Skip to main content
Back to Blog
Compliance Guide

CMMC Level 2 in 90 Days: A Practical Roadmap for Defense Contractors

May 19, 2026By Matt Johnson16 min read

The Department of Defense has made it official: no CMMC Level 2 certification means no contract. If your organization handles Controlled Unclassified Information (CUI) and you do business with the DIB, you are either in the process of getting certified or you are watching your contract pipeline shrink.

CMMC Level 2 aligns to all 110 practices across the 14 domains of NIST SP 800-171. That sounds daunting. But for most small and mid-size defense contractors, a disciplined 90-day sprint is achievable if you attack it in phases rather than trying to boil the ocean in week one. This guide walks you through exactly how to do that.

Who This Guide Is For

Defense contractors (prime or sub) who handle or may handle CUI under a DoD contract or subcontract. If your DFARS clause includes 252.204-7012, CMMC Level 2 applies to you. This guide assumes you are starting from somewhere between a SPRS score of -40 and +50 and need to reach a clean C3PAO assessment.

What CMMC Level 2 Actually Requires

CMMC Level 2 is a third-party assessment of your implementation of all 110 security practices in NIST SP 800-171 Rev 2. Unlike the old self-attestation model, a Certified Third-Party Assessment Organization (C3PAO) or your Authorized C3PAO Assessment Official (CAIO) physically or virtually reviews your evidence. You cannot score your own exam anymore.

The 110 practices span 14 domains. Here is what each domain covers and roughly how hard it is for most SMBs to achieve full compliance:

22 practices
Medium

Access Control (AC)

Least-privilege, account management, remote access, session controls

3 practices
Easy

Awareness & Training (AT)

Security awareness program, role-based training, insider threat awareness

9 practices
Medium

Audit & Accountability (AU)

Log generation, retention, review - often requires a SIEM

9 practices
Hard

Configuration Management (CM)

Baseline configs, change control, least-functionality settings

11 practices
Medium

Identification & Authentication (IA)

MFA everywhere, password policy, privileged account controls

3 practices
Easy

Incident Response (IR)

IR plan, IR capability, IR testing - documented evidence required

6 practices
Medium

Maintenance (MA)

Controlled maintenance, sanitize media before maintenance, remote maintenance controls

9 practices
Medium

Media Protection (MP)

CUI on removable media, media sanitization, transport controls

2 practices
Easy

Personnel Security (PS)

Screening for CUI-access positions, termination procedures

6 practices
Easy-Medium

Physical Protection (PE)

Physical access controls to CUI systems and CUI spaces

3 practices
Medium

Risk Assessment (RA)

Risk assessment process, vulnerability scanning, risk response

4 practices
Hard

Security Assessment (CA)

System security plan, security control assessments, POA&M process

16 practices
Hard

System & Communications Protection (SC)

Network segmentation, CUI in transit encryption, boundary protection

7 practices
Medium

System & Information Integrity (SI)

Malware protection, security alerts, software patches, spam protection

The 90-Day Roadmap

The biggest mistake contractors make is treating CMMC as an IT project. It is a security program project. The difference matters: IT projects have defined endpoints and deliverables. A security program requires sustained operation and evidence generation over time. Your C3PAO assessor is not just checking that controls exist - they want evidence that the controls have been operating.

Phase 1

Days 1-30: Assessment and Gap Analysis

You cannot fix what you have not measured. Phase 1 is entirely about understanding your current state against all 110 practices. This is where most organizations discover that their self-assessed SPRS score was optimistic - sometimes significantly so.

Phase 1 Deliverables

  • Define your CUI boundary - exactly which systems, networks, and locations touch CUI
  • Conduct a gap assessment against all 110 NIST 800-171 practices with NOT MET / PARTIALLY MET / MET status
  • Draft your System Security Plan (SSP) skeleton - even incomplete, it signals a functioning security program
  • Identify your biggest control gaps in SC (network segmentation) and CM (configuration management)
  • Build your Plan of Action and Milestones (POA&M) for every NOT MET and PARTIALLY MET practice
  • Calculate your actual SPRS score honestly using the scoring methodology
  • Engage a C3PAO early - many have 3-6 month waitlists; get on the calendar now
  • Identify any practices requiring significant investment (SIEM, MFA rollout, network redesign) and start procurement

Critical Note on CUI Scope

The CUI boundary determines your assessment scope. A common mistake is scoping it too broadly (assessing your entire IT environment) or too narrowly (excluding systems that clearly touch CUI). Work with a CMMC Registered Practitioner (RP) or Registered Practitioner Organization (RPO) to scope this correctly before you start remediation.

Phase 2

Days 31-60: Remediation

With a clear gap list in hand, Phase 2 is execution. Triage your POA&M by risk and implementation effort. Quick wins that eliminate point-source findings should go first to build momentum. The hard architectural work (network segmentation, SIEM deployment) must start immediately because it takes the most time.

