
CMMC Level 2 Preparation: Insider Tips from DIB Contractors

By Fortwise Team

The reality check

"We thought we were ready because we'd been doing NIST 800-171 self-assessments for years," explains a CISO whose firm barely passed. "The CMMC Level 2 assessment was completely different—they actually verified everything."

Unlike the self-attestation of past years, a Level 2 assessment requires demonstrable evidence for all 110 security requirements of NIST SP 800-171. Whether your contracts call for a Level 2 self-assessment or a C3PAO certification assessment, the evidence bar is the same. As one program manager puts it: "Assessors don't care about your plans. They care about what you can prove you're actually doing."

The 6-month realistic timeline

Every successful contractor started serious preparation at least six months before their assessment.

Months 6-5: gap analysis

Map actual CUI data flows and every system that stores, processes, or transmits CUI; document current versus required practices; and write realistic POA&Ms for the gaps you cannot close before the assessment, keeping in mind that CMMC only allows a limited set of requirements to remain open on a POA&M and requires them to be closed within 180 days. One contractor discovered 47 gaps initially, sobering but essential to know early.

Months 4-3: implementation sprint

Deploy technical controls (MFA, encryption, logging), develop policies reflecting actual practices, and train staff on new procedures. "Don't implement everything at once," advises one PM. "We tried 15 controls in one month and nearly had a revolt."

Months 2-1: evidence and practice

Conduct multiple mock assessments, organize evidence into logical packages, ensure 90-day evidence currency, and fine-tune your System Security Plan.

Evidence organization: the critical success factor

"Bad evidence organization adds days to your assessment," warns a veteran assessor. Successful contractors use a three-tier system:

  1. Control family folders — 14 folders, one per NIST SP 800-171 requirement family (3.1 Access Control through 3.14 System and Information Integrity)
  2. Individual control subfolders — separate folders for each control (3.1.1, 3.1.2, etc.)
  3. Evidence artifacts — policies, procedures, screenshots, and logs for each control

"We created a master spreadsheet linking every control to its evidence," shares one manufacturer. "Assessors could find anything in seconds."

Critical tip: start evidence collection 120 days before assessment, then refresh at the 30-day mark to ensure currency. Several contractors failed because their evidence was too old.
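The folder layout and the currency rule above are easy to state and easy to let slip once the package holds several hundred artifacts. The script below is an added example, not code from the article or from Fortwise: it assumes a master manifest with one row per artifact (control ID, filename, collection date), mirroring the master spreadsheet contractors describe, and it derives each artifact's place in the three-tier layout, classifies every in-scope control as current, stale or missing against a 90-day window, and lists the artifacts that will age out within the next 30 days. The manifest, control list and as-of date are constructed sample data.

```python
"""Evidence-repository coverage and currency check (added example, not from
the article or from Fortwise).  Assumes a master manifest of artifacts keyed by
NIST SP 800-171 requirement ID; the sample data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from pathlib import PurePosixPath

# The 14 NIST SP 800-171 Rev. 2 requirement families, keyed by the family
# number (the middle component of a requirement ID such as 3.1.1).
FAMILIES = {
    1: "Access Control", 2: "Awareness and Training",
    3: "Audit and Accountability", 4: "Configuration Management",
    5: "Identification and Authentication", 6: "Incident Response",
    7: "Maintenance", 8: "Media Protection", 9: "Personnel Security",
    10: "Physical Protection", 11: "Risk Assessment", 12: "Security Assessment",
    13: "System and Communications Protection",
    14: "System and Information Integrity",
}


@dataclass(frozen=True)
class Artifact:
    control: str     # requirement ID, e.g. "3.1.1"
    filename: str    # policy export, screenshot, log extract, meeting minutes
    collected: date  # the day the artifact was captured, not the day it was filed


def artifact_path(a: Artifact) -> PurePosixPath:
    """Tier 1 family folder / tier 2 control subfolder / tier 3 artifact file."""
    family_no = int(a.control.split(".")[1])
    family_dir = f"{family_no:02d}-{FAMILIES[family_no].replace(' ', '-')}"
    return PurePosixPath(family_dir) / a.control / a.filename


def currency_report(manifest, in_scope, as_of, max_age_days=90):
    """Classify each in-scope control as current, stale or missing.

    current: at least one artifact captured within max_age_days of as_of
    stale:   artifacts exist but every one is older than the window
    missing: no artifact at all (the first thing an assessor will ask about)
    """
    cutoff = as_of - timedelta(days=max_age_days)
    by_control = {}
    for a in manifest:
        by_control.setdefault(a.control, []).append(a)
    report = {"current": [], "stale": [], "missing": []}
    for control in in_scope:
        arts = by_control.get(control, [])
        if not arts:
            report["missing"].append(control)
        elif any(a.collected >= cutoff for a in arts):
            report["current"].append(control)
        else:
            report["stale"].append(control)
    return report


def expiring_soon(manifest, as_of, max_age_days=90, lead_days=30):
    """Artifacts still inside the window that will age out within lead_days.

    This is the 30-day refresh list: capture these again now so nothing in the
    package is older than max_age_days on assessment day.
    """
    window_start = as_of - timedelta(days=max_age_days)
    refresh_before = as_of - timedelta(days=max_age_days - lead_days)
    return sorted(
        (a.control, a.filename)
        for a in manifest
        if window_start <= a.collected < refresh_before
    )


# Constructed sample manifest: a handful of controls from different families.
SAMPLE_MANIFEST = [
    Artifact("3.1.1", "mfa-policy.pdf", date(2025, 5, 15)),
    Artifact("3.1.1", "mfa-enforcement-screenshot.png", date(2025, 1, 10)),
    Artifact("3.3.1", "siem-retention-screenshot.png", date(2025, 2, 1)),
    Artifact("3.6.1", "ir-tabletop-minutes.pdf", date(2025, 3, 20)),
    Artifact("3.14.1", "patch-dashboard-2025-05.png", date(2025, 5, 30)),
]
SAMPLE_IN_SCOPE = ["3.1.1", "3.1.2", "3.3.1", "3.6.1", "3.14.1"]
SAMPLE_AS_OF = date(2025, 6, 1)


def run_sample():
    """Run both checks over the constructed manifest as of SAMPLE_AS_OF."""
    return {
        "report": currency_report(SAMPLE_MANIFEST, SAMPLE_IN_SCOPE, SAMPLE_AS_OF),
        "refresh": expiring_soon(SAMPLE_MANIFEST, SAMPLE_AS_OF),
    }


if __name__ == "__main__":
    result = run_sample()
    for status, controls in result["report"].items():
        print(f"{status:8s} {', '.join(controls) or '-'}")
    print("refresh now:", result["refresh"])
    print("example path:", artifact_path(SAMPLE_MANIFEST[-1]))
```

Run against the sample, the report shows 3.1.2 missing (no artifact at all), 3.3.1 stale (its only screenshot is four months old), and 3.6.1 current but on the refresh list because the tabletop minutes will cross the 90-day line before a 30-day lead time runs out. Note that the date on an artifact is the day it was captured, not the day it was filed; renaming or re-uploading an old screenshot does not make it current.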

Top 5 assessment failure points

  1. Audit and accountability: "Everyone thinks they have logging until asked for activity logs from three months ago," notes an assessor. Implement centralized log management early, with retention long enough to produce logs from months back on request.
  2. Incident response: plans exist but lack testing evidence. Hold quarterly tabletop exercises and keep the scenario, attendance, and lessons learned for each one.
  3. System integrity: patch management lacks consistent evidence. Capture your patch dashboard monthly and keep the dated captures so you can show a record over time, not just today's state.
  4. Configuration management: baseline configurations drift over time. Document the baselines and implement automated monitoring that flags deviations from them.
  5. Physical protection: often overlooked for remote workers. Be ready to prove how CUI handlers secure their home offices.

The scoping trap

"Scope creep kills more assessments than missing controls," warns an assessor. One contractor found CUI in HR systems, accounting databases, even voicemails. Map everything, then validate twice.

Preparing your team

Technical controls are only half the equation. Every successful assessment requires well-prepared personnel, with interview preparation tailored by tier:

  • Executives: program oversight and why security matters
  • Managers: process ownership and oversight of their teams
  • Technical staff: implementation details, drilled deep
  • General staff: CUI handling and incident reporting

"By the actual assessment, our people were confident and consistent," reports one compliance manager who conducted mock interviews with each tier.

Assessment week reality

Day 1: documentation review. Assessors examine SSP consistency and completeness. Assign a knowledgeable liaison who knows where everything lives.

Days 2-3: technical validation through live demonstrations. Have your administrators available to drive the demonstrations on their own screens (assessors observe; do not hand over credentials), and ensure key personnel are on site or reachable.

Final day: personnel interviews and preliminary findings. While formal results come later, major issues surface immediately.

The true costs

Every successful contractor invested significantly: two to three full-time equivalents for six months in personnel time; $50,000-125,000 in external support (gap assessments, remediation, mock reviews); and $50,000-100,000 annually in technology (SIEM, EDR, vulnerability management, MFA).

"We spent about $200,000 for our 100-person company," calculates one CFO. "But we would've lost $10 million in contracts without certification."

Maintaining compliance post-assessment

"The relief lasted about a day," laughs one compliance manager. "Then we realized we have to maintain this forever." Key sustainment strategies: automate evidence collection, conduct quarterly internal assessments, maintain assessment-ready evidence continuously, and build security into all new initiatives.

Your action roadmap

6 months out: conduct a gap assessment, define exact CUI scope, develop your POA&M, and allocate resources.

4 months out: implement technical controls, develop policies and procedures, begin evidence collection, and start training.

2 months out: conduct a mock assessment, organize the evidence repository, and address findings.

1 month out: refresh evidence, finalize documentation, and brief all personnel.

1 week out: verify evidence completeness, confirm logistics, and conduct system checks.

The bottom line

"There's no lucky path through Level 2," concludes a recently certified CEO. "You either do the work or you don't pass."

With CMMC requirements now flowing into DoD contracts, the question isn't whether to prepare but how quickly you can build sustainable compliance. The contractors who succeed treat Level 2 not as a hurdle but as a catalyst for becoming the secure organization their DoD customers expect.

Start now, be thorough, and remember—the assessment just validates the security program you should run every day. As one successful contractor summarized: "CMMC Level 2 forced us to become the professional organization our customers always assumed we were. The assessment was just proof we'd done our homework."

Free 30-minute readiness call

Walk into your CMMC assessment ready.

Book a 30-minute readiness call with a Fortwise advisor. No high-pressure sales — just a clear read on where you stand and what it takes to certify.

  • Confirm which CMMC level your contracts actually require
  • Pinpoint the gaps most likely to fail your assessment
  • Leave with a clear, prioritized path to certification

One-on-one with a CMMC advisor · No obligation · We never store your CUI