CMMC 2.0 Level 2: The Complete Readiness Guide for DIB Contractors

#The DoD finally stopped bluffing

I work with defense contractors in Connecticut. Sikorsky supply chain. Electric Boat machining subcontractors. Valley manufacturers stamping parts that end up in Black Hawks, Virginia-class submarines, and F-35 landing gear. Every one of them told me the same thing through 2020, 2021, 2022, 2023. "CMMC isn't going to actually happen. DoD is going to delay it again."

That stopped being true in late 2024. The Final Rule published. The rollout began. The first prime contracts requiring CMMC Level 2 attestation showed up in DoD solicitations. And the DIB contractors who had assumed they'd have another three years to prep discovered they had 90 days to produce a compliant readiness posture or lose the contract.

This is the conversation we now have weekly. "We just got a prime asking for our CMMC readiness. When can you start." And the timeline they imagine (4 weeks) is not the timeline reality requires (6-12 months minimum).

This post is the complete CMMC 2.0 Level 2 readiness guide. Every control family. The 110 controls from NIST SP 800-171. The gap analysis framework. The 12-month implementation path. Cost ranges. C3PAO selection. And the specific compliance errors that kill DIB contractor deals.

#The history that matters

The quick version of how we got here.

• 2016. NIST SP 800-171 published. Required compliance on DoD contracts handling Controlled Unclassified Information. Self-attestation only.
• 2017-2020. DIB cybersecurity was a disaster. Chinese APT40 walked out with F-35 specs, missile defense research, satellite engineering. Defense Inspector General reports catalogued the damage.
• 2020. DoD announced CMMC 1.0. Third-party certification required. Five levels.
• 2021. CMMC 1.0 killed. Industry outcry about cost and complexity.
• 2021 Nov. CMMC 2.0 announced. Simplified to three levels. Draft rulemaking.
• 2022-2023. Extended comment periods, refinements, mock assessments.
• 2024 Oct. CMMC 2.0 Final Rule published (DFARS). Effective December 2024.
• 2025. Phase 1 rollout. Prime contractors require certified subcontractors at specific levels.
• 2026. Active assessments underway. First CMMC Level 2 certifications issued.
• 2028. Full implementation. Every DoD contract with CUI requires the appropriate CMMC level.

The program is real and you are now in the rollout window.

#The three levels

• Level 1. 17 basic safeguarding practices (from FAR 52.204-21). Annual self-attestation. For contractors handling Federal Contract Information (FCI) only, no CUI.
• Level 2. 110 practices from NIST SP 800-171. Third-party C3PAO assessment required every three years for "critical" CUI contracts. Annual self-attestation permitted for "non-critical" CUI.
• Level 3. 110 Level 2 practices + 24 additional from NIST SP 800-172. Government-led assessment. For the most sensitive CUI, primarily nation-state-targeted programs.

Most DIB contractors land at Level 2. Level 2 is what this post covers.

#What is CUI

Controlled Unclassified Information. Federal information that requires safeguarding under laws, regulations, or government-wide policies. But isn't classified.

Categories that typically show up in DIB work:

• Controlled Technical Information (CTI). Engineering drawings, specifications, technical manuals.
• Export Controlled Information. Subject to ITAR or EAR.
• Defense Information. Operational data not otherwise classified.
• Proprietary Business Information. Trade secrets in contracts.

If you handle any CUI anywhere in your environment, that environment is in scope for CMMC Level 2.

If you're a CT machining shop that mills a single critical part from a Sikorsky CAD drawing, you have CUI. That CAD drawing. Wherever it lives on your network. Whatever that network touches.

#Who needs CMMC Level 2

The concrete test:

• Are you a direct DoD contractor or subcontractor?
• Do your contracts include DFARS 252.204-7012 (Safeguarding Covered Defense Information)?
• Does your work require you to receive, process, store, or transmit CUI?

If all three are yes, you need Level 2.

