If you’re reading this, you probably just got a clause in a contract, or a call from a prime, telling you that CMMC Level 2 is required. Maybe you’ve been vaguely aware of it for a while and finally need to deal with it.
Here’s what you need to know, in order, without the panic.
What CMMC Level 2 actually is
CMMC Level 2 maps directly to NIST SP 800-171 Revision 2. That’s 110 security practices organized into 14 families (Access Control, Incident Response, Audit, etc.).
A C3PAO (certified third-party assessment organization) will evaluate whether your organization meets all 110 practices. “Meets” doesn’t mean “has the tool installed.” It means you’ve defined the control in your environment, you can explain how your implementation satisfies it, and you can show evidence that it’s actually happening.
That three-part pattern is the entire game. Everything else is details.
The timeline you’re working with
Mandatory third-party assessments (Phase 2) begin November 10, 2026. If your contract requires CMMC Level 2, you’ll need to have been assessed by a C3PAO before that date, or at least have one scheduled.
Typical prep timelines run 6 to 18 months depending on how much you already have in place. If you’re starting from scratch, you’re already behind. If you have an MSP or MSSP handling your security, you’re probably closer than you think, but you still need to do the work of defining and documenting everything.
Step 1: Figure out where CUI lives
Before anything else, you need to know what Controlled Unclassified Information (CUI) you handle and where it goes. This defines your assessment boundary: the systems, people, and processes that are in scope.
This is the single hardest conversation for most small contractors. CUI isn’t just in your secure file share. It’s in email attachments. It’s on laptops. It might be in your MSP’s ticketing system if they touch your environment. It might be in a cloud service you forgot you signed up for.
Map it. All of it. If you can’t draw a clear line around where CUI lives in your organization, the assessor will draw one for you, and you won’t like where they put it.
Step 2: Get your SSP started
Your System Security Plan (SSP) is the single most important document in the assessment. It’s where you define, in your own words, how each of the 110 practices applies to your environment and how you meet them.
Think of the SSP as a cheat sheet for the assessor. When they ask about Practice AC.L2-3.1.1, they’re going to look at what your SSP says first, then ask you to demonstrate it. If your SSP is vague, they’ll dig harder. If your SSP is specific and matches what they see in your environment, they’ll move on.
You don’t need a perfect SSP on day one. You need one that exists and says something real about each practice. You’ll revise it as you go.
Step 3: Identify your gaps honestly
Go through the 110 practices and ask yourself three questions for each one:
- Have we defined this? Not “do we do this,” but have we actually written down what this practice means in our environment?
- Can we explain it? If an assessor asks “how do you handle this?” can someone on your team give a coherent two-sentence answer?
- Can we prove it? Do we have evidence (logs, screenshots, reports, sign-off records) that this is actually happening?
If the answer to any of those is “no” for a given practice, that’s your gap. The fix is usually documentation and process, not buying a new tool.
Step 4: Understand shared responsibility (if you use an MSP/MSSP)
If a managed service provider handles part of your IT or security, you need to be crystal clear about who owns what for each practice. “Our MSP handles that” is not an answer that will satisfy an assessor.
You need to be able to say: “This practice is a shared responsibility. Our MSP manages [specific thing], and we can show their service agreement that covers it. On our side, we handle [specific thing], and here’s our evidence.”
The best MSSPs I’ve partnered with actually prepare documentation for assessment day: responsibility matrices, shared control descriptions, evidence packages. If your MSP gives you a blank stare when you ask about CMMC support, that’s a problem worth solving now rather than in the assessment room.
If you’re shopping for an MSSP to help with CMMC, ask one question: has your organization been through a CMMC assessment itself? Not “do you help clients with CMMC,” but have you actually been assessed? An MSSP that has been through it understands what the assessor is looking for in a way that reading documentation never will. There aren’t many that have done this, but the difference is night and day.
Step 5: Don’t try to boil the ocean
You don’t need to tackle all 110 practices at once. Start with the families that trip people up the most:
- Access Control (AC): 22 practices, the biggest family, the most common failure points
- Audit & Accountability (AU): everyone has logs, almost nobody can explain who reviews them
- Incident Response (IR): you need a plan, you need to have tested it, you need to be able to talk about it
- System & Communications Protection (SC): this is where CUI boundary scoping lives
The practice pages on this site cover the hardest ones in detail. Start there and work outward.
Step 6: Practice talking about it
This sounds ridiculous, but it’s the most important step. Get someone on your team, the person who will be in the assessment room, and have them explain each practice out loud. Not read from the SSP. Explain it like they’re talking to someone who has never seen your environment.
If they can’t do it, the assessor will notice. The assessment is a conversation. Prepare for it like one.
Ready to get into specifics? Browse the practice pages, organized by family and prioritized by difficulty.