
CMMC Level 2: C3PAO Assessment Preparation

Updated April 2026 · 7 min read

CMMC Level 2 became a contractual reality for defense contractors handling Controlled Unclassified Information (CUI). The standard requires third-party assessment by a Certified CMMC Third Party Assessment Organization (C3PAO) — meaning self-attestation is no longer sufficient for Level 2 programs.

For companies building or operating the technical environments that handle CUI, here's what CMMC Level 2 assessment preparation actually involves from an engineering perspective.

What CMMC Level 2 Covers

CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2, organized across 14 domains:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Of these 110 requirements, the technical controls — those implemented in systems, code, and configuration — are where engineering teams do the work. Policy and procedure requirements (AT, MA, PS, PE) are largely documentation and HR processes; the remaining requirements live in infrastructure.

High-Value Technical Controls for C3PAO Assessment

These are the controls where C3PAO assessors most often record findings in unprepared environments:

AC-2 / AC-3: Account Management and Access Enforcement

The assessor will verify that every account has a documented owner, accounts are reviewed periodically, privileged access is minimal, and access control enforcement is technical (not honor-system).

Technical implementation:

  • IAM roles with least-privilege policies, no wildcard permissions in production roles
  • No shared accounts — every human user has a unique identity
  • Privileged accounts (admin, root, deployment roles) are separate from daily-use accounts
  • Account lifecycle automation: provisioning via Terraform/IaC, offboarding triggers immediate access revocation
  • Quarterly access reviews documented in an audit trail

IA-5: Authenticator Management

Assessors look for password policy enforcement, MFA implementation, and rotation of secrets/credentials.

  • MFA required for all remote access and all privileged access — no exceptions
  • Password policy enforced at the IdP level (min 12 chars, complexity, history)
  • Service account credentials rotated automatically (AWS Secrets Manager rotation, not manual processes)
  • No long-lived IAM access keys — OIDC/STS patterns eliminate this finding category entirely
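
The two checks above that assessors test mechanically, no wildcard grants on production roles (AC-3) and MFA enforced on API calls rather than only on the console (IA-5, also listed under the common gaps later on this page), can be linted offline from the policy documents themselves. The following script is an added example, not Rutagon's tooling; the two policies in it are constructed, the bucket name is a placeholder, and the read-only heuristic (Get/List/Describe verbs) is an assumption that a real linter would replace with a proper action catalogue.

```python
"""Offline audit of IAM policy documents for two controls the page calls out:
AC-3 least privilege (no wildcard actions, no write access on Resource "*") and
IA-5 MFA on API calls (an explicit Deny when aws:MultiFactorAuthPresent is false).
Both policies below are constructed examples, not policies from any real account."""
from __future__ import annotations

import json

# Assumption: actions whose verb starts with one of these are treated as read-only.
READ_ONLY_PREFIXES = ("get", "list", "describe")


def _as_list(value) -> list:
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    """Heuristic: the verb after the service prefix starts with Get/List/Describe."""
    verb = action.split(":", 1)[-1].lower()
    return verb.startswith(READ_ONLY_PREFIXES)


def find_wildcards(policy: dict) -> list[str]:
    """AC-3 check: Allow statements granting wildcard actions, or write actions on Resource '*'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append(f"Statement {i}: wildcard action(s) {wild_actions}")
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append(f"Statement {i}: non-read-only action(s) allowed on Resource '*'")
    return findings


def enforces_mfa(policy: dict) -> bool:
    """IA-5 check: a Deny over all actions (or all but a NotAction exemption list)
    conditioned on aws:MultiFactorAuthPresent being false. Both the Bool and
    BoolIfExists operators are accepted; BoolIfExists is the usual choice so that
    sessions which never carry the key (for example some role sessions) are not locked out."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        condition = stmt.get("Condition", {})
        flags = {**condition.get("Bool", {}), **condition.get("BoolIfExists", {})}
        if str(flags.get("aws:MultiFactorAuthPresent", "")).lower() != "false":
            continue
        if "NotAction" in stmt or "*" in _as_list(stmt.get("Action")):
            return True
    return False


def audit_policy(policy: dict) -> list[str]:
    """Run both checks; an empty list means the document passed."""
    findings = find_wildcards(policy)
    if not enforces_mfa(policy):
        findings.append("No Deny statement conditioned on aws:MultiFactorAuthPresent=false "
                        "(MFA enforced on the console only, not on API calls)")
    return findings


# Constructed "before" policy: the AdministratorAccess-shaped document.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed "after" policy: scoped read access plus the MFA Deny. Bucket name is a placeholder.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadCuiBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-cui-bucket", "arn:aws:s3:::example-cui-bucket/*"],
        },
        {
            "Sid": "DenyAllExceptSelfServiceWithoutMFA",
            "Effect": "Deny",
            "NotAction": ["iam:ChangePassword", "iam:GetUser", "iam:ListMFADevices",
                          "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                          "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {json.dumps(audit_policy(policy), indent=2)}")
```

Run it against the JSON you get back from `aws iam get-policy-version` (or the rendered Terraform plan) in CI, and the wildcard and MFA-on-API findings surface before an assessor finds them.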

AU-2 / AU-6 / AU-9: Audit Event Generation, Review, and Protection

This domain consistently produces findings. The assessor tests:

  • What events are logged (login success/fail, privilege escalation, data access, configuration changes)
  • Where logs go (centralized, tamper-protected, retained 3 years)
  • Whether logs are reviewed (automated alerting on anomalies, not just archived)

Technical evidence required:

  • CloudWatch/CloudTrail centralized log aggregation
  • S3 log bucket with MFA delete enabled and Object Lock for tamper protection
  • GuardDuty or equivalent for anomaly detection
  • Documented log review process with evidence of periodic review (screenshots, SIEM alert records)

# List trails and confirm a multi-region trail covers the account; whether that trail is
# actually delivering logs is reported separately by `aws cloudtrail get-trail-status`
aws cloudtrail describe-trails --include-shadow-trails --region us-east-1 \
  --query 'trailList[*].{Name:Name,MultiRegion:IsMultiRegionTrail,CustomEventSelectors:HasCustomEventSelectors}'
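
The AU-6 point above is that logs must be reviewed with alerting, not merely archived, and that each review leaves evidence. The script below is an added example (not part of the page or of any Rutagon deliverable) of a minimal automated review pass over CloudTrail-shaped records: it raises alerts for the event categories the page names (privilege changes, changes to the audit pipeline, authentication failures) and returns a review record that can be stored as evidence. The records are constructed, use RFC 5737 documentation addresses, and the event-name sets and the failure threshold are assumptions to tune per environment.

```python
"""Automated review pass over CloudTrail-style records (AU-6 evidence).
The sample records are constructed to look like CloudTrail events; they are not from a real
account. Event-name lists and FAILED_LOGIN_THRESHOLD are assumptions for this example."""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timezone

# Privilege-escalation style IAM events (page category: "privilege escalation").
PRIVILEGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                    "CreateAccessKey", "AddUserToGroup", "UpdateAssumeRolePolicy"}
# Changes to the audit pipeline itself (page category: "configuration changes", and AU-9 protection).
AUDIT_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                       "PutEventSelectors", "DeleteBucket", "PutBucketPolicy"}
FAILED_LOGIN_THRESHOLD = 3  # console login failures by one identity before alerting


def _actor(record: dict) -> str:
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or "unknown"


def review(records: list[dict]) -> dict:
    """Return a review record: what was examined plus the alerts raised.
    Persisting this dict per run is the 'evidence of periodic review' an assessor asks for."""
    alerts: list[str] = []
    failed_logins: Counter = Counter()
    for r in records:
        name = r.get("eventName", "")
        actor = _actor(r)
        src = r.get("sourceIPAddress", "?")
        if name == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failed_logins[actor] += 1
        if name in PRIVILEGE_EVENTS:
            alerts.append(f"PRIVILEGE_CHANGE {name} by {actor} from {src}")
        if name in AUDIT_TAMPER_EVENTS:
            alerts.append(f"AUDIT_PIPELINE_CHANGE {name} by {actor} from {src}")
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            alerts.append(f"ACCESS_DENIED {name} by {actor} from {src}")
    for actor, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"REPEATED_LOGIN_FAILURE {actor}: {n} failures")
    return {
        "reviewed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "records_reviewed": len(records),
        "alerts": alerts,
    }


def _ev(name: str, source: str, actor: str, ip: str, **extra) -> dict:
    """Build one constructed CloudTrail-shaped record."""
    return {"eventVersion": "1.08", "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "sourceIPAddress": ip, **extra}


# Constructed sample: three failed logins, one benign read, a privilege change, a trail stop,
# and an access-denied call.
SAMPLE_RECORDS = [
    _ev("ConsoleLogin", "signin.amazonaws.com", "alice", "198.51.100.7",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("ConsoleLogin", "signin.amazonaws.com", "alice", "198.51.100.7",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("ConsoleLogin", "signin.amazonaws.com", "alice", "198.51.100.7",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("ConsoleLogin", "signin.amazonaws.com", "bob", "203.0.113.20",
        responseElements={"ConsoleLogin": "Success"}),
    _ev("GetObject", "s3.amazonaws.com", "bob", "203.0.113.20"),
    _ev("AttachUserPolicy", "iam.amazonaws.com", "bob", "203.0.113.20"),
    _ev("StopLogging", "cloudtrail.amazonaws.com", "bob", "203.0.113.20"),
    _ev("DescribeInstances", "ec2.amazonaws.com", "carol", "203.0.113.9", errorCode="AccessDenied"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_RECORDS), indent=2))
```

In practice the same function runs on the `Records` array of each delivered CloudTrail file (or on the SIEM's export); writing the returned dict to the Object Lock-protected evidence bucket each run gives the assessor both the alerts and the proof that review happened.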

SC-7 / SC-8: Boundary Protection and Transmission Confidentiality

The assessor will test network segmentation, TLS enforcement, and data-at-rest encryption.

  • CUI environments in isolated VPCs/network segments, not shared with development
  • All traffic between system components encrypted (TLS 1.2+ minimum, TLS 1.3 preferred)
  • No TLS-stripping proxies on CUI data paths
  • ALB/NLB SSL policies configured to reject TLS 1.0/1.1

SI-2 / SI-3 / RA-5: Patching, Malware Protection, and Vulnerability Scanning

The assessor wants to see: vulnerability scanning running regularly, a documented process for timed remediation of findings, and evidence of patch compliance.

  • Critical CVEs remediated within 15 days, High within 30 days (tighter timelines than NIST 800-171 baseline)
  • Vulnerability scanner output (Trivy, Inspector) accessible via API and integrated into CI/CD
  • POA&M (Plan of Action and Milestones) for findings not yet remediated, with realistic timelines
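
The three bullets above describe one workflow: scanner output in, findings triaged against the remediation timelines, and a POA&M for whatever is still open. The script below is an added example (not Rutagon's code) that carries that workflow through on constructed, Trivy-shaped findings; the SLA table uses the page's own numbers (Critical 15 days, High 30 days), the CVE identifiers are placeholders, and the review date is constructed.

```python
"""Remediation-SLA triage and POA&M generation over vulnerability scan findings (SI-2 / RA-5).
SLA_DAYS uses the page's timelines. The findings below are constructed, Trivy-shaped records
with placeholder CVE IDs, not real scanner output."""
from __future__ import annotations

from datetime import date, timedelta

# Page timelines; Medium/Low are given no number on the page and are passed through untriaged.
SLA_DAYS = {"CRITICAL": 15, "HIGH": 30}


def triage(findings: list[dict], today: date) -> list[dict]:
    """Attach a due date and a status (remediated / within_sla / overdue) to each
    Critical or High finding, plus whether a closed finding met its SLA."""
    rows = []
    for f in findings:
        sla = SLA_DAYS.get(f["Severity"].upper())
        if sla is None:
            continue
        first_seen = date.fromisoformat(f["FirstSeen"])
        due = first_seen + timedelta(days=sla)
        remediated_on = f.get("RemediatedOn")
        closed = date.fromisoformat(remediated_on) if remediated_on else None
        if closed:
            status, met_sla = "remediated", closed <= due
        else:
            status, met_sla = ("overdue" if today > due else "within_sla"), None
        rows.append({
            "id": f["VulnerabilityID"], "package": f["PkgName"], "severity": f["Severity"].upper(),
            "first_seen": first_seen.isoformat(), "due": due.isoformat(),
            "days_open": ((closed or today) - first_seen).days,
            "status": status, "met_sla": met_sla,
        })
    return rows


def poam_entries(triaged: list[dict]) -> list[dict]:
    """One POA&M line per unremediated finding; overdue ones carry the flag an assessor will ask about."""
    return [{
        "weakness": f"{t['id']} in {t['package']} ({t['severity']})",
        "scheduled_completion": t["due"],
        "overdue": t["status"] == "overdue",
        "milestone": f"Upgrade {t['package']} to a fixed version and rescan",
    } for t in triaged if t["status"] != "remediated"]


def sla_compliance(triaged: list[dict]) -> float:
    """Share of closed findings fixed inside their SLA: patch-compliance evidence as one number."""
    closed = [t for t in triaged if t["status"] == "remediated"]
    return sum(1 for t in closed if t["met_sla"]) / len(closed) if closed else 1.0


# Constructed findings (placeholder CVE IDs, not real vulnerabilities).
SAMPLE_FINDINGS = [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl", "Severity": "CRITICAL", "FirstSeen": "2026-03-01"},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libxml2", "Severity": "HIGH", "FirstSeen": "2026-03-25"},
    {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "curl", "Severity": "CRITICAL",
     "FirstSeen": "2026-04-01", "RemediatedOn": "2026-04-05"},
    {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "zlib", "Severity": "HIGH",
     "FirstSeen": "2026-02-01", "RemediatedOn": "2026-03-20"},
    {"VulnerabilityID": "CVE-EXAMPLE-0005", "PkgName": "bash", "Severity": "MEDIUM", "FirstSeen": "2026-03-10"},
]

if __name__ == "__main__":
    rows = triage(SAMPLE_FINDINGS, today=date(2026, 4, 10))  # constructed review date
    for row in rows:
        print(row)
    print(poam_entries(rows))
    print(f"SLA compliance on closed findings: {sla_compliance(rows):.0%}")
```

Feeding this from the scanner's API on every pipeline run, and archiving the triage rows with the scan output, produces exactly the three artifacts the assessor asks for here: regular scan results, timed remediation status, and a current POA&M.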

Evidence Collection Strategy

C3PAO assessment is evidence-driven. The assessors don't just read your System Security Plan (SSP) — they test controls and request evidence that the controls are actually implemented.

Evidence by type:

  • Artifact evidence: Configuration files, Terraform code, policy documents, screenshots
  • Interview evidence: Technical staff explaining how controls work and how processes operate
  • Test evidence: Assessor-conducted testing of controls (attempting unauthorized access, verifying MFA prompts, testing network segmentation)

Build your evidence collection systematically before the assessment:

  • Control-by-control documentation: For each of the 110 requirements, document: how it's implemented, which system component implements it, what artifact proves it
  • Screenshot archive: Time-stamped screenshots of console configurations for controls that don't produce automated artifacts
  • Policy set: Written policies for domains that require them (IR, MA, AT) — these should match actual operations, not aspirational descriptions
  • Scan outputs: Recent vulnerability scan results (within 30 days) with remediation status for all findings

Common CMMC Level 2 Gaps in Cloud Environments

Based on patterns in assessed defense contractor environments:

  • Incomplete MFA coverage: MFA on the console but not on API access via IAM (use IAM conditions to enforce MFA on all API calls for human users)
  • Logs that exist but aren't reviewed: Logging infrastructure present, but no documented review process and no alerting on anomalies — satisfies AU-2 but fails AU-6
  • CUI in shared environments: CUI data in the same environment as development or test workloads — fails the boundary protection (SC-7) requirement for CUI isolation
  • Long-lived credentials: IAM access keys stored in CI/CD systems — eliminates OIDC benefits and creates IA-5 findings
  • Missing media protection: Portable storage, developer laptops with CUI access — MP controls require encryption and media handling procedures

Rutagon builds cloud environments with CMMC controls implemented from the start — not retrofitted during assessment preparation. For a conversation about your environment's readiness, contact us at rutagon.com/government.

Frequently Asked Questions

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 covers 17 basic safeguarding requirements from FAR 52.204-21 and requires annual self-attestation. Level 2 maps to all 110 NIST 800-171 Rev 2 requirements and requires triennial third-party assessment by an accredited C3PAO for contracts involving CUI in critical programs. Some Level 2 programs allow self-attestation; the specific requirement is determined by the DoD in the contract solicitation.

How long does a C3PAO CMMC Level 2 assessment take?

The on-site assessment phase typically takes 3–5 days for a moderate-sized organization. The preparation and pre-assessment review phase takes significantly longer — most organizations need 6–18 months of gap closure work before they're ready for assessment. The assessment organization will review documentation, conduct interviews, and perform technical testing. Assessment results are submitted to the CMMC Accreditation Body (Cyber-AB) for official certification.

Can we use cloud infrastructure to meet CMMC Level 2 requirements?

Yes. Cloud infrastructure — specifically FedRAMP-authorized cloud services — can satisfy many CMMC technical controls through inheritance. AWS GovCloud and Azure Government provide FedRAMP High-authorized environments that inherit physical protection (PE), media protection for cloud storage (MP-5), and several configuration management controls. The system owner inherits CSP controls and implements the remaining controls specific to their application. Understanding which controls are inherited vs. system-owner responsibility is critical for SSP accuracy.

What is a POA&M and why does CMMC require it?

A Plan of Action and Milestones (POA&M) documents known security weaknesses that are not yet remediated, with a plan and timeline for remediation. CMMC Level 2 (via NIST 800-171 CA-5) requires maintaining a POA&M for any gaps in control implementation. Having an open POA&M item doesn't automatically fail an assessment — assessors evaluate whether the weakness is documented, has a credible remediation plan, and doesn't represent an unmitigated critical risk.

What happens if we fail the C3PAO assessment?

A CMMC Level 2 assessment that finds insufficient control implementation results in non-certification. The organization can remediate findings and re-submit for assessment. Contracts requiring CMMC Level 2 certification cannot award or continue to a non-certified contractor performing in-scope work. For this reason, pre-assessment gap analysis — conducted internally or by a C3PAO-readiness assessor — is essential before scheduling the formal assessment.