Typical companies:

• Prime contractors with CUI-processing subsidiaries
• Mid-tier subcontractors (those selling to primes)
• Engineering services vendors (SETA, systems engineering)
• Manufacturing subcontractors handling technical drawings
• Software vendors whose products process CUI
• Logistics / supply chain vendors handling DoD contract data

#The 14 control families

NIST SP 800-171 organizes 110 controls into 14 families. Here's the high-level.

#AC. Access Control (22 controls)

Limit system access to authorized users. Enforce access rights through proper authentication. Implement session termination. Protect wireless access.

The family that breaks most DIB contractors. Active Directory hygiene. RBAC. Privileged access management. Session timeouts. Most shops running Windows Server infrastructure have 5-10 AC gaps at baseline.

#AT. Awareness and Training (3 controls)

Train personnel on security awareness and recognizing insider threat. Specifically includes training on CUI handling.

Low-effort. Most compliance platforms ship CUI-aware training modules. Annual completion tracked.

#AU. Audit and Accountability (9 controls)

Create audit logs, protect them from tampering, review them. Event correlation. Audit failure response.

SIEM-centric. Logs shipped centrally, retention adequate, alerting on audit events, tamper-resistant storage.

#CM. Configuration Management (9 controls)

Establish baseline configurations. Control changes. Restrict and monitor configuration changes. Baseline configurations for all system components.

Many shops struggle here because they don't have a CMDB or formal change management. CIS benchmarks applied, changes tracked via tickets, configurations versioned.

#IA. Identification and Authentication (11 controls)

Identify and authenticate users. MFA for privileged accounts. Password requirements. Account management.

MFA on privileged accounts is non-negotiable. CMMC specifies MFA as a Level 2 requirement not just a Level 3.

#IR. Incident Response (3 controls)

Establish incident response capability. Test it. Track incidents.

IR plan documented. Tested annually via tabletop. Incident metrics tracked. Communications with DoD Cyber Crime Center (DC3) for reportable incidents.

#MA. Maintenance (6 controls)

Control and authorize maintenance activities. Use authorized tools. Sanitize equipment before maintenance.

For shops with on-premises servers, this matters. Cloud-native shops can often argue compensating controls.

#MP. Media Protection (9 controls)

Protect CUI on digital and physical media. Sanitize media before disposal. Control access to media containing CUI.

Physical media is under-thought in most shops. Removable USB drives, backup tapes, paper printouts of CAD drawings.

#PS. Personnel Security (2 controls)

Screen individuals before access. Transfer / termination procedures.

Background checks on hires accessing CUI. Formal offboarding.

#PE. Physical Protection (6 controls)

Limit physical access to facilities. Protect from unauthorized access. Monitor physical access logs.

Badge access to CUI-processing spaces. Visitor logs. Surveillance of sensitive areas.

#RA. Risk Assessment (3 controls)

Periodically assess risks. Scan for vulnerabilities. Remediate.

Formal risk assessment annually. Vulnerability scanning quarterly minimum. POA&M (Plan of Action and Milestones) documented.

#CA. Security Assessment (4 controls)

Periodically assess security controls. Develop system security plan (SSP). Plan of Action and Milestones for deficiencies.

The SSP is the centerpiece document. Describes your entire security posture. Lives as source of truth.

#SC. System and Communications Protection (16 controls)

Monitor and control communications. Cryptographic protection of CUI in transit and at rest. Network architecture security.

AES-256 for CUI at rest. TLS 1.2+ for CUI in transit. Network segmentation separating CUI-processing systems from general networks.

#SI. System and Information Integrity (7 controls)

Identify and manage information system flaws. Protect from malicious code. Monitor security alerts.

EDR on every system. Patch management cadence. Security monitoring.

#The scoping trap

The single most consequential decision in a CMMC program is scoping. Get this right and your assessment is manageable. Get it wrong and you're assessing your entire company at Level 2.

