CMMC Level 2 Compliance Guide: Requirements, Scoping, & Certification

This guide is informed by real-world experience, including insights from a webinar hosted by GraVoc’s Director of Information Security, Brian Brunelle, alongside Joe Kurlanski of Monarch, a certified C3PAO.

For any contractor keeping up with the Department of Defense’s compliance requirements, CMMC is not a new concept. However, many organizations still struggle with how to plan, scope, and prepare for CMMC certification. Starting November 2026, applicable DoD solicitations will require CMMC Level 2 certification by a C3PAO. For most organizations in the Defense Industrial Base (DIB), Level 2 is the most common certification level.

Most DoD contractors understand the CMMC Level 2 requirements at a high level, but many fumble the ball on scoping and strategy. Preparation itself is not quick either. In our experience, CMMC Level 2 readiness can take anywhere from 6 to 8 months or longer, depending on the maturity of an organization's security program.

To help cut through the confusion, we put together this guide to walk through the areas that have the biggest impact on successful certification, including:

If you’re looking for a step-by-step breakdown of the CMMC Level 2 readiness process, we have outlined the full timeline in our CMMC Level 2 Readiness: A 6–8 Month Preparation Roadmap for Defense Contractors.

Is CMMC Level 2 required for CUI?

Yes, CMMC Level 2 is required for organizations handling Controlled Unclassified Information (CUI). CUI is government-created or owned sensitive, unclassified information that requires protection based on laws, regulations, and government policies.

How do you know if your organization handles CUI?

The first point of confusion for many DoD contractors is trying to determine if they deal with CUI. Part of the challenge is how CUI is identified in the first place. The government determines what qualifies as CUI, not the contractor, and provides that guidance through contract language, markings, and supporting documentation.

However, the DoD marking practices are often inconsistent, which puts the onus on contractors to identify CUI, how it flows through their environment, and which users or endpoints interact with it.

The DoD CUI Registry does offer helpful guidance on CUI categories and government policies, but many organizations don’t fully understand whether they handle CUI until they begin scoping for CMMC Level 2.

In our experience, validating CUI identification early in the readiness process – through contract review and scoping – helps avoid both over-scoping and under-scoping your environment.

CMMC Level 2 requirements explained

CMMC Level 2 requirements align with the security controls outlined in the NIST SP 800-171 Rev 2. The requirements are grouped into 14 domains, totaling 110 controls. Each of these domains includes both technical and administrative controls that must be implemented and supported with evidence during an assessment. For a detailed overview of the requirements, check out the DoD’s CMMC Assessment Guide.

CMMC domain                                   | Number of controls | Focus area
----------------------------------------------|--------------------|------------------------------------------------
Access Control (AC)                           | 22                 | Managing who can access systems and CUI
Awareness & Training (AT)                     | 3                  | Educating users on security responsibilities
Audit & Accountability (AU)                   | 9                  | Logging and monitoring system activity
Configuration Management (CM)                 | 9                  | Controlling system configurations and changes
Identification & Authentication (IA)          | 11                 | Verifying user identity and access
Incident Response (IR)                        | 3                  | Detecting and responding to security incidents
Maintenance (MA)                              | 6                  | Securing system maintenance processes
Media Protection (MP)                         | 9                  | Protecting physical and digital media with CUI
Personnel Security (PS)                       | 2                  | Managing user access based on roles and status
Physical Protection (PE)                      | 6                  | Securing facilities and physical access
Risk Assessment (RA)                          | 3                  | Identifying and evaluating security risks
Security Assessment (CA)                      | 4                  | Assessing and validating control effectiveness
System & Communications Protection (SC)       | 16                 | Protecting data in transit and system boundaries
System & Information Integrity (SI)           | 7                  | Detecting and correcting system flaws and threats
Total                                         | 110                |

CMMC Level 2 scoping: Defining what is in & out of scope

Scoping is one of the most important, and often misunderstood, parts of CMMC Level 2 preparation. This is the step most organizations either struggle with or get wrong.

In simple terms, scoping is about identifying where CUI exists in your environment, how it flows, and who interacts with it.

Early on, many organizations take an ‘everything is in scope’ approach. The idea is to apply certification requirements across the entire enterprise and avoid worrying about where CUI lives. In practice, that approach can quickly become expensive and difficult to manage. As Joe described, organizations often start broad and then realize, “This might cost a little bit more money than we want to spend… so the next logical thing was, how do we reduce that scope?”

A well-defined scope answers key questions like:

  • Where does CUI live across your environment?
  • Which systems and devices store, process, or transmit it?
  • Which users are authorized to access it?

