CMMC Level 2: A 90-Day Quickstart Roadmap for Defense Contractors
A week-by-week action plan for defense contractors starting CMMC Level 2 compliance, from gap assessment through assessment-ready documentation.

CMMC Level 2 certification requires compliance with all 110 NIST SP 800-171 controls, and most defense contractors need six to twelve months to reach full readiness. The first 90 days determine whether the rest of that timeline holds or collapses. This is a phase-by-phase action plan for the critical opening stretch of your compliance effort.
If you’re still sorting out whether you need Level 1 or Level 2, start with our CMMC deadline guide for Texas defense contractors. This post picks up where that one leaves off, assuming you’ve confirmed you handle Controlled Unclassified Information (CUI) and need Level 2.
Days 1 Through 14: Gap Assessment and CUI Identification
The first two weeks are about understanding exactly where you stand. A gap assessment evaluates your current environment against all 110 NIST SP 800-171 Rev 2 controls and produces a scored report showing what you meet, what you partially meet, and what’s missing entirely. Your assessor or MSP will walk through all 14 control families, from access control and audit accountability to incident response and system integrity.
At the same time, you need to map every location where CUI lives in your environment. CUI flows through email, file shares, cloud storage, engineering applications, and sometimes places nobody expected. This data flow mapping is a prerequisite for scoping every technical control that follows. If you don’t know where CUI is, you can’t protect it, and your System Security Plan will have gaps that assessors will find.
This phase also forces an infrastructure decision. If your organization uses standard Microsoft 365 and Azure, CUI handling likely requires a migration to Microsoft 365 GCC High and Azure Government. These are FedRAMP High-authorized environments built for CUI. Standard commercial tenants do not meet the data residency and handling requirements for CMMC Level 2, and this migration alone can take four to eight weeks. Start the licensing and planning process on day one.
Days 15 Through 30: Build Your System Security Plan and POA&M
The System Security Plan (SSP) is the single most important document in your CMMC compliance effort. It describes how your organization implements each of the 110 security requirements, documents your system boundaries, and maps every control to your actual environment.
Writing an SSP is not a checkbox exercise. C3PAO assessors read these documents carefully and compare them against what they observe during the assessment. A generic template pulled from the internet will not pass. Your SSP needs to describe your specific network architecture, your specific access control policies, and your specific implementations for each requirement.
During this phase, build your Plan of Action and Milestones (POA&M) for any controls you cannot fully implement before your assessment date. POA&Ms are permitted under CMMC 2.0 but come with strict limits: you cannot use them for certain high-weight controls, and all open items must be closed within 180 days of your assessment. We covered the POA&M constraints in detail in our deadline analysis. Treat the POA&M as a last resort. Every control you close before the assessment is one less risk to your certification.
Days 31 Through 60: Implement Technical Controls
This is the most labor-intensive phase. Your gap assessment identified what’s missing, and now you deploy it. The specific work depends on your starting point, but most defense contractors need to address the same core areas.
Access controls. Implement role-based access across all systems that handle CUI. Deploy multi-factor authentication for every user, not just administrators. Review and restrict privileged access to the minimum necessary for each role.
Audit logging. Deploy a SIEM platform that collects logs from endpoints, servers, firewalls, cloud services, and identity providers. NIST 800-171 requires that you can detect, report, and investigate unauthorized access attempts. Without centralized logging, you have no evidence trail for assessors and no real-time visibility into your own environment. Your managed security provider should handle SIEM deployment and tuning as part of this effort.
Encryption. CUI must be encrypted at rest and in transit. This covers local storage, cloud storage, email, and data transfers between systems. GCC High and Azure Government handle most encryption at the platform level, but you still need to verify that disk-level encryption is active on endpoints and on-premises servers.
Incident response. Write and test a documented incident response plan with assigned roles, communication procedures, and escalation paths. Run a tabletop exercise during this phase to surface gaps in the plan before your assessment, not during it. NIST 800-171 requires that your organization can detect, contain, and recover from security incidents, and assessors verify this through both documentation and interviews.
Security awareness training. Every employee who accesses CUI needs training on handling requirements, phishing identification, and incident reporting procedures. Assessors verify this through training records and employee interviews, not just policy documents on a shelf.
Days 61 Through 90: Validate, Document, and Schedule Your Assessment
The last 30 days are about validation. Run an internal readiness review that walks through every control in your SSP and confirms the implementation matches what you documented. Configuration drift between the SSP and the actual environment is one of the most common assessment failures.
Collect your evidence artifacts systematically. Assessors will request screenshots, configuration exports, policy documents, training records, and system logs. Organize these by control family so your assessment team can locate them quickly. Missing evidence for a control you actually implemented looks the same as not implementing it from the assessor’s perspective.
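A small readiness-review checker, added here as an illustration (it is not part of Infonaligy's process or any official CMMC tooling), that flags the failure modes above: implemented controls with no filed evidence, gaps with no POA&M entry, and POA&M closures past the 180-day limit. The status vocabulary, evidence paths, and assessment date are constructed assumptions; the family names are the 14 families of NIST SP 800-171 Rev 2.

```python
"""Readiness-review checker for the Days 61 through 90 validation pass.

Constructed data model (an assumption for this example, not an official format):
  controls: NIST SP 800-171 requirement id -> "implemented" | "partial" | "not_implemented"
  evidence: requirement id -> list of artifact paths, already filed by control family
  poam:     requirement id -> planned closure date
"""
from collections import defaultdict
from datetime import date, timedelta

# The 14 control families of NIST SP 800-171 Rev 2, keyed by requirement id prefix.
FAMILIES = {
    "3.1": "Access Control", "3.2": "Awareness and Training",
    "3.3": "Audit and Accountability", "3.4": "Configuration Management",
    "3.5": "Identification and Authentication", "3.6": "Incident Response",
    "3.7": "Maintenance", "3.8": "Media Protection",
    "3.9": "Personnel Security", "3.10": "Physical Protection",
    "3.11": "Risk Assessment", "3.12": "Security Assessment",
    "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}

def family_of(control_id):
    """Map a requirement id such as '3.5.3' to its control family name."""
    return FAMILIES[control_id.rsplit(".", 1)[0]]

def review(controls, evidence, poam, assessment_date, poam_limit_days=180):
    """Return findings as {family name: [(control id, reason), ...]}."""
    findings = defaultdict(list)
    deadline = assessment_date + timedelta(days=poam_limit_days)
    for cid, status in sorted(controls.items(), key=lambda kv: [int(p) for p in kv[0].split(".")]):
        fam = family_of(cid)
        if status == "implemented" and not evidence.get(cid):
            # To an assessor, an implemented control with no artifact looks unimplemented.
            findings[fam].append((cid, "implemented but no evidence artifact filed"))
        elif status != "implemented":
            if cid not in poam:
                findings[fam].append((cid, f"{status} and not on the POA&M"))
            elif poam[cid] > deadline:
                findings[fam].append((cid, f"POA&M closure {poam[cid]} is past the {poam_limit_days}-day limit"))
    return dict(findings)

# Constructed sample inputs (not real assessment data).
SAMPLE_CONTROLS = {"3.1.1": "implemented", "3.1.2": "implemented",
                   "3.3.1": "partial", "3.5.3": "not_implemented", "3.6.1": "implemented"}
SAMPLE_EVIDENCE = {"3.1.1": ["evidence/AC/3.1.1-role-matrix.xlsx"],
                   "3.1.2": ["evidence/AC/3.1.2-share-acls.csv"],
                   "3.3.1": ["evidence/AU/3.3.1-siem-sources.png"], "3.6.1": []}
SAMPLE_POAM = {"3.5.3": date(2025, 12, 15)}  # MFA rollout planned after the 180-day window

def run_sample():
    """Run the review for an assessment assumed to be scheduled on 2025-06-01."""
    return review(SAMPLE_CONTROLS, SAMPLE_EVIDENCE, SAMPLE_POAM, date(2025, 6, 1))
```

Running `run_sample()` reports 3.3.1 (partial, no POA&M), 3.5.3 (POA&M closure past the limit), and 3.6.1 (implemented but no evidence), grouped under their families.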
If you haven’t already, schedule your C3PAO assessment now. As we covered in our deadline analysis, fewer than 80 C3PAOs serve roughly 76,000 organizations. Slots fill months in advance.
This is also the right time to evaluate how your CMMC controls overlap with other compliance obligations. The technical investments you’re making, including MFA, SIEM, encryption, and incident response, map directly to requirements that cyber insurance carriers now demand and to frameworks like HIPAA. If your organization operates in multiple regulated spaces, a coordinated approach avoids paying for the same controls twice under different labels.
Choosing the Right Compliance Partner
CMMC Level 2 touches every layer of your IT environment: identity, endpoints, networking, cloud infrastructure, logging, policies, and training. Most defense contractors with 50 to 200 employees don’t have the internal staff to plan, implement, and document all 110 controls while also fulfilling contracts.
The right partner brings CMMC-specific experience, established processes for GCC High migration and SIEM deployment, and the ability to produce assessment-ready documentation. Ask potential partners whether they’ve supported organizations through C3PAO assessments. Ask them to explain how they handle CUI scoping and SSP development. Generic IT support won’t get you to certification.
Infonaligy works with Texas defense contractors on CMMC compliance from gap assessment through certification. We handle the technical implementation, the documentation that assessors actually review, and the ongoing monitoring that keeps you compliant between assessment cycles.
Need Help With CMMC Compliance?
Our team can assess your current posture against NIST 800-171 and build a remediation roadmap that gets you to certification.
Get a Free Assessment