If you do any work with a Department of Defense prime — subcontracting on a DoD program, supplying a DIB manufacturer, or bidding on federal work that touches Controlled Unclassified Information (CUI) — you've already seen the letters: your prime wants CMMC 2.0 Level 2. You have until the next contract renewal. You need an answer that isn't "we're working on it."
This post is the plain-English checklist we walk clients through before the internal (or C3PAO) assessment. It's not a substitute for reading the DoD's official CUI guidance or NIST SP 800-171 Rev. 2, but it's what most small DIB shops actually need to focus on.
1. Identify your CUI footprint first
Before any control work, you have to know where CUI actually lives in your business. Engineering drawings marked as Distribution Statement D. Email threads with primes that include technical specs. SharePoint folders shared with outside counsel during a bid. Contract deliverables stored on a shop laptop. Until you can point to the systems and people that touch CUI, every compliance spend is a guess. Produce a data-flow diagram. It doesn't have to be pretty — it has to be accurate.
2. Set up a CUI enclave (or go tenant-wide)
You have two architectural choices. Option A is a dedicated CUI enclave — a segmented environment (often Microsoft 365 GCC High, separate Azure subscriptions, or a physically isolated network zone) where CUI-touching work happens. Option B is going tenant-wide — treating the whole business as a Level 2 environment. Enclaves are cheaper to operate but impose process discipline on your team; tenant-wide is simpler but scales the control cost to every user. Most small DIB contractors should start with an enclave.
3. Lock down identity
Roughly a third of Level 2 controls tie back to identity and access management. You need:
- Multi-factor authentication on every user account — phishing-resistant (hardware key or passkey) for anything privileged.
- Unique credentials per person. No shared admin accounts, ever.
- Documented role-based access with periodic reviews.
- Session timeouts and lockout thresholds set to the ranges specified in the NIST baseline.
- Conditional access policies that block legacy authentication protocols.
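As an added example (not code from the post or from Gravity Networks), the script below audits a constructed identity-provider export against the five items in this list and reports each gap. The `ACCOUNTS` and `POLICY` records are constructed samples, the field names are an assumption about what an export would contain, and the numeric limits (`max_lockout`, `max_idle_minutes`, `review_days`) are placeholder parameters, not values the post or the NIST baseline is quoted as specifying.

```python
"""Audit an identity-provider export against the Level 2 identity items.

Added example, not from the post or from Gravity Networks. ACCOUNTS and
POLICY are constructed samples; real IdP exports use their own field
names. The numeric limits are placeholder parameters, not values the
post specifies.
"""
from datetime import datetime, timedelta

# Constructed sample export of user accounts.
ACCOUNTS = [
    {"name": "j.doe", "privileged": False, "mfa": "totp",
     "shared": False, "last_access_review": "2024-02-01"},
    {"name": "admin-shared", "privileged": True, "mfa": "sms",
     "shared": True, "last_access_review": None},
    {"name": "a.smith-adm", "privileged": True, "mfa": "fido2",
     "shared": False, "last_access_review": "2023-06-01"},
    {"name": "svc-backup", "privileged": True, "mfa": "none",
     "shared": False, "last_access_review": "2024-03-01"},
]

# Constructed sample of tenant-wide authentication policy settings.
POLICY = {"lockout_threshold": 10, "session_timeout_minutes": 30,
          "legacy_auth_blocked": False}

# MFA methods treated here as phishing-resistant (credential bound to hardware).
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}


def audit_identity(accounts, policy, as_of, max_lockout=5,
                   max_idle_minutes=15, review_days=90):
    """Return a list of (subject, finding) tuples; an empty list means no gaps."""
    findings = []
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=review_days)

    for acct in accounts:
        name = acct["name"]
        # MFA everywhere; phishing-resistant MFA for privileged accounts.
        if acct["mfa"] == "none":
            findings.append((name, "no MFA enrolled"))
        elif acct["privileged"] and acct["mfa"] not in PHISHING_RESISTANT:
            findings.append((name, f"privileged account uses {acct['mfa']}, "
                                   "not a phishing-resistant method"))
        # Unique credentials per person.
        if acct["shared"]:
            findings.append((name, "shared credential; must be a unique per-person account"))
        # Periodic access review with evidence of when it last happened.
        reviewed = acct["last_access_review"]
        if reviewed is None:
            findings.append((name, "no access review on record"))
        elif datetime.strptime(reviewed, "%Y-%m-%d") < cutoff:
            findings.append((name, f"access review older than {review_days} days"))

    # Tenant-wide policy settings: lockout, idle timeout, legacy auth.
    if policy["lockout_threshold"] > max_lockout:
        findings.append(("policy", f"lockout threshold {policy['lockout_threshold']} "
                                   f"exceeds limit {max_lockout}"))
    if policy["session_timeout_minutes"] > max_idle_minutes:
        findings.append(("policy", f"session timeout {policy['session_timeout_minutes']} min "
                                   f"exceeds limit {max_idle_minutes}"))
    if not policy["legacy_auth_blocked"]:
        findings.append(("policy", "legacy authentication protocols are not blocked"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_identity(ACCOUNTS, POLICY, "2024-03-31"):
        print(f"{subject}: {finding}")
```

The output of a run like this is the kind of evidence list the SSP should point at: each finding maps to a named account or policy setting, which is what an assessor will want to trace.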
4. Deploy endpoint detection and centralized logging
Every endpoint that touches CUI needs managed EDR (endpoint detection and response) — not just antivirus. You also need centralized logging (a SIEM) with a defined minimum retention window — the CMMC assessor is going to ask whether you can produce, say, 90 days of authentication logs for a specific user on request. "Our server writes to the event log" is not the right answer.
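Here is what answering that assessor request looks like in practice, as an added example (not code from the post, from Gravity Networks, or from any SIEM vendor). It assumes the SIEM can export authentication events as JSON lines with the fields used in `SAMPLE_EXPORT`, which is a constructed sample; real exports differ in field names. Beyond filtering one user's events, it checks whether the export actually reaches back over the requested window, because a log that covers 60 of the 90 days is a gap, not evidence.

```python
"""Produce per-user authentication evidence from a centralized log export.

Added example, not from the post or from any SIEM product. Assumes a
JSON-lines export with the fields shown in SAMPLE_EXPORT (constructed).
"""
import json
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample export: one JSON object per line, plus one corrupt
# line to show that unparseable records are counted rather than ignored.
SAMPLE_EXPORT = """\
{"ts": "2024-01-05T08:01:12Z", "user": "j.doe", "event": "logon", "result": "success", "src": "10.0.5.21"}
{"ts": "2024-01-05T08:03:40Z", "user": "a.smith", "event": "logon", "result": "failure", "src": "10.0.5.30"}
{"ts": "2024-02-14T17:22:09Z", "user": "j.doe", "event": "logon", "result": "failure", "src": "203.0.113.9"}
{"ts": "2024-02-14T17:22:31Z", "user": "j.doe", "event": "logon", "result": "success", "src": "203.0.113.9"}
{"ts": "2024-03-01T09:15:00Z", "user": "j.doe", "event": "logoff", "result": "success", "src": "10.0.5.21"}
this line is not json and must be reported as unparseable
{"ts": "2024-03-20T12:00:00Z", "user": "j.doe", "event": "logon", "result": "success", "src": "10.0.5.21"}
"""


def parse_ts(text):
    """Parse the export's UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_auth_log(text):
    """Parse a JSON-lines export. Returns (events, unparseable_line_count)."""
    events, unparseable = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = parse_ts(rec["ts"])
            events.append(rec)
        except (ValueError, KeyError, TypeError):
            # Corrupt or malformed lines are counted so the evidence
            # package can state how much of the export was unreadable.
            unparseable += 1
    return events, unparseable


def evidence_for_user(events, user, as_of, days=90):
    """Summarise one user's authentication events over the trailing window.

    as_of is a timestamp string in TS_FORMAT; the window runs back `days`
    from it. retention_covers_window is False when the oldest record in
    the whole export is newer than the window start, i.e. the export
    cannot prove the full retention period.
    """
    end = parse_ts(as_of)
    start = end - timedelta(days=days)
    oldest = min((e["ts"] for e in events), default=None)
    hits = sorted((e for e in events
                   if e["user"] == user and start <= e["ts"] <= end),
                  key=lambda e: e["ts"])
    logons = [e for e in hits if e["event"] == "logon"]
    return {
        "user": user,
        "window_start": start.strftime(TS_FORMAT),
        "window_end": as_of,
        "event_count": len(hits),
        "logon_success": sum(1 for e in logons if e["result"] == "success"),
        "logon_failure": sum(1 for e in logons if e["result"] == "failure"),
        "sources": sorted({e["src"] for e in hits}),
        "retention_covers_window": oldest is not None and oldest <= start,
    }


if __name__ == "__main__":
    evts, bad = parse_auth_log(SAMPLE_EXPORT)
    print(f"parsed {len(evts)} events, {bad} unparseable line(s)")
    print(evidence_for_user(evts, "j.doe", "2024-03-31T00:00:00Z"))
```

On the constructed sample the 90-day request is answered with the user's events, but `retention_covers_window` comes back false because the export starts on 5 January, four days inside the window. That is the result to catch in the mock assessment rather than in front of the assessor.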
5. Write the System Security Plan and POA&M
Two documents carry the majority of the documentary burden:
- System Security Plan (SSP). A living document describing how each of the 110 Level 2 controls is implemented in your environment. Written plainly enough that a new engineer could read it and understand how you actually do it.
- Plan of Action & Milestones (POA&M). The list of controls you haven't fully implemented yet, with a named owner and a target date for each. Level 2 assessments allow POA&M items for non-critical gaps — but the list can't be a wish list.
Both documents should be updated quarterly. If they're static for a year, you've probably lost touch with what's actually in your environment.
6. Run a mock assessment before the real one
Have someone outside the project — an MSP with CMMC experience, a consultant, or a C3PAO-adjacent reviewer — walk your SSP and control evidence as though they were the assessor. You want to find the gaps now, not on the day your prime is waiting for the result.
7. Get your SPRS score submitted
For Level 2 self-assessments, you post your score in the Supplier Performance Risk System (SPRS). DoD primes and contracting officers can look up your score — a negative number means gaps, and the math follows a published rubric. SPRS is DoD-operated and becomes the external face of your posture. Keep it current.
Where we help
Gravity Networks has walked Utah and Tennessee manufacturers, engineering firms, and defense service contractors through this checklist. If you're facing a renewal deadline or a prime's questionnaire and the in-house IT lead is thin, that's the kind of problem we solve. See our defense-contractor services overview or schedule a scoping call — first conversation is 30 minutes and there's no deck.