
CMMC Level 2 Complete Guide

The definitive guide to CMMC Level 2 certification. All 110 NIST 800-171 requirements, C3PAO assessment process, evidence requirements, and strategies for achieving compliance.

What Is CMMC Level 2

CMMC Level 2 requires implementation of all 110 security requirements from NIST SP 800-171 Rev 2. It applies to any defense contractor that processes, stores, or transmits Controlled Unclassified Information (CUI) on behalf of the DoD. Level 2 is the certification tier that impacts the vast majority of the Defense Industrial Base.
Level 1 is always self-assessed. Level 2 comes in two variants that the contract specifies: Level 2 (Self), a self-assessment whose results are entered into SPRS, and Level 2 (C3PAO), a formal assessment by an authorized C3PAO every three years. The DoD has stated that most contracts involving CUI will require the C3PAO variant, and that is the path this guide covers. See our NIST 800-171 Guide at quzara.com/guides/nist-800-171 for the complete requirements breakdown. When assessment day arrives, our CMMC Audit Preparation Guide at quzara.com/cmmc/audit-preparation covers evidence requirements and common findings. Explore all resources at quzara.com/cmmc/hub.

The 110 Requirements of CMMC Level 2

CMMC Level 2 maps directly to NIST SP 800-171 Rev 2 with no additions or modifications. The 110 requirements span 14 control families: Access Control (22), Awareness and Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16), and System and Information Integrity (7). Access Control and System and Communications Protection are the two largest families and typically require the most implementation effort. Every requirement must be MET for a final certificate. A POA&M is permitted only within the limits the CMMC rule sets for a conditional certificate: a minimum score of 88 out of 110, no open item worth more than 1 point (3.13.11, FIPS-validated cryptography, may remain open at a partial score of 3), none of 3.1.20, 3.1.22, 3.10.3, 3.10.4 or 3.10.5 on the POA&M, and every open item closed within 180 days.

C3PAO Assessment Process

Your C3PAO evaluates all 110 requirements against your SSP, POA&Ms, and evidence. Each requirement receives MET, NOT MET, or NOT APPLICABLE. A requirement is MET only when every one of its assessment objectives in the CMMC Level 2 Assessment Guide is satisfied; a single unmet objective makes the whole requirement NOT MET, so map evidence to objectives, not just to requirement numbers. Assessors review documentation, interview personnel, and examine technical implementations. NISTCompliance.ai organizes evidence by control family and enables AI-powered search. The Auditor Co-Pilot accelerates the assessment process.

How to Prepare for Level 2

A structured approach to achieving full NIST 800-171 implementation and passing your C3PAO assessment.
1. Gap Analysis & SPRS Scoring
Assess all 110 requirements and calculate your SPRS score. NISTCompliance.ai automates the assessment across all 14 control families.
2. CUI Scoping & Boundaries
Define your CUI environment. Map data flows and identify in-scope systems (CUI assets, security protection assets, contractor risk managed assets, specialized assets). Proper scoping reduces assessment cost.
3. Remediate & Implement Controls
Close gaps systematically. For 24/7 security operations, inherit proven controls from FedRAMP High authorized Cybertorch MDR.
4. Document Everything
Create the SSP, POA&Ms, and evidence repository. NISTCompliance.ai generates audit-ready documentation automatically.
5. Mock Assessment
Conduct an internal readiness review. Verify that evidence is complete and that the team can demonstrate control implementation for each assessment objective.
6. C3PAO Certification
Engage your C3PAO. Every requirement must be MET, or NOT MET only within the POA&M limits the CMMC rule allows (1-point items, closed within 180 days). Maintain continuous monitoring post-certification.

Accelerate Your CMMC Level 2 Certification

Contact Us

CMMC Level 2 FAQ

What is the difference between Level 1 and Level 2? Level 1 requires 15 basic practices and self-assessment for FCI. Level 2 requires all 110 NIST 800-171 controls and a C3PAO assessment for CUI.
Most common Level 2 gaps? MFA not enforced for every network access and every privileged local access (IA), audit logs collected but never reviewed (AU), CUI boundaries undefined so the entire enterprise falls in scope (SC), IR plans written but never tested (IR), vulnerability scans not performed at the frequency the SSP defines (RA).
Level 2 assessment cost? C3PAO fees range $30,000-$120,000 depending on scope and org size.
Can I use a managed service provider? Yes. Cybertorch MDR is FedRAMP High Authorized with inheritable controls via a Shared Responsibility Matrix. Inherited controls still appear in your SSP, and the assessor will check the matrix against your evidence; responsibility is shared, not transferred.
SPRS score requirement? The score starts at 110 and subtracts 1, 3, or 5 points for each requirement that is NOT MET, so it ranges from -203 to +110. A conditional certificate requires at least 88, and all 110 requirements must ultimately receive MET. Most primes require minimum scores.
How often must I be reassessed? Certification valid 3 years with annual senior official affirmation and continuous monitoring.
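The scoring rule and the POA&M limits above are mechanical enough to be worth encoding. The following is an added example, not code from the page or from NISTCompliance.ai: it computes an SPRS score from per-requirement results using the DoD Assessment Methodology (110 minus the weight of each NOT MET requirement, with 3.5.3 and 3.13.11 allowed a PARTIAL score of 3), then checks whether the open items would qualify for a conditional Level 2 certificate under 32 CFR 170.21. The weight table is a constructed subset for illustration; load the full Annex A table for real use.

```python
"""SPRS score and POA&M eligibility for a NIST SP 800-171 Rev 2 assessment.

Scoring (DoD Assessment Methodology): start at 110 and subtract the weight
(5, 3 or 1) of every requirement that is NOT MET. 3.5.3 (MFA) and 3.13.11
(FIPS-validated cryptography) may be scored PARTIAL, which subtracts 3
instead of 5. With the complete weight table the floor is 110 - 313 = -203.
3.12.4 (the SSP) is not scored: without an SSP there is no assessment.

Conditional Level 2 certificate (32 CFR 170.21): score >= 88, no open item
worth more than 1 point (3.13.11 may remain open at 3), and 3.1.20, 3.1.22,
3.10.3, 3.10.4, 3.10.5 may never be on the POA&M.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    PARTIAL = "PARTIAL"        # only valid for 3.5.3 and 3.13.11
    NOT_APPLICABLE = "N/A"     # treated as implemented for scoring


TOTAL_REQUIREMENTS = 110
CONDITIONAL_MIN_SCORE = 88                  # 0.8 * 110
PARTIAL_ELIGIBLE = {"3.5.3", "3.13.11"}
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

# Constructed subset of requirement weights used by this example (assumption:
# verify each value against the published Annex A table before relying on it).
SAMPLE_WEIGHTS: dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.2": 3, "3.5.3": 5, "3.10.3": 1, "3.11.2": 5,
    "3.11.3": 1, "3.13.11": 5, "3.14.1": 5,
}


def floor_score(weights: dict[str, int]) -> int:
    """Lowest possible score if every weighted requirement is NOT MET."""
    return TOTAL_REQUIREMENTS - sum(weights.values())


def sprs_score(results: dict[str, Status], weights: dict[str, int]) -> int:
    """Return the SPRS score. Requirements absent from `results` count as MET."""
    score = TOTAL_REQUIREMENTS
    for req, status in results.items():
        if req == "3.12.4":
            continue                          # SSP is a prerequisite, not a scored item
        if status is Status.NOT_MET:
            score -= weights[req]
        elif status is Status.PARTIAL:
            if req not in PARTIAL_ELIGIBLE:
                raise ValueError(f"{req} cannot be scored PARTIAL")
            score -= 3                        # partial credit: 3 instead of 5
    return score


@dataclass
class PoamCheck:
    eligible: bool
    score: int
    reasons: list[str] = field(default_factory=list)


def poam_eligibility(results: dict[str, Status], weights: dict[str, int]) -> PoamCheck:
    """Check whether the open items could sit on a conditional-certificate POA&M."""
    score = sprs_score(results, weights)
    reasons: list[str] = []
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below {CONDITIONAL_MIN_SCORE}")
    for req, status in results.items():
        if status in (Status.MET, Status.NOT_APPLICABLE):
            continue
        if req in NEVER_POAM:
            reasons.append(f"{req} may never be on a POA&M")
            continue
        deducted = 3 if status is Status.PARTIAL else weights[req]
        if deducted > 1 and not (req == "3.13.11" and deducted == 3):
            reasons.append(f"{req} costs {deducted} points; only 1-point items may stay open")
    return PoamCheck(eligible=not reasons, score=score, reasons=reasons)


# Constructed sample results: MFA partially deployed, least privilege not
# done, vulnerabilities not remediated on schedule. Unlisted items are MET.
SAMPLE_RESULTS: dict[str, Status] = {
    "3.5.3": Status.PARTIAL, "3.1.5": Status.NOT_MET, "3.11.3": Status.NOT_MET,
}
# Constructed sample that does qualify: one 1-point gap plus FIPS crypto at partial.
CONDITIONAL_RESULTS: dict[str, Status] = {
    "3.11.3": Status.NOT_MET, "3.13.11": Status.PARTIAL,
}

if __name__ == "__main__":
    for name, res in (("sample", SAMPLE_RESULTS), ("conditional", CONDITIONAL_RESULTS)):
        check = poam_eligibility(res, SAMPLE_WEIGHTS)
        print(name, check.score, "eligible" if check.eligible else check.reasons)
```

Two points a practitioner should take from running it: a PARTIAL on MFA keeps you out of a conditional certificate even though it only costs 3 points, because only 1-point items (and 3.13.11) may remain open; and the 88-point threshold is necessary but not sufficient.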