What a CMMC Level 2 Assessment Actually Takes


Getting a CMMC Level 2 assessment right means understanding that contract eligibility is your goal. This article walks you through lessons from a real-life Level 2 audit, so you know what to expect.

Many organizations underestimate the work involved. Here’s what happened in Teal’s CMMC Level 2 audit, and the lessons you can take away from our lived experience.

Key Takeaways

  • A realistic CMMC Level 2 preparation timeline is 12 months or more, even for organizations with an existing compliance framework, like ISO 27001.
  • The System Security Plan is likely the most significant document you’ve ever built, and it drives everything that follows.
  • Configuration management is the most documentation-intensive control domain in NIST 800-171, but not the most technically complex.
  • How you organize evidence before the audit week matters more than what you say during it.


How long does it take to prepare for a CMMC Level 2 assessment?

Plan for at least a year and expect that timeline to start well before the first artifact gets collected. Organizations that already hold ISO 27001 – or have mature compliance programs – have a structural advantage. However, the depth of documentation that CMMC Level 2 requires is different in kind, not just in degree.

ISO 27001 establishes a risk management posture and general controls framework. CMMC Level 2, mapped to NIST SP 800-171, requires demonstrating that 110 controls are fully implemented across 320 assessment objectives.

It also requires that you can prove each one with traceable evidence. ISO-certified organizations may run a gap assessment and still find a significant amount of work ahead of them.

“The ISO 27001 framework gave us change management, incident response, disaster recovery planning, and a risk management process. But the level of documentation that’s expected for a CMMC Level 2 assessment was very significant and detailed. The things we were doing just weren’t enough.”

For organizations starting without any formal compliance framework, the timeline extends further. Building policies, procedures, and a System Security Plan from scratch – while simultaneously implementing and documenting technical controls – takes time that cannot be compressed by adding more people to the project.

What is a System Security Plan, and why is it so important?

The System Security Plan (SSP) is the master document that describes your environment:

  • What systems are in scope
  • How each control is implemented
  • How your organization operates within those boundaries

ISO 27001 does not require one. Most frameworks don’t. For many organizations, building the SSP is the first time they’ve had to describe their entire technical environment in writing.

The SSP matters because it is the anchor for everything a C3PAO will evaluate.

Your evidence should map to it.

Your policies and procedures should trace back to it.

When an assessor asks about a control during the interview week, your answer should reflect what’s in the SSP because they’ve already read it before they walked in.

Building the SSP well requires you to understand your environment accurately, not “aspirationally.” That means scoping decisions need to be made and documented before you can write an SSP with any confidence.

Organizations that rush the SSP or write it to describe their intended state rather than their actual state tend to run into trouble during evidence review.

Why is configuration management the hardest control domain to satisfy?

The hardest part is not the technical configuration. It’s the documentation that proves you followed your own process. Turning on security settings in Microsoft Intune or Exchange Online takes an afternoon. Documenting a baseline, tracking every change to that baseline, recording who approved each change, and maintaining updated documentation every time the baseline shifts – that’s months of operational discipline.

Configuration management (CM) under NIST 800-171 requires organizations to define what a normal state looks like for every in-scope system, and then to prove that any deviation from that state was intentional, approved, and recorded.

For organizations that have historically made configuration changes without a formal change management workflow, this is a significant behavioral shift.

“The significant amount of work was really the documentation around all of that. To prove that you followed your policy. To prove that as you’re going through your procedure, you’re doing the things that you say you’re going to do.”

Organizations that try to reconstruct their change history retroactively (rather than capturing it in real time) will find this control domain genuinely difficult to satisfy when an assessor asks to see the record.
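To make the "intentional, approved, and recorded" requirement concrete, here is an added example (not Teal's code or tooling) that compares a documented baseline with a live settings snapshot and cross-checks each deviation against the change log; the baseline, snapshot and change entries are all constructed sample data.

```python
"""Cross-check configuration drift against the change record.
Added example, not the article's or Teal's code; all inputs below are constructed.
"""

# Constructed: the baseline as written in the CM documentation for one in-scope system
BASELINE = {
    "mfa_required": True,
    "session_timeout_min": 15,
    "legacy_auth_enabled": False,
    "audit_log_retention_days": 90,
}

# Constructed: what the same system reports today
CURRENT = {
    "mfa_required": True,
    "session_timeout_min": 30,        # approved change, but baseline document never updated
    "legacy_auth_enabled": True,      # no change record at all
    "audit_log_retention_days": 30,   # change record exists but was never approved
}

# Constructed change log; a complete entry names both the ticket and the approver
CHANGE_LOG = [
    {"setting": "session_timeout_min", "new_value": 30, "ticket": "CHG-0042", "approver": "CISO"},
    {"setting": "audit_log_retention_days", "new_value": 30, "ticket": "CHG-0047", "approver": None},
]

def find_findings(baseline, current, change_log):
    """Return {setting: finding} for every deviation from baseline an assessor would flag."""
    records = {c["setting"]: c for c in change_log}
    findings = {}
    for setting, expected in baseline.items():
        actual = current.get(setting)
        if actual == expected:
            continue                                  # matches the baseline, nothing to prove
        rec = records.get(setting)
        if rec is None:
            findings[setting] = "deviation with no change record"
        elif not rec.get("approver"):
            findings[setting] = "change record lacks an approver"
        elif rec["new_value"] != actual:
            findings[setting] = "approved value differs from actual value"
        else:
            findings[setting] = "approved change not reflected in baseline document"
    return findings

if __name__ == "__main__":
    for setting, finding in find_findings(BASELINE, CURRENT, CHANGE_LOG).items():
        print(f"{setting}: {finding}")
```

Run against a real export, each finding maps to a gap an assessor will ask about: an unrecorded change, an unapproved record, or a baseline document that lags the approved state.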

How do you collect evidence for 110 controls?

Organize for the assessor, not for yourself. The natural instinct is to create evidence files that make sense internally – organized by system, by date, or by team. The structure that makes the audit go faster is one organized by control and assessment objective, labeled so that any assessor can locate what they need without needing to ask follow-up questions.

For each assessment objective, consider providing the relevant section of your policy, the relevant section of your procedure, and a screenshot confirming the control is implemented.

That may feel like more preparation than the situation requires. However, it makes the actual audit week materially faster – in some cases, faster than the full week the audit was scheduled for.

Most C3PAOs provide a secure data room where organizations upload evidence ahead of the interview week. Used well, that structure means the assessor arrives already familiar with your environment, and the interview becomes a verification session rather than a discovery session.

There are GRC tools that automate portions of evidence collection, particularly for controls that generate logs or configuration data automatically. Manual screenshot-and-folder approaches work, but they require consistent discipline across the entire assessment period.

So, organizations with more than six months before their target assessment date should evaluate whether a tooling investment makes sense for their situation.
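An added example, not code from the article or from Teal, that checks a data-room package laid out per control and assessment objective for the three artifacts recommended above (policy excerpt, procedure excerpt, screenshot); the folder layout and objective identifiers such as 3.4.1[a] are assumptions for illustration, following NIST SP 800-171A-style numbering.

```python
"""Check an evidence package organized by control and assessment objective.
Added example, not the article's or Teal's code. Assumes the constructed layout
<root>/<control>/<objective>/ holding a policy excerpt, a procedure excerpt and a screenshot.
"""
import os
import tempfile

# Artifact kinds expected for every objective, identified by filename prefix and extension
REQUIRED = {
    "policy": (".pdf", ".md", ".docx"),
    "procedure": (".pdf", ".md", ".docx"),
    "screenshot": (".png", ".jpg"),
}

def audit_package(root, objectives):
    """Return {objective: [missing kinds]} for every objective that is not fully evidenced."""
    gaps = {}
    for obj in objectives:
        control = obj.split("[")[0]   # assumed naming: "3.4.1[a]" belongs to control "3.4.1"
        folder = os.path.join(root, control, obj)
        present = [f.lower() for f in os.listdir(folder)] if os.path.isdir(folder) else []
        missing = [kind for kind, exts in REQUIRED.items()
                   if not any(f.startswith(kind) and f.endswith(exts) for f in present)]
        if missing:
            gaps[obj] = missing
    return gaps

def build_sample_package():
    """Construct a throwaway package with one complete and two incomplete objectives."""
    root = tempfile.mkdtemp()
    files = {
        "3.4.1[a]": ["policy-CM.pdf", "procedure-baseline.md", "screenshot-intune-baseline.png"],
        "3.4.1[b]": ["policy-CM.pdf", "procedure-baseline.md"],   # screenshot missing
        "3.4.3[a]": ["screenshot-change-ticket.png"],              # policy and procedure missing
    }
    for obj, names in files.items():
        d = os.path.join(root, obj.split("[")[0], obj)
        os.makedirs(d, exist_ok=True)
        for n in names:
            open(os.path.join(d, n), "w").close()
    return root, list(files)

if __name__ == "__main__":
    root, objs = build_sample_package()
    print(audit_package(root, objs))
```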


What should you do during the C3PAO interview week?

Answer the question that was asked – and stop. This sounds obvious. In practice, it’s harder than it sounds, and the consequences of getting it wrong are tangible.

During a live audit interview, there’s a natural impulse to demonstrate thoroughness. To show that your organization does something not just in one place but also in another, not just one way but also another way. That impulse often reflects genuine preparation. However, it can also open new lines of questioning that the assessor was not previously pursuing.

Reid described a moment during Teal’s audit week where he went slightly beyond what the assessor was asking and immediately triggered a set of follow-up questions he hadn’t planned for.

“That’s where I thought, ‘Oh, shoot,’” said Reid. “‘Now I might be going down a direction that I’m not explaining things well, or I’m introducing more questions.’”

Teal’s thorough preparation meant they could answer those questions, but that moment clearly illustrates the risk you take.

If you demonstrate a control as it was documented, and the assessor is satisfied, stop there. If they want additional context, they will ask for it.

Should you build a CMMC enclave, or assess your whole organization?

Start by mapping where your CUI actually goes. Before you can answer whether an enclave is the right approach for your organization, you need to understand the data flow:

  • Which systems store, process, or transmit CUI
  • Which people have access
  • Which vendors or tools come into contact with that data

An enclave approach scopes a defined, tightly controlled environment for CUI handling rather than applying CMMC controls to the entire organization.

For organizations where some operations involve CUI and others don’t, this avoids applying heightened security requirements uniformly across every user, system, and process. It also creates a cleaner, more defensible scope for the C3PAO to assess.

The right answer depends on where people work, what cloud services the organization uses, how CUI enters and exits the environment, and how the IT infrastructure is structured.

There is no universal answer, but there is almost always a right answer for a specific organization once the CUI data flow is mapped.

One thing organizations consistently underestimate: the data inside management tools is security protection data, and it needs to be protected with the same rigor as CUI. That includes:

  • Passwords
  • Patching records
  • Security configurations
  • Endpoint telemetry

Organizations that scope only around the users who directly handle CUI – without accounting for the management and security tooling layer – often find significant gaps later in the process, when there’s less time to address them.

What should you do first if you haven’t started CMMC Level 2 yet?

Map your CUI. Before engaging a C3PAO, before building an SSP, before running a gap assessment, draw the data flow. On paper, if you need to. Trace where CUI enters your organization, which systems it touches, who has access, where it’s stored, and how it exits.

That map becomes the foundation for every scoping decision that follows.

Without it, gap assessments are imprecise, SSP scope is unclear, and enclave decisions are guesswork. With it, you’re working from reality – which means every hour you spend in the gap assessment and the SSP phase is more productive.

After the map is complete, run a gap assessment against NIST SP 800-171. Most organizations will find gaps even with existing compliance programs. The gap assessment will tell you what that work is, and that’s the starting point for building a realistic project plan that leadership teams can understand and fund.

What this process produced

The lessons above come from Teal’s own CMMC Level 2 assessment, completed in early 2026 with a C3PAO. Teal met all 110 controls with zero open Plan of Action and Milestones – a result most organizations don’t achieve on their first assessment.

The SSP, the configuration management documentation discipline, the organized evidence package, the year-plus preparation timeline – none of it was incidental. It’s what a clean result requires.

If your organization is working toward CMMC Level 2 certification and you want to understand where your program stands today, a gap assessment against NIST SP 800-171 is the right place to start. It’s a conversation we know how to have, because we’ve been through it ourselves. Explore our CMMC managed IT services to learn more.

FAQ

Can you self-assess CMMC Level 2?

Yes, when your contract allows it. Under CMMC 2.0, organizations handling CUI may conduct a Level 2 self-assessment against all 110 NIST SP 800-171 requirements, post results to SPRS, and submit an annual affirmation of compliance. Not every contract permits self-assessment. Check your contract language before assuming this path is available to you.

What does CMMC Level 2 compliance mean?

CMMC Level 2 means your organization has fully implemented all 110 security requirements in NIST SP 800-171 to protect CUI. Compliance is verified through either a self-assessment or a third-party C3PAO assessment, recorded in SPRS, affirmed annually, and subject to full reassessment every three years.

How much does a CMMC Level 2 assessment cost?

Self-assessment costs run roughly $34,277 for small entities and $43,403 for larger organizations, covering assessment and initial affirmation. Third-party C3PAO assessments run significantly higher and vary based on your environment’s scope, complexity, and the assessor’s rates. Neither figure includes the cost of remediation work to be done before the assessment.

How long does CMMC Level 2 preparation take?

Plan for at least 12 months. That clock starts before a single artifact gets collected. Organizations with existing compliance programs – like ISO 27001 – have a structural head start. However, the depth of documentation CMMC Level 2 requires is different. Organizations starting from scratch should expect the timeline to extend further.


Cayden Crowise is a marketing copywriter at Teal with over three years of experience creating content focused on managed IT services, AI, automation, cybersecurity, compliance frameworks, and emerging technologies.

Trained in professional writing and marketing communications, Cayden specializes in translating complex topics into outcome-focused guidance for IT leaders, executives, government contractors, and growing organizations.

Their work supports businesses navigating security risk, operational maturity, and business growth.
