Defence subcontractors moving toward Level 2 keep getting tripped up by the same three control families. Here is how to clear them without burning a quarter.
CMMC 2.0 in Plain English
CMMC 2.0 collapsed the original five-level framework into three levels. Level 1 covers basic cyber hygiene — 17 practices, annual self-assessment. Level 2 aligns to NIST SP 800-171's 110 practices and requires an assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years for contracts involving Controlled Unclassified Information (CUI). Level 3 is reserved for the most sensitive programmes and layers additional NIST SP 800-172 practices on top. Most subcontractors entering the DoD supply chain for the first time are targeting Level 2.
The Three Control Families Where Projects Stall
Access Control (AC) trips teams up because it requires not just role-based access, but documented justification for every privileged account. Most smaller contractors have informal admin account practices with no formal review cycle. Audit and Accountability (AU) requires comprehensive log collection and review — but many SMBs have no SIEM and are logging to local files that rotate and are overwritten before anyone has reviewed them. Configuration Management (CM) is where the most surprises hide: every device needs a documented baseline configuration, and every deviation from that baseline needs a change management record.
The Self-Assessment Trap
CMMC Level 2 contracts can allow self-assessment for non-critical programmes, but the DoD has made clear it will audit self-assessments aggressively. Contractors who score themselves 88 out of 110 in SPRS (the Supplier Performance Risk System) without supporting evidence are the first to get flagged. A realistic self-assessment takes a dedicated quarter with outside help. The output is not just a score — it's a System Security Plan (SSP) that documents how every practice is met, and a Plan of Action and Milestones (POA&M) for every gap.
A Practical 90-Day Sprint
Weeks 1-4: asset inventory, data flow mapping, and identifying where CUI lives. Weeks 5-8: close the most critical gaps — MFA everywhere, log centralisation, and a documented access review process. Weeks 9-12: SSP drafting, POA&M creation, and a dry-run internal assessment against all 110 practices. A C3PAO readiness engagement (not the full assessment, just a readiness review) at week 12 tells you exactly what would fail before you pay for the real thing.
- Level 2 requires a C3PAO third-party assessment for CUI-handling contracts — self-assessment alone will not suffice for most programmes
- Access Control, Audit, and Configuration Management are the three families where most first-time bidders have the largest gaps
- A System Security Plan and POA&M are required outputs — a SPRS score without documentation is a liability
- A 90-day structured sprint covering inventory, gap remediation, and SSP drafting is a realistic first-time preparation timeline