The complete roadmap for achieving CMMC Level 2 certification — covering all 110 NIST SP 800-171 practices, the C3PAO assessment process, and a realistic stage-by-stage timeline for small businesses.
Level 2 is not just "more of Level 1." It introduces entirely new domains, a third-party assessment requirement, and significantly higher technical complexity.
Every CMMC Level 2 engagement follows these six stages. Click each stage to see exactly what happens, what it costs, and how much of your team's time it requires.
A comprehensive evaluation of your current security posture against all 110 NIST SP 800-171 requirements. Unlike Level 1's 17-practice assessment, Level 2 requires deep technical analysis across 14 control families — including audit logging, configuration management, incident response, and risk assessment.
For a business under 100 users, the GAP assessment takes 3–4 weeks. The CUI scoping exercise alone can take a week — identifying every system, cloud service, and process that touches CUI is critical and often reveals surprises. Expect 12–20 hours of your team's time.
What actually happens during a CMMC Level 2 third-party assessment — from pre-assessment prep through certification. No surprises.
Before a C3PAO sets foot in your environment, you must have a complete, current SSP, a closed or credibly-planned POA&M, and an evidence package ready for review. The C3PAO will request documentation in advance.
The C3PAO team (typically 2–4 assessors) conducts an opening meeting to review scope, confirm the system boundary, and establish the assessment schedule. They review your SSP and documentation before any technical testing begins.
Assessors systematically review your policies, procedures, and SSP against each of the 110 practices. They identify gaps between documented controls and what they expect to see during technical testing.
The most intensive phase. Assessors conduct hands-on technical testing of your systems, interview key personnel, and observe security processes in action. Every practice must be demonstrated — not just documented.
Assessors compile their findings and present preliminary results. You have an opportunity to provide additional evidence or clarification for any practices marked as deficient before the final report is issued.
The C3PAO issues the final assessment report and submits results to the CMMC Portal (eMASS). If all 110 practices are met (or a credible POA&M exists for minor gaps), the C3PAO recommends certification to the CMMC Accreditation Body.
Before your C3PAO arrives, Segler.Net conducts a full mock assessment — reviewing your evidence package, testing your controls, and interviewing your staff using the same methodology C3PAO assessors use. We identify and close gaps before they become assessment findings. A failed C3PAO assessment means paying for a second one — our pre-assessment review is the best insurance against that outcome.
These are the gaps Segler.Net finds most frequently when assessing small businesses for CMMC Level 2. Most are in domains that don't exist at Level 1.
3.3.1: The #1 gap at Level 2. Most small businesses have no centralized audit logging. A SIEM or equivalent is required to satisfy the AU domain.
3.4.1: Undocumented, inconsistent system configurations. Level 2 requires formal baselines and a change management process.
3.11.2: Ad-hoc patching doesn't satisfy the RA domain. It requires scheduled scanning, tracked findings, and documented remediation.
3.6.1: Most small businesses have no documented IR plan, no tested capability, and no designated incident response team.
3.5.7: No enforced complexity, no prohibition on reuse, no cryptographic storage. Level 2 has specific password requirements.
3.1.20: CUI in non-FedRAMP cloud services (personal Dropbox, Google Drive, etc.) is a common and serious finding.
3.1.5: Shared admin accounts, no PAM solution, and excessive admin rights are common Level 2 failures.
3.13.16: CUI stored on unencrypted drives, servers, or cloud storage without FIPS-validated encryption fails the SC domain.
Every NIST SP 800-171 requirement your business must satisfy for CMMC Level 2 certification. Filter by domain and expand to see individual practices.
Straight answers to what DoD contractors ask most about CMMC Level 2 compliance and C3PAO assessments.
Have a question about your specific CMMC Level 2 situation?
Our San Antonio compliance experts work with DoD contractors on Level 2 engagements daily — no obligation to ask.
Get a comprehensive GAP assessment against all 110 NIST 800-171 practices. We'll give you a clear roadmap, realistic timeline, and honest cost estimate before you commit to anything.