← All guides
CMMC 2.013 min read17 July 2026

CMMC 2.0 Level 2: Gap Assessment, C3PAO Prep & DFARS 252.204-7012 (2026)

Complete guide to CMMC 2.0 Level 2 compliance: 110 NIST 800-171 practices, C3PAO assessments, SPRS scoring, SSP, POAM, DFARS 252.204-7012 obligations, and cyber incident reporting for US defense contractors.

What is CMMC 2.0 Level 2?

Cybersecurity Maturity Model Certification (CMMC) 2.0 is the US Department of Defense's (DoD) framework for verifying that defense industrial base (DIB) companies adequately protect Controlled Unclassified Information (CUI). The DoD published its CMMC 2.0 Final Rule (32 CFR Part 170) in October 2025, making CMMC 2.0 a contractual requirement flowing through DFARS clauses 252.204-7019, 252.204-7020, and 252.204-7021.

CMMC 2.0 has three levels:

  • Level 1 (Foundational) — 15 practices: Annual self-attestation by a senior company official. Covers the 17 basic safeguarding requirements from 48 CFR 52.204-21. Required for any contract involving Federal Contract Information (FCI).
  • Level 2 (Advanced) — 110 practices: Aligned exactly with NIST SP 800-171 Rev 2. Either triennial self-assessment OR third-party assessment by an accredited C3PAO (CMMC Third-Party Assessor Organization), depending on contract criticality designation by the DoD.
  • Level 3 (Expert) — 110+ practices: Based on NIST SP 800-172 (Enhanced Security Requirements). Government-led assessment by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center). Required for the most sensitive programmes (less than 1% of contracts).

Who Needs CMMC 2.0 Level 2?

Any prime contractor or subcontractor that handles, processes, stores, or transmits CUI under a DoD contract requiring CMMC Level 2 certification. This includes:

  • Defense contractors with contracts containing DFARS 252.204-7012 (Safeguarding Covered Defense Information)
  • Subcontractors receiving CUI from prime contractors — flow-down is mandatory
  • Cloud service providers (CSPs) hosting DoD systems — must have FedRAMP Moderate Authorization Equivalent or higher
  • Managed Service Providers (MSPs) with access to CUI environments

The 110 NIST 800-171 Practices: Domain Overview

NIST SP 800-171 Rev 2 covers 14 practice domains across 110 requirements. For CMMC 2.0 Level 2 assessment, all 110 must be implemented (or have an accepted POAM with remediation timelines):

  • Access Control (AC) — 22 practices: The largest domain. Covers user access restrictions, CUI flow control, least privilege, remote access encryption, wireless access, and mobile device controls.
  • Awareness & Training (AT) — 3 practices: Security awareness for all personnel and role-based training for security responsibilities.
  • Audit & Accountability (AU) — 9 practices: Audit log creation and retention, user traceability, review/analysis/reporting of logs, audit log protection.
  • Configuration Management (CM) — 9 practices: Baseline configurations, security configuration settings, change control, software allowlisting, vulnerability scanning.
  • Identification & Authentication (IA) — 11 practices: MFA (the most commonly failed practice in DIBCAC assessments), device authentication, password management, replay-resistant authentication.
  • Incident Response (IR) — 3 practices: Incident handling, tracking/reporting, and testing.
  • Maintenance (MA) — 6 practices: Controlled maintenance, sanitisation of maintenance equipment, supervision of remote maintenance.
  • Media Protection (MP) — 9 practices: CUI on media access restriction, physical media transport, sanitisation before disposal or reuse.
  • Personnel Security (PS) — 2 practices: Individual screening and termination of access.
  • Physical Protection (PE) — 6 practices: Physical access authorizations, monitoring of physical access, visitor controls.
  • Risk Assessment (RA) — 3 practices: Periodic risk assessments, vulnerability scanning, vulnerability remediation.
  • Security Assessment (CA) — 4 practices: Periodic control assessments, System Security Plan (SSP), Plan of Action & Milestones (POAM), monitoring of controls.
  • System & Communications Protection (SC) — 16 practices: Boundary protection, network segmentation, FIPS 140-2/140-3 encryption for CUI in transit and at rest, deny-all/allow-by-exception network policy, physical separation of user functionality.
  • System & Information Integrity (SI) — 7 practices: Malware protection, security alerts, vulnerability remediation, information system monitoring, email filtering.