From there, your environment is broken into different categories, including:

  • CUI assets (systems that handle CUI directly)
  • Security protection assets (e.g., identity, antivirus, patching systems)
  • Contractor risk-managed assets (systems that could access CUI but are not authorized to)

Getting these classifications right is critical, because your assessment scope is driven by your asset inventory and data flow diagrams.


CMMC Enterprise vs Enclave approach

One of the biggest scoping decisions is whether to certify:

  • Your entire organization (enterprise scope), or
  • A segmented portion of your systems and users (enclave scope)

As Brian explained, “It really should be more of a strategy than a price decision.”

An enclave approach can reduce cost and limit disruption, but often introduces additional complexity:

  • Managing separate environments
  • Ensuring you have separate documents, policies, and plans for the enclave
  • Ensuring no data flows outside the enclave

An enterprise approach is more uniform but may require broader changes across the organization, which could be a big lift for some companies. As Brian put it, “When you see enclave style approaches, the common challenges would just be failing to identify anywhere and everywhere where CUI flows. So, you're talking about email, desktops, if it's printed and synced to cloud storage systems, if it's shared with a third party – everywhere that the CUI flows has to be part of that enclave and must be able to be walled off for it to be an effective enclave. And again, the key there being that your assessor or your certifier is going to test those boundaries and make sure that they’re appropriate.”

The right choice between enclave vs enterprise for CMMC compliance depends on:

  • How central CMMC-covered work is to your business
  • How many users and systems are involved
  • Your overall security maturity

Brian suggests, “If you have a lower percent of users and less of a budget, and your operational security or maturity might be lower, an enclave may be more appropriate. And on the contrary, if most of your business and revenue is tied to CMMC contracts, then you want to go with that enterprise approach.”

GCC vs GCC High vs Commercial Microsoft 365

When organizations start planning for CMMC Level 2, one of the biggest decisions they face is which Microsoft environment to use. At a high level, the answer seems clear. Commercial Microsoft 365 is widely used, but once CUI enters the picture, it’s no longer a viable option. From there, the conversation typically shifts to GCC or GCC High.

As Brian explained, the distinction begins with the type of data you’re handling. GCC is designed to support most organizations working with CUI, while GCC High comes into play when export-controlled data, like ITAR, is involved. But even that isn’t always straightforward. As Joe pointed out, there’s often confusion between the two: “ITAR does not automatically denote CUI, and CUI does not denote ITAR… but if you have ITAR requirements, that’s where GCC High comes into play.”

That distinction matters, because many organizations default to GCC High simply to be safe. In practice, that decision can have significant cost implications. GCC typically comes at a moderate premium over commercial licensing, but GCC High can be significantly more expensive, especially at scale.

That’s why some organizations take a more targeted approach — only placing users who actually interact with CUI into GCC High, while keeping the rest of the organization in GCC or even commercial environments. That approach, as Joe described, often introduces a different kind of challenge: “You’ve saved a bunch of money… but now you’ve got to manage two environments.”

And that’s really the tradeoff at the center of this decision — cost versus complexity. A broader deployment may be simpler to manage, while a more targeted approach can reduce spend but requires tighter controls, clearer policies, and more operational discipline.

There’s a common misconception that simply moving to GCC or GCC High solves the compliance problem. In reality, those platforms provide the environment, but not the implementation.

As Brian emphasized, responsibility doesn’t go away: “The weakest point in all of our systems…[is] the users.” Organizations still own user access, configurations, endpoint management, and policy enforcement. The cloud gives you the tools, but how those tools are used is what ultimately determines whether you meet CMMC requirements.

Another area where this becomes clear is scope. Many organizations assume that moving to the cloud removes infrastructure from the assessment. In practice, what matters is where CUI exists. Joe described a scenario they see often: “We’ve gotten it all in the cloud… and then we ask—are you printing anything?” At that point, the discussion shifts quickly. If CUI is printed or handled on-site, physical security and facilities come back into scope.

Ultimately, the decision between GCC and GCC High is less about choosing the most secure option and more about aligning your environment with your actual data, contracts, and operational approach.

Understanding the different types of CMMC assessments

The terms readiness assessment, gap assessment, and mock assessment are often used interchangeably, which adds to the confusion. Many contractors conduct these assessments at different stages as they prepare for CMMC certification.

Here’s a quick overview of the different assessments and where they add value:

Readiness/gap assessments: Understanding where you stand

A CMMC Level 2 gap assessment is not a formal step in the certification process, but it is a great place for organizations to start developing a strategy. It’s essentially a point-in-time audit of your current program against CMMC requirements.

