
CMMC Level 2: When a self-assessment isn’t enough

1) Executive Summary

  • Most contracts involving CUI expect CMMC Level 2 with a third‑party assessment (C3PAO).

  • A Level 2 self‑assessment only works when the solicitation explicitly allows it—and it’s usually temporary or narrow in scope.

  • The fastest, lowest‑risk path is to plan for C3PAO while keeping SPRS and documentation current.

CEO takeaway: Treat L2 self‑assessment as the exception. If CUI is in scope, assume third‑party review and protect revenue accordingly.


2) What is a Level 2 Assessment?

  • What it covers: The safeguards needed to protect Controlled Unclassified Information (CUI).

  • What it looks like: Policies, technical controls, and records that map to the Level 2 requirements; results recorded in SPRS.

  • Who checks: A C3PAO (third‑party assessor) validates that your controls exist and are operating.


3) Can You Use a Self‑Assessment?

Only if the RFP/contract says so. If it doesn’t, assume third‑party review.

If self‑assessment is allowed, you still need:

  • Current SPRS entry (type, score, date).

  • A short scope/boundary statement for systems/users that touch CUI.

  • Evidence ready to show (policy + record + screenshot) for key controls.

Risks of relying on self‑assessment:

  • The allowance can be revoked on future options or recompetes.

  • Inconsistent partner posture can undermine your claim.

  • False comfort: you may pass a paper review but fail when a third party checks.


4) Decision Guide (1‑Minute)

  1. Does the RFP mention CUI?

    • No → Level 1 may apply; confirm.

    • Yes → Continue.

  2. Does the RFP permit L2 self‑assessment?

    • Yes → You may self‑assess now, but plan for C3PAO within 3–6 months.

    • No → C3PAO required.

  3. Do subs/vendors touch CUI?

    • Yes → They must meet the same level or be truly out of scope.


5) The C3PAO Path (what to do and when)

Week 0–1 — Stand‑up

  • Name a single owner (contracts/security) + exec sponsor.

  • Confirm the required level and schedule a C3PAO target window on the project plan.

Week 1–3 — Gap & Stabilize

  • Run a gap assessment against L2; fix high‑impact items (MFA everywhere, logging, backups, admin separation).

  • Build a Readiness Pack: 5–7 pages covering SPRS, boundary, partners, and evidence index.

Week 3–6 — Book the assessor

  • Shortlist C3PAOs; hold a readiness call; lock dates; agree on scope and artifacts.

Week 6–10 — Evidence & Dry Run

  • Stage policy + record + screenshot for top controls; conduct a mock interview with your leads.

Assessment window

  • Expect document review + interviews; close minor findings quickly; track any time‑boxed remediations in a POA&M if allowed.

After assessment

  • Update SPRS, finalize evidence, and adopt a monthly compliance rhythm.


6) Budget & Timeline

  • Timeline to “assessment‑ready”: 6–12 weeks for well‑run SMBs; longer with larger scope or legacy issues.

  • Direct costs: Prep support, tooling gaps (MFA, logging, backup), and C3PAO fees.

  • Hidden costs: Proposal delays, emergency consulting, lost options if you slip the calendar.

Rule of thumb: A short, focused sprint now is cheaper than a scramble during award.


7) What COs Expect to See for Level 2

  • Level match clearly stated in your offer.

  • SPRS shows current type/score/date for Level 2.

  • A one‑paragraph boundary statement naming systems/users that touch CUI.

  • Partner alignment (list subs/vendors touching CUI + their status).

  • Light evidence that your controls run day‑to‑day (not just policy docs).


8) Partner Readiness (don’t let them sink your bid)

  • Identify any sub/vendor that touches CUI.

  • Request a 1‑page attestation (level, assessment type/date, contact).

  • If they cannot meet Level 2, remove them from the CUI data flow or replace them.


9) Red Flags That Kill Level 2 Quickly

  • An out‑of‑date SPRS entry, or a score/date that doesn’t match your story.

  • Unclear scope (no boundary; everyone is “in”).

  • No MFA on admin or remote access.

  • Flat networks with CUI intermingled across the environment.

  • Partners with unknown or unproven posture.


10) Your 10‑Item Checklist

  • RFP level confirmed; CUI in scope?

  • Self‑assessment allowed? If yes, plan C3PAO anyway.

  • SPRS updated (type/score/date) + screenshot saved.

  • Boundary statement written (Appendix A template).

  • Partners inventoried; attestations in folder.

  • Gap assessment complete; top fixes scheduled.

  • Readiness Pack (5–7 pages) assembled.

  • C3PAO shortlisted; date penciled.

  • Mock interviews done; evidence staged.

  • Monthly compliance cadence defined.


11) Need a CMMC Level 2 Free Assessment?

What you get for Level 2:

  • Readiness in weeks, not quarters: gap assessment → remediation plan → evidence pack → C3PAO coordination.

  • Partner assurance: quick checks and attestations for vendors/subs that touch CUI.

  • Proposal support: boundary statement, SPRS tune‑up, and bid‑day sanity check.

Led by practitioners: CEO Horacio Maysonet, a U.S. Air Force veteran, and a cross‑functional team (compliance, engineering, onboarding, ops) focused on making compliance practical.
