CMMC Level 2 - NIST SP 800-171
CMMC Level 2 Preparation for DoD Contractors Handling CUI
Level 2 is required for any contractor handling Controlled Unclassified Information.
110 practices across 14 domains.
Third-party assessment required.
We build your compliance program - from gap assessment to C3PAO readiness.
110 Practices
C3PAO Assessment Report
SPRS & POA&M included
Annual affirmation support
WHO NEEDS LEVEL 2
Does Level 2 apply to you?
Level 2 is triggered by CUI - Controlled Unclassified Information - in your contract scope.
You need Level 1 if...
Your DoD contract includes FAR clause 52.204-21.
You receive, store, or transmit any information the government provided under contract that is not publicly available.
You are a prime or subcontractor in the DoD supply chain.
You need Level 2 if...
Your DoD contract includes DFARS clause 252.204-7012 or 252.204-7021.
You handle technical drawings, export-controlled data, or other Controlled Unclassified Information.
Your prime contractor flows CUI down to you.
Check your contract now. Look for DFARS clauses 252.204-7012 or 252.204-7021. If either is present, you handle CUI and need Level 2. Requirements flow down through the supply chain - subcontractors are not exempt.
Key contract clauses that trigger Level 2 - search your contract for these:
DFARS 252.204-7012
DFARS 252.204-7021
NIST SP 800-171
CUI Handling
WHAT WE DELIVER
Everything included in your engagement
Every deliverable needed for a successful C3PAO assessment - nothing outsourced, nothing skipped
Gap assessment report
110-practice evaluation with Met/Partial/Not Met status and evidence notes for every finding
Plan of Action & Milestones
Official POA&M documenting every gap and your committed timeline to close it - submitted with your SPRS score
Network Diagrams & Data Flows
Visual documentation of your CUI boundary, network architecture, and how data moves through your environment.
System Security Plan (SSP)
The master document describing your environment and how every practice is implemented - required by assessors
Full policy library
All required written policies across all 14 domains - access control, incident response, media handling, and more
Incident Response Plan
Documented IR Plan plus a facilitated tabletop exercise to generate the evidence of testing that assessors require
Mock C3PAO Assessment
Full simulation of the formal assessment - we play the assessor, so you know exactly what to expect and where you stand
SPRS score & Submission
Final SPRS score calculation with full practice-level breakdown and support submitting to the DoD portal
Microsoft 365 GCC High - often required for Level 2
Standard commercial M365 does not meet the data residency and access control requirements for CUI under DFARS 7012. If your organization stores or processes CUI in Microsoft 365, you likely need to migrate to GCC High before your C3PAO assessment. We handle that migration as part of our Microsoft 365 service line - keeping everything under one roof.
INVESTMENT
Transparent, scoped pricing
Every engagement is scoped individually. These ranges reflect typical environments.
Understand your gaps
$3,500-$6,000
Gap assessment only
Standalone gap assessment, ideal if you have internal resources to drive remediation.
110-practice gap report
Executive summary
SPRS Score estimate
Remediation roadmap
Most Popular
$20,000-$45,000
Full preparation
Everything from gap assessment through mock C3PAO assessment. Up to 75 Users.
All gap assessment deliverables
SSP, POA&M, policy library
Network diagrams & IR Plan
Mock C3PAO Assessment
Annual affirmations
Large Environments
$45,000-$75,000 +
Enterprise engagement
Multi-location or 75+ user environments with complex CUI boundaries or GCC High migration included.
All full preparation deliverables
Multi-site scoping
GCC High migration included
On-site assessment support
Start your Level 2 journey today
The sooner you start, the more options you have. Book a free 30-minute consultation - we will tell you exactly where you stand and what it realistically takes to get certified.
RVA Tech Visions
Technology security and compliance advisory for small and mid-size businesses in the Richmond, VA metro area and beyond.
© 2025 RVA Tech Visions, LLC - Richmond VA
rvatechvisions.com
