CMMC is no longer a future requirement — it is showing up in solicitations now, and it flows down. If a prime is handling Controlled Unclassified Information (CUI), the subcontractors who touch that CUI carry the same expectations. For a small business competing for cyber work, understanding what CMMC Level 2 actually asks for is the difference between being a teaming asset and being a liability on a bid.
Level 2 is NIST SP 800-171, with evidence
CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171. Most firms can recite the control families — access control, audit and accountability, configuration management, and the rest. The harder part is proof. An assessor — or a self-assessment done honestly — does not ask whether you have a policy; it asks for the artifact that shows the control is operating: the log, the ticket, the configuration baseline, the access review.
Self-assessment versus third-party
Not every Level 2 contract requires a third-party assessment. Many contracts allow an annual self-assessment with results posted to the Supplier Performance Risk System (SPRS) and an affirming official's sign-off; others require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO). Knowing which one applies to a given opportunity — and being honest about your current status — matters. Presenting a self-assessment as a certified assessment is exactly the kind of misrepresentation that ends a teaming relationship.
What actually trips teams up
- Scoping. Drawing the boundary around where CUI lives is the first and most-skipped step. Over-scope and you drown in controls; under-scope and your SSP doesn't match reality.
- The SSP and POA&M. The System Security Plan has to describe the environment as it is — not as you wish it were — and the Plan of Action & Milestones has to record the gaps honestly rather than paper over them.
- Evidence over intent. "We require MFA" is a policy. The enforced configuration and the access review are the evidence.
NexThreat operates to a CMMC Level 2 (self-assessment) baseline and helps prime teams close the gap between policy and proof before it shows up in an assessment. If your team is preparing a bid where CMMC flows down, we are glad to compare notes.