TL;DR: CMMC Level 2 requirements are now appearing in Department of Defense contracts, and Redspin says only 28.7% of organisations have completed a Level 2 assessment while nearly 37% are not scheduled or do not know their next step. The gap is no longer theoretical: contractors must evidence control implementation, assessment readiness, and contractual compliance at the pace of procurement, not at the pace of internal planning.
NHIMG editorial — based on content published by Secureframe: How to Meet CMMC Level 2 Compliance Requirements + Checklist
By the numbers:
- Only 28.7% of organizations have completed a Level 2 assessment with a certified assessor.
Questions worth separating out
Q: What fails when CMMC Level 2 access control is not tightly governed?
A: CMMC Level 2 breaks down when CUI access is broader than job function, because assessors need evidence that access is least privilege, role-based, and revoked when roles change.
Q: Why do CMMC Level 2 programmes depend so heavily on identity and privilege management?
A: Because CUI protection is only credible when the organisation can show who can reach regulated data, who can administer the systems around it, and how quickly that access disappears when it is no longer needed.
Q: What do organisations get wrong about CMMC Level 2 readiness?
A: The most common mistake is treating readiness as a document review instead of an operating-state problem.
Practitioner guidance
- Inventory every CUI-touching identity and system Create a full list of users, admins, contractors, service accounts, and security tools that can access CUI or security protection assets, then assign an owner and system boundary to each.
- Align access reviews to role and contract changes Tie joiner, mover, leaver events to immediate access review and revocation for CUI environments, including privileged roles and any non-human identities that support those workflows.
- Build an assessor-ready evidence pack Collect proof of implementation for the 110 requirements before the assessment window opens, including screenshots, logs, tickets, training records, and remediation tracking.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- A full 110-control compliance checklist mapped to CMMC Level 2 requirements and assessment objectives
- Step-by-step guidance on assessment prep, conditional status, POA&M closure, and annual affirmation
- Cost estimates for self-assessment versus third-party assessment, including readiness and remediation spend
- Operational examples of how CUI, SPD, and SPAs should be scoped inside contractor environments
👉 Read Secureframe's guide to CMMC Level 2 compliance requirements and checklist →
CMMC level 2 compliance: what DIB teams need to prove now?
Explore further
CMMC Level 2 is really an evidence problem disguised as a compliance programme. The article correctly frames the shift from preparation to enforcement, but the harder issue is whether organisations can prove control operation under assessment pressure. In CMMC terms, passing is not about drafting procedures, it is about demonstrating that the controls around CUI are repeatable, monitored, and defensible. Practitioners should treat evidence quality as a control in its own right.
A question worth separating out:
Q: Who is accountable when CMMC readiness gaps delay certification?
A: Accountability sits with the programme owner and the control owners who must ensure the environment, evidence, and documentation stay consistent. In practice, compliance cannot be treated as a documentation-only task. Governance needs named owners for scope, evidence quality, remediation tracking, and final assessment readiness.
👉 Read our full editorial: CMMC level 2 compliance now means proving control maturity