CMMC Level 2: Where Defense Subcontractors Fail Assessments (And How to Close the Gaps Before the C3PAO Arrives)

The C3PAO doesn't care how long you've been working on it. They care what the evidence shows on assessment day. 

The prevailing reality of CMMC Level 2 is that many assessment failures aren't just about missing paperwork; they are implementation failures of the tools themselves. While most contractors have basic security, they lack the granular access controls and persistent encryption required to protect CUI once it leaves a server. If you can’t enforce (and prove) access control at the file level, you aren't just failing a policy; you are failing the core NIST SP 800-171 requirements that CMMC is built upon.

With ~80,000 companies needing CMMC Level 2 certification, the stakes are existential. Industry analysts project that 33,000–44,000 companies will exit the defense market by 2027 rather than achieve certification. For many, achieving certification is viewed as prohibitively difficult, primarily from a cost perspective. Between expensive infrastructure upgrades and the high price of "gap-filling" consultants, many subcontractors feel priced out of the market.

This financial burden is usually the result of trying to 'force' legacy architecture to meet modern federal standards. This 'force-fitting' creates a critical gap: aging tools simply cannot produce the FIPS 140-3 validated evidence or real-time revocation that a C3PAO demands. To bridge this gap with legacy tech, subcontractors often face a total network redesign—unless they find a way to secure the data itself.

The Three Forms of CMMC Assessment Failure

Assessment failures cluster into three categories. Understanding which type applies to your organization determines how you close the gap.

1. Documentation Without Evidence: The policy exists, the SSP says the control is implemented. But the C3PAO asks for evidence — logs, screenshots, configuration exports — and the team goes silent or produces documents that don't match what's running in production. The SSP says MFA is enforced on all systems. The assessor checks and finds three legacy servers excluded from the MFA policy. That's a finding.
2. Scope Underestimation: The CUI boundary is smaller on paper than in practice. A subcontractor's SSP covers the primary file server and the VPN. It doesn't cover the engineer's personal laptop that has design documents on it, or the cloud storage account the PM uses to share files with the customer. Every system, device, or service that touches CUI falls within the CMMC scope. If it's not in the SSP, it's a gap.
3. Control Implementation That Doesn't Map to Practices: CMMC Level 2 has 110 practices across 14 domains. The most common gap is controls that partially satisfy a practice, not zero implementation, but implementation that doesn't meet the specific language of NIST SP 800-171. Control 3.13.10 (FIPS-validated encryption) is among the most cited deficiencies: organizations use encryption, but not FIPS 140-3 validated modules, which is the specific requirement.

Control Family 3.13: The Encryption Requirement That Trips Most Contractors

NIST SP 800-171 Control 3.13.10 requires FIPS-validated cryptography when protecting CUI. This is not "encryption" generically; it requires NIST CMVP-validated encryption modules. BitLocker in certain configurations qualifies. Many popular file sync and collaboration tools do not. Most encrypted email products do not enforce FIPS 140-3 validated modules.

The practical implication: if CUI is shared via an email attachment with a subcontractor, and that email tool is not FIPS 140-3 validated, that's a gap under 3.13.10. If design files are stored in a cloud sync folder not covered by a FIPS-validated encryption module, that's a gap. The control is specific, and assessors test it with specificity.

Per-file encryption using FIPS 140-3 validated modules closes 3.13.10, but only if the SSP documents the specific module, version, and deployment scope. The evidence package for 3.13.10 should include the CMVP certificate number, deployment configuration, and system coverage.

The CUI Boundary Problem: What's In Scope and What Gets Missed

The CMMC assessment scope is defined by where CUI lives, travels, and is processed. Most contractors underestimate this boundary in three ways:

First, subcontractor data flow. When CUI is shared downstream to Tier 3 suppliers, those file transfers fall within your CUI handling obligations. If you share design specifications or procurement data with a subcontractor, and that subcontractor doesn't have adequate controls, that's a gap in your CMMC compliance posture, not theirs alone. The flow-down obligation means your assessment scope includes your supply chain data sharing practices.

Second, endpoints outside the managed environment. Remote workers, contractors using personal devices, and authorized users who save files locally all represent CUI boundary violations if those endpoints aren't within the SSP scope and protected accordingly.

Third, the collaboration platform residue. When a project closes, CUI shared via Teams channels, Slack workspaces, or SharePoint sites frequently remains accessible to users whose project access should have been revoked. Persistent access after authorization ends is a finding under access control practices 3.1.1 and 3.1.2.

Self-Assessment vs. C3PAO: The SPRS Score and Legal Risk

CMMC Phase 1 began in November 2025. 

Phase 2 — when DoD can condition contract awards on Level 2 C3PAO third-party assessments — begins November 2026. 

Until then, Level 2 compliance is demonstrated through self-assessment and SPRS submission.

The SPRS score is not just a compliance metric; it’s a legal representation of the federal government. A self-assessment that overstates compliance, knowingly or through negligence, creates False Claims Act exposure. FCA penalties include civil penalties of $13,000+ per claim plus treble damages. Several defense contractors have faced FCA enforcement for inaccurate SPRS submissions.

The POA&M (Plan of Action and Milestones) provides a remediation window for identified gaps — typically 180 days — but it does not protect against FCA claims if the underlying assessment was not conducted in good faith. Conduct your self-assessment against actual evidence, not assumed implementation.

Building the CMMC Evidence Package

A defensible CMMC assessment evidence package addresses every practice in scope with:

1. Policy documentation — the written policy that mandates the control.
2. Implementation evidence — configuration exports, system screenshots, and audit logs.
3. Scope mapping — documentation of which systems, users, and data flows the control applies to.
4. Testing results — evidence that the control was tested and operates as described.

For practices with technical controls (encryption, MFA, logging), the evidence should include tool-specific configuration exports, not narrative descriptions. The assessor will ask to see the configuration. "We use MFA" is not evidence. 

A screenshot of the Entra ID conditional access policy, an export of the device compliance policy, and a sample of the MFA enforcement logs — that's evidence.

30-Day C3PAO Pre-Assessment Readiness Checklist

Use this checklist to identify documentation gaps before a C3PAO assessment. Each item maps to a commonly deficient practice area.

How Theodosian Addresses CMMC Level 2 Evidence Requirements

Theodosian satisfies 20+ CMMC Level 2 practices across the AC (Access Control), SC (System and Communications Protection), AU (Audit and Accountability), and IR (Incident Response) domains. For the specific gap areas that most often produce assessment failures:

Per-file FIPS 140-3 validated encryption closes practice 3.13.10 with a documented, certificate-bearing encryption module. Every CUI file is encrypted at the file level, not at the server level, which means the encryption follows the file whether it's on a managed endpoint, shared with a subcontractor, or accessed remotely.

Cryptographically timestamped access logs provide the audit evidence required under 3.3.1 and 3.3.2 — who accessed which file, when, from which device, and under what policy conditions. The evidence package maps directly to practice requirements.

Instant revocation provides the ability to terminate access to any file or user instantly across all sessions and devices, addressing the persistent-access-after-authorization gap that assessors consistently flag.

Identify Your Assessment Gaps Before the C3PAO Does

The November 2026 deadline for C3PAO assessment conditioning is approaching. Defense contractors who identify documentation and evidence gaps now have time to remediate. Contractors who discover them during an assessment don't.

FAQs: Closing the Gaps on CMMC Level 2