Priority Remediation Areas

  • Deploy MFA on all accounts with CUI system access, including service accounts where feasible (IA.3.083)
  • Implement network segmentation to isolate CUI systems from general corporate network (SC.3.177)
  • Deploy endpoint detection and response (EDR) on all CUI-processing endpoints (SI.1.210)
  • Stand up centralized log collection and retention for 90 days minimum across CUI systems (AU.2.042)
  • Apply CIS Benchmark or DISA STIG baselines to all CUI-processing systems (CM.2.061)
  • Encrypt CUI at rest and in transit - verify M365 settings, enforce TLS 1.2+, encrypt laptops with BitLocker (SC.3.177, MP.2.120)
  • Stand up a vulnerability scanning program and remediate findings by severity SLA (RA.2.141)
  • Document and test your incident response plan with a tabletop exercise (IR.2.092, IR.2.093)
  • Conduct security awareness training and document completion records (AT.2.056, AT.2.057)
  • Inventory and remove unauthorized software from CUI systems (CM.2.064)

What to Do With Practices You Cannot Remediate in 90 Days

Not every gap can be closed in 90 days. For anything that will remain open at assessment time, your POA&M must include a milestone date (no more than 180 days out for most practices) and interim compensating controls. A well-documented POA&M with realistic timelines is far better than pretending a gap does not exist - assessors can spot the difference.

Phase 3

Days 61-90: Documentation and Assessment Prep

Controls that are not documented are controls that do not exist from an assessor's perspective. Phase 3 is about hardening your evidence package and running a pre-assessment readiness check before your C3PAO shows up.

Documentation Deliverables

  • Complete System Security Plan (SSP) describing every in-scope system and how each of the 110 practices is implemented
  • Network diagram showing CUI boundary, segmentation, and data flows
  • Asset inventory of all CUI-processing hardware, software, and cloud services
  • User access list with role assignments and least-privilege justification
  • Incident response plan with tested evidence (tabletop exercise notes, after-action report)
  • Security awareness training completion records for all users with CUI access
  • Configuration baseline documentation for all CUI systems
  • Vulnerability scan results and remediation records showing ongoing program
  • Change management records showing controlled configuration changes
  • Media sanitization records for any retired or repurposed CUI-processing equipment
  • Current POA&M with milestone dates and compensating controls for open items

Preparing for the C3PAO Assessment

The C3PAO assessment is not a surprise audit - it is a structured evidence review. Most assessors follow a consistent process: a kickoff call to review scope and schedule, document review, interviews with key personnel, and technical testing of specific controls. Here is how to prepare your team.

Before the Assessment

  • Conduct an internal pre-assessment using the CMMC Assessment Guide
  • Assign a single point of contact who knows every control
  • Organize your evidence in a shared folder indexed by practice number
  • Brief key personnel on what to expect during interviews
  • Re-run vulnerability scans and close any remaining high/critical findings

During the Assessment

  • Answer assessor questions directly - do not volunteer information about gaps you did not disclose
  • If a control has a documented exception or compensating control, explain it clearly
  • Do not fake evidence or claim a control is implemented when it is not
  • Take notes on every finding - you will need them for any required POA&M updates
  • Ask for clarification if an assessor requirement is ambiguous

Common Mistakes That Kill CMMC Assessments

  • Scoping CUI too broadly and trying to achieve CMMC compliance on your entire company network - costs 3-5x more than necessary
  • Treating CMMC as a one-time project rather than an ongoing program - assessors look for evidence of sustained operation
  • Leaving POA&M items undocumented - undocumented gaps discovered during assessment become findings without a plan
  • Confusing CMMC Level 1 self-attestation with Level 2 third-party certification requirements
  • Using consumer cloud services (personal Dropbox, Gmail, etc.) for CUI - these are automatic findings
  • Not segmenting CUI systems from BYOD devices or general corporate networks
  • Assuming your MSP is handling compliance - MSPs provide IT services, not CMMC compliance unless they are an RPO
  • Over-relying on Microsoft GCC or GCC High without configuring security controls within M365 - licensing does not equal compliance
  • Waiting until 30 days before a contract deadline to start - C3PAO waitlists run 3-6 months
  • Submitting a SPRS score you know is inflated - the DoD's intent is to use SPRS scores for contract risk decisions

How SOClogix Supports CMMC Level 2

We work with defense contractors as both a Registered Practitioner Organization (RPO) and a managed security provider. That means we can help you get ready and then operate the security controls that require ongoing management after you achieve certification.

Gap assessment against all 110 NIST 800-171 practices
CUI scoping and boundary definition support
System Security Plan (SSP) drafting and review
POA&M development with milestone tracking
Managed SIEM for AU domain logging requirements
Vulnerability management program (RA domain)
Managed EDR and endpoint hardening (SI, CM domains)
MFA deployment and identity security (IA domain)
Incident response plan development and tabletop facilitation
Pre-assessment readiness review before your C3PAO engagement
Matt Johnson

Matt Johnson

CEO & Founder, SOClogix

Full bio →

CMMC Readiness Assessment

Know Where You Stand Before Your C3PAO Does

SOClogix conducts gap assessments against all 110 NIST 800-171 practices and builds the documentation package your C3PAO will review. Schedule a readiness call to find out how far you are from a clean assessment.