CyberAutopsySHIELD · COMPLIANCE

CMMC Level 2. 110 controls. 14 families. One certificate.

Level 2 is the bar for every DoD contractor or subcontractor that handles Controlled Unclassified Information. It maps one-for-one to the 110 requirements of NIST SP 800-171 Rev. 2 and, depending on what the solicitation calls for, is either self-assessed or assessed by an accredited C3PAO. The only intermediate state is a Conditional status backed by a POA&M, and that expires after 180 days. There is no “working toward it.” You are certified, or you are not.

WHAT LEVEL 2 REQUIRES

Five artifacts that must exist before audit day.

Nothing about Level 2 is improvisational. The assessor will ask for these five artifacts within the first hour of the engagement. If any of them is unwritten, the engagement effectively halts.

  1. System Security Plan (SSP)

     A written description of every system in the CUI boundary and how each of the 110 controls is implemented, by whom, with what tooling, and against what evidence.

  2. Plan of Action & Milestones (POA&M)

     A dated and owned closure plan for any control not fully implemented at the time of score submission. CMMC 2.0 permits a POA&M only for a defined subset of controls; higher-weight controls cannot appear on it.

  3. SPRS Score (DoD)

     A score submitted to the Supplier Performance Risk System, computed against the 110 controls. The minimum for Conditional status is 88 of 110, with a 180-day obligation to close the POA&M.

  4. Authorization Boundary Diagram

     A signed diagram of the CUI boundary: the systems, data flows, identities, and connections in scope. Anything excluded from scope must be justified against the CMMC scoping guidance and the NIST SP 800-171A assessment objectives.

  5. Evidence Library

     Per-control artifacts (configurations, screenshots, signed policies, training records) indexed by family and control number. This is the packet the assessor will read.

SPRS SCORING, EXPLAINED

Each unmet control subtracts.

SPRS begins every contractor at 110 and subtracts a weight for each control not fully implemented. Each control carries a fixed weight of 1, 3, or 5, reflecting the impact of leaving it unmet. The arithmetic floor is −203 (every control unmet), the ceiling is +110, and the lowest score that still qualifies for Conditional CMMC 2.0 status is currently 88, provided the remaining gaps sit on a permitted POA&M.

A contractor who claims a score of 110 without a defensible evidence packet behind it is volunteering for False Claims Act exposure. The DOJ’s Civil Cyber-Fraud Initiative has already produced multi-million-dollar settlements over inflated scores. The score must be earned, in writing, against artifacts.

  • 110 starting score, deductions for each unmet control
  • Weights of 1, 3, 5 based on assessment objective impact
  • Minimum 88 with POA&M permitted on lower-weight controls
  • 180-day POA&M closure obligation
  • Annual affirmation by a senior company official
[SPRS dashboard mockup] Sample posture from a $200M defense manufacturer engagement, anonymized: self-assessed score 97 of 110 (scale −203 to +110; CMMC 2.0 minimum 88), 103 of 110 controls met, 7 gaps with all 7 on a permitted POA&M, rated audit-ready and submitted to DoD SPRS.
110 CONTROLS · 14 FAMILIES

You have 14 families to defend.
Three are usually failing.

This is the heatmap we produce in week two. Every cell is a defensible posture, not an opinion, and each family is annotated with the failure pattern we see most often for it.

[Heatmap totals] Implemented 53 (48% of 110) · Partial 36 (33% of 110) · Missing 21 (19% of 110). Each family is annotated with its typical failure pattern across the DoD contractors we’ve assessed.

POA&M RULES UNDER CMMC 2.0

A POA&M is a scalpel, not a parachute.

CMMC 2.0 permits a Plan of Action and Milestones at certification, but only against a constrained list of controls and only inside a fixed 180-day closure window. Used surgically, a POA&M lets us deliver a certificate fast and then close the residue. Used broadly, it is a way to lose the certificate you just earned.

POA&M ALLOWED

Lower-weight controls (weight 1) where the absence of implementation does not undermine the core protection objective. Examples include certain training documentation gaps.

POA&M NOT ALLOWED

High-impact controls (weight 5). Examples include FIPS-validated cryptography, multifactor authentication for privileged users, and incident reporting to DoD.

POA&M CLOSURE

180 days from the date Conditional status is granted. If the POA&M is not closed out within that window, the Conditional status expires and the certificate lapses. We track closure inside the Annual Retainer.
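The scoring arithmetic described under “SPRS scoring, explained” and the POA&M rules in this section reduce to a few checks, and it is worth running them before a score is submitted rather than after. The following is an added example written for this page, not DoD tooling or the page’s own code. It encodes only what the page states: start at 110, subtract 1, 3 or 5 per unmet requirement, Conditional status needs at least 88, only weight-1 gaps may sit on the POA&M, and the POA&M closes within 180 days. The scenarios are constructed. The three weight-5 identifiers are the NIST SP 800-171 requirements the page names (FIPS-validated cryptography, MFA for privileged accounts, incident reporting); every other weight and the `placeholder-w1-*` identifiers are assumed for illustration and must be checked against the DoD Assessment Methodology before use on a real assessment.

```python
"""SPRS score and POA&M eligibility checker (illustrative, constructed data).

Only the three weight-5 requirements named on the page are real mappings;
the placeholder gaps and their weights are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

STARTING_SCORE = 110        # every contractor starts here
FLOOR_SCORE = -203          # all 110 requirements unmet
CONDITIONAL_MINIMUM = 88    # lowest score that still qualifies for Conditional status
POAM_WEIGHTS_ALLOWED = {1}  # per the page: only weight-1 gaps may sit on a POA&M
POAM_CLOSURE_DAYS = 180
VALID_WEIGHTS = (1, 3, 5)


@dataclass(frozen=True)
class Gap:
    """One requirement that is not fully implemented at score submission."""
    control_id: str
    weight: int
    note: str = ""

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.control_id}: weight must be one of {VALID_WEIGHTS}")


def sprs_score(gaps):
    """110 minus the weight of every unmet requirement; an id may be deducted only once."""
    ids = [g.control_id for g in gaps]
    if len(ids) != len(set(ids)):
        raise ValueError("a requirement can only be deducted once")
    score = STARTING_SCORE - sum(g.weight for g in gaps)
    assert FLOOR_SCORE <= score <= STARTING_SCORE
    return score


def poam_blockers(gaps):
    """Gaps whose weight bars them from a POA&M: these must be closed before certification."""
    return [g.control_id for g in gaps if g.weight not in POAM_WEIGHTS_ALLOWED]


def conditional_eligible(gaps):
    """Conditional status needs BOTH a score of at least 88 AND no higher-weight gaps."""
    return sprs_score(gaps) >= CONDITIONAL_MINIMUM and not poam_blockers(gaps)


def poam_deadline(conditional_date_iso):
    """Last day to close the POA&M: 180 days after Conditional status is granted (ISO dates)."""
    granted = date.fromisoformat(conditional_date_iso)
    return (granted + timedelta(days=POAM_CLOSURE_DAYS)).isoformat()


# --- constructed scenarios (placeholder ids and weights are assumptions) ---

def scenario_clean_poam():
    """Five weight-1 documentation gaps and nothing else."""
    return [Gap(f"placeholder-w1-{i}", 1, "training record missing") for i in range(1, 6)]


def scenario_high_weight():
    """Same five gaps plus two of the weight-5 requirements the page names."""
    return scenario_clean_poam() + [
        Gap("SC.L2-3.13.11", 5, "FIPS-validated cryptography not in place"),
        Gap("IA.L2-3.5.3", 5, "MFA missing for privileged accounts"),
    ]


def scenario_too_many():
    """Twenty-five weight-1 gaps: every one is POA&M-eligible, but the score is below 88."""
    return [Gap(f"placeholder-w1-{i}", 1) for i in range(1, 26)]


def report(name, gaps):
    return {
        "scenario": name,
        "score": sprs_score(gaps),
        "blockers": poam_blockers(gaps),
        "conditional_eligible": conditional_eligible(gaps),
    }


if __name__ == "__main__":
    for name, gaps in [("clean", scenario_clean_poam()),
                       ("high-weight", scenario_high_weight()),
                       ("too-many", scenario_too_many())]:
        print(report(name, gaps))
    print("POA&M deadline if granted 2025-01-15:", poam_deadline("2025-01-15"))
```

The two failing scenarios are the ones this section warns about. The high-weight case clears 88 comfortably and still fails, because a single weight-5 gap cannot be parked on a POA&M; the too-many case has only POA&M-eligible gaps and still fails, because 25 of them drop the score below 88. Both have to be true at once.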

REGULATORY TIMELINE

The clauses are already live.

  1. 2016

    DFARS 252.204-7012 finalized — safeguarding of covered defense information (CUI) and 72-hour cyber incident reporting required of DoD contractors handling it.

  2. 2020

    DFARS 7019, 7020, 7021 issued via Interim Rule — SPRS scoring, DoD assessment rights, and CMMC certification clauses.

  3. 2021

    CMMC 2.0 announced — collapsed to three levels, NIST 800-171 alignment confirmed, POA&M permitted for limited controls.

  4. 2024

    32 CFR Part 170 published (Oct 15, 2024) — formal CMMC program rule, effective December 16, 2024.

  5. 2025+

    48 CFR (DFARS) rule phased in — contracting officers begin inserting CMMC certification requirements directly into solicitations, in stages, as the phase-in schedule allows.

  6. Today

    Subcontractor flow-down is occurring. Primes are requiring evidence of SPRS scores from suppliers as a condition of teaming agreements.