AI Compliance —
CMMC Level 2 Assessment Guide: C3PAO, SPRS & POA&M Rules
A detailed walkthrough of the CMMC Level 2 assessment process C3PAO phases, SPRS scoring mechanics, and POA&M eligibility rules for DIB SaaS vendors.
Deepika
cmmc
Share this article

A CMMC Level 2 certification assessment runs on three interlocking systems: a 110-control scoring model in SPRS, strict rules about which gaps can be deferred through a POA&M, and a structured four-phase process run by an accredited C3PAO. Most general CMMC guides stop at "you need Level 2 if you handle CUI." This one goes further — into how the assessment is actually scored, which failures are survivable, and what the C3PAO engagement looks like week by week.
Self-Assessment vs. C3PAO Certification: Which Applies to You
CMMC Level 2 isn't a single path — it splits into two distinct assessment types, and the contract language determines which one applies to your organization:
Level 2 (Self): Annual self-assessment against all 110 NIST SP 800-171 Rev. 2 requirements, with the score submitted to SPRS. Applies to non-prioritized acquisitions.
Level 2 (C3PAO): A formal triennial assessment conducted by a Cyber AB-authorized Certified Third-Party Assessment Organization. Applies to prioritized acquisitions and CUI handling considered higher-risk.
The rollout matters here. Phase 1 (started November 10, 2025) still allows many Level 2 contracts to rely on self-assessment. Phase 2, beginning November 10, 2026, shifts the majority of Level 2 contracts to mandatory C3PAO certification. If you're a subcontractor receiving CUI from a prime that requires Level 2 (C3PAO), that requirement flows down to you regardless of your own contract size — CMMC obligations cascade through the entire supply chain, not just to primes.
How SPRS Scoring Actually Works
Every one of the 110 NIST SP 800-171 requirements carries a point value of 1, 3, or 5, based on how foundational or high-impact that control is. A fully compliant organization scores 110. Each unmet requirement is subtracted from that total — and because some deficiencies compound, the theoretical floor is -203, not zero.
Two thresholds matter in practice:
88 points (80%) is the minimum score needed to qualify for Conditional Level 2 status, assuming no high-value requirements are missing.
110 points is Final status — every requirement MET or marked Not Applicable.
The DoD's own data is part of why this matters: DIBCAC assessments have found that a large share of contractors self-reporting a perfect 110 didn't actually meet that bar, which is a core reason CMMC 2.0 moved toward independent C3PAO verification for higher-risk contracts.
[Image alt text: "SPRS scoring scale for CMMC Level 2 showing 110 point maximum"]
POA&M Rules: What Can (and Can't) Be Deferred
This is where most vendors misjudge their risk. A Plan of Action and Milestones lets you defer remediation of certain gaps — but not all gaps qualify:
1-point requirements are generally POA&M-eligible, with a small list of specific exceptions.
3-point and 5-point requirements are not eligible for a POA&M in most cases — they must be fully implemented at the time of assessment. One narrow exception exists: SC.L2-3.13.11 (encryption requirements) can qualify for a POA&M at reduced weight if encryption is in place but not yet FIPS-validated.
If a NOT MET finding lands on a high-value (3- or 5-point) requirement, the outcome is typically a Determination Letter — not a Conditional certificate. That's a failed assessment, not a deferred one.
Every POA&M item must document the specific deficiency, the planned remediation steps, ownership, and a target date — and it must close out within 180 days of the Conditional status being issued. Miss that window, and Conditional status lapses; you lose your CMMC status and restart the assessment process from scratch, not just the closeout.
The C3PAO Assessment Process: Four Phases
1. Pre-Assessment (Scoping) Roughly a month before formal assessment, the C3PAO runs a scoping call to confirm your assessment boundary, review your System Security Plan, and identify which systems, personnel, and data flows are in scope. This is also when most vendors run a final mock assessment or readiness review.
2. Assess Conformity to Security Requirements Assessors evaluate all 110 requirements against their corresponding assessment objectives — 320 objectives total across the requirement set. A single requirement can have multiple objectives; missing even one can mean the whole requirement is scored NOT MET. Assessors use a mix of document review, system demonstration, and interviews, applying nonstatistical sampling across your environment. Active on-site or remote assessment activity typically runs 2–5 days depending on organization size and scope.
3. Complete and Report Assessment Results The C3PAO compiles a report classifying each requirement as MET, NOT MET, or NOT APPLICABLE, typically delivered within about two weeks of the assessment concluding.
4. Issue Certificate and Closeout POA&M Based on the results, you receive one of three outcomes:
Final Level 2 (C3PAO): All requirements MET or NOT APPLICABLE. Valid for 3 years.
Conditional Level 2 (C3PAO): Score of at least 88, with all NOT MET findings limited to POA&M-eligible requirements. 180 days to close out.
Determination Letter: One or more high-value requirements NOT MET, or score below 88. No certification issued.
Results are submitted through eMASS, the DoD's system of record, and reflected in your SPRS entry.
