Last Updated: June 2026 | Reviewed for accuracy based on current CMMC information.
For defense contractors that handle Controlled Unclassified Information, CMMC Level 2 is becoming a contract eligibility requirement. As the Department of Defense continues its phased rollout, more solicitations and contracts will require either Level 2 self-assessment or Level 2 certification through an authorized C3PAO.
Sera Brynn is authorized by The Cyber AB to conduct CMMC Level 2 assessments and is also an accredited FedRAMP 3PAO and GovRAMP 3PAO, giving our team direct experience with the assessment standards federal contractors must navigate.
The next major deadline is November 10, 2026, when Phase 2 begins. At that point, DoD intends to expand the use of Level 2 C3PAO requirements for applicable contracts. Contractors that wait until requirements appear in a solicitation may face limited assessment availability, rushed remediation, and avoidable award risk.
This article explains what CMMC Level 2 requires, how the phased rollout works, where POA&M flexibility applies, and how to prepare for a formal C3PAO assessment.
CMMC Phase 2 Begins November 10, 2026
CMMC requirements are being introduced through a phased implementation plan.
Phase 1 began on November 10, 2025, when the DFARS acquisition rule became effective and CMMC requirements began appearing in applicable DoD solicitations and contracts. During Phase 1, DoD may require Level 1 self-assessment, Level 2 self-assessment, or, at its discretion, Level 2 C3PAO certification for applicable contracts.
Phase 2 begins on November 10, 2026. In this phase, DoD intends to include Level 2 C3PAO requirements for applicable solicitations and contracts as a condition of award. DoD may also delay the requirement to an option period depending on the contract.
For executives, the key point is simple: Phase 2 increases the need to begin third-party assessment planning now. CMMC readiness can take months, especially for organizations that still need to define CUI scope, remediate gaps, prepare evidence, and complete a formal assessment.
Understanding the Three CMMC Levels
CMMC has three levels. Each level is tied to the type of information a contractor handles and the security requirements included in the contract.
Level 1: Foundational
Level 1 applies to contractors that handle Federal Contract Information. It includes basic safeguarding requirements and is completed through self-assessment. Level 1 does not require a C3PAO.
Level 2: Advanced
Level 2 applies to contractors that handle Controlled Unclassified Information. It is based on the 110 security requirements in NIST SP 800-171 Rev. 2.
Some Level 2 contracts may require self-assessment. Others require a formal C3PAO assessment. The required CMMC status will be identified in the solicitation or contract.
A final Level 2 C3PAO status is valid for three years, with annual affirmations required in SPRS.
Level 3: Expert
Level 3 applies to contractors that handle the most sensitive DoD programs. It adds selected requirements from NIST SP 800-172 and is assessed by DCMA DIBCAC. Phase 3 begins one year after Phase 2 and expands Level 3 requirements for applicable contracts.
What CMMC Level 2 Actually Requires
CMMC Level 2 requires implementation of the 110 security requirements in NIST SP 800-171 Rev. 2. These requirements are evaluated using the CMMC assessment process and related assessment objectives.
The 14 Level 2 domains are the 14 requirement families of NIST SP 800-171 Rev. 2:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Executives should understand that CMMC Level 2 is not only a technology exercise. Assessors review documentation, technical settings, system boundaries, policies, procedures, artifacts, and interviews. The organization must show that requirements are implemented and operating within the defined CMMC assessment scope.
SPRS, Scoring, and Conditional Certification
Before a CMMC Level 2 assessment, organizations should understand how scoring and POA&M rules can affect the final assessment outcome.
For Level 2, organizations are assessed against the 110 requirements in NIST SP 800-171. A final certification requires all applicable requirements to be met. In some cases, a conditional certification may be available if the organization meets the minimum score requirement and any remaining items are eligible for a POA&M.
Not every requirement can be placed on a POA&M, and all approved POA&M items must be closed within 180 days. This is why organizations should review scoring, evidence, and remediation priorities before entering the formal assessment process.
For C3PAO assessments, assessment results are submitted through the official CMMC reporting process and reflected in SPRS.
Executive takeaway: POA&M flexibility exists, but it is limited. Organizations should not treat conditional certification as the plan. The safest path is to enter the assessment with scope, evidence, and key requirements ready for review.
Preparing for Your Third-Party Assessment
Phase 2 of CMMC implementation begins on November 10, 2026, when Level 2 C3PAO certification requirements are expected to appear more broadly in applicable contracts. For defense contractors that need certification, waiting until the requirement appears in a solicitation may create avoidable timing challenges.
C3PAO capacity, assessment logistics, scope validation, evidence review, remediation timing, and internal coordination can all affect when an organization is truly ready for assessment. The steps below reflect the priorities that should be addressed before entering the formal C3PAO assessment process.
1. Engage an Authorized C3PAO
If your contract requires CMMC Level 2 certification, your official assessment must be conducted by an Authorized C3PAO. Even if remediation is still underway, engaging a C3PAO early can help your organization begin assessment planning, understand timing and documentation expectations, and secure a place on the assessment schedule before capacity becomes more constrained.