It gives you clarity on:

  • How prepared your organization is for a CMMC assessment
  • Whether your gaps are technical, procedural, or policy-based
  • How mature your current security program is
  • What your roadmap to compliance looks like
  • What level of effort, cost, and resources will be required

In many cases, it also serves as a lower-cost, low-risk way to begin the process, especially for organizations that aren’t sure where to start.

Typical outputs include:

  • A gap register outlining missing or incomplete controls
  • Prioritized remediation efforts
  • Insight into control maturity
  • And, importantly, early input into your System Security Plan (SSP)

While it’s possible to walk through CMMC requirements independently if you have a full in-house information security or compliance team, most organizations benefit from having an experienced third party involved. That added perspective helps ensure that results are actionable.

Explore our CMMC Level 2 gap assessment services.

Mock assessment: Testing actual readiness

A CMMC Level 2 mock assessment comes in later, when an organization feels close to ready for certification. It highlights the difference between perceived readiness and actual readiness.

Mock assessments are designed to surface gaps, validate evidence, and test staff readiness before the actual C3PAO assessment. According to Joe, mock assessments should be scheduled at least 8 weeks before your C3PAO assessment to give your team enough time to remediate any gaps.

One common question organizations ask is whether a mock assessment should be done with their C3PAO or with a separate consultant. And the answer, as Joe framed it, depends on what you’re trying to get out of the process. If you work with a consultant or third party (not your C3PAO), you’ll typically get direct guidance on how to remediate gaps and support in building or refining policies and controls.

If you work with your C3PAO, the experience is different. Because of independence requirements, they can’t tell you how to fix issues, but they can show you exactly what they’ll be looking for during certification.

As Joe explained, “The upside of doing it with your C3PAO is you know exactly what they are looking for… you know what’s missing, you know what we’re going to be looking for, when we’re going to be looking for it, and why.” That level of visibility can be especially valuable as you get closer to certification.

C3PAO certification assessment: The final step

The final step is the official certification assessment conducted by a C3PAO. At this stage, assessors are evaluating whether your organization can demonstrate CMMC compliance, not just through documentation, but through evidence, interviews, and validation.

CMMC Level 2 certification outcomes: Final vs conditional certification

After going through a C3PAO assessment, contractors can receive one of three outcomes: fail, conditional certification, or final certification.

If your organization fails the assessment, you have to start over and prepare to repeat the assessment. A final certification means your organization has successfully met all CMMC Level 2 requirements.

With a final certification:

  • All 110 control requirements are fully satisfied
  • You receive an official certification from your C3PAO
  • Your certification is recorded in DoD systems
  • It is valid for three years, with annual reaffirmation required

On the other hand, conditional certification allows organizations to secure DoD contracts with a 180-day grace period to remediate any gaps in CMMC compliance. Once the gaps are resolved, you will be granted final certification. If the gaps are not fixed within that 180-day timeframe, the certification expires and you have to start over.

It’s important to note that conditional certification comes with strict criteria:

  • You must meet a minimum compliance score (based on NIST scoring)
  • Only certain, lower-impact controls can be incomplete
  • Some higher-weighted controls cannot be deferred

Key Takeaways

CMMC Level 2 readiness is about making a series of strategic decisions that shape your entire approach to compliance.

  • Start with clarity: Understanding whether you handle CUI and defining your scope correctly sets the foundation for everything that follows.
  • Scoping drives cost, complexity, and timeline: Over-scoping increases effort and spend, while under-scoping leads to gaps that surface later in assessment.
  • Cloud decisions should follow strategy: Choosing between environments like GCC and GCC High depends on your data, contracts, and long-term plans, not just a desire to “play it safe.”
  • Readiness is more than technical: Documentation, policies, and the ability to demonstrate controls are just as important as the controls themselves.
  • Validation matters: Gap assessments and mock assessments help bridge the gap between perceived readiness and actual readiness before certification.

But at the center of all of this is a bigger shift in perspective. As Brian put it, “Security allows your business to operate and achieve these CMMC contracts, which brings revenue and money into your business… Security is literally enabling you to do that.”

CMMC is directly tied to your ability to win and maintain business. And because of that, it’s not something that sits with IT alone. “It’s an enterprise-wide decision… all your end-users have responsibility under CMMC as well.”

Organizations that approach CMMC as a strategic, organization-wide effort tend to move through it with fewer surprises and better outcomes.

Watch the full CMMC Level 2 Webinar

These insights were pulled from our recent CMMC Level 2 webinar. If you’d like to see the full discussion, you can watch it below.

Not sure where to start with CMMC Level 2?

A gap assessment can help you understand your current readiness, identify gaps, and define a clear path to compliance. Contact us to schedule a CMMC Level 2 gap assessment with our team.