Scope of CMMC Level 2 includes:

• Every system that stores, processes, or transmits CUI
• Every system that provides security functions for CUI systems
• Every system with connectivity to CUI systems that's not segmented

If your CAD department processes CUI and that network is flat with your accounting, HR, and engineering networks, all of those are in scope. Every workstation. Every server. Every application.

If your CAD department is network-segmented, authentication-segmented, and flows to the rest of the business through a limited set of monitored interfaces, only the CAD environment is in scope.

The segmentation project is the single highest-ROI CMMC activity. It can reduce a 5000-host scope to a 50-host scope. The 50-host scope is assessed in weeks. The 5000-host scope is assessed in months and costs proportionally.

#The C3PAO

Certified Third-Party Assessment Organizations. The firms authorized to conduct CMMC assessments.

The list is published on the Cyber AB (Accreditation Body) website. Currently around 50 C3PAOs authorized. Capacity is constrained. Booking assessments 4-6 months out is normal.

Selection criteria:

• Does the C3PAO have industry experience matching yours?
• How many Level 2 assessments have they completed?
• What's their assessment methodology?
• What's the typical engagement length?
• What's their finding rate on first assessments?

Cost for a Level 2 assessment: $40K-$250K depending on scope. More for large/complex environments.

#The 12-month readiness timeline

For a CT mid-market DIB contractor with a reasonable starting security posture, the timeline that works.

#Months 1-2. Scope + SSP baseline

• CUI inventory. What CUI do you have? Where does it live? How does it flow?
• Network + system boundary definition. What's in the CUI enclave?
• System Security Plan (SSP) drafting. Every in-scope system documented.
• Gap analysis against 110 controls.

#Months 3-6. Technical implementation

The heaviest work. Ordered by impact:

• Network segmentation. Isolating the CUI enclave. Firewall rules, VLAN isolation, authentication gateways.
• Identity + MFA. Every access to CUI requires MFA. Privileged access on separate workstations where possible.
• Encryption. AES-256 for CUI at rest. TLS 1.2+ for CUI in transit. Documented key management.
• EDR + SIEM. Deployed on every in-scope system. Logs centralized. Retention 90 days live + 6 months archive.
• Vulnerability management. Quarterly scans, remediation within SLA.
• Patch management. Documented cadence. Compliance reports.
• Configuration management. CIS benchmarks applied. Baseline documented.
• Backup + recovery. CUI backups encrypted. Tested restore.

#Months 7-9. Policy + governance

• All required written policies.
• Incident response plan + tabletop.
• Contingency plan + DR test.
• Personnel security procedures.
• Physical security procedures (if on-premises CUI storage).
• Training program launched.

#Months 10-11. Evidence gathering + pre-assessment

• SSP finalized.
• Plan of Action and Milestones (POA&M) for any remaining gaps.
• Evidence library assembled.
• Internal readiness assessment.
• C3PAO engaged + kickoff scheduled.

#Month 12. C3PAO assessment

• Assessment conducted (1-4 weeks depending on scope).
• Findings remediated if possible during assessment window.
• Final certification decision.

#Budget framework

Honest ranges for a CT mid-market DIB contractor (50-500 employees).

Year-one total: $300K-$1.5M.

• Gap analysis + consulting: $40K-$150K
• SSP + policy writing: $20K-$80K
• Network segmentation: $30K-$300K
• MFA + identity upgrades: $30K-$100K
• EDR + SIEM: $50K-$200K
• Backup + DR upgrades: $20K-$100K
• Vulnerability management: $20K-$60K/year
• Training program: $10K-$40K/year
• C3PAO assessment: $40K-$250K
• Internal staff time: $50K-$250K equivalent
• Contingency for gaps: $20K-$200K

Ongoing annual cost: $150K-$500K.

For larger enterprises (500-5000 employees), multiply all of the above by 2-4x.

#C3PAO assessment week by week

What actually happens in the assessment window.

Week 0 (pre-assessment).

• Document submission. SSP, policies, evidence library, POA&M.
• Scope confirmation.
• Assessment agenda published.

Week 1.

