
What It Takes to Achieve CMMC Level 2: A Government Contractor’s Perspective


By Payam Pourkhomami, President & CEO of OSIbeyond

CMMC Level 2 certification has shifted from a distant requirement to an immediate priority. With the DFARS acquisition rule now in effect, contractors without certification are not eligible for many defense contracts. Yet despite years of discussion about CMMC requirements, only a small fraction of the defense industrial base has achieved certification. The majority of contractors are still working to understand what the process actually involves.

To find out what it takes to become CMMC certified, we spoke with Fania Carter, CEO of SSC, a DoD contractor providing IT services, program management and operational support to defense clients. SSC recently became one of the first small businesses to achieve CMMC Level 2 certification and their firsthand experience offers practical insights for contractors facing the same journey.

Why CMMC Matters for DoD Contractors

For years, contractors handling Controlled Unclassified Information were required to comply with NIST SP 800-171, but compliance was based on self-attestation. CMMC changes that by requiring independent verification through third-party assessments. Contractors without the assessment will not be eligible to win or renew contracts that require it. 

The program uses a three-tier model:

  • Level 1 applies to contractors handling only Federal Contract Information and requires 15 basic security practices with annual self-assessment. 
  • Level 2 sits in the middle and applies to most contractors handling CUI. It requires implementation of all 110 security controls from NIST SP 800-171 and certification through an accredited C3PAO.
  • Level 3 applies to contractors working with the most sensitive CUI and adds requirements from NIST SP 800-172, with assessments conducted by the DoD itself. 

For SSC, Level 2 was the clear target. “We support the DoD across IT services, program management, administrative support, logistic facility maintenance and operational support. Our work often involves system access, handling control information, so cybersecurity and data protection are built into how we operate day-to-day,” Carter explained. 

The push toward certification became more urgent when an existing contract made NIST 800-171 compliance a condition for renewal. “One of the contracts that we were already supporting reached out and informed us that the only way we are going to get the option year is if we are able to attest to NIST 800-171 compliance through SPRS,” the CEO said. That requirement, while still based on self-attestation, signaled where things were heading. “I think that pushed me even more toward getting CMMC in place.”

Rather than wait for a mandate, SSC chose to get ahead of it. “We pursued CMMC Level 2 because we knew it was a requirement coming down the pipeline,” Carter said. “Based on the direction of DoD policies and the type of work we do, it was clear this would eventually be a requirement. We wanted to be ready ahead of time, instead of reacting later.”

Indeed, more solicitations will include CMMC requirements as the phased rollout continues and prime contractors are already prioritizing certified subcontractors to reduce supply chain risk. For SSC, getting certified early has already created an advantage. “I definitely feel it’s a competitive advantage,” she said. “Being Level 2 certified positions us as a lower-risk partner and helps avoid delays when opportunities come up that do have a CMMC Level 2 requirement.”

Beginning the Compliance Journey

Most contractors pursuing the two higher CMMC levels will need outside help. Even CMMC Level 2 includes 110 controls that span technical configurations, written policies and operational practices that must be documented and consistently followed. Managing so many requirements alongside day-to-day business operations is extremely difficult for organizations without dedicated compliance staff, especially considering that the requirements continue to evolve.

SSC recognized this early. “Our company was growing and we no longer had the capacity to manage cybersecurity internally,” Carter said. “I needed outside support to keep up.”

One practical approach is to work with a managed service provider that also offers CMMC compliance support, and that’s the approach SSC took when it partnered with OSIbeyond. “Once we committed to CMMC Level 2, I knew we wanted a managed service provider that also offered CMMC support,” the CEO explained. “We didn’t want to manage multiple vendors or risk gaps between IT operations and compliance. One key requirement was that whoever we used would also serve as our managed service provider. I didn’t want to separate the two.”

That decision shaped how the workload was divided. “OSIbeyond handled most of the work, including implementation and documentation,” Carter noted. “It was closer to an 80/20 split, with OSI doing about 80% or probably more.” For SSC’s internal team, the commitment averaged 10 to 20 hours per month from key staff, primarily focused on reinforcing new processes and making sure changes were adopted across the organization. 

Having a knowledgeable partner proved essential. “It was critical, actually, because I wasn’t staying informed on all the different changes that were happening,” she said. “They were the expert. I certainly wasn’t. If I didn’t have them on my side, I don’t think I could have gotten this done by myself, even if I had a full-time IT team on board.”

Carter’s advice to other contractors is clear: “I would say that even if you are an IT company and knowledgeable about the rules and regulations concerning CMMC, you would still likely need a consultant. Policies and procedures are going to be constantly changing and if you are running a company, it’s hard for you to know everything that’s going on unless you have a dedicated team.”

