickoff to final scoring. Keep your POA&M current throughout.
The realistic timeline for an organization starting from a low baseline is twelve to eighteen months. Organizations with mature security programs that align well to NIST 800-171 controls can often compress this to eight to ten months.
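The internal mock assessment in months 8 to 10, the Phase 4 scoring model (MET / NOT MET / NOT APPLICABLE), and several of the recurring findings above (partial MFA, unreviewed logs, unapproved administrators, end-of-life hosts, SSP claims that don't match reality) can be turned into a repeatable readiness check. The script below is an added example and is not Daymark's code or any C3PAO tooling. It compares a handful of SSP claims against observed configuration, scores each control, derives an SPRS-style score, and emits skeleton POA&M rows for every NOT MET control. The SSP and observed data are constructed sample inputs; the control numbers follow NIST SP 800-171 Rev. 2 as I recall them and should be checked against your own SSP; the per-control deduction weights are assumed for illustration and are not the official assessment methodology values.

```python
"""Internal mock-assessment checker: SSP claims vs observed configuration.

Added example, not Daymark's code. Control numbers are from NIST SP 800-171
Rev. 2 as recalled by the author of this example; deduction weights and all
sample data below are constructed for illustration.
"""
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

MET, NOT_MET, NA = "MET", "NOT MET", "NOT APPLICABLE"
Result = Tuple[str, str]  # (status, evidence or finding detail)

# --- Constructed sample inputs -----------------------------------------------
SSP = {  # what the System Security Plan claims (assumed structured export)
    "log_review_interval_days": 7,
    "patch_sla_days": 30,
    "approved_admins": {"alice", "svc-backup"},
    "wireless_in_boundary": False,
}
OBSERVED = {  # what the internal assessor actually saw (constructed)
    "services": {
        "email": {"cui": True, "mfa": True},
        "vpn": {"cui": True, "mfa": False},        # the classic partial-MFA gap
        "rdp-gateway": {"cui": True, "mfa": True},
        "wiki": {"cui": False, "mfa": False},      # no CUI, so not a finding
    },
    "last_log_review": date(2025, 1, 5),           # last signed review record
    "hosts": [
        {"name": "app01", "days_since_patch": 12, "eol": False,
         "isolated": False, "risk_accepted": False},
        {"name": "legacy01", "days_since_patch": 400, "eol": True,
         "isolated": True, "risk_accepted": True},  # isolated + formally accepted
    ],
    "domain_admins": {"alice", "svc-backup", "bob"},  # bob is not in the SSP
    "wireless_in_boundary": False,
}
TODAY = date(2025, 2, 14)  # pinned so the results are reproducible


def check_mfa(ssp: dict, obs: dict, today: date) -> Result:
    # Every service that touches CUI must enforce MFA, not just primary email.
    missing = sorted(n for n, s in obs["services"].items() if s["cui"] and not s["mfa"])
    if missing:
        return NOT_MET, f"MFA not enforced on CUI-touching services: {missing}"
    return MET, "MFA enforced on every CUI-touching service"


def check_log_review(ssp: dict, obs: dict, today: date) -> Result:
    # Logging alone is not enough; there must be recent evidence of review.
    age = (today - obs["last_log_review"]).days
    if age > ssp["log_review_interval_days"]:
        return NOT_MET, (f"last documented log review was {age} days ago; "
                         f"SSP commits to every {ssp['log_review_interval_days']} days")
    return MET, f"log review evidence is {age} days old, within the documented interval"


def check_patching(ssp: dict, obs: dict, today: date) -> Result:
    # EOL hosts are acceptable only if isolated and formally risk-accepted.
    findings = []
    for h in obs["hosts"]:
        if h["eol"] and not (h["isolated"] and h["risk_accepted"]):
            findings.append(f"{h['name']}: end-of-life, not isolated with accepted risk")
        elif not h["eol"] and h["days_since_patch"] > ssp["patch_sla_days"]:
            findings.append(f"{h['name']}: {h['days_since_patch']} days unpatched")
    if findings:
        return NOT_MET, "; ".join(findings)
    return MET, "all hosts within patch SLA or formally accepted with compensating controls"


def check_least_privilege(ssp: dict, obs: dict, today: date) -> Result:
    # Observed admin group membership must match what the SSP lists.
    extra = sorted(obs["domain_admins"] - ssp["approved_admins"])
    if extra:
        return NOT_MET, f"admin group members not listed in the SSP: {extra}"
    return MET, "admin group membership matches the SSP"


def check_wireless(ssp: dict, obs: dict, today: date) -> Result:
    # A control can be NOT APPLICABLE only when both SSP and reality agree.
    if not obs["wireless_in_boundary"] and not ssp["wireless_in_boundary"]:
        return NA, "no wireless access within the assessment boundary"
    if obs.get("wireless_authorization_records"):
        return MET, "wireless connections are authorized and recorded"
    return NOT_MET, "wireless present but no authorization records"


# (control id, short title, ASSUMED deduction weight, check function)
CONTROLS: List[Tuple[str, str, int, Callable[[dict, dict, date], Result]]] = [
    ("3.5.3", "Multifactor authentication", 5, check_mfa),
    ("3.3.1", "Audit log review evidence", 1, check_log_review),
    ("3.14.1", "Timely flaw remediation", 5, check_patching),
    ("3.1.5", "Least privilege", 3, check_least_privilege),
    ("3.1.16", "Authorize wireless access", 5, check_wireless),
]


def run_assessment(ssp: dict = SSP, obs: dict = OBSERVED, today: date = TODAY) -> Dict[str, Result]:
    """Score every control MET / NOT MET / NOT APPLICABLE with its evidence line."""
    return {cid: fn(ssp, obs, today) for cid, _, _, fn in CONTROLS}


def sprs_style_score(results: Dict[str, Result]) -> int:
    """Start at 110 and deduct each NOT MET control's (assumed) weight."""
    weights = {cid: w for cid, _, w, _ in CONTROLS}
    return 110 - sum(weights[cid] for cid, (status, _) in results.items() if status == NOT_MET)


def poam_entries(results: Dict[str, Result], today: date = TODAY,
                 owner: str = "<responsible owner>") -> List[dict]:
    """Skeleton POA&M rows (finding, owner, milestone) for every NOT MET control."""
    return [{"control": cid, "finding": detail, "owner": owner,
             "milestone": (today + timedelta(days=90)).isoformat()}
            for cid, (status, detail) in results.items() if status == NOT_MET]


if __name__ == "__main__":
    res = run_assessment()
    for cid, (status, detail) in res.items():
        print(f"{cid:8} {status:15} {detail}")
    print("SPRS-style score:", sprs_style_score(res))
    for row in poam_entries(res):
        print("POA&M:", row)
```

Run against the constructed data, the checker flags the VPN without MFA, a 40-day-old log review against a weekly commitment, and an administrator the SSP never listed, while the isolated and risk-accepted legacy host and the absent wireless network produce no deduction. In practice the `OBSERVED` dictionary would be filled from Active Directory, MDM, patch-management and SIEM exports, and the `SSP` dictionary from whatever structured form your SSP is kept in; the value of the exercise is that every mismatch between the two is exactly the kind of finding an assessor reaches in Phase 3.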
What are the CMMC 2.0 requirements for a Level 2 defense contractor?
The CMMC 2.0 requirements for Level 2 are all 110 controls from NIST SP 800-171, organized across 14 security domains. Level 2 is the tier that applies to most defense contractors handling CUI, and it requires either self-attestation or a third-party assessment by an accredited C3PAO, depending on what the specific contract requires. In addition to the technical controls, CMMC Level 2 also mandates a current SSP, a maintained POA&M, and documented compliance with DFARS 252.204-7012.
How is a CMMC checklist different from just implementing NIST 800-171?
A CMMC checklist encompasses everything that goes into CMMC certification — not just the 110 NIST 800-171 controls themselves, but the documentation, the formal assessment process, and the ongoing maintenance obligations. NIST 800-171 is the control set; CMMC is the verification framework that confirms you've actually implemented those controls. Many contractors thought they were compliant with 800-171 based on self-assessment and discovered significant gaps when preparing for a formal C3PAO review.
What is a System Security Plan (SSP) and why is it so important?
An SSP is the primary document that describes your information system, its boundary, how CUI flows through it, and how each of the 110 controls is implemented. The SSP is the artifact your assessor uses to understand your environment before conducting interviews and technical testing. An incomplete or inaccurate SSP is itself a finding — and it signals to assessors where to look for additional gaps. Without a current, accurate SSP, a certification assessment cannot proceed.
What happens if we have gaps during a C3PAO assessment?
Gaps identified during a C3PAO assessment are documented as NOT MET findings. Some findings can be addressed through a POA&M — a documented plan to remediate the gap within a defined timeline. However, not all open controls are POA&M-eligible for certification purposes. Controls that directly affect CUI protection typically must be remediated before certification is granted. For lower-priority gaps, DoD has established criteria for what can remain in a POA&M at the time of certification while remediation continues.
How does GCC High relate to CMMC 2.0 requirements?
GCC High is Microsoft's cloud environment built specifically for organizations subject to DoD requirements and ITAR/EAR restrictions. For defense contractors using Microsoft 365 or Azure, GCC High provides the FedRAMP High authorization and data residency controls required to store and process controlled unclassified information in the cloud. Standard Microsoft 365 commercial (even with E3/E5 licensing) does not satisfy the cloud-hosting requirements for CUI under CMMC 2.0. Migrating to GCC High is often a prerequisite for meeting the System and Communications Protection controls in CMMC Level 2.
How long does it take to get CMMC certified?
The time to achieve CMMC 2.0 certification depends heavily on your starting point. Organizations with a mature security program aligned to NIST 800-171 controls may be assessment-ready in six to nine months. Those starting from a low baseline should plan for twelve to eighteen months of preparation before engaging a C3PAO. The formal assessment process itself — from engagement to final scoring — typically takes four to eight weeks. Planning well in advance of contract requirements is essential, since CMMC audit prep cannot be compressed without cutting corners that will show up as findings.
Need help mapping your current security posture against CMMC 2.0 requirements? Daymark's CMMC Readiness Assessment identifies gaps and builds a prioritized remediation roadmap. Contact us to start your compliance journey.
Download our guide “7 Steps to CMMC Compliance.”
As a Microsoft AOS-G partner with deep experience in defense contractor compliance, Daymark brings both the technical expertise and the CMMC documentation frameworks that move organizations from gap assessment to certification-ready — efficiently and without surprises.