CMMC Level 2: When a self-assessment isn’t enough

1) Executive Summary

  • Most contracts involving CUI expect CMMC Level 2 with a third‑party assessment (C3PAO).

  • A Level 2 self‑assessment only works when the solicitation explicitly allows it—and it’s usually temporary or narrow in scope.

  • The fastest, lowest‑risk path is to plan for C3PAO while keeping SPRS and documentation current.

CEO takeaway: Treat L2 self‑assessment as the exception. If CUI is in scope, assume third‑party review and protect revenue accordingly.

2) What is a Level 2 Assessment?

  • What it covers: The safeguards needed to protect Controlled Unclassified Information (CUI).

  • What it looks like: Policies, technical controls, and records that map to the Level 2 requirements; results recorded in SPRS.

  • Who checks: A C3PAO (third‑party assessor) validates that your controls exist and are operating.

3) Can You Use a Self‑Assessment?

Only if the RFP/contract says so. If it doesn’t, assume third‑party review.

If self‑assessment is allowed, you still need:

  • Current SPRS entry (type, score, date).

  • A short scope/boundary statement for systems/users that touch CUI.

  • Evidence ready to show (policy + record + screenshot) for key controls.

Risks of relying on self‑assessment:

  • The allowance can be revoked on future options or recompetes.

  • Inconsistent partner posture can undermine your claim.

  • False comfort: you may pass a paper review but fail when a third party checks.

4) Decision Guide (1‑Minute)

  1. Does the RFP mention CUI?

    • No → Level 1 may apply; confirm.

    • Yes → Continue.

  2. Does the RFP permit L2 self‑assessment?

    • Yes → You may self‑assess now, but plan for C3PAO within 3–6 months.

    • No → C3PAO required.

  3. Do subs/vendors touch CUI?

    • Yes → They must meet the same level or be truly out of scope.

5) The C3PAO Path (what to do and when)

Week 0–1 — Stand‑up

  • Name a single owner (contracts/security) + exec sponsor.

  • Confirm the required level and schedule a C3PAO target window.

Week 1–3 — Gap & Stabilize

  • Run a gap assessment against L2; fix high‑impact items (MFA everywhere, logging, backups, admin separation).

  • Build a Readiness Pack: 5–7 pages covering SPRS, boundary, partners, and evidence index.

Week 3–6 — Book the assessor

  • Shortlist C3PAOs; hold a readiness call; lock dates; agree on scope and artifacts.

Week 6–10 — Evidence & Dry Run

  • Stage policy + record + screenshot for top controls; conduct a mock interview with your leads.

Assessment window

  • Expect document review + interviews; close minor findings quickly; track any time‑boxed remediations in a POA&M if allowed.

After assessment

  • Update SPRS, finalize evidence, and adopt a monthly compliance rhythm.

6) Budget & Timeline

  • Timeline to “assessment‑ready”: 6–12 weeks for well‑run SMBs; longer with larger scope or legacy issues.

  • Direct costs: Prep support, tooling gaps (MFA, logging, backup), and C3PAO fees.

  • Hidden costs: Proposal delays, emergency consulting, lost options if you slip the calendar.

Rule of thumb: A short, focused sprint now is cheaper than a scramble during award.

7) What COs (Contracting Officers) Expect to See for Level 2

  • Level match clearly stated in your offer.

  • SPRS shows current type/score/date for Level 2.

  • A one‑paragraph boundary statement naming systems/users that touch CUI.

  • Partner alignment (list subs/vendors touching CUI + their status).

  • Light evidence that your controls run day‑to‑day (not just policy docs).

8) Partner Readiness (don’t let them sink your bid)

  • Identify any sub/vendor that touches CUI.

  • Request a 1‑page attestation (level, assessment type/date, contact).

  • If they cannot meet Level 2, remove them from the CUI data flow or replace them.

9) Red Flags That Kill Level 2 Quickly

  • Out‑of‑date SPRS entry, or a score/date that doesn’t match the rest of your submission.

  • Unclear scope (no boundary; everyone is “in”).

  • No MFA on admin or remote access.

  • Flat networks with CUI intermingled across the environment.

  • Partners with unknown or unproven posture.

10) Your 10‑Item Checklist

  • RFP level confirmed; CUI in scope?

  • Self‑assessment allowed? If yes, plan C3PAO anyway.

  • SPRS updated (type/score/date) + screenshot saved.

  • Boundary statement written (Appendix A template).

  • Partners inventoried; attestations in folder.

  • Gap assessment complete; top fixes scheduled.

  • Readiness Pack (5–7 pages) assembled.

  • C3PAO shortlisted; date penciled.

  • Mock interviews done; evidence staged.

  • Monthly compliance cadence defined.

11) Need a Free CMMC Level 2 Assessment?

What you get for Level 2:

  • Readiness in weeks, not quarters: gap assessment → remediation plan → evidence pack → C3PAO coordination.

  • Partner assurance: quick checks and attestations for vendors/subs that touch CUI.

  • Proposal support: boundary statement, SPRS tune‑up, and bid‑day sanity check.

Led by practitioners. CEO Horacio Maysonet, a U.S. Air Force veteran, and a cross‑functional team (compliance, engineering, onboarding, ops) focused on making compliance practical.