If you’re a DoD contractor or subcontractor in January 2026, CMMC 2.0 isn’t an abstract “someday” requirement anymore. It’s phasing into contracts now, and awards can hinge on whether your assessment results and affirmations are visible in SPRS when a contracting officer checks.
I’m writing this for teams that don’t have a full-time compliance department. You need a plan you can execute while still shipping work. Below is my step-by-step approach to CMMC assessment preparation for Level 1 and Level 2, with practical scoping, a tight readiness checklist, and real evidence examples.
Quick definitions up front: FCI (Federal Contract Information) is contract-related data that’s not meant for public release, while CUI (Controlled Unclassified Information) is more sensitive and drives Level 2 scope. Getting scope right is like drawing the walls of your “house” before you install locks.
Requirements can change, so confirm details with official sources like the DoD CMMC pages and the Cyber AB. This is informational only, not legal advice. If you want hands-on help, I can support you as a Business Technology Partner with Cybersecurity Services, Endpoint Security, and Device Hardening for Small Business IT.
Step 1, Know your CMMC level, contract triggers, and what “in scope” really means
The fastest way to waste money on CMMC is to “secure everything” without scoping. The fastest way to fail is to scope too narrowly and miss where CUI actually lives. I start by reading contract language, flow-downs, and any DFARS clauses, then I map data types and where they move.
In 2026, most small and mid-size contractors land in one of two buckets:
- Level 1 if you only handle FCI.
- Level 2 if you handle CUI, even if it’s “just a little” in email or a shared folder.
If you’re bidding work where your prime expects proof in SPRS, treat readiness like a schedule item, not a side quest. I also recommend bookmarking the official DoD references, starting with the DoD CMMC resources and documentation page, then aligning your internal plan to what those sources say today.
Quick CMMC 2.0 overview for 2026: Level 1 vs Level 2 (and where Level 3 fits)
Here’s the plain-English version I use with leadership:
- Level 1: FCI only, annual self-assessment.
- Level 2: CUI, aligns to NIST SP 800-171 (110 requirements). In the current phase-in, some contracts allow self-assessment, and some require a third-party assessment by a C3PAO, with results and affirmations recorded in SPRS.
- Level 3: Rare, for high-value programs, assessed by the DoD (DIBCAC).
Key terms, one sentence each:
- SSP (System Security Plan): the document that describes your environment, boundaries, and how each requirement is met.
- POA&M (Plan of Action and Milestones): your time-bound plan to close approved gaps (when allowed).
- C3PAO: an authorized third party that performs CMMC Level 2 assessments.
- SPRS: the DoD system used to record assessment scores and compliance affirmations.
For process detail, I reference the Cyber AB’s CMMC Assessment Process (CAP) v2.0 so my prep matches what assessors are trained to follow.
Scope it first: map CUI flows, build an enclave, and sort asset categories
I map where CUI enters, moves, and leaves. Common paths include email, Teams chats, SharePoint sites, OneDrive folders, file shares, line-of-business apps, and third parties. If you’re doing an Office 365 Migration, CUI often hides in old mailboxes, shared mailboxes, Teams channels, SharePoint permissions, and guest access settings.
When possible, I recommend a CUI enclave (a separate, controlled environment) so the rest of the business doesn’t get dragged into scope. That enclave might live in Cloud Infrastructure with a Secure Cloud Architecture, or it might include on-prem systems tied to Data Center Technology.
I also sort assets into the CMMC categories in simple terms: CUI assets (touch CUI), security protection assets (protect the enclave), specialized assets (harder to manage, such as OT or IoT), contractor risk-managed assets (you accept and manage the risk), and out-of-scope assets (no CUI path). For example, I try to keep restaurant systems like Restaurant POS Support and Kitchen Technology Solutions on separate networks and identities from any CUI enclave, so they stay out of scope when the business has both government work and hospitality operations.
For the official scoping logic, I cross-check against the DoD CMMC Level 2 Scoping Guide.
Steps 2 to 5, Run a readiness checklist, do a gap assessment, and fix the highest-risk controls first
Once scope is locked, I move fast through four execution steps. This is where Technology Consulting turns into results, and where Infrastructure Optimization and Cloud Management make compliance less painful.
- Step 2: Run a readiness checklist to catch obvious blockers.
- Step 3: Perform a gap assessment against the right baseline (FAR 52.204-21 for Level 1, NIST SP 800-171 for Level 2).
- Step 4: Prioritize remediation by risk and evidence impact.
- Step 5: Prove it works, repeatedly, with artifacts you can hand to an assessor.
This is also where I position Tailored Technology Services for small teams: minimum tools, clear owners, and repeatable routines. It’s “Innovative IT Solutions” only if it’s still understandable on a Monday morning.
Pre-assessment readiness checklist I use before any audit (people, process, tech)
I keep this checklist short, but I don’t skip it:
- Assign control owners and a single assessment lead.
- Freeze scope, document system boundaries, confirm CUI locations.
- Confirm admin accounts, remove stale admins, review MSP access.
- Enforce MFA where required (including admin portals and remote access).
- Confirm encryption expectations for endpoints and data storage.
- Set patch cadence and verify it’s happening.
- Verify backups, then run a restore test and capture proof.
- Centralize logging, set retention, and document review steps.
- Confirm incident response contacts, reporting steps, and a call tree.
- Keep security training records and proof of completion.
- Review physical access basics (doors, visitor logs, server room access).
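The admin-account and MFA items on that checklist are the ones I see missed most, so here is an added Python check for them (my example, not the author's tooling or any vendor's). It reads two constructed CSV exports, a simplified stand-in for an Entra ID or other IdP admin-role membership export and an MFA registration report, whose column names are assumptions for the example, and flags admins with stale or no sign-ins and admins without MFA, then computes the admin MFA coverage figure an assessor asks for.

```python
"""Readiness check: stale admin accounts and MFA coverage over constructed exports.

Added example for this post, not the author's tooling. The two CSV inputs are a
simplified stand-in for an Entra ID (or other IdP) admin-role membership export
and an MFA registration report; the column names are assumptions for the example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

AS_OF = datetime(2026, 1, 15, tzinfo=timezone.utc)  # frozen "now" so output is reproducible
STALE_AFTER = timedelta(days=90)                    # review threshold chosen for the example

# Constructed sample: one row per admin role assignment (empty lastSignIn = never signed in)
ADMIN_ROLES_CSV = """userPrincipalName,role,lastSignIn
alice@example.com,Global Administrator,2026-01-10T14:02:00Z
bob@example.com,Exchange Administrator,2025-08-01T09:15:00Z
svc-msp@example.com,Global Administrator,
carol@example.com,Security Administrator,2026-01-12T08:30:00Z
alice@example.com,Security Administrator,2026-01-10T14:02:00Z
"""

# Constructed sample: MFA registration report covering all users, admins or not
MFA_REGISTRATION_CSV = """userPrincipalName,isMfaRegistered
alice@example.com,true
bob@example.com,false
svc-msp@example.com,false
carol@example.com,true
dave@example.com,true
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """ISO-8601 UTC timestamp or empty string -> aware datetime or None."""
    if not value.strip():
        return None
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_admins(admin_csv=ADMIN_ROLES_CSV, mfa_csv=MFA_REGISTRATION_CSV, now=AS_OF):
    """Return findings keyed by type; each value is a sorted list of admin UPNs."""
    mfa_registered = {r["userPrincipalName"].lower(): r["isMfaRegistered"].lower() == "true"
                      for r in parse_csv(mfa_csv)}
    # Collapse multiple role rows per account into one record holding the latest sign-in
    admins = {}
    for row in parse_csv(admin_csv):
        upn = row["userPrincipalName"].lower()
        last = parse_ts(row["lastSignIn"])
        if upn not in admins or (last is not None and (admins[upn] is None or last > admins[upn])):
            admins[upn] = last
    findings = {"stale": [], "never_signed_in": [], "no_mfa": []}
    for upn, last in admins.items():
        if last is None:
            findings["never_signed_in"].append(upn)
        elif now - last > STALE_AFTER:
            findings["stale"].append(upn)
        if not mfa_registered.get(upn, False):  # absent from the report counts as not registered
            findings["no_mfa"].append(upn)
    return {kind: sorted(upns) for kind, upns in findings.items()}


def mfa_coverage(admin_csv=ADMIN_ROLES_CSV, mfa_csv=MFA_REGISTRATION_CSV):
    """(admin accounts registered for MFA, distinct admin accounts): the coverage figure to keep as evidence."""
    admins = {r["userPrincipalName"].lower() for r in parse_csv(admin_csv)}
    registered = {r["userPrincipalName"].lower() for r in parse_csv(mfa_csv)
                  if r["isMfaRegistered"].lower() == "true"}
    return len(admins & registered), len(admins)


if __name__ == "__main__":
    for kind, upns in review_admins().items():
        print(f"{kind}: {', '.join(upns) or 'none'}")
    covered, total = mfa_coverage()
    print(f"admin MFA coverage: {covered}/{total}")
```

Run it against your real exports by swapping the two strings for file contents; keep the output with the export date as the evidence artifact, since the point is a dated record rather than a one-off look.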
Gap assessment against NIST SP 800-171: what I test and how I score it
For Level 2, I walk each control family against the scoped systems, then mark each requirement as implemented, partial, or not implemented. I attach evidence as I go, not at the end, because “we do that” doesn’t count unless I can show it.
I also keep POA&Ms realistic. In plain terms: some gaps can't be pushed into a POA&M, POA&Ms must be tightly planned and time-bound (often expected within about 180 days), and too many open gaps can sink you. Paper-only compliance is a trap; assessors will test whether the process actually runs.
Remediation plan that works: a 30/60/90-day timeline plus tools that keep me organized
Here’s a simple 30/60/90 model that fits IT Strategy for SMBs and Managed IT for Small Business teams:
| Timeframe | What I focus on | Typical outputs |
|---|---|---|
| First 30 days | Scope, inventory, baseline hardening, MFA, draft core policies | Asset list, boundary diagram, MFA coverage report, policy set v1 |
| Next 60 days | Logging, vuln management, backups, training, IR tabletop | Scan reports, remediation tickets, restore-test proof, tabletop notes |
| Next 90 days | Mock assessment, evidence pack, SSP final, fix findings | Evidence map, updated SSP, closed tickets, readiness summary |
Tooling doesn’t need to be fancy. I use a lightweight GRC tracker (spreadsheet or platform), a ticketing system, an evidence folder structure by control family, a password manager, EDR for Endpoint Security, and standardized baselines for Device Hardening. If you’re heavy in Microsoft 365, the built-in security features can carry a lot of the load when configured correctly. For hybrid shops, I also verify the on-prem side, because old servers don’t disappear just because your Digital Transformation plan says “cloud-first.”
Steps 6 to 9, Build your evidence and documentation, run a mock assessment, then work with a C3PAO
This is where teams either look calm and credible, or they look like they’re guessing. Assessors want three things: an SSP that matches reality, consistent artifacts, and proof your controls run on a schedule.
When I do CMMC assessment preparation, I build the evidence pack as if assessment day is tomorrow, then I pressure-test it with a mock.
Required documentation and evidence pack: what I prepare so nothing is missing
Core artifacts I prepare and keep current:
- SSP, policies and standards, and written procedures
- POA&Ms (when allowed)
- Network and data flow diagrams, plus system boundaries
- Asset inventory and software inventory
- User lists and admin lists
- Change management records
- Incident response plan and test records
- Training logs
- Vulnerability scans and patch reports
- Backup job reports and restore-test results
- Log review proof and retention settings
- Supplier and MSP access records
I also create an “evidence map” that ties each artifact to one or more controls, so nothing gets lost during interviews.
Concrete evidence examples for common controls (the “show me” list)
When an assessor says “show me,” these examples usually land well for small teams:
- MFA: written policy plus Entra ID or IdP reports (Conditional Access, MFA registration, admin role coverage).
- Access reviews: quarterly sign-off record plus group membership export.
- Incident response: IR plan plus tabletop notes and the related tickets.
- Training: LMS export or signed roster with dates and topics.
- Vulnerability management: scan reports plus remediation tickets with closure proof.
- Backups: backup job success reports plus a documented restore test.
- Logging: central log settings, retention policy, sample alerts, and an investigation ticket.
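To make the gap scoring, the POA&M time-box and the evidence map concrete, here is an added Python example (mine, not the author's tracker). The requirement ids are real NIST SP 800-171 identifiers, but the weights, statuses, artifact file names and due dates are constructed for the example, and the scoring rule is a simplified form of the DoD Assessment Methodology (start at 110, subtract each unmet requirement's weight, count partial as unmet) applied only to this subset; real scores come from the official methodology and all 110 requirements.

```python
"""Gap-assessment tracker: status per requirement, evidence map, POA&M aging, score.

Added example for this post, not the author's tracker. Requirement ids are real
NIST SP 800-171 identifiers; weights, statuses, artifact names and dates are
constructed. Scoring is a simplified version of the DoD Assessment Methodology.
"""
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2026, 1, 15)          # frozen "today" so results are reproducible
POAM_LIMIT = timedelta(days=180)   # the "about 180 days" expectation from the post

# Constructed subset of requirements: id -> (short title, sample weight)
REQUIREMENTS = {
    "3.1.1": ("Limit system access to authorized users", 5),
    "3.2.2": ("Ensure personnel are trained for their roles", 1),
    "3.3.1": ("Create and retain audit logs", 5),
    "3.5.3": ("MFA for privileged and network access", 5),
    "3.6.1": ("Operational incident-handling capability", 5),
    "3.11.2": ("Scan for vulnerabilities periodically", 5),
}

# Constructed assessment rows: status, evidence artifacts, optional POA&M due date
ASSESSMENT = [
    {"req": "3.1.1", "status": "implemented",
     "evidence": ["access-review-2025Q4.pdf", "group-export.csv"]},
    {"req": "3.2.2", "status": "implemented", "evidence": ["lms-export-2025.csv"]},
    {"req": "3.3.1", "status": "implemented", "evidence": []},   # the "we do that" case
    {"req": "3.5.3", "status": "partial",
     "evidence": ["mfa-policy-v2.pdf", "ca-policy-report.json", "group-export.csv"],
     "poam_due": date(2026, 3, 1)},
    {"req": "3.6.1", "status": "implemented",
     "evidence": ["ir-plan-v3.pdf", "tabletop-2025-11.md"]},
    {"req": "3.11.2", "status": "not_implemented", "evidence": [],
     "poam_due": date(2026, 9, 1)},
]


def score(rows=ASSESSMENT):
    """Simplified score: 110 minus the weight of every requirement not fully implemented."""
    deductions = sum(REQUIREMENTS[r["req"]][1] for r in rows if r["status"] != "implemented")
    return 110 - deductions


def evidence_map(rows=ASSESSMENT):
    """Artifact -> sorted requirement ids it supports; one artifact may back several controls."""
    m = defaultdict(set)
    for r in rows:
        for artifact in r["evidence"]:
            m[artifact].add(r["req"])
    return {artifact: sorted(reqs) for artifact, reqs in sorted(m.items())}


def findings(rows=ASSESSMENT, as_of=AS_OF):
    """What an assessor would flag: claims without evidence, unmet items with no POA&M,
    and POA&Ms due beyond the time window."""
    out = []
    for r in rows:
        rid = r["req"]
        if r["status"] == "implemented" and not r["evidence"]:
            out.append((rid, "implemented claim has no evidence attached"))
        if r["status"] != "implemented":
            due = r.get("poam_due")
            if due is None:
                out.append((rid, "unmet requirement has no POA&M due date"))
            elif due - as_of > POAM_LIMIT:
                out.append((rid, f"POA&M due {due} exceeds {POAM_LIMIT.days}-day window"))
    return out


if __name__ == "__main__":
    print(f"score over this subset: {score()}")
    for artifact, reqs in evidence_map().items():
        print(f"{artifact}: {', '.join(reqs)}")
    for rid, msg in findings():
        print(f"{rid} ({REQUIREMENTS[rid][0]}): {msg}")
```

The evidence map is the piece I hand to interviewees: when a question lands on 3.5.3, the binder already lists the policy, the Conditional Access report and the group export together, and the findings list tells me before assessment day which rows are still "we do that" with nothing behind them.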
Selecting a C3PAO, scheduling, assessment day expectations, and what happens after
When I help select a C3PAO, I verify authorization, ask about availability, confirm scope, and review the assessment plan and pre-reads. On assessment days, expect interviews, artifact review, technical sampling, and follow-up requests.
The most common pitfalls I see are predictable: the wrong scope, an SSP that doesn’t match what’s deployed, missing timestamps on evidence, overuse of POA&Ms, weak MFA coverage (especially admins), and untracked privileged access by MSPs.
After the assessment, the job isn’t over. I keep POA&Ms on a tight schedule, update the SSP as the environment changes, and maintain continuous compliance through recurring access reviews, patch routines, and ticketing. Requirements can change, so I confirm the latest expectations with official DoD and Cyber AB sources before major decisions.
Conclusion
CMMC prep works best when I treat it like building a clean, well-labeled toolbox. First I confirm the level and lock scope, then I run readiness and gap checks, fix high-risk items, and build evidence that proves controls are real and repeatable. After that, I run a mock, tighten the SSP, and schedule the C3PAO at the right time.
If you want help, I offer a scoped readiness workshop or gap assessment tied to Secure Cloud Architecture, Cloud Management, and Business Continuity & Security for small contractors. Before you act, confirm current DoD requirements, and keep your evidence as strong as your technology.