2. Confirm Your CUI Scope
Start by identifying every system, application, user, process, facility, and external service provider that stores, processes, or transmits CUI.
Scope matters because it determines the size and complexity of the assessment. A poorly defined scope can increase cost, delay readiness, and create assessment issues that could have been addressed earlier.
3. Conduct a Gap Assessment
Compare your current environment against the 110 requirements in NIST SP 800-171 Rev. 2 and the applicable CMMC assessment objectives.
A strong gap assessment should identify:
- Requirements that are fully met
- Requirements that are partially met
- Requirements that are not met
- Evidence gaps
- Documentation gaps
- Items that may affect POA&M eligibility
- Remediation priorities
4. Build and Validate the SSP and Evidence Package
The System Security Plan is a core CMMC document. It must accurately describe the assessment scope, system boundaries, control implementation, roles, responsibilities, and related documentation.
The SSP should not be created at the end of the process. It should be developed and updated as remediation progresses.
Your evidence package should include approved policies, procedures, screenshots, configurations, logs, diagrams, training records, access reviews, and other artifacts that show how requirements are implemented.
Entering the assessment process with a clear scope, accurate documentation, organized evidence, and an Authorized C3PAO already engaged can help reduce delays and give your organization a clearer path toward CMMC Level 2 certification.
Schedule Your CMMC Level 2 Assessment with Sera Brynn
Sera Brynn provides:
- Formal CMMC Level 2 C3PAO assessments
- Assessment planning and scoping discussions
- Assessment logistics and evidence readiness coordination
- Assessment execution by credentialed CMMC professionals
- Reporting aligned with CMMC program requirements
Sera Brynn also provides CMMC readiness advisory services under conflict-of-interest rules. Advisory and assessment services cannot be provided for the same client environment when doing so would create a conflict.
If your organization expects to handle CUI under current or future DoD contracts, now is the time to confirm your CMMC path, validate your scope, and determine whether a C3PAO assessment will be required.
Contact Sera Brynn at 877-701-8000 to discuss CMMC Level 2 assessment availability.
Know Your CMMC Assessment Pricing
Need a clearer estimate before scheduling your CMMC Level 2 assessment? Use Sera Brynn’s pricing and scheduling form to share basic details about your environment, assessment scope, and timeline.
Our team will review your information and help you understand assessment pricing, scheduling availability, and the next steps for engaging Sera Brynn as your C3PAO.
Frequently Asked Questions
What is CMMC Level 2 certification?
CMMC Level 2 certification is a cybersecurity assessment status for defense contractors that handle Controlled Unclassified Information. It is based on the 110 security requirements in NIST SP 800-171 Rev. 2.
Some Level 2 contracts allow self-assessment. Others require a formal third-party assessment by an authorized or accredited C3PAO.
Do I need a C3PAO or can I self-assess?
It depends on the CMMC status required in your solicitation or contract. If the contract requires Level 2 Self, the organization performs a self-assessment and submits the required information in SPRS. If the contract requires Level 2 C3PAO, the organization must complete a formal assessment through an authorized or accredited C3PAO.
How long does CMMC Level 2 readiness take?
Timeline depends on the maturity of your current security program, the complexity of your CUI environment, the quality of your documentation, and the amount of remediation required.
Organizations with defined scope, mature controls, and current evidence may move faster. Organizations starting with unclear scope or major control gaps should plan for a longer readiness period.
What is an SPRS score?
The Supplier Performance Risk System (SPRS) score reflects the organization’s implementation of NIST SP 800-171 requirements using the DoD assessment methodology. The score starts at 110 and subtracts points for unmet requirements.
For CMMC Level 2 C3PAO assessments, results are entered into the CMMC instantiation of eMASS and transmitted to SPRS.
Can any CMMC Level 2 requirement be placed on a POA&M?
No. Certain requirements are not eligible for POA&M treatment, and all approved POA&M items must be closed within 180 days. An Authorized C3PAO can explain how POA&M rules apply during the assessment process.
Which Level 2 requirements cannot be placed on a POA&M?
The Level 2 POA&M exclusions are:
- External Connections
- Control Public Information
- System Security Plan
- Escort Visitors
- Physical Access Logs
- Manage Physical Access
CUI Encryption has a limited exception when encryption is employed but is not yet FIPS-validated.
What happens if we fail or receive conditional certification?
A Conditional Level 2 status may be granted when the organization meets the CMMC POA&M rules. For Level 2, the assessment score must be at least 80 percent, which is 88 out of 110, and the POA&M cannot include prohibited requirements. Any allowed POA&M items must be closed within 180 days through a POA&M closeout assessment. If the POA&M is not successfully closed within that timeframe, the Conditional CMMC Status expires. Organizations that do not qualify for conditional status must remediate the gaps before achieving certification.
How long is CMMC Level 2 certification valid?
A final Level 2 C3PAO status is valid for three years. Annual affirmations of continued compliance are required in SPRS.
Is Sera Brynn authorized to conduct CMMC Level 2 assessments?
Yes. Sera Brynn is authorized by The Cyber AB to conduct CMMC Level 2 assessments. Formal assessments are conducted according to CMMC program requirements and applicable conflict-of-interest rules.
