How to Get CMMC Level 2 Certification: What Businesses Must Do First


Getting CMMC Level 2 certification requires implementing all 110 security requirements from NIST SP 800-171 Revision 2, documenting your environment in a System Security Plan, addressing any gaps through a Plan of Action and Milestones, and completing either an annual self-assessment or a formal third-party audit by a Certified Third-Party Assessment Organization depending on your contract requirements.

For most small manufacturers, the process takes 6 to 18 months and begins with a gap assessment to understand exactly where your current environment stands against those 110 requirements. 

That process is more manageable than it sounds. Here is what it actually looks like.


Why CMMC Level 2 Applies to Your Business

Before walking through the process, it is worth being clear on why Level 2 and not Level 1. 

CMMC Level 1 covers companies that handle Federal Contract Information — the basic documentation and job data that flows through any defense subcontract. Level 2 is triggered by something more specific: Controlled Unclassified Information. 

When your customers send technical drawings, engineering specifications, test data, or program documentation, that information often qualifies as CUI. If your contract includes DFARS clause 252.204-7012, that is a clear indication that CUI requirements apply. If a prime contractor or upper-tier supplier asks about your cybersecurity practices or CMMC status, they are almost certainly transmitting CUI to your facility.

This is not a choice between levels. It is determined by the nature of the work you do. Most defense contractors and subcontractors across the defense industrial base that receive technical data from their customers are Level 2 businesses whether they know it or not. 


The Sequence That Actually Works 

CMMC Level 2 certification is not something you prepare for all at once. It follows a sequence, and the order matters. 

Start With Scoping 

Before you can measure your gaps, you need to know what you are protecting. Scoping means identifying which systems, devices, users, and locations touch CUI — the drawings on the shared drive, the email inbox that receives specifications, the workstation running your CAD software, the server where job files live. Your CMMC Level 2 scope is the boundary around those systems. Everything inside that boundary has to meet the 110 requirements. Everything outside it does not. 

Getting scope right is one of the most valuable things you can do early in this process. A smaller, well-defined scope means a more manageable certification effort and lower assessment costs. A poorly defined scope means unnecessary work and a harder assessment. 

Conduct a Gap Assessment 

Once you know what is in scope, you measure it against the 110 CMMC Level 2 requirements in NIST SP 800-171 Revision 2. This tells you where you already meet the standard and where you do not. For most small manufacturers, a gap assessment surfaces a mix of controls that are in place but undocumented, controls that need configuration work, and a smaller number that require new tools or processes entirely. 

The gap assessment is what turns a vague project into a specific list. Without it, you are guessing. 

Remediate Your Gaps 

This is the work of closing the distance between where you are and where the standard requires you to be. For some manufacturers it means configuring Microsoft 365 security settings, enforcing MFA, tightening access controls, and improving backups. For others it means network segmentation, deploying endpoint detection and response tools, or building out logging and monitoring capabilities. 

Remediation is also where most of the cost lives, which is why the gap assessment matters so much. You cannot budget for work you have not measured. 

Build Your Documentation 

Two documents sit at the center of CMMC Level 2 compliance, and both need to exist before an assessment can happen. 

Your System Security Plan describes your environment — what systems are in scope, what security controls are in place, who owns each control, and how it is implemented. Think of it as a written record of your security posture. Assessors review it before they ever look at your systems. 

Your Plan of Action and Milestones documents the gaps that are not yet fully closed — what the gap is, how you plan to fix it, and when. A POA&M is not a sign of failure. It is a structured commitment to close known gaps on a defined schedule. CMMC Level 2 compliance expects you to have one. 

These are not one-time documents. They are living records that need to be kept current as your environment changes. 


Choosing Your CMMC Assessment Path 

Not every defense contractor needs a third-party assessment to achieve CMMC Level 2 certification. Whether you do depends on your contracts. 

Under CMMC 2.0, Level 2 has two tracks. For contracts involving critical national security programs, a triennial assessment by an authorized C3PAO is required. The C3PAO reviews your System Security Plan, interviews staff, examines evidence, and issues findings on whether each of the 110 requirements is met. 

For non-critical programs, annual self-assessment with senior official affirmation is permitted. You conduct the assessment internally, document your results, and submit your score through the Supplier Performance Risk System (SPRS). 

