
CMMC Level 2 Certification award checks are here. The next step is Level 2 certification that holds up under review. This guide gives leaders a clear path through scope, evidence, SPRS, and C3PAO readiness without busywork.
Status is recorded in SPRS. Many solicitations will require a C3PAO certification as the rollout advances.
What Decision Makers Need to Know Now
- Effective date: The DFARS acquisition rule is effective November 10, 2025. CMMC becomes part of the award check.
- Phased rollout: Phase 1 begins with Level 1 and many Level 2 self-assessments in SPRS; later phases expand third-party Level 2 certification.
- Scope: If you process, store, or transmit CUI, Level 2 applies. Controls map to NIST SP 800-171 (110 requirements).
What Level 2 Really Means
Level 2 is proof that controls are implemented and working, not just written. To be taken seriously at award and through performance, you will need:
- A defined boundary for where CUI lives, with diagrams and inventories.
- A current System Security Plan and mapped evidence for the 110 controls.
- A posted self-assessment and affirmation in SPRS; keep it current.
- C3PAO certification when the solicitation requires it.
A Simple Plan Leaders Can Run
First 30 days
Identify where CUI resides. Record people, apps, devices, and vendors. Baseline against NIST SP 800-171 and collect existing artifacts.
Days 31 to 60
Post your self-assessment in SPRS. Add the required details and complete the affirmation. Prioritize fixes for access control, MFA, logging, backups, and incident response.
Days 61 to 90
Run a short audit rehearsal. Hold brief interviews, walk through artifacts, and confirm subcontractor alignment. If required, reserve a C3PAO window.
Evidence Assessors Ask For First
- Updated SSP that matches the real boundary
- Asset and user inventories
- Enforced MFA for in-scope systems
- Log samples that show useful events retained
- Access reviews with adds and removals
- Change records with testing and approvals
- Backup test results
- Security awareness and phishing drill records
- Incident response tabletop notes
- Subcontractor due-diligence checks
(These align to the families and assessment approach of NIST SP 800-171 and its companion assessment guidance.)
Pitfalls That Stall Awards
- Over-scoping: Certifying everything instead of the CUI enclave drives cost and delay.
- Paper without proof: Policies with no logs, reviews, or drills fail quickly.
- Stale SPRS: Scores and affirmations not kept current can block eligibility.
Prime and Sub Alignment
Level requirements flow down. Primes must verify that subs have the correct status in SPRS at the same level. Build a light check: collect each sub’s CAGE, level, score date, and affirmation.
How Centrend Helps
- Scope and segmentation that keeps the footprint small
- Gap mapping to NIST SP 800-171 with a clear fix list
- Evidence and artifact building that matches assessor expectations
- SPRS support for posting and annual affirmation
- C3PAO readiness with interviews and artifact walk-throughs
Next step: Get CMMC Level 2 Cert Ready!
Book a short CMMC Level 2 Certification readiness review. Leave with a plan your team can start this week.
Meet with a Centrend readiness lead. We map your scope, set your next three steps, and outline timing and effort.