
Preparing for a CMMC Level 2 Assessment: A First-Hand Perspective

EXECUTIVE BRIEF

Having passed our CMMC Level 2 assessment, we wrote this article to provide one of the only first-hand perspectives on the CMMC program available to defense contractors. Here are three key takeaways from this article:

  • CMMC is unique in focusing more on the technical implementation of specified controls
  • Preparation and organization are critical to your compliance journey
  • Defense contractors will need either a dedicated, full-time IT department with DoD compliance experience or help from an expert service provider to achieve a positive assessment outcome

Dig deeper and continue learning below!


Intro

On January 29, 2025, ISI successfully passed its five-day CMMC Level 2 assessment. While external service providers (ESPs) are not required to achieve a CMMC Certificate of Status, we voluntarily went through this process for two main reasons:

  • To provide enhanced, first-hand experience insights and guidance for our customers
  • To offer a CMMC-proven tool stack and preparation strategy to small- and medium-sized defense contractors


Key takeaways from our Level 2 assessment

Our CMMC Level 2 assessment experience highlighted several key takeaways. Here's what we want to pass on to defense contractors:

  • Compared to other assessments like ISO 27001, CMMC is unique in the level of technical detail and documentation required to prove how your approach is safeguarding CUI
  • Thorough documentation and organization of evidence are critical: your policy, SSP, and technical implementation need to match exactly
  • If your company plans to achieve compliance in-house, your IT team needs to be prepared for three assessment methodologies (Examine, Test, and Interview)

Our insights come directly from our compliance and IT team, a group of seasoned CMMC practitioners with over 300 combined years of compliance experience.

Check out our proven CMMC preparation strategy below!


Our CMMC preparation strategy

Since the establishment of our managed IT and compliance service offering in 2019, we have been strategically developing our preparation strategy to share with customers. Now that our strategy has led to our own certification, we are excited to provide this information to contractors across the DIB.


1. Identify the CMMC maturity level that best fits your business

Begin your preparation efforts by aligning your compliance strategy with your overall business goals or trajectory.

Key tasks:

  • Review your current contracts and their cybersecurity requirements (i.e. do your contracts have a DFARS 7012 clause?)
  • Determine which CMMC level satisfies future contracts your business plans to bid on
  • Understand the corresponding security requirements with each maturity level


ISI Insight: Level 2 (C3PAO), our certification level, offers the widest range of opportunities for defense contractors. This maturity level satisfies Level 1 requirements and is a prerequisite for Level 3 certification.


2. Review the capabilities of your internal IT department

After determining which CMMC level best suits your business, you’ll want to audit your internal IT department. This will offer an honest insight into the resources your business will require to prepare and achieve compliance.

Key questions to consider:

  • Do you have enough staff to implement and maintain your compliance posturing?
  • Do your current employees have experience with defense-specific cybersecurity requirements?
  • Has your IT department developed comprehensive and cross-functional policies for your business?


ISI Insight: If you answered no to any of these questions, consider bringing on an external service provider (ESP) to support your compliance journey.

>> Gauge your readiness posture in just minutes with our online tool.


3. Perform a gap assessment

Next, you will want to determine how your current compliance posturing stacks up against CMMC requirements. Once you have chosen which maturity level your business is going after, perform a gap assessment using the corresponding compliance regulation as the benchmark.

Regulation for each maturity level:


ISI Insight: Some controls have multiple assessment objectives. Even if only one objective is deficient and the others meet the requirements, mark the entire control as UNMET.


4. Begin developing a Plan of Action & Milestones (POA&M)

After identifying deficiencies in your compliance posturing through your gap assessment, the next step will be to develop a POA&M to kickstart your remediation efforts.

POA&Ms can be developed in industry-specific applications (like FutureFeed) or in a basic Excel sheet. Either way, you will want to make sure your POA&M includes these data points at the task level:

  • Criticality level
  • Point of contact
  • Financial resources needed for remediation
  • Projected remediation timeline
  • Detailed description of the identified deficiency


ISI Insight: While POA&Ms are not permitted for CMMC Level 1, they are allowed for conditional Level 2 and Level 3 Certificates of Status. However, their use is limited. A quick rule to remember for conditional certification is that three- to five-point controls are not allowed on a POA&M.
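As an added example that is not part of ISI's article or tooling, the following Python script applies two of the rules from steps 3 and 4 to a gap-assessment result: a control is marked UNMET when any one of its objectives is deficient, and an unmet control is only placed on the POA&M when it is not a three- to five-point control, with each POA&M entry carrying the five task-level data points listed above. The control labels, point values, objective results and remediation details are constructed sample data (they are not real NIST SP 800-171 identifiers or their official weights), and the class and function names are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    control_id: str                          # constructed label, not a real NIST SP 800-171 number
    points: int                              # assessment-methodology weight; values below are constructed
    objectives: Dict[str, bool] = field(default_factory=dict)  # objective id -> True if met

    def is_met(self) -> bool:
        """A control is MET only when every one of its objectives is met;
        a single deficient objective makes the whole control UNMET."""
        return bool(self.objectives) and all(self.objectives.values())

    def deficient_objectives(self) -> List[str]:
        return [name for name, met in self.objectives.items() if not met]


def poam_eligible(control: Control) -> bool:
    """Rule of thumb for a conditional certificate: three- to five-point
    controls may not sit on a POA&M, so only lower-weight controls qualify."""
    return not 3 <= control.points <= 5


@dataclass
class PoamEntry:
    """One POA&M task carrying the five data points the article calls for."""
    control_id: str
    criticality: str
    point_of_contact: str
    remediation_cost_usd: int
    target_date: str
    description: str


def triage(controls: List[Control]) -> Dict[str, List[str]]:
    """Sort controls into met, deferrable-to-POA&M, and must-fix-before-assessment."""
    buckets: Dict[str, List[str]] = {"met": [], "poam_candidates": [], "must_remediate_first": []}
    for control in controls:
        if control.is_met():
            buckets["met"].append(control.control_id)
        elif poam_eligible(control):
            buckets["poam_candidates"].append(control.control_id)
        else:
            buckets["must_remediate_first"].append(control.control_id)
    return buckets


def build_poam(controls: List[Control], plan: Dict[str, dict]) -> List[PoamEntry]:
    """Create POA&M entries only for unmet controls that may be deferred.
    `plan` maps control_id -> owner, cost, date and criticality supplied by the team."""
    entries: List[PoamEntry] = []
    for control in controls:
        if control.is_met() or not poam_eligible(control):
            continue
        details = plan[control.control_id]
        entries.append(PoamEntry(
            control_id=control.control_id,
            criticality=details["criticality"],
            point_of_contact=details["poc"],
            remediation_cost_usd=details["cost_usd"],
            target_date=details["target_date"],
            description="Deficient objectives: " + ", ".join(control.deficient_objectives()),
        ))
    return entries


# Constructed sample gap-assessment output (hypothetical controls, not real 800-171 IDs).
SAMPLE_CONTROLS = [
    Control("CTRL-A", points=1, objectives={"a": True, "b": True}),
    Control("CTRL-B", points=1, objectives={"a": True, "b": False}),             # one miss -> UNMET, deferrable
    Control("CTRL-C", points=5, objectives={"a": False, "b": True, "c": True}),  # UNMET, blocks certification
    Control("CTRL-D", points=3, objectives={"a": True}),
]

# Constructed remediation details for the deferrable control(s).
SAMPLE_PLAN = {
    "CTRL-B": {"criticality": "Medium", "poc": "IT lead (placeholder)",
               "cost_usd": 2500, "target_date": "2025-06-30"},
}

if __name__ == "__main__":
    print(triage(SAMPLE_CONTROLS))
    for entry in build_poam(SAMPLE_CONTROLS, SAMPLE_PLAN):
        print(entry)
```

Run as-is it prints the triage buckets and the single POA&M entry for CTRL-B; CTRL-C is reported under `must_remediate_first` because a five-point control cannot be deferred, and CTRL-B is UNMET despite passing one of its two objectives.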


5. Finalize your compliance budget

Once your POA&M is completed and you have a rough cost estimate for each remediation task, it's time to finalize your compliance budget. In 2025, the government provided its first cost estimate for achieving NIST 800-171 compliance, totaling $175,700. Note that this estimate includes labor and software costs.


ISI Insight: Working with an external service provider can help reduce these costs through economies of scale. For example, Microsoft Government Community Cloud licensing for a 10-person organization is going to be much less expensive if you receive enterprise pricing through your ESP.


6. Create or update your System Security Plan (SSP)

Your SSP is a core requirement for CMMC certification. If you do not have an SSP in place, your C3PAO won’t even assess your organization. If you have an outdated SSP, you will fail your assessment.

As you progress and finish your remediation tasks listed in your POA&M, it is imperative you update your SSP with any changes in process or tools to ensure compliance.


ISI Insight: If you have your policies and procedures documented but housed across different documents or departments, link them in your SSP to make sure the most up-to-date version is accessible.


7. Begin holding semi-regular mock audits

Once you finish remediating all core controls that are not allowed on a POA&M, start holding semi-regular mock Level 2 audits. This is different from a gap assessment as it is not solely focused on the technical aspects of compliance.

A successful mock audit will prepare you to verify compliance in three separate testing methodologies:

  • Examine: Review documentation of policies and anticipated outcomes of system configuration
  • Interview: Individual or group interviews to demonstrate team knowledge of processes and policies as well as adequate training and resources
  • Test: Demonstrating that actual outcomes are aligned with the system configuration’s anticipated outcomes


ISI Insight: Your mock audit is only as good as the person running it. If your IT department is not well-versed in CMMC or defense cybersecurity requirements, we highly recommend bringing in external, expert support. A Managed IT and Compliance provider, like ISI, can manage your IT, manage your compliance journey, and conduct a mock audit. You can also hire a C3PAO as a consultant. However, the C3PAO consulting your organization CANNOT perform your official assessment.


8. Find a CMMC 3rd-Party Assessment Organization (C3PAO) and schedule your assessment

Once your remediation efforts are underway, begin interviewing potential C3PAOs. You can find a list of approved C3PAOs on the Cyber AB website. Here are two key things to look for when choosing a C3PAO:

  • Can you build a rapport with them? You are going to spend a lot of time with this company. Make sure it is a team you can easily and effectively communicate with.
  • Does their availability align with your compliance timeline? Achieving your CMMC Certificate of Status is key to accepting new defense contracts.


ISI Insight: If you are working with a CMMC-certified ESP, see if they have a list of recommended C3PAOs. Working with a C3PAO familiar with your ESP's process and environment can increase predictability for both you and the assessment team, which can result in cost savings.


What is the CMMC assessment process?

The CMMC assessment is broken down into four phases. Find a brief analysis and key insight into each phase below:

  1. Pre-Assessment: Your C3PAO’s assessment team will determine whether your company is prepared to undergo an audit.
  2. Assessment: The assessment team will have your company demonstrate and verify adherence to all applicable NIST 800-171 controls (110) and objectives (320).
  3. Recommendation & Quality Control: Your assessment team will hold an Out-Brief meeting with your company in which they will inform you of their recommendation for final, conditional, or no-issuance of a Certificate of Status for CMMC Level 2 (C3PAO). Their team will also perform a quality assurance review before submitting their recommendation to the Cyber AB.
  4. Issuance of Certificate of Status: The Cyber AB will provide a physical or electronic Certificate of Status if your organization was recommended for final or conditional certification.


Benefits of working with a CMMC-certified Managed IT and Compliance provider

You have our first-hand insights and an outline of our preparation strategy. But the truth for many SMB defense contractors is that it won’t be enough. CMMC is unique and requires a dedicated, full-time IT department with the relevant experience to deliver a successful result.

Here is how working with a CMMC-proven Managed IT and Compliance provider, like ISI, can increase predictability and streamline your compliance journey:

  • Verified IT environment: Working with a provider who has successfully gone through an assessment should increase your confidence in the selection and implementation of their tool stack
  • Smaller, auditable scope: Since your ESP has proven their implementation of NIST controls and CMMC practices, your C3PAO will focus on non-verified, in-scope environments
  • Shorter assessment period: The size and predictability of your auditable scope are the biggest factors in determining the time needed and, ultimately, the cost of your assessment


FAQ

Who does CMMC Level 2 apply to?

The short answer is that Level 2 applies to any organization that is contractually obligated to achieve this level.

While CMMC Level 2 is focused on contractors who handle Controlled Unclassified Information (CUI), there are instances where Level 2 will still apply to you even if you do not actively handle CUI. These instances can include:

  • Your contracts containing the DFARS 7012 clause, contractually obligating you to be able to safely handle and disseminate CUI
  • A flow down of the CMMC Level 2 (C3PAO) certification requirement from your prime contractor


When does CMMC 2.0 go into effect?

The CMMC 2.0 program and marketplace went into effect on December 16, 2024. However, CMMC is broken into two federal regulations:

  • 32 CFR: Establishes the CMMC program and marketplace
  • 48 CFR: The enforcement mechanism that requires proposal officers to include CMMC certification requirements into their contracts

48 CFR is not yet in effect, meaning the government cannot begin the phased rollout of CMMC requirements. However, prime contractors are allowed to, and have begun to, flow down requirements ahead of the government rollout.


How long does a Level 2 assessment usually take?

The length of your assessment depends on the scale and scope of your business. If you have a small enclave of employees that work on defense contracts, your assessment is likely going to take less time than an organization that must achieve compliance company-wide.

That said, you should expect your assessment to take around 5 business days.


Do you have additional CMMC resources?

Check out these free CMMC Resources from ISI:

CMMC Readiness Signal

CMMC Command Center

“How to Talk to Your Boss About CMMC” Slide Deck
