If CUI flows through your environment, CMMC Level 2 is now a condition of doing business with the DoD — appearing in solicitations, not on a someday roadmap. We take contractors from “what’s our SPRS score supposed to be?” to a passed C3PAO assessment.
CMMC 2.0 in one minute
- Level 1 — 15 security requirements from FAR 52.204-21, self-assessed annually and posted to SPRS, for Federal Contract Information only.
- Level 2 — the 110 security requirements of NIST SP 800-171 Rev 2 (the revision CMMC assesses against, not Rev 3), certified by a C3PAO for most contractors handling CUI. This is where the real work is.
- Level 3 — a small set of programs with elevated requirements; if you need it, you know.
How we get you certified
- Scoping — define the CUI boundary first; the single biggest cost lever is shrinking what’s in scope before implementing anything.
- Gap assessment — all 110 controls scored, with the honest SPRS number and what it takes to close each gap.
- Remediation — policies, technical controls, and the POA&M discipline assessors expect.
- Evidence packaging — artifacts mapped control-by-control to 800-171, organized the way assessors actually review them. This is where most self-prepared contractors fail.
- Assessment coordination — C3PAO selection and management through the assessment itself.
What it costs
- C3PAO assessment fees run roughly $30k–$100k+ depending on scope — paid to the assessor, not to us.
- Preparation varies more than any other engagement we run, driven almost entirely by current maturity and CUI boundary size. Scoping-first keeps it sane.
- Timeline: plan 4–9 months from gap assessment to assessment-ready for a typical environment that’s starting from partial 800-171 coverage.
Proven, not theoretical
We took a real client through CMMC Level 2 certification in 2026 — full preparation through a passed C3PAO assessment with A-LIGN. The evidence-package approach we built for that engagement is now how we run every CMMC project.
Common questions
- Can we self-assess at Level 2? For now, often yes — Phase 1 of the rollout (through November 2026) lets many solicitations accept a Level 2 self-assessment. That window closes: C3PAO certification becomes the default for CUI contracts when Phase 2 begins November 10, 2026. Start now and the deadline is your competitors’ problem, not yours.
- Does our cloud need to be FedRAMP? CUI in the cloud must sit in services meeting FedRAMP Moderate equivalency — this is a scoping conversation, and getting it wrong is expensive.
- We have a SOC 2 — does that help? It helps culturally, but the control sets differ substantially. The overlap mapping is part of our gap assessment, and the evidence habits from a SOC 2 program transfer well.