
CMMC Level 2
No CMMC Level 2, no DoD contract.
If your contracts touch Controlled Unclassified Information, CMMC Level 2 certification is the price of doing business with the DoD. And it's a bigger lift than most contractors expect.
What comes with the contract
You went after the contract. It came with 110 security controls.
CMMC Level 2 isn't a form you sign. It's 110 practices across 14 domains, every one documented, evidenced, and verified by a third-party assessor. Most contractors don't have the time or the people to stand that up while running the business.
What the contract really asks for
110
CMMC Level 2 / NIST SP 800-171
security practices, across 14 domains. Every one documented and verified.
That's the bar for handling the government's data. Not a checkbox, a full program, and one your team has to keep standing up while they do their real jobs.
The contract is the reward. The 110 are the work.
What CMMC Level 2 is
The DoD's bar for protecting its data in your hands.
Plain version: if you handle the government's sensitive-but-unclassified data, you have to prove you protect it. Beyond the 110 practices, four things define the program.
A third-party assessment
Not a self-assessment. An authorized C3PAO has to assess and certify you, and demand far outruns supply, so start early.
A System Security Plan
The foundational document. Most companies show up to an assessment without one. It's the first thing we build.
A defined CUI boundary
You have to know exactly where the government's data lives in your environment before you can protect it.
Ongoing monitoring
Several practices require continuous monitoring and incident response, not a one-time setup. That's where Managed Overwatch comes in.
Who it's for
If any of these is you, the CMMC clock is already running.
CMMC Level 2 applies to you if:
- You hold or are pursuing a DoD contract that involves Controlled Unclassified Information.
- A prime contractor has flowed the requirement down to you.
- You just won an award and certification is a condition of performance.
- You're not sure whether your contracts involve CUI; that uncertainty is itself the first gap.
How it gets done
We make you assessment-ready. The C3PAO certifies.
We run the readiness program end to end: discovery, the gap analysis against all 110 practices, every policy, the SSP, evidence, and assessment support, so your team keeps delivering. Most contractors add Managed Overwatch for the continuous-monitoring practices the assessor checks. We prepare and support; the C3PAO conducts and certifies.
Questions we hear
Common questions
What is CMMC Level 2 and who does it apply to?
CMMC Level 2 is the Department of Defense's certification level for contractors that handle Controlled Unclassified Information (CUI). It covers 110 security practices across 14 domains, drawn from NIST SP 800-171. If your company holds or pursues DoD contracts involving CUI, it applies to you. If you're not sure whether your contracts involve CUI, that uncertainty is itself a gap worth closing.
Is CMMC Level 2 a self-assessment?
No. A third-party assessment organization, a C3PAO, must conduct and certify your program. Simple Plan IT prepares you for that assessment and is present throughout it, but the C3PAO conducts and certifies. We do not conduct assessments or guarantee outcomes. We make you assessment-ready.
How long does CMMC Level 2 certification take?
Typically 9 to 18 months from starting a readiness program to certification, depending on your current maturity. The assessor pipeline is also backlogged, so the assessment you need may not be schedulable for months. Companies that start early have the flexibility to certify before a contract deadline. Companies that wait have deadlines they didn't plan for.
Why do companies fail CMMC assessments?
The most common gaps are missing documentation, no System Security Plan, confusion about where CUI lives, and incident response plans that were written but never tested. We close these before they cost you: we build the SSP first, establish the CUI boundary during discovery, and build and test the incident response plan rather than just writing it.
Does CMMC certification mean my environment is protected?
Getting certified isn't the same as being protected. CMMC Level 2 requires ongoing security monitoring and incident response as part of the 110 practices. Documentation satisfies the assessor; active monitoring satisfies the requirement. Most contractors pursuing CMMC run Managed Overwatch Security alongside it (US-based engineers monitoring the environment 24/7) to meet those monitoring practices.
The requirement is coming whether you're ready or not. Be ready.
We help defense contractors get CMMC-ready without burying a team that has real work to do. The sooner you start, the more the calendar works for you instead of against you.