The Simple 6 Step Playbook Defense Contractors Actually Use
If you handle Controlled Unclassified Information (CUI) for the Department of Defense (DoD), you will need Cybersecurity Maturity Model Certification (CMMC) Level 2 to win new work. The phased rollout written into the DFARS rule begins in November 2025. In the first phase the DoD can require a Level 2 certification from a Certified Third Party Assessment Organization (C3PAO) at its discretion; in the second phase it becomes the standard requirement for contracts that involve CUI.
For a contract that calls for the certified level, self-attestation is no longer enough. You must prove you meet all 110 security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, assessed against the objectives in SP 800-171A. Most companies take 6 to 12 months and spend about 150 thousand to 450 thousand dollars to get ready.
Here is the simple, no fluff playbook contractors are using right now.
Why This Matters Today
The CMMC Program rule (32 CFR Part 170) has been in effect since December 2024, and the DFARS rule that places it in contracts took effect in November 2025. Under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, the DoD can require Level 2 certification before award.
Primes are flowing these requirements down to subcontractors. If you support a prime and handle CUI, you must be ready or you risk losing your seat at the table.
There are only about 135 certified C3PAOs and demand is growing fast. Many companies are booking their audits 6 to 9 months in advance.

The Proven 6 Step Path to CMMC Level 2
Step 1. Scope Your Environment
Most audit failures happen because the scope was wrong.
Do this first:
- Create a CUI data flow diagram.
- Build an asset inventory.
- Define your enclave.
- Sort every asset into the categories defined in the CMMC Level 2 Scoping Guide: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. Only the first four are assessed, but you must document the reasoning for every out-of-scope call.
- Validate your scope with a qualified advisor.
Good scoping keeps your audit smaller, cheaper, and easier to maintain.
Step 2. Run a Real Gap Assessment
A proper gap assessment uses the NIST SP 800-171A assessment procedures, which test 320 assessment objectives, not just the 110 requirement statements. A requirement is only "met" when every one of its objectives is met.
Best practice:
- Work with a Registered Practitioner Organization (RPO).
- Score your environment using the DoD Assessment Methodology: start at 110 and deduct 1, 3 or 5 points for each requirement that is not met (the floor is -203).
- Expect an early score between 50 and 80 out of 110.
- Record your score in the Supplier Performance Risk System (SPRS), with the date and the scope it applies to.
This becomes your starting point.
Step 3. Fix the Big Six Domains
Most security gaps fall into six areas. Fixing these early helps everything else move faster.
The Big Six are:
- Access Control
- Identification and Authentication
- Audit and Accountability
- Incident Response
- System and Communications Protection
- Physical Protection
This usually takes the most time and effort, but it is where companies make the biggest jump in readiness.
Step 4. Build Documentation That Matches Your Environment
Your System Security Plan (SSP) is the main document your assessor will review.
You will also need:
- CUI data flow diagram
- Network diagram
- Asset inventory
- Full policy set
- Plan of Action and Milestones (POA&M)
- Traceability matrix that connects evidence to every requirement and assessment objective
Your documents must tell the same story your systems tell. If they do not match, you will fail.
Step 5. Complete the C3PAO Assessment
When you feel ready, schedule your C3PAO.
What to expect:
- A pre assessment review
- Interviews and evidence collection
- Technical checks
- Validation of your controls
If your score is 88 or higher (80 percent of 110) and every open item is one that may be placed on a POA&M (in general only 1-point requirements, with a few that can never be left open), you may receive a Conditional Certification. You must close every POA&M item and pass a closeout assessment within 180 days, or the conditional certification expires.
Final certification lasts 3 years. A senior official must also submit an affirmation of continued compliance in SPRS every year.
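The scoring method from Step 2 and the conditional-certification test from Step 5 are easy to get wrong by hand, so here is an added example of both in code. This is not code from the original article or from the DoD; the point values it carries are a small illustrative subset (look every value up in Annex A of the DoD Assessment Methodology before using it for a real SPRS submission), and the POA&M exclusion list reflects this author's reading of 32 CFR 170.21, which you should confirm against the rule text. Requirements not named in a snapshot are assumed met.

```python
"""Added example: NIST SP 800-171 scoring and the conditional-certification test.

Constructed for this article. The point table is an illustrative subset,
not the full 110-row Annex A of the DoD Assessment Methodology.
"""
from typing import Dict, List, Tuple

MAX_SCORE = 110
MIN_SCORE = -203            # floor defined by the methodology
CONDITIONAL_THRESHOLD = 88  # 80 percent of 110, rounded up

# Requirement id -> point value. Illustrative subset (assumption: verify each
# value against Annex A before relying on it).
POINT_VALUES: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.8.9": 1,    # protect CUI at backup storage locations
    "3.10.3": 1,   # escort and monitor visitors
    "3.10.4": 1,   # maintain physical access audit logs
    "3.10.5": 1,   # control and manage physical access devices
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify and correct system flaws (patching)
}

# Partial-credit deductions the methodology defines: MFA for remote and
# privileged users only (deduct 3, not 5); encryption in place but not
# FIPS-validated (deduct 3, not 5). Any other "partial" counts as not met.
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# Requirements that cannot be left open on a POA&M for a conditional
# certification (this example's reading of 32 CFR 170.21(a)(2)).
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

Status = Dict[str, str]  # requirement id -> "met" | "partial" | "not_met"


def compute_score(status: Status) -> int:
    """Start at 110 and deduct per unmet requirement.

    Requirements absent from `status` are treated as met. A missing SSP
    (3.12.4) is not modeled: under the methodology that yields no score at all.
    """
    deductions = 0
    for req, state in status.items():
        if req not in POINT_VALUES:
            raise ValueError(f"no point value on file for {req}")
        if state == "met":
            continue
        if state == "partial" and req in PARTIAL_DEDUCTION:
            deductions += PARTIAL_DEDUCTION[req]
        elif state in ("partial", "not_met"):
            deductions += POINT_VALUES[req]
        else:
            raise ValueError(f"unknown state {state!r} for {req}")
    return max(MIN_SCORE, MAX_SCORE - deductions)


def open_items(status: Status) -> List[str]:
    """Requirements that would have to go on the POA&M."""
    return sorted(r for r, s in status.items() if s != "met")


def poam_eligible(req: str, state: str) -> bool:
    """Can this open item sit on the POA&M of a conditional certification?"""
    if req in NEVER_ON_POAM:
        return False
    if req == "3.13.11" and state == "partial":
        return True  # the one 3-point deduction the rule allows on a POA&M
    return POINT_VALUES[req] == 1


def certification_outcome(status: Status) -> Tuple[int, str]:
    """Return (score, outcome) where outcome is 'final', 'conditional' or 'fail'."""
    score = compute_score(status)
    remaining = open_items(status)
    if not remaining:
        return score, "final"
    if score >= CONDITIONAL_THRESHOLD and all(
        poam_eligible(r, status[r]) for r in remaining
    ):
        return score, "conditional"
    return score, "fail"


if __name__ == "__main__":
    # Constructed gap-assessment snapshots; everything not listed is met.
    snapshots = {
        "early gap assessment": {"3.1.1": "not_met", "3.5.3": "partial",
                                 "3.13.11": "partial", "3.8.9": "not_met"},
        "one 1-point item open": {"3.8.9": "not_met"},
        "1-point item the rule bars": {"3.1.22": "not_met"},
        "everything met": {},
    }
    for name, snap in snapshots.items():
        score, outcome = certification_outcome(snap)
        print(f"{name:28s} score={score:4d} outcome={outcome:12s} open={open_items(snap)}")
```

The first snapshot is the case that surprises people: a score of 98 clears the 88 threshold, yet the outcome is "fail" because a 5-point requirement (3.1.1) is still open and cannot be deferred to a POA&M. The third snapshot shows the other trap: 3.1.22 is worth only 1 point, but the rule bars it from a POA&M, so a single open item still blocks a conditional certification.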
Step 6. Stay Certified
CMMC is not one and done. You must maintain your program.
Recommended:
- Quarterly internal reviews
- Regular patching and vulnerability scanning
- Annual incident response testing
- Keeping audit logs for at least 90 days (NIST SP 800-171 sets no retention period; 90 days is a common floor, and longer retention helps incident investigation)
- Updating your SSP after major changes
If you miss your annual affirmation, your certification may lapse and contracts may be at risk.
CMMC Level 2 vs Level 3
Here is the simple difference.
Level 2
- 110 controls from NIST SP 800-171
- Assessed by a C3PAO
- Some POA&M items allowed
- 6 to 12 months typical timeline
Level 3
- 110 controls plus 24 from NIST SP 800-172
- Assessed by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC)
- Very limited POA&M options
- Add 12 to 18 months after Level 2
You must hold a final (not conditional) Level 2 C3PAO certification before a Level 3 assessment can begin.
What Most Contractors Spend in 2025
Based on real project averages:
- Gap Assessment and Planning: 25k to 65k
- Security Tools: 60k to 250k
- Documentation and SSP Development: 30k to 80k
- C3PAO Certification Assessment: 45k to 120k
- Total First Year: 150k to 450k
Getting it right the first time avoids costly delays.

Final Readiness Checklist
You should be ready for audit if you can answer yes to every question.
- Is all CUI scoped and labeled?
- Is MFA enabled for all in-scope users, including remote and privileged access?
- Is FIPS-validated cryptography protecting CUI in transit and at rest (requirement 3.13.11)?
- Are logs centralized and kept for at least 90 days?
- Do you have a tested incident response plan?
- Is your SSP complete and accurate?
- Is your SPRS score close to 110?
If not, you still have work to do.
Your Next Move
You are now one step closer to being ready for CMMC Level 2. The best way to start is by checking your gaps and understanding what your assessor will look for.
Download our free CMMC Audit Ready Checklist to see where your company stands and what you still need to fix.
➡️ Get your checklist here: CMMC Audit Ready Checklist
Use it to prepare your team, confirm your controls, and move toward certification with confidence.