Recapping CMMC Level 2: Considerations for Government Contractors

Go-To Guide:

Starting Nov. 10, 2025, contractors and subcontractors handling controlled unclassified information (CUI) may be required to have a current CMMC Level 2 self-assessment for new contracts and option exercises involving CUI.
Some contractors and subcontractors may even be required to have a certified third-party Level 2 assessment during the first year.
CMMC Level 2 is bifurcated between self- and third-party assessments against the controls in NIST SP 800-171 rev. 2. Of the contractors that will need to obtain Level 2 status, very few will be able to rely on a self-assessment.
To meet the Level 2 requirements, a company must implement certain baseline security controls, have a minimum assessment score of 80%, and annually affirm compliance with the Level 2 security controls.
While a company may have a “conditional” status based on partially implemented controls and a Plan of Action and Milestones (POAM) for some controls, any unimplemented controls and POAMs must be closed within 180 days of the conditional CMMC status.

On Sept. 10, 2025, the Department Defense (DoD) issued a final rule amending the Defense Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program for government contractors. This final rule established a Nov. 10, 2025, go-live date for the start of phase 1 of CMMC. As we covered in our prior GT Alerts, under the four-phased implementation approach, the focus will be on Level 1 and Level 2 self-assessments in the first year; Level 2 third-party certifications in the second year; Level 3 certifications in the third year; and all contracts and solicitations will include CMMC requirements in the fourth year.

We have previously discussed Level 1. This GT Alert addresses Level 2, which applies to contractors and subcontractors with information systems that store, process, or transmit controlled unclassified information (CUI). Depending on the contract requirements, Level 2 may be achieved through a self-assessment against the applicable security controls or certification by an authorized third-party to assess the implementation of the controls.

Beginning on Nov. 10, contractors and subcontractors may see CMMC requirements in solicitations, contracts, and option exercises. While the initial Phase 1 period contemplates only the implementation of self-assessment requirements for Level 1 and Level 2, DoD retains discretion to require Level 2 third-party assessments for some programs involving CUI.

CMMC Level 2 Application

CMMC Level 2 focuses on safeguarding CUI, which is generally non-public information the government creates or possesses, or which an entity creates or possesses for or on behalf of the government, that requires safeguarding or dissemination controls because of the sensitive nature of the information. CUI is defined by the National Archives and Records Administration (NARA), which has established 20 organizational categories of information that constitute CUI, including defense information.1 Generally, CUI will be marked or otherwise identified in a contract to enable a contractor to identify when it has such information in its possession.

Level 2 is bifurcated into self-assessments and third-party assessments that a certified assessment organization (C3PAO) conducts. For contractors handling CUI that falls under the Defense Organizational Index Grouping of NARA’s registry, which will be many DoD contractors, C3PAO certification is the minimum assessment requirement, meaning self-assessments would be insufficient. Overall, DoD anticipates that approximately 37% of the Defense Industrial Base will need to obtain a Level 2 status, with 35% being required to obtain a certified third-party assessment and just 2% able to rely on a self-assessment. Subcontractors that handle CUI where the prime contract has a C3PAO assessment requirement will also have to obtain a C3PAO assessment.

CMMC Level 2 Requirements

Assessments

CMMC Level 2 requires an assessment every three years. The CMMC Accreditation Body authorizes C3PAOs to perform Level 2 assessments. Both types of Level 2 assessments are conducted against the 110 security controls in NIST SP 800-171 rev. 2 using the assessment methodology in NIST SP 800-171A and the CMMC Assessment guidance.

At the outset, all company information systems that store, process, transmit, or receive CUI must be included in the assessment. Assets that store, process, or transmit CUI but are unable to be fully secured, such as internet of things or operational technologies, are considered “specialized assets” that must be documented in the asset inventory, SSP, and network diagram, even though they are not assessed against the Level 2 security controls.

The assessments are conducted using evidence and documentation demonstrating that a company has met all of the security controls. If a company has not fully implemented a security control, it may be granted a conditional Level 2 status so long as it has implemented all the required baseline controls, achieved a score of at least 80%, and has POAMs in place that will be closed in 180 days. Once an entity has fully implemented all required controls and closed out all POAMs, it will achieve a Level 2 Final status.

If an entity is self-assessing, the score will be reported to the Supplier Performance Risk System (SPRS) by the entity conducting the assessment. If the entity receives a C3PAO assessment, the Level 2 certification assessment results will be posted by the C3PAO into the Enterprise Mission Assurance Support Service (eMASS).

Ongoing Compliance

In addition to the assessment, each year, a senior official of the company must provide affirmation of continuing compliance with the specified security controls. Affirmations are required after the conduct of the initial assessment, POAM closeout, and annually thereafter. The affirmations are stored in SPRS and must be entered by both primes and subcontractors alike. The affirming official must be a senior official responsible for ensuring the entity’s compliance with CMMC Program requirements and have the authority to attest to the company’s continued compliance with all applicable security requirements. Companies are required to retain records of their self or C3POA assessments for at least six years from the date the CMMC status is obtained for each assessment.

Certification expenses vary based on a business’ size and the type of assessment. DoD does not consider the costs of implementing the controls as part of the Level 2 costs, but only the costs of preparing for and conducting the assessment, reporting the score, and making the annual affirmation. DoD views the cost of implementing the controls are part of the requirements under DFARS 252.204-7012, which has been required for contractors and subcontractors possessing CUI since 2018.

For self-assessments, it is estimated that every three years, a business other than a small business may invest $40,691 in planning, preparing, conducting, and reporting their Level 2 self-assessments. This cost may be $32,819 for small businesses. Each year, it is estimated that companies other than small businesses may spend $2,712 on the annual affirmation and small business might spend $1,459.
For C3PAO assessments, it is estimated that every three years, a business other than a small business may invest $109,632 in planning, preparing, conducting, and reporting the Level 2 assessment. This cost may be $100,293 for small businesses. Each year, it is estimated that companies other than small businesses may spend $2,712 on the annual affirmation and small business might spend $1,459.

Whether these costs are recoverable depends on the type of contracts the company performance and additional analysis under the cost account standards, which are outside the scope of the CMMC rulemakings.

Takeaways

Nov. 10 is quickly approaching, and companies should consider acting now to ensure they are prepared for these new requirements to be rolled out in new contract awards and option exercises. While phase 1 focuses on self-assessment requirements, some Level 2 entities might need certified third-party assessments, which will roll out in phase 2 (beginning November 2026), and some of which may appear in certain contracts prior to that date. It may take several months to prepare for, schedule, and conduct third party assessments. To facilitate a smooth assessment process, companies should consider:

Identifying all CUI in a company’s possession and locating it on the company’s information systems. This includes capturing information a company may generate during the performance of a contract that is derived from CUI or identified in the company’s contracts as CUI.
Understanding the scope of the company’s information systems and assets that store, process, transmit, or receive CUI. This may help the company pinpoint the information systems and assets that must be included in any level 2 assessment.
Preparing for, scheduling, and conducting assessments of the identified information systems and assets, ensuring that assets excluded from the scope of the assessment are carefully documented. The SSP, policies, and procedures must be updated to reflect current network diagrams and information security practices.
Identifying an affirming official who is responsible for the company’s CMMC compliance and can reasonably attest to the continued implementation of all required security controls.