The Department of Defense has begun requiring CMMC 2.0 Level 2 third-party assessments for contractors handling Controlled Unclassified Information (CUI). Self-attestation is no longer sufficient for Level 2.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework requires DoD contractors who handle Controlled Unclassified Information (CUI) to achieve Level 2 certification. Level 2 aligns with the 110 security practices in NIST SP 800-171 and covers areas including access control, incident response, media protection, risk assessment, system and communications protection, and system and information integrity. As of early 2026, the DoD has begun including CMMC Level 2 requirements in new contracts and contract renewals, making third-party assessment mandatory for affected contractors.
Under the previous CMMC 2.0 implementation timeline, Level 2 contractors could self-attest their compliance for a transitional period. That transitional period has ended. DoD contracts issued in 2026 now require a CMMC Level 2 certification conducted by a CMMC Third-Party Assessment Organization (C3PAO) — an independent organization accredited by the CMMC Accreditation Body (CyberAB). Self-attestation is no longer accepted for Level 2. Contractors who cannot demonstrate a current C3PAO assessment may be ineligible for contract awards or renewals.
A CMMC Level 2 assessment conducted by a C3PAO is a comprehensive evaluation of your organization's implementation of all 110 NIST SP 800-171 practices. The assessment includes document review, interviews with personnel, and technical testing of your systems. The process typically takes 2-4 weeks of active assessment time, but preparation can take months. Current wait times for C3PAO assessments are 6-9 months due to high demand. Organizations should begin the process immediately to avoid contract disruptions. Before engaging a C3PAO, conduct a thorough internal readiness assessment to identify and remediate gaps.
Segler.Net has experience helping DoD contractors prepare for CMMC assessments. Our CMMC readiness services include gap assessment against all 110 NIST SP 800-171 practices, System Security Plan (SSP) development and review, remediation planning and implementation, and pre-assessment readiness reviews. We can help you understand your current compliance posture, prioritize remediation efforts, and prepare your documentation for the C3PAO assessment. Contact us to schedule a CMMC readiness consultation.