• Kickoff meeting. In-person or virtual.
• SSP walkthrough.
• Technical evidence sampling begins.
• Interviews with key personnel.

Week 2.

• Technical verification (configurations, logs, etc.).
• Control-by-control assessment.
• Finding identification.

Week 3 (if needed).

• Remediation window for minor findings.
• Follow-up verification.

Week 4 (if needed).

• Final finding consolidation.
• Assessor report drafting.

Post-assessment.

• Draft report delivered (2-4 weeks after assessment end).
• Client review + response.
• Final report.
• Certification decision by Cyber AB.

#Common reasons DIB contractors fail assessment

From observing and talking to C3PAOs about assessment patterns:

1. SSP is outdated or incomplete. Describes the environment as of a year ago. Systems added since aren't documented.
2. CUI inventory is wrong. CUI found in locations not declared in the SSP.
3. Scope creep discovered during assessment. Systems the contractor didn't think were in scope turn out to be because they connect to CUI systems.
4. MFA coverage gaps. MFA required but missing on some user or service accounts.
5. Encryption key management not documented. "We use AES-256" is said. Key management lifecycle is not documented.
6. Audit logs not retained for required period. Or not protected from tampering.
7. IR plan not tested. Tabletop evidence missing or stale.
8. Physical security gaps. Facility access to CUI processing areas not properly controlled.
9. Personnel security gaps. Background check records missing for some employees.
10. POA&M not realistic. Remaining gaps listed without genuine remediation plans.

Every one of these is preventable with a thorough pre-assessment. Do the internal audit.

#The POA&M reality

Plan of Action and Milestones. The document that lists control gaps you haven't closed yet and the plan to close them.

POA&M is permitted for some controls. Not for all. Specifically:

• The 26 "must-pass" controls cannot be on POA&M. Full compliance required before assessment.
• Other controls can be on POA&M with a remediation timeline not to exceed 180 days.
• POA&M items are part of the certification. Updated quarterly minimum.

If your POA&M has 50 items, you're not ready. A passing assessment typically has 0-5 POA&M items.

#Flow-down to your subcontractors

If you're a prime contractor, you don't just comply. You flow down CUI handling requirements to every subcontractor. And you monitor their compliance.

• Subcontract terms must require CMMC compliance at the appropriate level.
• Subcontractor SPRS scores (Supplier Performance Risk System) must be validated.
• Subcontractor CUI handling audited.
• Subcontractor breach notifications flowed through to DoD.

This is where smaller subcontractors get squeezed. The prime requires CMMC Level 2, but the small subcontractor can't afford the $300K-$500K compliance investment. The answer is either: prime pays some of the cost, prime accepts limited CUI flow, or subcontractor loses the contract.

#SPRS scoring

Supplier Performance Risk System. DoD's scoring system for contractor cybersecurity posture. Scores range from -203 to +110 based on NIST SP 800-171 compliance self-assessment.

Before CMMC assessments complete, SPRS self-score is what DoD uses to evaluate your cybersecurity posture for contract awards. A score under 88 is increasingly a red flag for new contracts. Under 60 is a near-disqualifier.

Self-scoring accurately matters. Misrepresenting your SPRS score is a False Claims Act violation when caught. DOJ has prosecuted cases since 2021.

#Working with us

We run CMMC Level 2 readiness engagements for DIB contractors primarily in Connecticut and New England. Our typical engagement:

• 3-6 month gap analysis + remediation roadmap
• SSP drafting
• Policy library development
• Technical control implementation support
• Pre-assessment internal audit
• C3PAO engagement coordination

We're familiar with the common technology stack in CT manufacturing (SolidWorks, MasterCAM, PDM systems, Windows Server infrastructure) and the specific CUI flow patterns in DIB subcontracting.

If you're a CT DIB contractor facing a prime's CMMC requirement and need a readiness partner, this is our lane.

Valtik Studios. valtikstudios.com. Based in Connecticut, focused on CMMC 2.0 readiness for the New England DIB supply chain.