Choose risk-first compliance that’s always on, built for you.
Go back to blogs
CMMC 2.0 readiness: How to prepare for assessment and collect evidence
Last updated on
July 10, 2026
10
min. read

CMMC 2.0 is now an enforceable condition of winning Department of Defense work. The 48 CFR acquisition rule took effect on November 10, 2025, which means the CMMC clause (DFARS 252.204-7021) now appears in new DoD contracts. Readiness comes down to three things: defining your scope, implementing the right controls for your level, and being able to prove it with evidence. The clock matters, too. Phase 2 of the rollout, which requires Level 2 third-party certification, begins November 10, 2026, roughly five months from now. Until you can show the level your contract requires, a contracting officer cannot award you the work. To help you get ready before your assessment, below we will look at the CMMC 2.0 requirements by level and how to build an evidence collection strategy.
Key takeaways
- CMMC 2.0 is now enforceable in DoD contracts, and Level 2 third-party certification is required from November 10, 2026.
- Your level depends on the data you handle: Level 1 (FCI) is a self-assessment, while Level 2 (CUI) means all 110 NIST SP 800-171 controls.
- Readiness is about proof: scope your environment, close gaps, and collect dated evidence for every objective.
CMMC 2.0 requirements at a glance
CMMC 2.0 has three levels, and which one applies to you is set by the sensitivity of the information in your contract rather than the size of your company. Level 1 covers Federal Contract Information (FCI), the information created for or provided by the government that is not meant for public release. Level 2 steps up to Controlled Unclassified Information (CUI), which carries specific handling rules and is where most contractors end up, and Level 3 is reserved for the most sensitive CUI on critical programs. If you are not sure where you sit, the contract language and the kind of data your team actually handles will usually point you to the answer, and for the authoritative source, you can see the DoD's official CMMC documentation.
CMMC 2.0 levels compared
Here is how the three levels compare on the data they protect, the requirements involved, and how each is assessed:
CMMC 2.0 Level 1 requirements and how to prepare
Level 1 is the foundational tier for contractors that handle FCI but not CUI. The CMMC 2.0 Level 1 requirements map to the 15 basic safeguarding requirements in FAR clause 52.204-21, things like limiting system access, authenticating users, and protecting information on public systems. (You may still see older sources cite "17 practices," which reflects earlier CMMC framing.) Verification is an annual self-assessment, and no Plan of Action and Milestones (POA&M) is allowed, so every requirement must be fully met at the time you assess.
Readiness for Level 1 is straightforward but not trivial. Confirm the scope of systems that process FCI, verify each of the 15 requirements is genuinely implemented rather than assumed, and make sure the correct senior official completes the affirmation in the Supplier Performance Risk System (SPRS). The common trap is assuming a control is in place because a tool supports it, when an assessor wants it configured and operating. Because no POA&M is allowed at this level, a single unmet requirement blocks your affirmation, though most small teams finish in weeks, not months.
In a nutshell, CMMC Level 1 requirements include:
- Limit system access to authorized users, processes, and devices.
- Restrict what authorized users can do within covered systems.
- Verify and control connections to external systems.
- Protect Federal Contract Information on public-facing systems.
- Identify and authenticate users before granting access.
- Sanitize or destroy media that contains FCI before reuse or disposal.
- Limit physical access to systems, equipment, and operating areas.
- Monitor visitors and keep basic physical access controls in place.
- Protect communications where FCI is stored, processed, or transmitted.
- Update, scan, and protect systems against malicious code.
CMMC 2.0 Level 2 requirements and how to prepare
Level 2 is where most of the work and contracts sit. The CMMC 2.0 Level 2 requirements align with all 110 security requirements in NIST Special Publication 800-171, measured across 320 assessment objectives in 14 control families. There are two assessment paths. Prioritized acquisitions, involving more sensitive CUI, require a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO), with results posted to SPRS. Non-prioritized acquisitions allow an annual self-assessment.
Two documents anchor a Level 2 effort. The System Security Plan (SSP) describes how you meet each of the 110 NIST SP 800-171 controls, defines your system boundary, and names responsible owners. The POA&M tracks the gaps you have not yet closed. POA&Ms are permitted only for a limited set of lower-risk requirements, high-value controls must be met outright, and any POA&Ms must be closed within 180 days.
Your assessment also produces a score on the SPRS scale, which runs from a maximum of 110 down to as low as -203 depending on which requirements are unmet, a fast signal of how close you are. Assess with open POA&M items, and you earn a Conditional certification, which turns Final only once you close them and confirm it in SPRS. For a deeper breakdown of CMMC Level 2 requirements, map your controls before you assume you are ready.
In a nutshell, CMMC Level 2 requirements include:
- Control access to CUI, including remote, wireless, mobile, and external connections.
- Train users on security risks, insider threats, and their role in protecting CUI.
- Create, protect, and review audit logs so user activity can be traced.
- Maintain secure system baselines, control changes, and restrict unnecessary functions.
- Identify and authenticate users, including MFA and password controls.
- Prepare, test, and report incident response procedures.
- Control system maintenance, tools, and maintenance personnel.
- Protect, mark, store, encrypt, and dispose of media that contains CUI.