The distinction matters for planning because the C3PAO path is significantly more involved and more expensive. It also requires more lead time — reputable C3PAOs have booking windows that can stretch several months out. 

If you are not sure which track applies to your work, the answer lives in your contract language. Look for DFARS clauses, flow-down requirements, and any language your prime has sent about cybersecurity expectations. When in doubt, ask your customer directly. 


What Happens During a CMMC Level 2 Assessment?

If your contracts require a third-party assessment, understanding what the process looks like helps you prepare for a CMMC Level 2 assessment rather than dread it.

A C3PAO assessment typically runs three to five days on site, though the preparation phase is far longer. Assessors work through each of the 110 NIST SP 800-171 requirements, evaluating your documentation, examining your systems, and interviewing the people responsible for each control. They are looking for evidence — not just that a policy exists, but that it is followed. 

Gaps identified during the assessment are documented as findings. Depending on severity, you may be able to address some findings and have them reconsidered during the same assessment window. Others require remediation and a subsequent review. Conditional CMMC status can be issued while POA&M items remain open, subject to a defined closeout timeline. 

The manufacturers who perform best in assessments are not necessarily the ones with the most sophisticated tools. They are the ones whose documentation matches their actual practices, whose staff can explain how controls work, and whose POA&M shows that gaps are being actively managed. 


Maintaining CMMC Level 2 Compliance 

Certification is not the end of the process. CMMC Level 2 requires ongoing maintenance. 

For the self-assessment track, you submit an updated score annually and a senior official affirms its accuracy. For the C3PAO track, you undergo reassessment every three years. In both cases, you are responsible for keeping your System Security Plan current, updating your POA&M as gaps change, and maintaining the security controls that your certification depends on. 

The manufacturers who find maintenance manageable are generally the ones working with an MSP that treats compliance as an ongoing operational function rather than a project with a start and end date. When your security controls, documentation, and IT management are handled together, keeping your CMMC posture current does not require a separate effort. 


Where to Start on the Path to CMMC Level 2 

The path to CMMC Level 2 certification is clearer than it appears from the outside. The 110 requirements cover real security practices that protect real assets. Many of them you are already doing in some form. The challenge for most small manufacturers is not that the standard is impossible — it is that their current environment is undocumented, partially configured, and has never been formally reviewed against what is actually required.

The first step is finding out where you stand. Not buying tools, not hiring consultants for a long engagement, not guessing at what needs to change. A structured CMMC readiness assessment of your current environment against the CMMC Level 2 requirements tells you what you have, what you are missing, and what your path to achieve CMMC Level 2 certification realistically looks like. 

Right Hand Technology Group helps small defense subcontract manufacturers work through exactly this process — from initial scoping and gap assessment through remediation, documentation, and assessment readiness. Start with the RightSentry Snapshot and come away with a clear picture of where you stand and what CMMC Level 2 certification will actually require from your business. 


Frequently Asked Questions 

Why Do I Need CMMC Level 2 Instead of Level 1?

You need CMMC Level 2 if your organization handles Controlled Unclassified Information (CUI). Level 1 only applies to companies handling Federal Contract Information (FCI). If your contracts include DFARS 252.204-7012 or your customers share technical drawings, engineering specifications, or program documentation marked as CUI, you must achieve Level 2 certification to remain eligible for DoD contracts.

Is CMMC Level 2 Required for CUI?

Yes. The CMMC 2.0 framework requires all Defense Industrial Base organizations that process, store, or transmit CUI to achieve CMMC Level 2 certification. Level 2 follows the 110 security controls in NIST SP 800-171 and protects sensitive information across the defense supply chain.

Can You Self-Attest CMMC Level 2?

Yes, some contracts allow self-attestation. Non-critical programs permit annual self-assessments submitted through SPRS, while critical programs require a C3PAO assessment every three years. Your organization must still implement all 110 NIST SP 800-171 security controls before claiming compliance.

Does CMMC Level 2 Require an Audit?

Some contracts require a formal C3PAO audit, while others allow annual self-assessments. During a C3PAO assessment, auditors review your security controls, systems, documentation, and staff procedures to verify compliance with all Level 2 requirements.

Is Self-Attestation Legally Valid for CMMC Level 2?

Yes, self-attestation is legally valid when the contract permits it. However, company officials must accurately confirm compliance because false claims can trigger legal penalties under the False Claims Act.
