What CMMC Level 2 Actually Requires — And Why Most Defense Contractors Aren't Ready
Ensphere Advisory Team
April 16, 2026

If your organization handles Controlled Unclassified Information and works anywhere in the defense supply chain, CMMC Level 2 is no longer a future planning item. Enforcement is here, third-party assessments are becoming the standard, and the window for comfortable preparation is closing faster than most contractors realize.
The frustrating part is that most of the organizations we talk to across Southern California and the Inland Empire are not unprepared because they do not care. They are unprepared because no one has given them a clear picture of what Level 2 actually demands, what their gaps really are, or what getting ready in a practical, sustainable way looks like.
This is that picture.
What Level 2 Actually Demands
CMMC Level 2 is anchored to the 110 security requirements in NIST SP 800-171 (the Rev. 2 baseline the CMMC rule incorporates). Those requirements span 14 families, covering everything from access control and incident response to configuration management, risk assessment, and system and communications protection.
The standard itself is not new; DFARS 252.204-7012 has required contractors handling CUI to implement it for years. What changed is enforcement. For the majority of defense contractors and subcontractors, self-assessment and affirmation is being replaced by formal third-party assessments conducted by authorized C3PAOs (CMMC Third-Party Assessment Organizations). The Department of Defense is moving toward requiring C3PAO certification for an estimated 70 to 75 percent of Level 2 contractors by late 2026. That means you will need to demonstrate your compliance posture to an external assessor who has no incentive to grade on a curve.
The days of checking your own boxes are ending.
Where Contractors Actually Fall Short
The gaps we consistently see are not exotic technical failures. They are structural and operational problems that have been deferred, ignored, or papered over. Here are the most common ones.
System Security Plans that do not accurately reflect reality. The SSP is the foundational document of your compliance posture. It describes your system boundary, your implemented controls, how they work, and who owns them. Most contractors either do not have one, have one that is dangerously outdated, or have one that was written to look good rather than to accurately describe their environment. An assessor will walk through your SSP and compare it to what they actually observe. Discrepancies are findings.
Control implementation that cannot be proven. Having a security control technically in place is not the same as having documented, auditable evidence that it exists and functions. Assessors do not operate on trust. They examine policies, procedures, and configuration records, interview the people who operate the control, and test it where they can. A requirement is scored MET only when every one of its NIST SP 800-171A assessment objectives is satisfied; a single unmet objective fails the whole requirement. If you cannot demonstrate it, it does not count.
No Plan of Action and Milestones. A POA&M is your documented plan for addressing the controls you have not yet fully implemented. It shows assessors that you understand your gaps and have a credible path to closing them. Organizations without a POA&M are telling an assessor they have not seriously evaluated their own posture. Do not mistake it for a safety net, though: under the CMMC rule a Level 2 certification can be issued with open POA&M items only if you score at least 88 of 110 under the DoD scoring methodology, only one-point requirements remain open (with a narrow exception for CUI encryption that is in place but not FIPS-validated), and every open item is closed and verified within 180 days, or the conditional certification lapses.
Undefined or overly broad scope. Many contractors have never formally defined which systems, networks, and assets are actually in scope for CMMC. Without a clear, defensible boundary, your entire organization risks being pulled into scope. That increases assessment complexity significantly and opens gaps you did not know existed.
Policies that no one follows. A written policy sitting in a shared drive does not constitute an implemented control. Assessors will ask how the policy is enforced, who is trained on it, and how compliance is verified. Organizations with policies and no operational reality behind them will not survive a serious assessment.
What a Realistic Readiness Path Looks Like
Getting to genuine CMMC Level 2 readiness is a structured process. For most organizations starting from a fragmented or immature security posture, a realistic timeline is three to six months of focused work. Sometimes longer, depending on how deep the gaps run and what internal resources are available.
A practical sequence looks like this.
Start with a gap assessment against all 110 controls. Assess at the level the C3PAO will, which is the individual NIST SP 800-171A assessment objectives under each requirement, not a yes or no per control. This gives you an honest baseline: what is implemented, what is partially in place, and what is missing entirely. Everything that follows depends on the accuracy of this picture.
Define your system boundary and document your CUI flow. You need to understand exactly where CUI lives in your environment, how it moves, who can access it, and what systems touch it. Categorize each asset the way the CMMC Level 2 scoping guidance does (CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets), because that categorization determines what the assessor examines. This is foundational, and it is where many contractors discover scope problems they did not anticipate.
Develop or update your SSP. This is not a document you create once and archive. It is a living, accurate representation of your security posture at the time of assessment. It needs to reflect your real environment, not your ideal environment.
Build your POA&M. For every gap your assessment identifies, document a realistic remediation plan with assigned ownership and target completion dates. Vague intentions do not satisfy an assessor.
Implement remediation. Close the gaps through technical controls, policy development, training, and process changes. This is where most of the actual work happens and where having experienced advisory support makes the difference between efficient progress and expensive confusion.
Conduct a readiness review before your formal assessment. Whether you do this internally or bring in an independent advisor, this step validates your posture before a C3PAO assessor arrives. Surprises during a formal assessment are costly in ways that go beyond the assessment fee.
What This Means for Your Organization Right Now
The contractors who will be well positioned are not necessarily the ones with the most sophisticated technology stacks. They are the ones who did the structural work. Who documented their environments accurately, implemented their controls with real intent, and built governance processes that make compliance sustainable rather than a frantic sprint before each assessment cycle.
If you have not started your CMMC readiness process and you handle CUI under DoD contracts, now is the time to begin. Waiting until a contract requirement creates urgency leaves no runway to close gaps properly, and rushing through a compliance program produces exactly the kind of documentation-without-substance that assessors are trained to identify.
Ensphere helps defense contractors and DIB suppliers across Southern California work through this process from initial gap assessment through SSP development, remediation planning, and pre-assessment readiness review. If you want an honest picture of where your organization actually stands, the right place to start is a straightforward conversation.
Ensphere is a cybersecurity and compliance advisory firm serving defense contractors, federal-adjacent businesses, and growth-stage SMBs across Southern California. Our founder holds CCP, CCA, and Lead CCA credentials backed by over a decade of direct experience in defense and intelligence community cybersecurity programs.