- Screen personnel and remove access when roles change or employment ends.
- Limit physical access to systems, facilities, visitors, and alternative work sites.
- Run risk assessments, vulnerability scans, and remediation.
- Maintain an SSP, assess controls, monitor security, and manage POA&Ms.
- Protect network boundaries, communications, encryption, and data at rest or in transit.
- Remediate flaws, update protections, scan for malware, and monitor for attacks.
Building your CMMC evidence collection strategy
By the time you sit an assessment, the question is no longer whether you have the right controls. The question is whether you can prove they work.
For every objective, an assessor tests that proof in three ways:
- Documents and policies: They examine the written policy, procedure, or standard that explains how the control is supposed to work.
- Interviews: They speak with the people who actually run the control to confirm the process is understood and followed.
- Artifacts and configurations: They test a working artifact, system setting, report, screenshot, or configuration to verify the control is operating in practice.
A requirement only counts as met when all three line up.
- Multi-factor authentication: A policy stating that MFA is required will not satisfy an assessor on its own. They will also want to see the configuration that enforces MFA, a record of who has access, and a dated report or screenshot confirming it was switched on during the assessment window.
- Logging: Logging works the same way. A retention policy on paper counts for little unless the retention period is genuinely configured, you can produce a sample of the logs, and there is some sign that a person actually reviews them.
Across all 320 objectives, the shape of the evidence rarely changes: a written policy, someone who can speak to it, and a dated artifact that ties the two together.
This is also where most teams come unstuck. The usual culprits include:
- Undated screenshots: Evidence that cannot prove when the control was operating.
- Shelfware policies: Policies that sit in a folder but are not followed by the team.
- Unmapped artifacts: Evidence that cannot be traced back to a specific requirement.
- Last-minute collection: A pre-audit scramble that misses controls needing evidence over time, not just on the day someone goes looking for it.
A better approach is continuous evidence collection. Map each artifact to the objective it supports, capture it on a schedule rather than once, and keep it audit-ready year-round. Many teams use a GRC platform to pull evidence from cloud and identity systems automatically, so it accumulates as they operate rather than under a deadline. Working from a step-by-step CMMC checklist helps you keep coverage complete rather than discovering holes in the assessment.
Evidence by control family
Here are examples of evidence an assessor will accept, drawn from a few of the 14 control families:
A CMMC readiness timeline before your assessment
Sequence the work so nothing blocks the assessment:
- Scope the CUI boundary: identify every system, tool, and process that stores or transmits CUI.
- Run a gap assessment against the 110 controls, and record findings.
- Remediate the gaps, then document the SSP and POA&M.
- Run a mock assessment to test your evidence before booking a C3PAO.
The mock assessment is the step teams most often skip and regret, because it surfaces missing artifacts while there is still time to fix them. Tie the plan to November 10, 2026, when Phase 2 begins requiring Level 2 certification. Readiness from a low starting point commonly takes several months to more than a year, so the time to start is now. To estimate the effort, see how long CMMC certification takes.
How Scrut can help with CMMC 2.0 readiness
Most of the work in CMMC readiness lands in the areas this guide has covered: scoping your CUI boundary, implementing 110 controls, documenting an SSP and POA&M, and proving all of it with evidence that holds up over time. That is exactly the kind of work a GRC platform is built to absorb. Scrut maps your environment against NIST SP 800-171 using a library of pre-mapped controls, so you begin from a clear view of where you stand instead of a blank spreadsheet, and its policy templates give you a running start on the documentation rather than a blank page.
The larger payoff is on evidence. Scrut connects to your cloud and identity systems through more than 100 integrations, collects evidence automatically, and monitors your controls around the clock, flagging gaps with remediation steps before they become assessment findings. Because that evidence builds up as you operate, you can walk into a self-assessment or a C3PAO engagement with artifacts already dated, mapped, and audit-ready. Book a demo to see how Scrut can shorten your path to CMMC readiness.
FAQs
Is CMMC 2.0 the same as NIST 800-171?
Not quite. Level 2 aligns with the 110 NIST SP 800-171 requirements, but CMMC adds the assessment and certification mechanism that verifies you actually meet them.
Can a POA&M get me through a Level 2 assessment?
Only partially. POA&Ms are allowed for a limited set of lower-risk requirements and must be closed within 180 days. High-value controls must be fully implemented.
How long is a CMMC certification valid?
A Level 2 C3PAO certification is valid for three years, with an annual affirmation of compliance submitted in SPRS.
Do subcontractors need CMMC?
Yes, if they handle FCI or CUI. The required level flows down based on the information a subcontractor actually handles.
Who performs a CMMC assessment?
Level 1 and some Level 2 contracts use a self-assessment by your own senior official. Most Level 2 certifications require a C3PAO accredited by the Cyber AB, and Level 3 is assessed by the government through DIBCAC.
What happens if you fail a CMMC assessment?
You cannot win a contract that requires the level until you remediate. At Level 2, limited lower-risk gaps can sit on a POA&M to be closed within 180 days, but high-value controls must be met first. A failed assessment can be re-attempted once the gaps are fixed.
Table of contents


















