What is CMMC Level 2 and who needs it?

CMMC Level 2 requires compliance with all 110 controls from NIST SP 800-171 Rev 2. Any Defense Industrial Base (DIB) contractor that handles Controlled Unclassified Information (CUI) on DoD contracts will need CMMC Level 2 certification. This affects an estimated 80,000+ contractors.

When is the CMMC certification deadline?

CMMC Phase 2 requires C3PAO third-party assessments starting November 2026. However, DoD is already including CMMC requirements in new contracts. Starting now gives you time to close gaps, build evidence, and avoid last-minute scrambles when every C3PAO is booked solid.

Can I use CMMC Command for my self-assessment?

Yes. The free tier gives you a complete 110-control NIST SP 800-171 assessment with real-time SPRS score calculation. You can document your status, identify gaps, and calculate your exact SPRS score — which you're already required to submit to SPRS.mil.

How does the AI compliance analyst work?

Our 8 AI features analyze your actual assessment data — not generic templates. The AI generates gap analysis narratives, remediation plans with effort estimates, SSP implementation statements, evidence sufficiency reviews, and realistic C3PAO interview questions. It never sees your uploaded documents or CUI — only control metadata.

Do you store CUI or sensitive documents?

No. CMMC Command stores compliance metadata — control statuses, SPRS scores, task assignments, and evidence references. Uploaded evidence files are scanned for CUI markers and we explicitly do not store controlled unclassified information.

How does CMMC Command compare to hiring a consultant?

A typical CMMC consultant charges $200–$400/hr, and most assessments require 80–200 hours ($16K–$80K). CMMC Command replaces the ongoing assessment tracking, gap analysis, document generation, and remediation planning — for $749/mo.

What integrations are supported?

We connect with 10 security tools: Microsoft Entra ID, Microsoft 365 & Defender, CrowdStrike Falcon, Google Workspace, AWS, SentinelOne, Tenable.io, KnowBe4, Jamf Pro, and Okta. Each integration auto-collects compliance evidence mapped to specific NIST controls.

Can I cancel anytime?

Yes. All plans are month-to-month with no long-term contracts. Annual plans offer 2 months free. If you cancel, you retain read-only access to your data for 30 days. We also support full data export.

CMMC Level 2 Requirements: The Complete 2026 Guide for DIB Contractors

What Is CMMC Level 2?

CMMC Level 2 (Cybersecurity Maturity Model Certification Level 2) requires organizations to implement all 110 security controls from NIST SP 800-171 Revision 2. It applies to any Defense Industrial Base (DIB) contractor that processes, stores, or transmits Controlled Unclassified Information (CUI) on Department of Defense contracts.

Unlike CMMC Level 1 (which covers 17 basic practices from FAR 52.204-21), Level 2 demands a comprehensive cybersecurity program with documented policies, trained personnel, and verifiable evidence.

Who Needs CMMC Level 2?

If your organization handles CUI under a DoD contract — and most subcontractors do — you will need Level 2 certification. This affects an estimated 80,000+ contractors across the defense industrial base, including:

Prime contractors with direct DoD contracts involving CUI
Subcontractors who receive CUI flow-down from primes
Suppliers who manufacture components with CUI markings
IT service providers who manage systems containing CUI

How to Know If You Handle CUI

Check your contract for DFARS clause 252.204-7012 (Safeguarding Covered Defense Information). If it's in your contract, you handle CUI and need CMMC Level 2.

The 110 Controls — Organized by Family

NIST SP 800-171 organizes its 110 controls into 14 families:

Family	Code	Controls	Description
Access Control	AC	22	Limit system access to authorized users and functions
Awareness & Training	AT	3	Ensure personnel understand security responsibilities
Audit & Accountability	AU	9	Create, protect, and review system audit logs
Configuration Management	CM	9	Establish and maintain system configurations
Identification & Authentication	IA	11	Verify identities of users, processes, and devices
Incident Response	IR	3	Detect, report, and respond to security incidents
Maintenance	MA	6	Perform timely system maintenance
Media Protection	MP	9	Protect and control system media
Personnel Security	PS	2	Screen personnel and protect CUI during changes
Physical Protection	PE	6	Limit physical access to systems and facilities
Risk Assessment	RA	3	Identify and manage organizational risk
Security Assessment	CA	4	Assess security controls and monitor continuously
System & Communications Protection	SC	16	Protect communications and system boundaries
System & Information Integrity	SI	7	Identify and correct system flaws promptly

SPRS Score — What It Is and Why It Matters

Your Supplier Performance Risk System (SPRS) score is a numerical representation of your NIST SP 800-171 compliance posture. The score ranges from -203 to 110:

110 = all controls fully implemented
0 = baseline (no POA&M items, partial implementation)
Negative scores = significant gaps requiring remediation

The DoD assigns each control a weight of 1, 3, or 5 points. High-weight controls (like access control and system hardening) have the most impact on your score.

