CMMC 2.0 Phase 2 enforcement begins November 10, 2026. Solicitations issued after that date require CMMC Level 2 certification for contractors handling CUI (Controlled Unclassified Information). Existing contracts may include certification requirements at option periods.
What CMMC 2.0 Level 2 actually requires
Level 2 maps to NIST SP 800-171 Rev 2 — 110 practices across 14 domains. An independent C3PAO (Certified Third-Party Assessor Organization) assessment is required; self-attestation is only allowed for non-prioritized acquisitions at DoD's discretion.
Of the 110 practices, the ones most DoD contractors struggle with (based on our passive scan findings and contractor self-assessment data from SPRS):
| CMMC Practice | Control | What we find passively | Severity |
|---|---|---|---|
| IA.L2-3.5.3 | Multi-factor authentication | Login pages without MFA indicators on public-facing systems | CRITICAL |
| SI.L2-3.14.1 | Flaw remediation | Unpatched CVEs on internet-facing services (FortiGate, Ivanti, Cisco ASA) | CRITICAL |
| SC.L2-3.13.8 | Transmission encryption | TLS 1.0/1.1 still enabled; weak cipher suites in TLS handshake | HIGH |
| CM.L2-3.4.1 | System baseline config | Exposed dev/debug endpoints, open admin panels, default configurations | HIGH |
| AC.L2-3.1.3 | CUI flow control | S3 bucket public listing (potential CUI exfiltration vector) | HIGH |
| IA.L2-3.5.10 | Credentials in storage | Exposed .env files with API keys, DB credentials, or OAuth secrets | CRITICAL |
| CA.L2-3.12.1 | Security assessment | No external-facing evidence of regular assessment (SPRS score below 90) | MEDIUM |
The gap that surprises most contractors: email security
DMARC, DKIM, and SPF configuration failures are the most common finding in our CMMC contractor dataset — present in 67% of scanned organizations. This maps directly to CMMC AC.L2-3.1.20 (control connections to external systems) and IA.L2-3.5.3 (MFA requirements).
A misconfigured DMARC policy (p=none instead of p=reject) means anyone can send email that appears to come from your company domain — including fake DoD contract communications, fake CFO payment requests, and fake sub-contractor invoices. This is the mechanism behind 90%+ of Business Email Compromise attacks.
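As an added example (not the vendor's scanner or any code from the page), the check below parses a DMARC TXT record and the SPF `all` qualifier and flags exactly the weak settings described above, p=none in particular. The sample records and the example.com domain are constructed.

```python
import re
from typing import List, Optional

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return findings for a DMARC record; an empty list means the policy is enforcing."""
    if not record:
        return ["no DMARC record published: any host can spoof the domain"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1; receivers will ignore it")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"missing or invalid p tag ({policy!r})")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of messages")
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are not protected")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    return findings

def assess_spf(record: Optional[str]) -> List[str]:
    """Flag SPF records whose 'all' qualifier lets unlisted senders through."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no valid SPF record published"]
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return ["SPF record has no 'all' mechanism; unlisted senders are treated as neutral"]
    qualifier = match.group(1) or "+"  # a bare 'all' means '+all' (pass)
    return [] if qualifier == "-" else [f"'{qualifier}all': unlisted senders are not failed"]

# Constructed sample records for a hypothetical contractor domain (not real DNS data).
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print(label, assess_dmarc(rec) or "OK")
```

In practice the records would come from a DNS TXT lookup of `_dmarc.<domain>` and `<domain>`; the functions only evaluate the text of the records.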
Timeline reality check
Getting to CMMC Level 2 certification from scratch takes 6–18 months:
- Gap assessment: 4–8 weeks
- Remediation (most orgs): 3–6 months
- C3PAO scheduling: 6–12 week lead time (assessors are backlogged)
- Assessment itself: 2–4 weeks
- POA&M closure (if any findings): additional weeks
Organizations that haven't started a gap assessment by mid-2026 are at significant risk of missing the November deadline.
Our T1 scan can identify the CMMC gaps visible from public sources in 48 hours — no system access required. This gives you a starting baseline before you engage a C3PAO. Most contractors use our report to prioritize remediation before the formal assessment.
Know your CMMC gap before your assessor does
Our passive scan identifies the most common CMMC 2.0 failures visible from public sources. 48-hour delivery. Includes control mapping to NIST 800-171 practices.