What to Expect During the CMMC Readiness Process

The readiness process revolves around the implementation of technical controls, but contractors must also develop documentation, standardize processes and make sure that day-to-day operations align with written policies because assessors will look for evidence that controls are consistently followed. 

“Standardizing was one of the biggest hurdles we had,” Carter said. “But honestly, change management was just as important as making sure policies and day-to-day practices lined up consistently, not just on paper but in real operations.”

Getting employees on board can be a major challenge. New security procedures often feel like added burden and resistance is common. “People don’t always like change. I mean, even I don’t necessarily like change,” she admitted. “Getting buy-in from the team and helping them understand why these changes mattered was a key part of the process.”

SSC addressed this by communicating openly with staff about the reasons behind the new requirements. “What we did is just talk to the team and let them know why it was important and that we weren’t just doing it because we were adding something else on top of what they had to do, but it was a key requirement,” the CEO said. “Plus, it put the company in a better position to support our customers, so ultimately the company focused on what matters to the customer and having a secure system is important.”

The team also connected cybersecurity practices to employees’ personal experiences. “There’s just so many scams going on, not just within business but also within our personal lives,” Carter noted. “I’ve had teammates who’ve experienced different types of scams, whether it’s through people trying to get their banking information or just getting random text messages. So I think everyone on the team was knowledgeable enough that they were open to the idea.”

Contractors should also expect significant effort aligning existing systems and processes with their documentation. “It’s great to have the documentation so you can have your evidence, but even just making sure all other systems and processes that you are using align with the new CMMC documentation, depending on the size of your company, that could be a lot,” she said. (For guidance on developing a System Security Plan, a critical component of CMMC compliance, see our detailed guide.)

Throughout the process, leadership involvement remained critical. Carter emphasized that the biggest challenge was making sure everything worked in practice, not just on paper, which meant reinforcing new processes over time and staying engaged so that the changes stuck.

The Formal Assessment and What Comes After

Once a contractor has closed all gaps and finalized documentation, the next step is the formal assessment conducted by a C3PAO, or Certified Third-Party Assessor Organization, an independent organization accredited by the Cyber AB to evaluate contractors against CMMC requirements. The assessment typically involves interviews, evidence review and validation of systems and processes.

“Once all the gaps were closed and the documentation was finalized, we could confidently demonstrate that the controls were not only documented, but actually being followed in day-to-day operations,” Carter said. “That’s what determined we were ready.”

The assessment itself was scheduled to run a full week, but SSC completed it ahead of schedule. “It ran Monday through Friday, from about 9:00 AM to 3:00 PM each day. But we actually got done in three to three and a half days, even though it was expected to take about five days,” the CEO said. The format mainly consisted of interviews focused on evidence review and validation of the systems and processes SSC had documented. “The C3PAO had volumes of questions we had to answer and different pieces of evidence and documentation we needed to provide. We shared our screens and worked through the process together.”

About a week after the assessment concluded, SSC received formal confirmation via email. The C3PAO uploaded the certification and SSC was able to verify their CMMC Level 2 status in SPRS.

From start to finish, the entire process took about nine months to a year. “It’s definitely not a month or three-month process,” Carter noted. The total cost, including readiness, implementation and the formal assessment, came to between $90,000 and $105,000.

Certification is valid for three years, but maintaining compliance requires ongoing effort. “We actively work with our managed service provider to maintain our controls, keep our documentation current, train our staff and regularly continue reinforcing the processes so they remain part of normal operations,” she said.

Key Takeaways for Contractors Seeking Certification

CMMC Level 2 certification is achievable, but it requires time, investment and organizational commitment. Based on SSC’s experience, contractors should keep the following in mind:

  • Start early: Waiting until a contract requires certification leaves little room for error. “Start early, expect change management to be part of the journey and get your team involved from the very beginning,” Carter advised. 
  • Choose the right partner: Not all CMMC consultants are equally qualified. Carter cautioned against providers without deep experience in the federal space: “A lot of companies are jumping into the CMMC service role just because there’s a lot of money to be made. Do the proper research and look for a managed services provider with CMMC expertise that actually has experience.”
  • Focus on people, not just technology: Technical controls are only part of the equation. “CMMC isn’t just about systems. It’s about people, processes and consistency,” Carter said. Leadership must stay engaged throughout the process so that changes are adopted and reinforced across the organization.
  • Keep your environment simple: Contractors will need to decide whether to secure their entire environment or create a separate enclave for CUI. SSC opted for a full migration to Microsoft GCC High rather than maintaining two separate systems. “I wanted to make sure that we are providing the most secure data for our customers, even if by mistake they sent something to the wrong system,” Carter explained. “A full migration makes the most sense for a smaller company.”

“It’s not an easy process, so I don’t want to give anyone the impression that it’s easy. But if you’re focused, consistent and find a great partner that understands your line of work… I would say that’s number one,” concluded Carter.