How SPRS Is Calculated

Start at 110 (perfect score)
For each not implemented control: subtract its DOD weight
For each partially implemented control with a POA&M: no deduction (but must have a documented plan)
Controls without a POA&M that aren't fully implemented: subtract the weight

You are already required to submit your SPRS score to SPRS.mil per DFARS 252.204-7019. A tool like CMMC Command calculates this automatically using the official DOD weight table.

The CMMC 2.0 Timeline

Key Milestones

December 2024: CMMC final rule published (32 CFR Part 170)
Q1 2025: Phase 1 begins — contracting officers may include CMMC Level 1 self-assessment requirements
Q2 2025: Phase 2 begins — CMMC Level 2 certification requirements appear in select contracts
November 2026: Phase 2 full enforcement — C3PAO third-party assessments required for all contracts with CUI
2027+: Phase 3 — CMMC Level 3 requirements for highest-sensitivity programs

What "Phase 2" Means for You

Starting November 2026, the DoD will require CMMC Level 2 certification (not just self-assessment) for contracts involving CUI. This means a C3PAO (Certified Third-Party Assessment Organization) must conduct an independent assessment of your cybersecurity program.

There are currently only ~93 authorized C3PAOs in the ecosystem. With 80,000+ contractors needing assessments, scheduling will be extremely competitive. Starting early is not optional — it's a strategic necessity.

The C3PAO Assessment Process

A CMMC Level 2 assessment typically involves:

Pre-assessment: C3PAO reviews your SSP, POA&M, and evidence artifacts
On-site assessment: 3-5 days of interviews, demonstrations, and evidence review
Finding resolution: 90 days to address any identified deficiencies
Certification decision: C3PAO submits results to CMMC Accreditation Body (Cyber AB)
Certificate issued: Valid for 3 years

What Assessors Look For

C3PAO assessors evaluate your compliance against all 320 assessment objectives from NIST SP 800-171A. For each of the 110 controls, there are 1-5 specific objectives that must be MET, NOT MET, or NOT APPLICABLE.

Key areas assessors focus on:

Documented policies and procedures for each control family
Technical evidence that controls are implemented (screenshots, configurations, logs)
Personnel awareness of security responsibilities
Incident response capability and testing
Continuous monitoring practices

Getting Audit-Ready: A Practical Approach

Step 1: Baseline Assessment (Week 1-2)

Assess all 110 controls honestly. Mark each as Implemented, Partially Implemented, or Not Implemented. Calculate your SPRS score. This gives you a clear picture of your gaps.

Step 2: Gap Analysis & Prioritization (Week 2-3)

Focus on high-weight controls first (weight 5). A single weight-5 control is worth five weight-1 controls. Prioritize by SPRS impact and implementation difficulty.

Step 3: Remediation (Week 3-10)

Close gaps systematically. Document everything — your SSP narrative, your evidence, your POA&M timelines. The documentation is as important as the technical implementation.

Step 4: Evidence Collection (Ongoing)

Build your evidence vault: policy documents, configuration screenshots, training records, audit logs, incident response plans. Organize by control family.

Step 5: SSP & POA&M Finalization (Week 10-12)

Your System Security Plan and Plan of Action & Milestones should be living documents. Finalize them before scheduling your C3PAO assessment.

Step 6: Mock Assessment (Week 12)

Run a readiness review. Can you answer assessor questions for every control? Is your evidence organized and accessible?

Common Mistakes That Delay Certification

Starting too late — most contractors need 60-90 days minimum
Underestimating documentation — technical controls without evidence don't count
Ignoring policies — assessors review policies first
Not training staff — AT controls require documented awareness training
Spreadsheet-based tracking — doesn't scale, prone to errors, no audit trail

How CMMC Command Helps

CMMC Command automates the compliance journey from self-assessment to audit-ready:

Free tier: Full 110-control assessment with real-time SPRS scoring
Starter ($249/mo): Evidence vault, SSP/POA&M generation, policy templates
Professional ($749/mo): 9 AI features, security tool integrations, remediation task board

The platform calculates your exact SPRS score using official DOD weights, generates DOD-format documents, and uses AI to identify gaps and recommend specific remediation steps.

Start your free assessment today — no credit card required.