DFARS 252.204-7012: Cyber Incident Reporting

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) remains the contractual foundation. It requires:

  • Adequate security: Implement the 110 NIST 800-171 practices to protect CUI on all covered contractor information systems.
  • 72-hour cyber incident reporting: Report cyber incidents to DoD (via the DIBNet portal) within 72 hours of discovery. A "cyber incident" is any action taken through unauthorised access that compromises a covered contractor information system or reduces the ability to provide operationally critical support.
  • System image preservation: Preserve images of compromised systems and related data for at least 90 days after reporting.
  • Malware submission: Submit malicious software discovered during incident response to US-CERT.
  • Cloud service provider requirements: CSPs must have FedRAMP Moderate Authorization or a DoD-approved equivalent.
  • Subcontractor flow-down: Require subcontractors that will process, store, or transmit CUI to implement these requirements.

SPRS Score: Self-Assessment & Submission

The Supplier Performance Risk System (SPRS) is DoD's system for recording NIST 800-171 self-assessment scores. Under DFARS 252.204-7019, contractors must:

  • Complete a NIST SP 800-171 DoD Assessment using the methodology in NIST SP 800-171A
  • Submit their score to SPRS — scores range from -203 to 110 (perfect score = all 110 practices implemented)
  • Each practice has a defined point value (1, 3, or 5 points) based on criticality — not implementing a Critical practice deducts its point value
  • Upload an up-to-date System Security Plan (SSP) to SPRS along with the score
  • Contracting Officers can view SPRS scores before contract award — a very low score may affect contract eligibility

SSP & POAM: Documentation Requirements

Two documents are mandatory for CMMC 2.0 Level 2 compliance:

  • System Security Plan (SSP): Documents the system boundary, the operating environment, how each of the 110 NIST 800-171 practices is implemented, and the security requirements. Must cover all CUI systems. Required by NIST 800-171 practice CA.L2-3.12.4.
  • Plan of Action & Milestones (POAM): Documents identified deficiencies, planned remediation actions, milestones, and responsible parties. Required for any practice not yet fully implemented. Required by practice CA.L2-3.12.2. At C3PAO assessment, open POAMs may delay or condition certification depending on severity.

C3PAO Assessment: What to Expect

For contracts requiring third-party assessment (higher-priority Level 2 contracts), an accredited C3PAO will conduct a triennial assessment:

  • Documentation review: SSP, POAM, policies, procedures, network diagrams, asset inventories
  • Interviews: Technical staff, IT administrators, security leads, and executives
  • Evidence examination: Configuration screenshots, audit logs, access control lists, vulnerability scan reports, incident response records
  • Physical inspection: Physical access controls, media handling, maintenance logs
  • Assessment results submitted to CMMC Assessor and Instructor Certification Organization (CAICO) and recorded in the CMMC Marketplace
  • Conditional certifications may be granted with remaining POAMs — but Critical practices must be implemented before certification

Most Commonly Failed CMMC Level 2 Practices

Based on DIBCAC assessment findings, the most commonly deficient practices are:

  1. IA.L2-3.5.3/3.5.4 (MFA): MFA not implemented for all privileged and non-privileged accounts with network access to CUI environments. The single most common finding.
  2. SC.L2-3.13.8 (CUI encryption in transit): FIPS 140-2/140-3 validated cryptography not used — consumer cloud services (consumer Microsoft 365, Google Workspace, Dropbox) not approved for CUI.
  3. SC.L2-3.13.16 (CUI encryption at rest): Laptops, servers, and backup media not encrypted.
  4. AU.L2-3.3.1 (Audit logging): Centralised audit logging not configured; logs not covering all required events.
  5. CM.L2-3.4.8 (Software allowlisting): No allowlisting; any software can be installed and run.
  6. AT.L2-3.2.1 (Security awareness training): Annual training not documented; no phishing simulation.
  7. SR.L2-3.17.1-3 (Supply chain risk): Subcontractor CMMC/DFARS flow-down not contractually implemented.

Cloud CUI: GCC High vs Commercial Microsoft 365

A critical implementation decision: commercial Microsoft 365 (Exchange Online, SharePoint Online, Teams on commercial tenants) is NOT approved for CUI. DoD requires:

  • Microsoft 365 GCC High: FedRAMP High authorized, DoD IL4/IL5 approved. Required for most CUI categories.
  • Microsoft 365 GCC: FedRAMP Moderate. Acceptable for some CUI categories but not all.
  • AWS GovCloud (US): FedRAMP High. Acceptable equivalent.
  • Azure Government: FedRAMP High. Acceptable equivalent.

Use the Free CMMC 2.0 Level 2 Gap Assessment Tool

ComplyKit's CMMC 2.0 Level 2 Gap Assessment covers 42 key practices across 6 domains — Access Control, Identification & Authentication, Configuration Management, Incident Response & Audit, System & Communications Protection, and Awareness & Supply Chain. It generates a professional gap assessment report with a prioritized remediation roadmap and DFARS 252.204-7012 deep dive. Free, no account required.