110 Controls Mapped

CMMC COMPLIANCE CHECKLIST

CMMC Level 2 requires your organization to implement all 110 security controls from NIST SP 800-171 before a C3PAO assessment. This checklist maps every control family, explains what assessors look for, and gives you a concrete path from gap assessment to certification. Use it to audit your current posture, prioritize remediation, and track progress toward compliance.

CMMC Registered Provider Org|Entire Team CMMC-RP Certified|24+ Years Experience
CMMC Overview

What Is CMMC and Who Needs It?

The Cybersecurity Maturity Model Certification is the Department of Defense's mandatory cybersecurity framework for defense contractors handling Controlled Unclassified Information.

CMMC 2.0 replaced the original five-tier model with three streamlined levels. Level 1 covers 15 basic safeguarding practices for Federal Contract Information (FCI) and allows annual self-assessment. Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2 and requires a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) for contracts involving CUI. Level 3 adds requirements from NIST SP 800-172 for the most sensitive DoD programs and requires government-led assessments.

Every company in the Defense Industrial Base (DIB) that handles CUI must achieve at least CMMC Level 2 certification before being awarded new DoD contracts. Prime contractors, subcontractors, and suppliers throughout the supply chain are all subject to CMMC requirements. The DoD began including CMMC clauses in contracts starting in 2025, with full rollout across all applicable solicitations by 2028.

The consequences of non-compliance are severe: loss of existing DoD contracts, ineligibility for new awards, and potential False Claims Act liability if you misrepresent your compliance status. The average SPRS score across the DIB is currently negative, meaning most contractors have significant gaps to close before they can pass a C3PAO assessment.

110 Required Controls
14 Control Families
6-18 months Typical Timeline
300K+ DIB Companies Affected

Video Overview

Preparing for Your CMMC Assessment

Watch our overview of the CMMC assessment process, what C3PAOs evaluate, and how to prepare your organization for a successful certification.

CMMC 5-Point Assessment Overview (6:00)


Level 1 Basics

CMMC Level 1 Checklist: 17 FAR 52.204-21 Practices

Level 1 covers Federal Contract Information (FCI) protection through 17 basic safeguarding practices derived from FAR 52.204-21. These are the minimum cybersecurity requirements for any company doing business with the DoD. Level 1 allows annual self-assessment without a C3PAO.

Every organization in the defense supply chain must meet Level 1 at minimum. These 17 practices represent fundamental cyber hygiene that most businesses should already have in place. If your contracts only involve FCI (not CUI), Level 1 self-assessment may be sufficient. However, if you handle any Controlled Unclassified Information, you must achieve Level 2 certification through a C3PAO assessment.

1. Limit system access to authorized users: Only authorized users, processes, and devices may access your information systems.
2. Limit system access to authorized functions: Users may only perform transactions and functions they are authorized to execute.
3. Verify and control external connections: Verify and control connections to external information systems and publicly accessible content.
4. Control publicly posted information: Review and approve information posted on publicly accessible systems before publication.
5. Identify system users: Identify information system users, processes acting on behalf of users, or devices.
6. Authenticate users before access: Authenticate or verify identities of users, processes, or devices before granting system access.
7. Sanitize media before disposal: Sanitize or destroy information system media containing FCI before disposal or release for reuse.
8. Limit physical access: Limit physical access to organizational information systems, equipment, and operating environments.
9. Escort visitors and monitor access: Escort visitors and monitor visitor activity; maintain audit logs of physical access.
10. Control physical access devices: Manage and control physical access devices such as keys, locks, combinations, and card readers.
11. Screen individuals before access: Screen individuals prior to authorizing access to systems containing FCI.
12. Protect communications boundaries: Monitor, control, and protect communications at the external boundary and internal boundaries of systems.
13. Implement subnetwork segmentation: Implement subnetworks for publicly accessible system components separated from internal networks.
14. Identify and remediate flaws: Identify, report, and correct information and information system flaws in a timely manner.
15. Provide malware protection: Provide protection from malicious code at appropriate locations within organizational systems.
16. Update malware protection: Update malicious code protection mechanisms when new releases are available.
17. Perform system and file scans: Perform periodic scans of information systems and real-time scans of files from external sources.

Not Sure Which CMMC Level You Need?

Our CMMC-RP certified team will review your contracts and determine the exact level and scope required for your organization.


Complete Checklist

CMMC Level 2 Compliance Checklist: All 14 Control Families

This checklist covers every NIST 800-171 control family required for CMMC Level 2. Use it to identify gaps, assign remediation owners, and track progress toward your C3PAO assessment.

1. Access Control (AC) — 22 Requirements

The largest control family and the one where most contractors fail. Access control governs who can reach CUI, how they authenticate, and what they can do once inside your systems.

3.1.1 — Limit system access to authorized users: Restrict information system access to authorized users, processes acting on behalf of authorized users, and devices. Implement role-based access control (RBAC) and document every user's access justification.
3.1.2 — Limit system access to permitted transactions and functions: Enforce the principle of least privilege so users can only perform authorized functions. Review access rights quarterly and immediately upon role changes.
3.1.3 — Control CUI flow: Control the flow of CUI in accordance with approved authorizations. Implement data loss prevention (DLP) tools, network segmentation, and approved information exchange methods to prevent unauthorized CUI transfers.
3.1.5 — Employ the principle of least privilege: Authorize access only to the minimum necessary CUI and system functions. Use separate admin accounts, restrict elevated privileges, and audit privileged actions.
3.1.7 — Prevent non-privileged users from executing privileged functions: Prevent non-privileged users from executing privileged functions. Disable local admin rights on workstations and enforce application whitelisting.

2. Awareness and Training (AT) — 3 Requirements

Every person who touches CUI must understand the threats and their responsibilities. Assessors look for documented training programs with attendance records.

3.2.1 — Ensure managers and users are aware of security risks: Provide security awareness training to all personnel at hire and annually. Training must cover CUI handling, phishing recognition, social engineering, password policies, and incident reporting procedures.
3.2.2 — Ensure personnel are trained for security-related duties: Provide role-based training to users with significant security responsibilities: system administrators, incident responders, and security managers. Document specific training content and completion records.
3.2.3 — Provide insider threat awareness: Train all personnel on indicators of insider threat behavior, reporting mechanisms, and the organization's insider threat program. Update training annually with current threat intelligence.

3. Audit and Accountability (AU) — 9 Requirements

Logging is the foundation of accountability. C3PAO assessors will verify that you capture, protect, and regularly review audit records across all CUI-touching systems.

3.3.1 — Create and retain system audit logs: Create and retain system audit records to enable monitoring, analysis, investigation, and reporting. Logs must capture user identity, timestamps, event type, source, and outcome for all CUI system activity.
3.3.2 — Ensure individual accountability: Ensure actions can be traced to individual users. Eliminate shared accounts, enforce unique user IDs, and correlate authentication events with system activity.
3.3.5 — Correlate audit record review and reporting: Deploy a SIEM or centralized log management solution that correlates events across systems. Define alert thresholds for suspicious patterns like multiple failed logins, after-hours access, and privilege escalation.
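The three alert patterns named for 3.3.5 (failed-login bursts, after-hours access, privilege escalation) can be prototyped before a SIEM is tuned. The following is an added example, not code from the page or from Petronella: it parses constructed audit records carrying the 3.3.1 fields (identity, timestamp, event type, source, outcome), applies a threshold per pattern, and raises the severity of a privilege escalation when the same user produced a failed-login burst shortly before it. The log format, the 07:00-19:00 business window, and the five-failures-in-ten-minutes threshold are assumptions for the example, not values from the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (key=value format assumed for this example).
# Each record has the fields 3.3.1 calls for: identity, timestamp, event, source, outcome.
SAMPLE_LOG = """\
2025-03-03T01:58:10Z user=jdoe src=10.0.0.5 event=LOGIN outcome=FAILURE
2025-03-03T01:58:40Z user=jdoe src=10.0.0.5 event=LOGIN outcome=FAILURE
2025-03-03T01:59:05Z user=jdoe src=10.0.0.5 event=LOGIN outcome=FAILURE
2025-03-03T01:59:30Z user=jdoe src=10.0.0.5 event=LOGIN outcome=FAILURE
2025-03-03T02:00:02Z user=jdoe src=10.0.0.5 event=LOGIN outcome=FAILURE
2025-03-03T02:00:45Z user=jdoe src=10.0.0.5 event=LOGIN outcome=SUCCESS
2025-03-03T02:03:12Z user=jdoe src=10.0.0.5 event=PRIV_ESCALATION outcome=SUCCESS
2025-03-03T09:15:00Z user=asmith src=10.0.0.9 event=LOGIN outcome=FAILURE
2025-03-03T09:15:30Z user=asmith src=10.0.0.9 event=LOGIN outcome=SUCCESS
2025-03-03T14:02:00Z user=asmith src=10.0.0.9 event=PRIV_ESCALATION outcome=SUCCESS
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts sorted by timestamp (UTC)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per user when `threshold` LOGIN failures fall inside a sliding `window`."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts, alerted = [], set()
    for e in events:
        if e["event"] != "LOGIN" or e["outcome"] != "FAILURE":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"rule": "failed_login_burst", "user": e["user"],
                           "count": len(q), "first": q[0], "last": e["ts"]})
    return alerts


def after_hours_access(events, start_hour=7, end_hour=19):
    """Successful logins outside the assumed business window (hours are UTC here)."""
    return [{"rule": "after_hours_access", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events
            if e["event"] == "LOGIN" and e["outcome"] == "SUCCESS"
            and not (start_hour <= e["ts"].hour < end_hour)]


def privilege_escalations(events):
    """Every privilege-use event; always worth recording, severity decided by correlation."""
    return [{"rule": "privilege_escalation", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events if e["event"] == "PRIV_ESCALATION"]


def correlate(events, lookback=timedelta(hours=1)):
    """Mark a privilege escalation HIGH when the same user had a failed-login burst
    ending within `lookback` before it; otherwise INFO (routine admin activity)."""
    burst_end = {a["user"]: a["last"] for a in failed_login_bursts(events)}
    findings = []
    for a in privilege_escalations(events):
        end = burst_end.get(a["user"])
        hot = end is not None and timedelta(0) <= a["ts"] - end <= lookback
        findings.append({**a, "severity": "HIGH" if hot else "INFO"})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in failed_login_bursts(evs) + after_hours_access(evs) + correlate(evs):
        print(alert)
```

The per-user deque is the part worth keeping when porting this to SIEM rule syntax: it expresses "N failures within T minutes" without re-scanning the whole log, and the correlation step is what turns three independent alerts into one reviewable finding tied to a single user ID, which is the point of 3.3.2.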

4. Configuration Management (CM) — 9 Requirements

Baseline configurations and change control prevent unauthorized modifications that could expose CUI. Assessors check for documented baselines and active enforcement.

3.4.1 — Establish and maintain baseline configurations: Document and maintain baseline configurations for every information system component. Include hardware, software, firmware, and security settings. Update baselines when changes are approved.
3.4.2 — Establish and enforce security configuration settings: Apply and enforce security configuration settings for all IT products. Use CIS Benchmarks or DISA STIGs as your baseline, scan for deviations, and remediate drift promptly.
3.4.5 — Define and enforce access restrictions for change: Control and restrict physical and logical access to diagnostic and test equipment, and define access restrictions for systems undergoing configuration changes.

5. Identification and Authentication (IA) — 11 Requirements

Multi-factor authentication is mandatory for all remote access and privileged accounts. Weak authentication is one of the top reasons contractors fail their assessment.

3.5.1 — Identify system users and processes: Identify information system users, processes acting on behalf of users, and devices. Maintain a current inventory of all accounts and their associated authorization levels.
3.5.3 — Use multi-factor authentication: Implement MFA for local and network access to privileged accounts, and for all remote network access. Use phishing-resistant authenticators (FIDO2 tokens or push notifications) rather than SMS codes.
3.5.7 — Enforce minimum password complexity: Enforce a minimum password length of 14 characters with complexity requirements. Implement password history, lockout policies, and prevent use of known-compromised passwords.

6. Incident Response (IR) — 3 Requirements

You need a documented and tested incident response plan specifically covering CUI-related incidents. Assessors will ask for evidence of tabletop exercises.

3.6.1 — Establish incident response capabilities: Develop an incident response plan that includes preparation, detection, analysis, containment, eradication, and recovery phases. The plan must address CUI spillage, unauthorized disclosure, and DoD reporting requirements.
3.6.2 — Track, document, and report incidents: Track and document all cybersecurity incidents from detection through resolution. Report cyber incidents involving CUI to the DoD DIBNet portal within 72 hours of discovery.
3.6.3 — Test incident response capabilities: Conduct tabletop exercises or functional tests of your incident response plan at least annually. Document lessons learned and update the plan based on test results and actual incidents.

7. Maintenance (MA) — 6 Requirements

System maintenance must be controlled, documented, and supervised when performed by external parties. Remote maintenance sessions require additional safeguards.

3.7.1 — Perform maintenance on systems: Perform maintenance on organizational systems in a timely manner. Use approved maintenance tools and document all maintenance activities including date, personnel, and components serviced.
3.7.5 — Require MFA for remote maintenance: Require multi-factor authentication for all remote maintenance sessions and terminate the connection when maintenance is complete. Monitor the session in real time when performed by external vendors.
3.7.6 — Supervise external maintenance personnel: Supervise maintenance activities of personnel without required access authorization. Escort external maintenance workers and verify that diagnostic tools brought in do not contain unauthorized software.

8. Media Protection (MP) — 9 Requirements

Any media that stores CUI must be protected throughout its lifecycle: storage, transport, sanitization, and disposal. This includes USBs, backup tapes, and cloud storage.

3.8.1 — Protect system media containing CUI: Restrict access to system media containing CUI to authorized individuals. Store digital media in access-controlled areas and physical media in locked cabinets with access logs.
3.8.3 — Sanitize media before disposal or reuse: Sanitize or destroy system media containing CUI before disposal or release for reuse. Use NIST SP 800-88 guidelines for media sanitization and maintain destruction certificates.
3.8.6 — Implement cryptographic mechanisms for portable media: Implement cryptographic mechanisms to protect CUI stored on digital media during transport. Use FIPS 140-2 validated encryption modules and control the encryption keys.

9. Personnel Security (PS) — 2 Requirements

Personnel security focuses on screening individuals before granting access to CUI and taking prompt action when employees leave or change roles.

3.9.1 — Screen individuals before authorizing access: Screen individuals prior to authorizing access to systems containing CUI. Conduct background checks appropriate to the role, verify employment history, and document clearance status.
3.9.2 — Protect CUI during personnel actions: Ensure CUI and CUI systems are protected during and after personnel actions such as terminations, transfers, and reassignments. Disable accounts within 24 hours of termination and recover all credentials and access devices.

10. Physical Protection (PE) — 6 Requirements

Physical access to facilities and systems that process CUI must be restricted, monitored, and logged. Visitor management is a common gap.

3.10.1 — Limit physical access to authorized individuals: Limit physical access to organizational systems, equipment, and operating environments to authorized individuals. Use badge readers, biometric locks, or key-card systems with audit trails.
3.10.2 — Protect and monitor the physical facility: Protect and monitor the physical facility and support infrastructure. Deploy security cameras, maintain visitor logs, escort all visitors in CUI-processing areas, and conduct periodic walk-throughs.
3.10.6 — Enforce safeguarding measures at alternate work sites: Enforce safeguarding measures for CUI at alternate work sites including home offices and remote locations. Provide VPN access, require encrypted drives, and prohibit CUI on personal devices.

11. Risk Assessment (RA) — 3 Requirements

Risk assessments are the foundation of your entire security program. Assessors expect current, documented risk assessments with prioritized findings and active remediation.

3.11.1 — Periodically assess organizational risk: Periodically assess the risk to organizational operations, assets, and individuals resulting from CUI processing, storage, and transmission. Update the risk assessment when significant changes occur or at least annually.
3.11.2 — Scan for vulnerabilities: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities are identified. Run authenticated scans at least quarterly and penetration tests annually.
3.11.3 — Remediate vulnerabilities in a timely manner: Remediate vulnerabilities in accordance with risk assessments. Establish a defined remediation timeline: critical within 15 days, high within 30 days, medium within 90 days, and low within 180 days.

12. Security Assessment (CA) — 4 Requirements

Internal assessments and continuous monitoring ensure your controls remain effective between C3PAO assessments. This is where your System Security Plan lives.

3.12.1 — Assess security controls periodically: Periodically assess the security controls in organizational systems to determine if they are effective. Conduct internal assessments at least annually using the NIST 800-171A assessment procedures.
3.12.2 — Develop and implement Plans of Action: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities. POA&Ms must include milestones, responsible parties, estimated completion dates, and resource requirements.
3.12.4 — Develop and update a System Security Plan: Develop, document, and maintain a System Security Plan (SSP) that describes the system boundary, operating environment, security requirements, and how each of the 110 controls is implemented or planned. The SSP is the single most important document for your C3PAO assessment.

13. System and Communications Protection (SC) — 16 Requirements

The second-largest control family covers network boundary protection, CUI encryption, session management, and cryptographic key management. This is where CUI enclaves are defined.

3.13.1 — Monitor and protect communications at system boundaries: Monitor, control, and protect communications at external and key internal boundaries. Deploy firewalls, intrusion detection/prevention systems, and web application firewalls at every CUI boundary.
3.13.8 — Implement cryptographic mechanisms to prevent unauthorized disclosure: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission. Use TLS 1.2 or higher with FIPS 140-2 validated encryption for all CUI data in transit.
3.13.11 — Employ FIPS-validated cryptography: Employ FIPS-validated cryptography when used to protect CUI. Ensure all encryption implementations use FIPS 140-2 or FIPS 140-3 validated cryptographic modules, not just FIPS-compliant algorithms.
3.13.16 — Protect CUI at rest: Protect the confidentiality of CUI at rest using encryption. Implement full-disk encryption on all endpoints and database-level encryption for CUI stored in applications and file servers.

14. System and Information Integrity (SI) — 7 Requirements

The final family covers flaw remediation, malware protection, security monitoring, and ensuring the integrity of your CUI processing systems.

3.14.1 — Identify and remediate flaws in a timely manner: Identify, report, and correct information system flaws in a timely manner. Establish a patch management program that applies critical security updates within 14 days and all others within 30 days.
3.14.2 — Provide malware protection: Provide protection from malicious code at appropriate locations within organizational systems. Deploy endpoint detection and response (EDR) solutions on all systems, keep signatures current, and enable real-time scanning.
3.14.6 — Monitor systems for unauthorized access: Monitor organizational systems including inbound and outbound traffic to detect attacks and indicators of compromise. Deploy a managed detection and response solution or 24/7 SOC monitoring for continuous coverage.
3.14.7 — Identify unauthorized use of systems: Identify unauthorized use of organizational systems. Correlate audit records, network traffic, and user behavior analytics to detect anomalous patterns that indicate compromise or policy violations.

Advanced Controls

CMMC Level 3: NIST 800-172 Enhanced Requirements

Level 3 adds 24 enhanced security requirements from NIST SP 800-172 for organizations handling the most sensitive CUI in critical DoD programs. Level 3 requires a government-led assessment by the Defense Contract Management Agency (DCMA).

CMMC Level 3 is reserved for contractors working on the most sensitive defense programs where CUI compromise would pose a significant national security risk. To pursue Level 3, your organization must first achieve and maintain Level 2 certification. The additional 24 requirements from NIST SP 800-172 focus on defending against Advanced Persistent Threats (APTs) and nation-state actors. These controls go beyond standard cybersecurity hygiene into active threat hunting, penetration-resistant architecture, and automated incident response.

Unlike Level 2 where a C3PAO conducts the assessment, Level 3 assessments are led by the government (DCMA DIBCAC). The assessment is more rigorous, evaluating not just policy documentation but demonstrating that controls can withstand sophisticated attack scenarios. Most defense contractors do not need Level 3; it applies primarily to programs involving intelligence, weapons systems, and classified-adjacent information.

Penetration-Resistant Architecture

Design systems to limit damage from APT intrusions using micro-segmentation, zero-trust architecture, and diversity in system components to prevent single-exploit lateral movement.

Threat Hunting Operations

Conduct proactive threat hunting activities across organizational systems. Employ threat intelligence, behavioral analytics, and anomaly detection to identify adversaries already inside the network.

Automated Incident Response

Implement automated mechanisms to support incident analysis, containment, and recovery. SOAR platforms and automated playbooks are expected for rapid response to detected threats.

Supply Chain Risk Management

Assess supply chain risks and implement controls to reduce exposure from compromised vendors, software dependencies, and hardware components in CUI processing environments.

Dual Authorization

Implement dual authorization for critical or sensitive operations. No single individual should be able to execute high-impact actions on CUI systems without approval from a second authorized person.

Enhanced Monitoring

Deploy enhanced monitoring capabilities including network traffic analysis, user behavior analytics, and real-time correlation of security events across all CUI system boundaries.

Level 3 cost and timeline: Organizations pursuing Level 3 should expect total investment of $500,000 to $2 million or more, depending on existing security maturity and system complexity. Timeline ranges from 18 to 36 months. Because DCMA DIBCAC conducts the assessment rather than a commercial C3PAO, scheduling depends on government availability and program priority. Organizations considering Level 3 should engage with their contracting officer and a qualified consultant early. Petronella Technology Group's CMMC consulting team can evaluate whether Level 3 applies to your contracts and develop a phased roadmap.


Assessment Timeline

CMMC Certification Timeline

Most defense contractors need 6 to 18 months to go from initial gap assessment to passing their C3PAO assessment. Here is the typical path.

1. Gap Assessment (Month 1-2). Evaluate your current posture against all 110 controls. Calculate your SPRS score. Identify every gap and prioritize remediation.

2. SSP and POA&M (Month 2-4). Develop your System Security Plan documenting how each control is implemented. Create Plans of Action and Milestones for open items.

3. Remediation (Month 3-12). Close gaps identified in your assessment. Deploy technical controls, update policies, train personnel, and implement monitoring systems.

4. C3PAO Assessment (Month 9-18). Engage a C3PAO for your formal assessment. Provide evidence, support interviews, and demonstrate control implementation across all 14 families.

Organizations with mature security programs and existing compliance documentation (ISO 27001, SOC 2, FedRAMP) can often complete the process in 6 to 9 months. Those starting from scratch with minimal security infrastructure should plan for 12 to 18 months. The single biggest factor affecting timeline is the size and complexity of your CUI boundary. A CMMC gap assessment provides a realistic timeline estimate based on your specific environment.


Cost of Non-Compliance

What Happens If You Fail CMMC?

The consequences of CMMC non-compliance extend far beyond a failed assessment. Defense contractors that cannot demonstrate compliance face a cascade of business impacts that threaten their viability as government contractors.

Loss of DoD contracts: Without CMMC certification at the required level, your organization cannot bid on or be awarded contracts that require CUI handling. For many defense contractors, DoD work represents 50-80% of their revenue. Losing eligibility means losing the core of your business.

Supply chain exclusion: Prime contractors are increasingly requiring CMMC compliance from their subcontractors before the DoD mandate takes full effect. Even if your specific contract does not yet require CMMC, your prime may drop you in favor of a certified competitor.

False Claims Act exposure: If you self-attested compliance on SPRS and later fail your C3PAO assessment, you could face False Claims Act liability. Recent DOJ settlements in cybersecurity fraud cases have reached tens of millions of dollars. The DOJ's Civil Cyber-Fraud Initiative specifically targets contractors who misrepresent their cybersecurity posture.

Competitive disadvantage: Contractors that achieve CMMC certification early gain a significant competitive advantage. They can bid on contracts that non-certified competitors cannot, and they demonstrate to primes that they take CUI protection seriously.

Incident liability: A data breach involving CUI when your organization is not compliant dramatically increases your legal exposure. Without documented controls and incident response procedures, the financial and reputational damage from a breach is amplified.


Budget Planning

CMMC Certification Cost Breakdown

Understanding the full cost of CMMC certification helps you budget accurately and avoid surprises. Costs vary significantly based on your current security posture, organization size, and the scope of your CUI boundary.

| Cost Category | Level 1 (Self-Assessment) | Level 2 (C3PAO) | Level 3 (Government-Led) |
|---|---|---|---|
| Gap Assessment | $5,000 - $15,000 | $15,000 - $50,000 | $50,000 - $100,000 |
| SSP and POA&M Development | $2,000 - $8,000 | $10,000 - $40,000 | $25,000 - $75,000 |
| Technical Remediation | $5,000 - $25,000 | $50,000 - $300,000+ | $200,000 - $1,000,000+ |
| Policy and Procedure Development | $3,000 - $10,000 | $15,000 - $50,000 | $30,000 - $80,000 |
| Security Awareness Training | $1,000 - $5,000 | $5,000 - $20,000 | $10,000 - $30,000 |
| Formal Assessment Fee | $0 (self-assessment) | $50,000 - $150,000 | Government-scheduled |
| Ongoing Annual Compliance | $5,000 - $15,000/yr | $30,000 - $100,000/yr | $75,000 - $250,000/yr |
| Total Estimated Range | $20,000 - $75,000 | $100,000 - $500,000+ | $500,000 - $2,000,000+ |

How to reduce costs: The single most effective cost reduction strategy is minimizing your CUI boundary through a dedicated CUI enclave. By isolating CUI processing into a segmented environment, you reduce the number of systems, users, and controls subject to assessment. Organizations that implement CUI enclaves typically reduce total remediation costs by 40-60%. Petronella deploys proven enclave architectures that have successfully passed C3PAO assessments. Contact us for a cybersecurity assessment to determine the optimal boundary for your organization.

Hidden costs to plan for: Budget for SIEM/log management solutions ($12,000-$60,000/year), endpoint detection and response tools ($5-$15 per endpoint/month), vulnerability scanning licenses, MFA tokens or licenses, encrypted backup solutions, and the internal staff time required for documentation and evidence gathering. Many contractors underestimate the ongoing monitoring and maintenance costs that continue after initial certification.


SPRS Scoring

How to Calculate Your SPRS Score

The Supplier Performance Risk System (SPRS) score quantifies your compliance with NIST SP 800-171. Every defense contractor must submit their score to the DoD before bidding on contracts. Understanding your score is the first step toward CMMC readiness.

Your SPRS score starts at 110 (full compliance with all 110 NIST 800-171 requirements) and is reduced by the weighted value of each unmet requirement. Each of the 110 security requirements has a point value of 1, 3, or 5 based on its security impact. A perfect score is 110. The minimum acceptable score for contract award is -203, which represents having zero controls implemented. The DoD uses your SPRS score to evaluate supply chain risk, and contracting officers can see your score when evaluating bids.

How scoring works: Requirements weighted at 5 points are the most critical (examples: MFA implementation, access control enforcement, encryption of CUI). Requirements weighted at 3 points are significant but less impactful. Requirements weighted at 1 point address supporting controls. If a requirement is NOT MET and has no POA&M, you lose the full point value. If a requirement is NOT MET but has a valid POA&M, the point deduction still applies to your current score but demonstrates a path to compliance.

| SPRS Score Range | What It Means | Action Required |
|---|---|---|
| 110 | Full compliance with all NIST 800-171 controls | Ready for C3PAO assessment. Maintain and monitor. |
| 90 to 109 | Minor gaps, mostly low-weight controls missing | Close remaining gaps. 2-4 months to assessment readiness. |
| 70 to 89 | Moderate gaps, some critical controls missing | Focused remediation on 5-point controls first. 4-8 months. |
| 30 to 69 | Significant gaps across multiple control families | Comprehensive remediation program needed. 8-14 months. |
| Below 30 | Major deficiencies, most controls not implemented | Full security program build-out required. 12-18 months. |
| Negative score | Critical controls missing, high supply chain risk | Immediate action required. Consider CUI enclave to reduce scope. |
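The scoring rule described above (start at 110, subtract the 1-, 3- or 5-point weight of every requirement that is NOT MET, with an open POA&M still deducting the full weight) is simple enough to compute yourself before submitting to SPRS. The following is an added worked example, not code from the page or from Petronella. The requirement weights in `SAMPLE_WEIGHTS` are constructed for the example and are not the DoD Assessment Methodology table; substitute the real weights before using this on your own findings. The readiness bands follow the table above.

```python
from dataclasses import dataclass

MAX_SCORE = 110          # every NIST SP 800-171 requirement met
MIN_SCORE = -203         # the page's floor: nothing implemented (the real weights sum to 313)
VALID_WEIGHTS = {1, 3, 5}

# Constructed, illustrative weights for a handful of requirement IDs. NOT the official
# DoD table; replace with the values from the NIST SP 800-171 Assessment Methodology.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.2.1": 1, "3.3.1": 3, "3.5.3": 5, "3.13.11": 5,
}


@dataclass(frozen=True)
class Finding:
    req_id: str
    met: bool
    poam: bool = False   # an open POA&M does not reduce the deduction, only documents a path


def sprs_score(weights, findings):
    """Return the SPRS score for a complete set of findings against `weights`.

    Every requirement in `weights` must be reported exactly once; silent gaps are how
    overscoring happens, so missing or duplicate IDs raise instead of being guessed."""
    bad = {r: w for r, w in weights.items() if w not in VALID_WEIGHTS}
    if bad:
        raise ValueError(f"weights must be 1, 3 or 5: {bad}")
    seen = set()
    deduction = 0
    for f in findings:
        if f.req_id not in weights:
            raise ValueError(f"unknown requirement {f.req_id}")
        if f.req_id in seen:
            raise ValueError(f"requirement {f.req_id} reported twice")
        seen.add(f.req_id)
        if not f.met:
            deduction += weights[f.req_id]   # POA&M or not, the full weight comes off
    missing = set(weights) - seen
    if missing:
        raise ValueError(f"unassessed requirements: {sorted(missing)}")
    return MAX_SCORE - deduction


def readiness_band(score):
    """Map a score to the (range, action) row of the readiness table."""
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside {MIN_SCORE}..{MAX_SCORE}")
    if score == 110:
        return ("110", "Ready for C3PAO assessment. Maintain and monitor.")
    if score >= 90:
        return ("90 to 109", "Close remaining gaps. 2-4 months to assessment readiness.")
    if score >= 70:
        return ("70 to 89", "Focused remediation on 5-point controls first. 4-8 months.")
    if score >= 30:
        return ("30 to 69", "Comprehensive remediation program needed. 8-14 months.")
    if score >= 0:
        return ("Below 30", "Full security program build-out required. 12-18 months.")
    return ("Negative score", "Immediate action required. Consider CUI enclave to reduce scope.")


def remediation_priority(weights, findings):
    """Unmet requirements as (req_id, weight, has_poam), heaviest first: closing a single
    5-point control recovers as much score as five 1-point controls."""
    gaps = [(f.req_id, weights[f.req_id], f.poam) for f in findings if not f.met]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


if __name__ == "__main__":
    # Constructed sample assessment: MFA not implemented, two smaller gaps on a POA&M.
    sample = [
        Finding("3.1.1", True), Finding("3.1.2", True),
        Finding("3.2.1", False, poam=True), Finding("3.3.1", False, poam=True),
        Finding("3.5.3", False), Finding("3.13.11", True),
    ]
    s = sprs_score(SAMPLE_WEIGHTS, sample)
    print(s, readiness_band(s), remediation_priority(SAMPLE_WEIGHTS, sample))
```

Two design choices matter in practice: the function refuses incomplete or duplicated findings rather than defaulting unreported requirements to MET, because a defaulted "met" is exactly the overscoring the page warns about, and the priority list sorts by weight so that the 5-point items (MFA, FIPS-validated cryptography) surface first, which is also the order the readiness table recommends.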

Where to submit your score: SPRS scores are submitted through the SPRS application at sprs.csd.disa.mil. You must have a valid CAGE code, a DUNS/UEI number, and an active SAM.gov registration. The score must be updated whenever your security posture changes materially, and at minimum every three years for Level 1 self-assessments or when the assessment is triennial.

Common SPRS mistakes: The most frequent error is overscoring: claiming controls as implemented when the evidence would not satisfy a C3PAO assessor. A policy document alone does not mean the control is implemented. You need evidence of consistent execution, such as access review logs, training records, vulnerability scan reports, and incident response test results. Petronella's CMMC gap assessment provides an independently validated SPRS score you can submit with confidence.


POA&M Guidance

Plan of Action and Milestones (POA&M) for CMMC

A POA&M documents how your organization plans to remediate security gaps. Under CMMC 2.0, POA&Ms have specific rules about what gaps are acceptable and the timeline for closure.

Under CMMC 2.0, a limited number of security requirements can remain open with an active POA&M at the time of your C3PAO assessment. However, there are important restrictions. Not all 110 controls are eligible for POA&M treatment. Controls deemed critical by the DoD must be fully implemented before the assessment. Your C3PAO will evaluate whether open POA&M items represent a reasonable remediation path or a fundamental security gap.

POA&M requirements under CMMC 2.0:

180-Day Closure Requirement

All POA&M items must be closed within 180 days of your conditional certification. If you fail to close them within this window, your certification is revoked. This means your remediation plan must be realistic and adequately resourced before you engage the C3PAO.

Prohibited POA&M Items

Certain high-weight security requirements cannot be placed on a POA&M. These include controls related to multi-factor authentication (3.5.3), FIPS-validated encryption (3.13.11), and other requirements the DoD considers essential to CUI protection. If these are not implemented, you will not receive even a conditional certification.

What a Good POA&M Contains

Each POA&M entry must include: the specific NIST 800-171 requirement number, a description of the weakness, the planned corrective action, required resources (budget and personnel), a responsible individual, milestones with specific dates, the estimated completion date, and the current status. Vague POA&Ms are a red flag for assessors.

POA&M Scoring Impact

Controls on a POA&M still count as "NOT MET" in your SPRS score calculation. Your score reflects your current implementation status, not your planned status. This means your SPRS score may be lower than expected until all POA&M items are fully closed and verified.

Petronella recommends closing as many gaps as possible before engaging a C3PAO. While POA&Ms provide flexibility, relying on them increases risk. If your 180-day remediation timeline slips, you lose your conditional certification and must start the assessment process over. Our CMMC remediation services help contractors close gaps efficiently using proven playbooks and automated compliance monitoring. For more on building effective security training programs, see our NIST 800-50 training blueprint.


Assessment Types

Self-Assessment vs. C3PAO Assessment: Which Do You Need?

CMMC 2.0 offers two assessment paths depending on your required level and the sensitivity of the CUI you handle. Understanding which path applies to your contracts determines your cost, timeline, and preparation requirements.

Self-Assessment (Level 1)

  • Applies to Level 1 (FCI only, 15 practices)
  • Annual self-assessment by your organization
  • No third-party assessment required
  • Affirmed by senior company official
  • Results submitted to SPRS
  • Lower cost: $20,000 - $75,000 total
  • Faster timeline: 2-6 months typical

C3PAO Assessment (Level 2)

  • Required for Level 2 (CUI, 110 controls)
  • Certified C3PAO conducts on-site assessment
  • Assessors interview staff and review evidence
  • 3-year certification validity
  • Annual affirmation required between assessments
  • Higher cost: $100,000 - $500,000+ total
  • Longer timeline: 6-18 months typical

How to determine your required level: Review your active and target contracts for DFARS clause 252.204-7021 (CMMC requirement). The contract will specify the required CMMC level. If your contracts reference DFARS 252.204-7012 (Safeguarding Covered Defense Information), you are handling CUI and will need Level 2. If you only have FAR 52.204-21 requirements, Level 1 self-assessment is sufficient. When in doubt, ask your contracting officer or prime contractor for clarification.

A note on Level 2 self-assessment: A limited number of Level 2 contracts will allow self-assessment rather than C3PAO assessment, but only for programs that do not involve critical national security information. The DoD will specify in the contract solicitation whether a self-assessment or C3PAO assessment is required. Petronella recommends preparing for C3PAO assessment regardless, as it demonstrates stronger commitment to security and positions you for contracts that require it. Defense contractors in Raleigh and Durham can schedule an in-person consultation with our team.


Petronella CMMC Services

How Petronella Helps You Get Certified

Petronella Technology Group is a CMMC Registered Provider Organization (RPO) with an entire team of CMMC-RP certified practitioners. We guide defense contractors from initial assessment through successful C3PAO certification.

Our CMMC engagement follows a proven process: comprehensive gap assessment with validated SPRS scoring, SSP and POA&M development, hands-on remediation support, mock assessments that mirror the C3PAO methodology, and ongoing compliance monitoring using AI-powered automation. We have served clients since 2002, and our team includes Craig Petronella (CMMC-RP, CCNA, CWNE, DFE #604180) along with Blake Rea, Justin Summers, and Jonathan Wood, all CMMC-RP certified.


FAQ

CMMC Compliance Checklist FAQ

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 covers 15 basic safeguarding practices from FAR 52.204-21 and applies to organizations handling only Federal Contract Information (FCI). It allows annual self-assessment. Level 2 maps to all 110 NIST SP 800-171 security requirements and applies to organizations handling Controlled Unclassified Information (CUI). Level 2 requires a third-party assessment by a certified C3PAO. The jump from Level 1 to Level 2 is substantial, requiring significantly more documentation, technical controls, and organizational processes. Learn more in our CMMC levels explained guide.

How much does CMMC Level 2 certification cost?

Total cost ranges from $100,000 to $500,000+ depending on organizational size, current security posture, and scope of CUI processing. A gap assessment typically costs $15,000 to $50,000. Remediation is the largest variable, ranging from $50,000 for organizations with mature security to $300,000+ for those starting from scratch. The C3PAO assessment itself costs $50,000 to $150,000. CUI enclave solutions can significantly reduce total cost by minimizing the assessment boundary. Petronella's gap assessment provides a detailed cost estimate specific to your environment.

How long does it take to achieve CMMC Level 2 certification?

Most organizations need 6 to 18 months from initial gap assessment to passing the C3PAO assessment. Organizations with existing compliance programs (ISO 27001, SOC 2, or FedRAMP) and documented security policies can often complete in 6 to 9 months. Those building security programs from the ground up should plan for 12 to 18 months. The biggest factors affecting timeline are the size of your CUI boundary, current SPRS score, and available internal resources.

What is a System Security Plan (SSP) and do I need one?

A System Security Plan is the foundational document for your CMMC assessment. It describes your information system boundary, the operating environment, how you implement each of the 110 NIST 800-171 controls, and the connections to other systems. Every organization pursuing CMMC Level 2 must have a complete, current SSP. It is literally the first document your C3PAO will request. Petronella develops SSPs using the DoD-recommended format and populates each control with specific evidence of your implementation.

Can I use a CUI enclave to reduce my CMMC scope?

Yes. A CUI enclave is a segmented network environment specifically designed for processing, storing, and transmitting CUI. By isolating CUI in a dedicated enclave, you reduce the number of systems that fall within your CMMC assessment boundary. This can dramatically reduce both the cost and timeline for certification. The enclave must be properly segmented with documented data flows, and users who access the enclave must still meet all 110 requirements within that boundary. Petronella deploys CUI enclaves using proven architectures that have successfully passed C3PAO assessments.

What happens if my organization fails the C3PAO assessment?

If you do not pass, you receive a report detailing the specific controls that were not met. You can remediate the findings and request a reassessment, but you will need to pay for the reassessment. During the gap period, you cannot be awarded new contracts requiring CMMC at that level. This is why Petronella recommends conducting a thorough gap assessment and mock assessment before engaging a C3PAO, so you identify and close all gaps before the formal assessment begins.

What is an SPRS score and how do I calculate mine?

The Supplier Performance Risk System (SPRS) score measures your implementation of NIST SP 800-171 using the DoD Assessment Methodology. It starts at 110 (every requirement met) and is reduced by the weighted value (1, 3, or 5 points) of each requirement that is not met; requirements sitting on a POA&M still count as not met. The minimum possible score is -203. Under DFARS 252.204-7019 a current score must be on file in SPRS at sprs.csd.disa.mil before you can be awarded a DoD contract that carries the clause. Petronella provides independently validated SPRS scoring as part of our gap assessment so you submit an accurate score that reflects reality.
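As an added example (not part of this checklist and not a DoD or SPRS tool), the Python script below carries the scoring arithmetic from this answer and the POA&M rules from the POA&M Guidance section above through a constructed assessment: it subtracts the Methodology weight of every unmet requirement, treats POA&M items as NOT MET, applies the reduced 3-point deductions for 3.5.3 and 3.13.11, and checks the Conditional-certification conditions of 32 CFR 170.21. The WEIGHTS table is a constructed subset of the 110 requirements, the `NEVER_ON_POAM` list names only the three requirements quoted on this page, and the sample findings are invented; a real score needs the full Annex A weight table from the NIST SP 800-171 DoD Assessment Methodology.

```python
"""SPRS score and CMMC Level 2 POA&M eligibility check (added example)."""
from dataclasses import dataclass

PERFECT_SCORE = 110        # every requirement MET
TOTAL_REQUIREMENTS = 110
POAM_MIN_RATIO = 0.8       # 32 CFR 170.21: score / 110 must be >= 0.8 (i.e. >= 88)

# Constructed SUBSET of the 110 requirements with their Assessment Methodology
# weights. A real run needs the full Annex A table; this is for illustration.
WEIGHTS = {
    "3.1.1": 5,    # AC: limit system access to authorized users
    "3.1.9": 1,    # AC: privacy and security notices
    "3.1.20": 1,   # AC: verify and control connections to external systems
    "3.1.22": 1,   # AC: control CUI posted on publicly accessible systems
    "3.3.1": 5,    # AU: create and retain system audit logs
    "3.5.3": 5,    # IA: multifactor authentication
    "3.13.11": 5,  # SC: FIPS-validated cryptography for CUI
    "3.14.1": 5,   # SI: identify, report and correct system flaws
}

# Reduced deduction (3 instead of 5) when 3.5.3 covers remote and privileged
# users but not general users, or when 3.13.11 encrypts without FIPS validation.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Requirements this page names as never POA&M-eligible (32 CFR 170.21 lists
# a few more; check the current rule text for the complete set).
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.12.4"}

# The only requirement allowed on a POA&M with a deduction above 1, and only at 3.
POAM_EXCEPTION_AT_THREE = {"3.13.11"}

MET, NOT_MET, PARTIAL = "MET", "NOT_MET", "PARTIAL"


@dataclass(frozen=True)
class Finding:
    requirement: str      # NIST SP 800-171 identifier, e.g. "3.5.3"
    status: str           # MET, NOT_MET, or PARTIAL (3.5.3 / 3.13.11 only)
    on_poam: bool = False # an open POA&M entry is still NOT MET for scoring


def deduction(f: Finding) -> int:
    """Points subtracted for one finding."""
    if f.status == MET:
        return 0
    if f.status == PARTIAL:
        if f.requirement not in PARTIAL_CREDIT:
            raise ValueError(f"{f.requirement} has no partial-credit option")
        return PARTIAL_CREDIT[f.requirement]
    if f.requirement not in WEIGHTS:
        raise ValueError(f"no weight known for {f.requirement}")
    return WEIGHTS[f.requirement]


def sprs_score(findings) -> int:
    """110 minus the weight of every unmet requirement, POA&M or not.
    Requirements absent from `findings` are assumed MET."""
    return PERFECT_SCORE - sum(deduction(f) for f in findings)


def level2_outcome(findings):
    """Return (outcome, score, reasons) for a C3PAO Level 2 assessment:
    FINAL, CONDITIONAL (open items on a rule-compliant POA&M), NOT CERTIFIED,
    or NOT ASSESSABLE when there is no System Security Plan (3.12.4)."""
    if any(f.requirement == "3.12.4" and f.status != MET for f in findings):
        return "NOT ASSESSABLE", None, ["no System Security Plan (3.12.4)"]
    score = sprs_score(findings)
    open_items = [f for f in findings if f.status != MET]
    if not open_items:
        return "FINAL", score, []
    reasons = []
    if score / TOTAL_REQUIREMENTS < POAM_MIN_RATIO:
        reasons.append(f"score {score} is below the 80% threshold (88)")
    for f in open_items:
        if not f.on_poam:
            reasons.append(f"{f.requirement} is NOT MET and not on the POA&M")
            continue
        if f.requirement in NEVER_ON_POAM:
            reasons.append(f"{f.requirement} may never be placed on a POA&M")
        d = deduction(f)
        if d > 1 and not (f.requirement in POAM_EXCEPTION_AT_THREE and d == 3):
            reasons.append(f"{f.requirement} ({d} points) is not POA&M-eligible")
    return ("NOT CERTIFIED" if reasons else "CONDITIONAL"), score, reasons


# Constructed sample assessments (not real client data).
CONDITIONAL_CASE = [
    Finding("3.1.1", MET),
    Finding("3.1.9", NOT_MET, on_poam=True),     # 1 point, allowed on POA&M
    Finding("3.13.11", PARTIAL, on_poam=True),   # non-FIPS crypto, scored at 3
]
INELIGIBLE_CASE = [
    Finding("3.1.20", NOT_MET, on_poam=True),    # never POA&M-eligible
    Finding("3.5.3", PARTIAL, on_poam=True),     # 3 points, but not the exception
    Finding("3.13.11", NOT_MET, on_poam=True),   # 5 points, exception needs 3
]

if __name__ == "__main__":
    for name, case in (("conditional", CONDITIONAL_CASE), ("ineligible", INELIGIBLE_CASE)):
        print(name, level2_outcome(case))
```

Running the script prints `('CONDITIONAL', 106, [])` for the first case and `('NOT CERTIFIED', 101, [...])` with three reasons for the second: a score comfortably above 88 does not help when a single 5-point item or an excluded requirement sits on the POA&M, which is why the page recommends closing those before the C3PAO arrives.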

What is a POA&M and how many open items can I have?

A Plan of Action and Milestones (POA&M) documents specific security gaps and your plan to remediate them. Under CMMC 2.0, you can receive a Conditional Level 2 certification with open POA&M items only if your assessment score is at least 88 of 110 and every open item is POA&M-eligible; all items must then be closed within 180 days and verified by the C3PAO. Requirements weighted 3 or 5 points, multi-factor authentication (3.5.3) among them, cannot be placed on a POA&M; FIPS-validated encryption (3.13.11) is the one exception, and only when encryption is in use but not FIPS-validated. Each POA&M entry must include the specific requirement, corrective action, responsible party, milestones, and estimated completion date. Our remediation team helps contractors close POA&M items efficiently.

When do CMMC requirements take effect for DoD contracts?

The DoD began including CMMC clauses in select contracts in 2025 through a phased rollout. By 2028, all applicable DoD solicitations and contracts involving CUI will require CMMC certification at the appropriate level. However, many prime contractors are already requiring CMMC compliance from subcontractors ahead of the official mandate. Organizations that start the certification process now will be positioned to bid on contracts as requirements expand across the defense industrial base. Download our 2026 compliance guide for the latest enforcement timeline.

Start Your CMMC Compliance Journey

Our CMMC-RP certified team has helped defense contractors across North Carolina prepare for and pass their C3PAO assessments. Get a gap assessment and know exactly where you stand.