The CMMC 2.0 Level 2 Self-Assessment Playbook
For defense contractors and suppliers in the Defense Industrial Base (DIB), complying with the Cybersecurity Maturity Model Certification (CMMC) 2.0 is no longer optional. Under the DoD's CMMC Program rule (32 CFR Part 170), CMMC requirements are being phased into DoD solicitations and contract awards.
CMMC 2.0 Level 2 is designed for contractors that handle Controlled Unclassified Information (CUI). It maps one-to-one to the 110 security requirements of NIST SP 800-171 Revision 2, the revision the CMMC rule references.
Whether a given contract allows a Level 2 self-assessment or requires a certification assessment by a C3PAO (CMMC Third-Party Assessment Organization) is set by the DoD in the solicitation, based on the sensitivity of the CUI involved. A Level 2 self-assessment is performed every three years, with an annual affirmation of continued compliance entered in SPRS by a senior company official.
This playbook outlines a step-by-step roadmap to conduct your Level 2 self-assessment, calculate your SPRS score, and draft the required compliance documentation.
The CMMC 2.0 Level 2 Assessment Roadmap
Completing your self-assessment requires going beyond verbal attestations. You must hold objective evidence (configurations, policies, logs, screenshots) showing that every requirement is implemented, not just claimed.
```mermaid
graph TD
A[Step 1: Define CUI Boundary] --> B[Step 2: Assess the 110 Requirements]
B --> C[Step 3: Calculate SPRS Score]
C --> D[Step 4: Draft the SSP]
D --> E[Step 5: Draft the POA&M]
```
Step 1: Define Your CUI Boundary (Scoping)
Before auditing controls, you must establish where Controlled Unclassified Information (CUI) lives, flows, and is stored in your environment.
- Identify: Review your contracts (the DFARS 252.204-7012 clause and any CUI markings on deliverables) to trace where CUI enters your systems.
- Isolate: Whenever possible, isolate CUI on segregated network segments or in a secure enclave SaaS environment. The smaller your CUI boundary, the cheaper and faster your assessment will be.
- Inventory: Document all assets, people, cloud services, and external subcontractors that store, process, or transmit CUI. A cloud service that holds CUI must meet FedRAMP Moderate (or equivalent) requirements under DFARS 252.204-7012.
Step 2: Assess the 110 NIST SP 800-171 Requirements
Step through each of the 110 requirements across the 14 security families (including Access Control, Incident Response, Risk Assessment, and System and Communications Protection). For each requirement, you must determine if it is:
- Met: Fully implemented and backed by documented evidence.
- Not Met: Missing or only partially implemented. A partial implementation scores as Not Met, with two exceptions noted under Step 3.
- Not Applicable: Justified in the SSP as out of scope for your specific environment (for example, physical-access requirements for a fully remote firm with no facility).
Step 3: Calculate Your SPRS Score
The DoD tracks compliance using a summary score entered in the Supplier Performance Risk System (SPRS), reached through the PIEE portal. Scoring follows the NIST SP 800-171 DoD Assessment Methodology:
- Starting Value: Every assessment starts at a maximum score of 110.
- Deductions: Each “Not Met” requirement subtracts its assigned weight of 5, 3, or 1 points:
- 5-point requirements: e.g., no MFA (3.5.3), no vulnerability scanning (3.11.2), no audit log generation and retention (3.3.1).
- 3-point requirements: e.g., CUI not encrypted in transit (3.13.8), incidents not tracked and reported (3.6.2).
- 1-point requirements: e.g., no session lock (3.1.10), unsuccessful logon attempts not limited (3.1.8).
- Partial Credit: Only two requirements allow a reduced 3-point deduction instead of the full 5: MFA (3.5.3) when it covers privileged and remote access but not all network users, and FIPS-validated cryptography (3.13.11) when encryption is in place but the modules are not FIPS-validated.
- The System Security Plan (3.12.4) carries no point value: without an SSP the assessment cannot be conducted at all.
- The Scale: Scores range from 110 down to -203. Anything below 110 must be accompanied by a POA&M with a date by which the remaining requirements will be met.
Step 4: Develop Your System Security Plan (SSP)
The SSP is your primary compliance deliverable. It must detail exactly how your organization meets each of the 110 controls:
- Identify the specific hardware, software, and personnel responsible for the control.
- Describe the active configuration (e.g., “EDR agent version X is deployed to all target endpoints and monitored 24/7 by SOC Y”).
- Reference supporting evidence files (configuration screenshots, policy documents).
Step 5: Draft the Plan of Action and Milestones (POA&M)
If you have “Not Met” requirements (resulting in a score below 110), you must document how and when you will fix them:
- List every deficiency with a specific remediation plan.
- Assign a target completion date.
- Note: Under the CMMC rule (32 CFR 170.21), a POA&M only yields Conditional Level 2 status if your score is at least 88 (80% of 110), no open item is worth more than 1 point (3.13.11 may stay open only at its 3-point partial value), and none of 3.1.20, 3.1.22, 3.10.3, 3.10.4, or 3.10.5 is open. Every other requirement must be Met at assessment time, and the POA&M must be closed out within 180 days or conditional status lapses.
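The scoring rules in Step 3 and the POA&M eligibility rules in Step 5 are easy to get wrong by hand, so here is a worked calculator, added as an example and not part of the original playbook or any DoD tool. The weight table is a constructed subset of the DoD Assessment Methodology's Annex A covering only the requirements the sample uses (a real run needs all 110 rows), and the sample assessment is a constructed one for a fully remote contractor.

```python
"""Worked SPRS scoring and POA&M-eligibility check (constructed example).

Scoring follows the NIST SP 800-171 DoD Assessment Methodology: start at 110
and subtract each NOT MET requirement's weight (5, 3 or 1); two requirements
allow a reduced 3-point deduction when partially implemented.  POA&M
eligibility follows the Conditional Level 2 rules in 32 CFR 170.21.
"""

MAX_SCORE = 110
MIN_SCORE = -203  # 110 minus the 313 points spread across all 110 requirements

# (full deduction, reduced deduction when partially implemented or None).
# CONSTRUCTED SUBSET of Annex A: only the requirements this example uses.
WEIGHTS = {
    "3.1.1": (5, None),   # limit system access to authorized users
    "3.1.8": (1, None),   # limit unsuccessful logon attempts
    "3.1.10": (1, None),  # session lock
    "3.1.20": (1, None),  # external connections
    "3.1.22": (1, None),  # control publicly posted CUI
    "3.3.1": (5, None),   # create and retain audit logs
    "3.3.3": (1, None),   # review and update logged events
    "3.5.3": (5, 3),      # MFA; 3 if only privileged/remote access is covered
    "3.6.2": (3, None),   # track, document and report incidents
    "3.10.3": (1, None),  # escort visitors
    "3.10.4": (1, None),  # physical access logs
    "3.10.5": (1, None),  # manage physical access devices
    "3.11.2": (5, None),  # vulnerability scanning
    "3.12.4": (0, None),  # SSP: unscored; without it no assessment is possible
    "3.13.8": (3, None),  # encrypt CUI in transit
    "3.13.11": (5, 3),    # FIPS-validated crypto; 3 if encrypted but not validated
}

# 1-point requirements that may never be left open on a POA&M (32 CFR 170.21).
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
STATUSES = {"MET", "NOT_MET", "PARTIAL", "NA"}


def deduction(req_id: str, status: str) -> int:
    """Points subtracted for one requirement in the given status."""
    if status not in STATUSES:
        raise ValueError(f"{req_id}: unknown status {status!r}")
    full, partial = WEIGHTS[req_id]
    if req_id == "3.12.4" and status != "MET":
        # A missing SSP is not a 0-point finding: there is nothing to assess.
        raise ValueError("3.12.4 (SSP) not met: assessment cannot be conducted")
    if status in ("MET", "NA"):
        return 0  # N/A costs nothing but must be justified in the SSP
    if status == "PARTIAL" and partial is not None:
        return partial  # reduced deduction exists only for 3.5.3 and 3.13.11
    return full  # any other partial implementation scores as NOT MET


def sprs_score(assessment: dict[str, str]) -> int:
    """Summary score: 110 minus all deductions, floored at -203."""
    total = sum(deduction(r, s) for r, s in assessment.items())
    return max(MAX_SCORE - total, MIN_SCORE)


def poam_eligible(assessment: dict[str, str]) -> tuple[bool, list[str]]:
    """Can the open items be deferred to a POA&M for Conditional Level 2?"""
    reasons = []
    score = sprs_score(assessment)
    if score < 0.8 * MAX_SCORE:  # 88 of 110
        reasons.append(f"score {score} is below the 88-point minimum")
    for req_id, status in assessment.items():
        if status not in ("NOT_MET", "PARTIAL"):
            continue
        points = deduction(req_id, status)
        if req_id in NEVER_ON_POAM:
            reasons.append(f"{req_id} may never be left open on a POA&M")
        elif points > 1 and not (req_id == "3.13.11" and points == 3):
            reasons.append(f"{req_id} (open, {points} points) must be Met first")
    return (not reasons, reasons)


# CONSTRUCTED sample: a fully remote contractor with no facility of its own.
SAMPLE = {
    "3.1.1": "MET", "3.1.8": "NOT_MET", "3.1.10": "MET", "3.1.20": "MET",
    "3.1.22": "MET", "3.3.1": "MET", "3.3.3": "NOT_MET",
    "3.5.3": "PARTIAL",   # MFA on admin and VPN logins only
    "3.6.2": "MET", "3.10.3": "NA", "3.10.4": "NA", "3.10.5": "NA",
    "3.11.2": "MET", "3.12.4": "MET", "3.13.8": "MET",
    "3.13.11": "PARTIAL",  # TLS/disk encryption present, modules not validated
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    ok, why = poam_eligible(SAMPLE)
    print("Conditional Level 2 via POA&M:", ok)
    for line in why:
        print("  -", line)
```

On the sample, the score is 102, comfortably above 88, yet the firm still cannot use a POA&M: the partial MFA rollout (3.5.3) costs 3 points and has no POA&M exception, whereas the non-validated encryption (3.13.11) at 3 points does. Fixing MFA first changes the answer.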
Critical CMMC Controls Often Missed by Contractors
During self-assessments, contractors frequently score “Not Met” on these specific requirements:
- FIPS-Validated Cryptography (3.13.11): Any cryptography used to protect the confidentiality of CUI, at rest or in transit, must come from a FIPS 140-2 or 140-3 validated module listed by NIST's CMVP and run in its validated configuration. Ordinary commercial encryption (a product that uses AES but whose module was never validated, or a validated library with FIPS mode left off) scores a 3-point deduction rather than Met.
- Multi-Factor Authentication for Local Privileged Access (3.5.3): MFA is required for network access by all users and for local and network access to privileged accounts, so an administrator logging in locally to a switch, server, or firewall console needs MFA, not just the cloud portal users.
- Audit Log Generation, Retention, and Review (3.3.1, 3.3.5): 3.3.1 requires you to generate and retain audit logs sufficient to investigate unauthorized activity; 3.3.5 (and 3.14.6) require you to show those logs are actually reviewed and correlated for indicators of unauthorized or suspicious activity, not merely collected.
[!TIP] Audit Your NIST CSF Alignment: Evaluate your organization’s administrative and technological baseline controls instantly with our free Security Self-Assessment.
Action Plan to Prepare
If you must upload your SPRS score to secure an upcoming DoD contract award:
- Scope your Boundary: Limit the workstations and networks exposed to CUI.
- Execute the Self-Assessment: Go through the 110 controls methodically.
- Bring in Expert Guidance: CMMC/NIST compliance is technically dense. Engage a Fractional CISO to oversee the SSP drafting, verify your FIPS cryptography, and run your assessments.
Need help executing your CMMC 2.0 self-assessment or drafting your SSP? Schedule a consultation with a THOR advisor.