
The CMMC Level 2 Guide

Everything a defense contractor needs to understand about CMMC Level 2 — scope, cost, timeline, and how to avoid the mistakes that sink first-time assessments.

This guide is intended for contractors who know they will need CMMC Level 2 but have not yet started. It is opinionated. It assumes you would rather hear the honest version than the vendor version, and it is based on the patterns we see across dozens of in-progress engagements.

01

What Level 2 actually is

CMMC Level 2 is a third-party-assessed compliance regime for contractors that handle Controlled Unclassified Information (CUI). It maps to the 110 security requirements in NIST SP 800-171 Rev 2. Assessments are conducted by accredited CMMC Third-Party Assessor Organizations (C3PAOs) and are valid for three years, with annual affirmations and continuous monitoring in between.

02

Who needs it

If your DoD contract includes DFARS 252.204-7012 and touches CUI — technical drawings, specs, source-selection sensitive data, export-controlled information — you will need Level 2. Flow-down from primes means subcontractors usually find out with 30–90 days of warning, which is not enough time to start a six-month engagement.

03

How much it costs

Traditional CMMC engagements run $120k–$300k over 6–9 months on hourly billing from incumbent consultancies, plus a $30k–$50k C3PAO assessment fee. Tolerance delivers the implementation side — SSP, policies, POA&M, gap assessment, training, evidence vault — for a fixed $55k+, with the C3PAO fee paid directly to the assessor.

04

Timeline

Six to eight weeks for implementation with Tolerance, versus 24–32 weeks with incumbent consultancies. The C3PAO assessment itself typically runs 2–4 weeks after readiness, depending on C3PAO availability.

05

Common failure modes

Evidence that exists but cannot be located during the assessment window. A scope that silently grew because CUI leaked into a non-authorized tenant. SSPs that describe a system that no longer exists because the environment changed after documentation was written. Employees who were never prepared for the interview portion of the assessment.

06

What to do next

If you have a contract clause referencing DFARS 7012 or CMMC and you are not yet in a remediation cycle, the first step is a gap assessment to see where you stand against the 110 controls. Tolerance runs one in two hours. Book a demo to start.