[Image alt text: "Four phases of the CMMC Level 2 C3PAO assessment process"]
What It Costs and How Long It Takes
Costs scale with environment size and complexity, not just headcount:
Organization Size | Typical Assessment Cost | Formal Process Timeline |
|---|---|---|
Small, limited scope | $30,000–$75,000 | 6–8 weeks, kickoff to certificate |
Mid-size environment | $75,000–$150,000 | 6–8 weeks, plus 3–6 months lead time for booking |
Complex/large environment | $200,000+ | Longer active assessment; extended prep |
These figures cover the C3PAO engagement itself. Preparation and remediation — closing gaps in access control, encryption, logging, and incident response before the assessor arrives — is usually the larger cost. Organizations starting from an immature security posture commonly need 6–18 months of preparation before they're genuinely ready for assessment, and C3PAO capacity is currently constrained, so booking lead time (often 3–6 months) needs to be planned around separately from remediation time.
After Certification: Affirmations and the 3-Year Cycle
Certification isn't a one-time event. During the three-year validity period:
Year 1 affirmation: Due within 12 months of certification, submitted by your organization's designated Affirming Official confirming your compliance posture hasn't materially degraded.
Year 2 affirmation: Due within 24 months, same requirement.
Year 3: Triggers a full reassessment, not just an affirmation.
Affirmations are legal attestations, not formalities — the DoD has previously pursued False Claims Act actions over inaccurate NIST 800-171 compliance representations, and CMMC's annual affirmation requirement extends that same accountability. Material changes to your environment — new systems in scope, major architecture changes, new CUI handling processes — can trigger reassessment before the 3-year mark regardless of where you are in the affirmation cycle.
Readiness Checklist: Preparing for a Level 2 (C3PAO) Assessment
Phase 1 — Scoping & Gap Analysis
[ ] Define your CUI boundary and full assessment scope
[ ] Run a gap analysis against all 110 NIST SP 800-171 requirements
[ ] Identify which requirements are 3- or 5-point (non-POA&M-eligible) and prioritize those first
[ ] Calculate a realistic current SPRS score
Phase 2 — Documentation
[ ] Build or update your System Security Plan (SSP), mapped to each requirement's assessment objectives
[ ] Draft your POA&M strategy for any 1-point gaps you expect to defer
[ ] Collect evidence per objective type: policy documents (Define), system demonstrations (Implement), logs and records (Monitor), and proof of recurring human activity (Review)
Phase 3 — Technical Remediation
[ ] Implement MFA and least-privilege access across all CUI-touching systems
[ ] Deploy FIPS-validated encryption for CUI at rest and in transit
[ ] Establish centralized logging and incident tracking
[ ] Confirm your incident response plan has been tested, not just written
Phase 4 — Pre-Assessment
[ ] Run a mock assessment or engage a Registered Provider Organization (RPO) for a readiness review
[ ] Reconcile your SSP against what's actually implemented — this is the single most common source of NOT MET findings
[ ] Confirm your C3PAO is Cyber AB-authorized before signing any engagement
[ ] Book your assessment slot early given current C3PAO capacity constraints
Common Reasons Assessments Fail
SSP and reality don't match. Documentation describing controls that aren't actually implemented is the most frequently cited failure point.
Treating high-value controls as POA&M candidates. 3- and 5-point requirements need to be fully met before assessment day — there's no partial credit path for most of them.
Underestimating evidence depth per objective. A single requirement can have five assessment objectives; meeting four of five still scores the requirement NOT MET.
Booking the C3PAO before remediation is genuinely complete. Given 3–6 month lead times, vendors sometimes lock in an assessment date that arrives before real gaps are closed.
FAQ
What's the difference between CMMC Level 2 self-assessment and C3PAO certification? Self-assessment is an internal annual evaluation submitted to SPRS by your senior official. C3PAO certification is an independent, triennial assessment performed by an accredited third-party organization, required for prioritized acquisitions and increasingly the default under Phase 2 rollout.
What SPRS score do I need for Conditional Level 2 status? A minimum of 88 out of 110 points, with no NOT MET findings on requirements that carry 3 or 5 points.
Can any control be deferred with a POA&M? No. POA&Ms are generally limited to 1-point requirements, with one narrow exception for a specific encryption control. High-value (3- and 5-point) requirements must be fully met at assessment time.
How long do I have to close out a POA&M? 180 days from the Conditional status determination. Missing that window means losing Conditional status entirely, not an extension.
How long is CMMC Level 2 certification valid? Three years, with annual affirmations due in Year 1 and Year 2, and a full reassessment required by Year 3.
Does a CMMC requirement from a prime contractor flow down to subcontractors? Yes. If a prime's contract requires Level 2 (C3PAO), that same requirement applies to any subcontractor handling CUI on their behalf, regardless of the subcontractor's own contract size.
Managing CMMC alongside SOC 2 or ISO 27001? DSALTA's compliance automation platform helps DIB-adjacent SaaS teams map controls across frameworks and maintain continuous evidence — so CMMC prep doesn't mean starting from zero. Book a demo to see how it works.
Explore more AI Compliance articles
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.



