110 requirements. C3PAO assessment. Real stakes. Here's what the path to certification actually looks like — and where you stand today. 

CMMC Level 2 applies to defense contractors and subcontractors that handle Controlled Unclassified Information (CUI). It requires implementing 110 security requirements from NIST SP 800-171 and passing a formal assessment conducted by an accredited third-party assessment organization (C3PAO). 
 
Without Level 2 certification, you cannot hold contracts that require CUI protection. That means contracts you may already be performing on, and contracts you want to pursue, are at risk. 

This is a contract eligibility question. 

14 Security Domains. 110 Requirements. 320 Assessment Objectives.

NIST SP 800-171 organizes the requirements into 14 control families. A C3PAO assessor evaluates 320 individual assessment objectives, confirming that each control exists, that your team can demonstrate it, and that your documentation matches reality. For a self-assessment, you must be able to show proof that all three are true.

Security Domains:

Access Control (AC) Manage who and what can access CUI environments.
Awareness & Training (AT) Ensure personnel understand their security responsibilities.
Audit & Accountability (AU) Log system activity and protect audit records.
Physical Protection (PE) Limit physical access to the systems and facilities that hold CUI.
Configuration Management (CM) Maintain secure baselines for all in-scope systems.
Identification & Authentication (IA) Enforce unique identities and strong authentication.
Incident Response (IR) Detect, report, and recover from security incidents.
Maintenance (MA) Control and log maintenance of CUI-holding systems.
Media Protection (MP) Protect and sanitize media containing CUI.
Personnel Security (PS) Screen personnel with access to CUI.
Risk Assessment (RA) Identify and manage risks to CUI environments.
Security Assessment (CA) Regularly evaluate and document control effectiveness.
System & Communications Protection (SC) Protect CUI in transit and at boundaries.
System & Information Integrity (SI) Detect and remediate vulnerabilities and threats.
Supplier Assurance (SA) Manage security requirements across your supply chain.

How You Are Assessed:
Examine. Interview. Test.

A C3PAO assessor uses three methods to evaluate each requirement: examining documentation (policies, procedures, SSP), interviewing personnel, and testing controls directly. Your team will be asked to explain and demonstrate how controls work. Documentation that does not match implementation and operations is one of the most common reasons organizations fail assessments. 

Organizations that fail C3PAO assessments tend to stumble in the same three places.

You are attesting, under penalty of false claims liability, that your systems meet the 15 security requirements. That attestation goes into SPRS, where contracting officers can see it. If your self-assessment is inaccurate, you are at risk of losing your contract, being found in breach, and in serious cases, facing False Claims Act exposure. 

RTA works alongside your team to make sure the self-assessment reflects reality, your documentation is accurate, and your SPRS submission is defensible. 

1. Scope is a Noun and a Verb 

You must scope – identify every person, process, and technology that stores, processes, or transmits CUI and separate them from everything else. An improperly defined assessment boundary, a.k.a. “scope,” is one of the most common reasons organizations cannot move past the pre-assessment phase. Get this right first.

2. Documentation versus Reality

CMMC Level 2 has 110 requirements and 320 assessment objectives. Every objective is rated “met” or “not met.” Your System Security Plan (SSP) and supporting policies must reflect how your organization really operates. If your documentation describes a process your team doesn’t follow, an assessor will find out when they ask your team to explain it or show how it works.

3. Compliance and Engineering

CMMC is a compliance program, not an engineering project. Technology is rarely the hardest part. Organizations that let technical staff drive the program without experienced compliance leadership tend to build systems that are technically capable but not assessment ready. Compliance and engineering have to work together, with compliance setting the frame. 

Where do you stand?

Find Out In Less Than Five Minutes.

Answer a few questions about your current environment and practices. We’ll tell you your readiness tier, what it means for your contract eligibility, and what it would take to get compliant. 


Ready to move forward?

C3PAO assessments cost between $30,000 and $150,000. Companies that arrive unprepared frequently fail and have to pay for a re-assessment. RTA’s job is to make sure that doesn’t happen to you. Every engagement is principal-led, fixed-price, and carefully scoped to your current maturity and CUI environment. Note: Self-assessments will be phased out for most contracts after November 2026. Now is the time to prepare for third-party certification.

Clarity over jargon. Substance over spin. Integrity, always.