Everything DoD contractors need to know about CMMC Level 2: the 110 NIST 800-171 controls, the C3PAO assessment, realistic cost and timeline, and how to pass on the first attempt.
Cybersecurity Maturity Model Certification (CMMC) Level 2 is the US Department of Defense's certification program for contractors that handle Controlled Unclassified Information (CUI). It requires implementation of all 110 security practices from NIST Special Publication 800-171, verified by a third-party assessment from an accredited C3PAO.
CMMC 2.0 has three levels. Level 1 covers basic cyber hygiene (17 practices) and is self-assessed. Level 2 covers the full 110 NIST 800-171 controls and — for the majority of DoD contracts — requires a third-party assessment every three years. Level 3 adds a subset of NIST 800-172 enhanced requirements for the most sensitive programs and is assessed by the DoD directly.
For most defense contractors, Level 2 is the target. If your DoD contract or subcontract flow-down references DFARS 252.204-7012, you're handling CUI, and Level 2 certification is coming to your award terms.
If your organization processes, stores, or transmits CUI in support of a DoD contract, you're in scope. The most common cases we see:
CMMC Program Rule (32 CFR Part 170) published — codifies the three-level model and assessment ecosystem.
DFARS acquisition rule (48 CFR) effective — CMMC requirements begin appearing in DoD solicitations.
Level 1 and Level 2 self-assessments required in new contracts as clauses are inserted.
Level 2 C3PAO third-party assessments required for most CUI-handling contracts.
Level 3 assessments begin; requirements flow into option-year exercises on existing contracts.
CMMC requirements fully baked into DoD acquisition — non-certified contractors effectively locked out of CUI work.
CMMC Level 2 requires implementation of all 110 security practices in NIST SP 800-171 (with the assessment moving to Rev 3). The controls are organized into 14 families. Each control must be documented in your System Security Plan (SSP), operational in production, and supported by evidence a C3PAO can inspect.
Not all controls carry equal weight. The DoD scoring methodology deducts 1, 3, or 5 points per unmet control. A single missed 5-point control (like FIPS-validated encryption or full MFA coverage) can drop you well below the passing threshold — even if the other 109 are perfect.
Define the CUI boundary, inventory in-scope assets, and score current implementation against all 110 controls to produce a starting SPRS score.
Draft the System Security Plan and Plan of Action & Milestones — the documents your C3PAO will use as their assessment baseline.
Close the technical, procedural, and evidence gaps: MFA everywhere, FIPS-validated crypto, logging pipeline, CUI enclave, policies, training records.
Assemble the evidence library, dry-run the assessment with an internal or external assessor, and close any residual findings.
An accredited third-party (C3PAO) assesses your implementation against all 110 controls and issues the certification decision.
Costs vary widely with scope. A tightly bounded 25-user CUI enclave is dramatically cheaper than a 500-user unbounded environment. Ranges for mid-market defense contractors in 2026:
Scoping, control-by-control review, SPRS score, remediation roadmap.
MFA, EDR, SIEM, GCC High migration, FIPS-validated crypto, policies, training.
Paid to the accredited assessor; scales with asset count and complexity.
Ongoing SOC, evidence collection, continuous monitoring, POA&M management.
For an organization starting from a baseline commercial IT posture, plan on 6–12 months from kickoff to C3PAO assessment. Organizations with an existing mature NIST 800-171 program can move in 3–5 months. Complex environments — multi-site manufacturers, on-prem-heavy R&D shops, unscoped M365 tenants — routinely take 12–18.
The biggest schedule risks are scope creep (letting CUI leak into general-purpose systems), tooling delays (GCC High tenant provisioning, hardware procurement), and evidence gaps (a control that's technically implemented but has no artifacts to prove it).
Very few generalist MSPs actually implement all 110 controls with evidence. Ask them to show you a live SSP and POA&M — if they can't, you're not ready.
The single biggest cost driver is scope. Isolate CUI into an enclave (M365 GCC High, AWS GovCloud, or a segmented on-prem network) so 'in-scope' means dozens of assets, not thousands.
'Encryption on' is not enough. If the crypto module isn't on the NIST CMVP validated list, the control fails — full stop. This trips up most consumer VPNs and file-sync tools.
AU-family controls require centralized, tamper-resistant logs with defined review cadence. A firewall dashboard nobody reads is not compliance.
Assessors interview random users. If your people can't describe insider-threat reporting or incident response, controls fail even with perfect tooling.
TRNSFRM has walked defense manufacturers, aerospace suppliers, and R&D firms through NIST 800-171 and CMMC readiness since the framework's earliest drafts. Our program is opinionated on purpose: tightly scoped CUI enclaves, GCC High by default when appropriate, evidence-driven remediation, and a mock assessment before we ever hand you to a C3PAO. Every engagement is led by a senior consultant, backed by our SOC, and reported to your leadership monthly.

“CMMC isn't the hardest thing we do — it's the most consequential. Every year we watch small manufacturers lose seven-figure DoD awards because they weren't ready. We won't let that happen to you.”
Jeff Dennis
Founder & CEO, TRNSFRM
The short version of Level 1, 2, and 3.
The 110 controls behind CMMC Level 2.
Export-controlled data handling for defense.
CMMC-ready managed IT for defense manufacturers.
Full DIB security programs.
ITAR + CMMC for aerospace suppliers.
47-point self-assessment in 10 minutes.
Downloadable PDF companion guide.
2026 buying guide for regulated industries.
Regulated-industry programs built by TRNSFRM.
AS9100, CMMC, ITAR programs for aerospace suppliers.
HIPAA-grade IT for ASCs and outpatient surgery.
TISAX, CMMC, and OEM cyber flow-downs.
HIPAA + 42 CFR Part 2 for behavioral health providers.
CMMC 2.0 & NIST 800-171 for the defense industrial base.
Real HIPAA compliance for dental groups and DSOs.
Deeper reads from the TRNSFRM team.
A pragmatic IR playbook, not a shelf binder.
Where teams get cloud wrong — and how to fix it.
The DIB compliance clock is ticking.
Why voice and video attacks now target execs.
Attackers are getting past MFA — here's how.
Start planning your post-quantum crypto migration.