With 110 controls to implement, it’s first essential to define the boundaries of compliance requirements. This prevents unnecessary costs from over-scoping, while guarding against audit failure and security risks from under-scoping.

Identify all assets that process, store, or transmit CUI by analyzing data flows, and categorize in‑scope assets per DoD guidance (e.g., CUI assets, Security Protection Assets, Contractor Risk‑Managed Assets).

Once the scope is defined, implement NIST SP 800-171 Rev. 2 controls, closing any technical and administrative gaps identified during a CMMC pre-assessment. Developing a System Security Plan (SSP) is an essential part of this phase. The SSP tells the story of compliance, describing who is responsible for each control, what tools are used, and how the control is maintained. Organizations using managed service providers (MSPs) or cloud service providers (CSPs) should also document shared responsibilities (often via an SRM).

Conduct a final readiness review to confirm that your organization is ready for formal assessment.

Level 2 CMMC assessments are conducted by a third-party assessor organization (C3PAO). Using the SSP as a blueprint, the auditor utilizes the “examine, interview, test” (EIT) methodology. This consists of reviewing policies, logs, configuration files, and network diagrams, as well as questioning personnel to verify their understanding of security practices. Finally, assessors validate that technical controls are functioning as described.

What are assessors looking for? Essentially, they want to know that:

• Controls are enforced consistently across endpoints and identities.

• Logs and alerts demonstrate ongoing monitoring.

• Incident response procedures are documented and actionable.

Ultimately, assessors focus on tangible evidence that security controls are active, monitored, and institutionalized. If findings are "met," a certificate valid for three years is issued (with annual affirmations required). For eligible contracts, if some non-critical findings are "not met," a conditional certification may be issued, allowing 180 days to remediate through a POA&M.

To earn C3PAO certification, organizations should prioritize three foundational elements.

The system security plan (SSP)

The SSP is the primary piece of evidence. Assessors pore over it to ensure it reflects current reality and isn’t just a planned future state. Detail is crucial in explaining not just that controls are met, but how. For example, “MFA is enforced on all Windows workstations via Duo Security integrated with Active Directory.” Organizations must review the SSP at least annually or after significant changes to the environment.   

Centralized logging

Centralized logging through a SIEM provides proof that controls are working by tracking users’ actions and security controls across your network. Organizations typically retain logs for 12 months, with at least three months of data readily available for immediate analysis. Beyond collecting logs, SIEMs must be configured to alert on specific security events (e.g., multiple failed logins, unauthorized file access).

Endpoint and identity protections

Endpoints are the "front lines" where users interact with CUI. Assessors verify that all devices have endpoint detection and response (EDR) and antivirus protection. All CUI at rest must be encrypted using FIPS 140-2. Organizations must also demonstrate regular vulnerability scans and a patching cadence, with accelerated timelines for critical vulnerabilities (15 days is common).

Assessors focus heavily on who has access. MFA is required for all accounts, and users and devices should be granted only the necessary privileges. Be prepared to show a documented approval process for granting access and evidence of regular access reviews.

Reaching Level 2 CMMC compliance is not cheap. Implementing the 110 required controls, such as continuous monitoring, takes a significant investment in time, personnel, and technology—especially if your business is starting from an immature state. 

A CMMC third-party assessment can represent a significant investment—especially for organizations starting from an immature security baseline. Costs vary based on scope and readiness, but inaccurate scoping and lack of preparation can quickly drive up expenses through remediation, re-architecting, and POA&M closeout efforts. That’s why upfront readiness validation and right-sizing your environment are critical CMMC steps to control both cost and complexity.

However, given the potential costs of security vulnerabilities, the investment in compliance is well spent. State-sponsored actors are increasingly targeting vendors to steal intellectual property and strategic defense data. In addition to harming national security, such breaches can be devastating for contractors, costing an average of $4.44 million. A global survey of small- and medium-sized businesses found that after experiencing a cyberattack, nearly 20% of SMBs close or file for bankruptcy.

Managed security services can help keep the cost of compliance down. Rather than trying to build an internal security operations center (SOC) to meet requirements, organizations can use technology like Huntress that’s powered by a 24/7 human SOC to support controls across multiple CMMC domains:

• Managed EDR addresses the Incident Response (IR) and System and Information Integrity (SI) domains by tracking and reporting incidents and guarding against malicious code.

• Managed ITDR maps to the Identification and Authentication (IA) domain, monitoring for compromised credentials and unauthorized privilege escalation.

• Managed SIEM supports the Audit and Accountability (AU) domain through centralized log collection and security event monitoring.

Discover how Huntress can help you operationalize CMMC controls and provide the assessor-ready documentation that helps you get certified more quickly.