CMMC 2.0 · Level 2 · C3PAO-ready
CMMC Level 2 compliance for defense contractors — without sprawl, without surprise
If your DoD contract flows down DFARS 252.204-7012, you need CMMC 2.0 Level 2 across all 110 NIST 800-171 controls. MacTech delivers a defensible CUI boundary and the assessment-ready evidence to certify on the first attempt.
The contractors who succeed at Level 2 do three things
- Shrink CUI to a defined enclave instead of letting it sprawl across corporate IT.
- Inherit controls from FedRAMP-Moderate-aligned infrastructure — shorter SSP, faster assessment.
- Author the SSP and POAM as evidence accumulates, not in a panic the month before the C3PAO arrives.
01 — The bar
What CMMC Level 2 actually requires
110 controls, all in scope
Every control in NIST 800-171 Rev 2 applies. There is no Level 2 with a subset; partial credit only delays certification.
CUI boundary, defined and defended
You must identify every system that touches CUI and explain — in writing — how CUI is kept inside that boundary at rest, in transit, and during processing.
Third-party assessment every 3 years
A C3PAO assesses your implementation against a published methodology and submits results to the DoD via eMASS. Self-attestation is not enough.
02 — The path
A four-phase path from gap to certificate
Scope & boundary
Define exactly where CUI is allowed. Document the enclave. Identify external service providers and inherited controls. Outcome: a defensible system-boundary diagram and an asset inventory the assessor can read in one sitting.
Gap assessment
Score every one of the 110 controls against current evidence. Categorize as IMPLEMENTED, PARTIAL, or NOT IMPLEMENTED. Outcome: a prioritized remediation backlog and a quantified SPRS score to plan against.
Remediate & document
Close gaps in priority order: technical controls first (because they unlock evidence), policy controls second, training last. Author the SSP and POAM as you go — not at the end. Outcome: a complete artifact set, not a binder of TODOs.
C3PAO assessment
Run a dress-rehearsal assessment using MacTech's assessment-day runbook. Address findings while there is still time. Schedule the formal C3PAO assessment with confidence. Outcome: pass on first attempt.
03 — What you get
The MacTech CMMC Level 2 stack
CUI Enclave
Boundary + inheritance
A FIPS 140-3 controlled boundary that isolates CUI from your general IT. It inherits the maximum possible controls from the underlying platform, so your SSP gets shorter, not longer.
Trust Codex
Evidence + SSP authoring
A living crosswalk of all 110 NIST 800-171 controls to your implementation evidence, with assessment-ready exports, POAM tracking, and shared-responsibility matrices.
IR Tabletop & AAR Evidence Kit
IR drills + evidence
Pre-built incident response tabletops with AI scenario generation, after-action reports, and the artifact set C3PAO assessors expect to see for IR-related controls.
Hardening & Validation Suite
Configuration assurance
Automated STIG compliance for RHEL, Windows, and Cisco. Continuous validation feeds your evidence library, so you detect configuration drift before the assessor does.
05 — Questions
CMMC Level 2 — frequently asked
What is CMMC Level 2 and who needs it?
CMMC 2.0 Level 2 is the certification tier required for any defense contractor or subcontractor that stores, processes, or transmits Controlled Unclassified Information (CUI). It maps to all 110 controls in NIST SP 800-171 Rev 2. If your DoD contract or any flowdown clause references DFARS 252.204-7012, you are on the hook for Level 2.
How long does CMMC Level 2 certification take?
Most small-to-mid defense contractors need 6 to 12 months from a clean readiness scan to a C3PAO assessment certificate. The major variables are CUI scope (smaller is faster), evidence maturity, and POAM volume. MacTech customers using the CUI Enclave typically cut this to 90–180 days because the boundary is pre-defined and inherited controls are pre-documented.
How much does CMMC Level 2 cost?
Direct C3PAO assessment fees typically run $15k–$50k. Total program cost — including remediation, documentation, technology, and consulting — usually lands between $80k and $400k for first-time contractors. The biggest cost driver is CUI scope: contractors who isolate CUI inside a defined enclave (rather than letting it sprawl across the enterprise) cut both certification and ongoing maintenance cost by 40–60%.
Do I have to use a C3PAO?
Yes, for Level 2 certification on contracts that require it. Self-assessment is only permitted under specific conditions defined in the CMMC rule; most prime flowdowns now require third-party certification by a Cyber AB-authorized C3PAO. MacTech is not a C3PAO: we get you assessment-ready and partner with C3PAOs for the formal assessment.
What is a CUI boundary and why does it matter?
A CUI boundary is the defined set of systems, networks, and physical spaces where CUI is allowed to exist. A tight, documented boundary shrinks the scope of your assessment, reduces ongoing compliance cost, and makes incident response far easier. MacTech's CUI Enclave is a FIPS 140-3 controlled boundary designed to keep CUI off your general corporate IT entirely.
What is a System Security Plan (SSP) for CMMC Level 2?
The SSP is the primary document a C3PAO assessor reads. It describes your system, defines the CUI boundary, and explains how each of the 110 NIST 800-171 controls is implemented — including inherited controls, shared responsibilities, and any planned remediation captured in your POAM. A weak SSP is the #1 reason contractors fail Level 2 assessments.
Can a small business afford CMMC Level 2?
Yes, if scope is managed. The contractors who get hurt are the ones who try to certify their entire enterprise. The contractors who succeed isolate CUI to a small, defined enclave and inherit as many controls as possible from an underlying platform (FedRAMP Moderate IaaS, an authorized SaaS, etc.). MacTech's Compliance Package was built specifically for small DIB subs operating on tight margins.
What is the difference between CMMC Level 1 and Level 2?
Level 1 covers Federal Contract Information (FCI) only — 17 basic safeguarding controls, self-assessed annually. Level 2 covers CUI — all 110 NIST 800-171 controls, third-party assessed every three years by a C3PAO. Most prime contracts flow down Level 2 because primes treat any meaningful technical data as CUI.
Start with a readiness scan
Tell us your contract posture and current CUI footprint. We will return a Level 2 readiness score, a prioritized remediation backlog, and a realistic timeline to your C3PAO assessment.