
The 12 Reasons Defense Contractors Fail CMMC Level 2 Assessments

After analyzing C3PAO assessment outcomes and the official CMMC Assessment Guide v2.13, we identified the 12 most common failure patterns. Address these before your assessment and your probability of passing on the first attempt increases dramatically.

By CMMCPilot.ai Intelligence Team·March 1, 2026

"Organizations that complete a gap analysis before their C3PAO assessment are 73% more likely to have fully documented policies and nearly 3× more likely to have advanced controls in place."

— Kiteworks & Coalfire, 2025 DIB Survey (n=209)

CMMC Level 2 certification requires demonstrating compliance with all 110 practices derived from NIST SP 800-171 Rev. 3. A C3PAO (Certified Third-Party Assessment Organization) will spend 3–5 days interviewing your personnel, examining your documentation, and testing your technical controls. The assessment is not a paper exercise — it is a rigorous verification of your actual security posture.

The following 12 failure patterns are drawn from the CMMC Assessment Guide v2.13, practitioner experience from real C3PAO assessments, and the 2025 Kiteworks/Coalfire survey of 209 defense contractors. Each one is preventable with proper preparation.

01. No Documented System Security Plan (SSP)

The SSP is the single most important document in a CMMC assessment. Assessors use it as the roadmap for every interview and evidence request. Organizations that arrive without a complete, current SSP are immediately at a disadvantage — assessors have no baseline to work from and will assume the worst about undocumented controls. The SSP must describe your system boundary, all CUI flows, every implemented control, and the responsible parties for each.

02. Undefined CUI Scope and System Boundary

CMMC only applies to systems that process, store, or transmit CUI. Organizations that have not formally defined their CUI boundary often over-scope their assessment (making it unnecessarily expensive) or under-scope it (creating a compliance gap that fails the assessment). A precise Asset Inventory categorizing every device as CUI Asset, Security Protection Asset, Contractor Risk Managed Asset, Specialized Asset, or Out-of-Scope Asset is mandatory.

03. Missing or Incomplete Multi-Factor Authentication

IA.3.083 (Multi-Factor Authentication for privileged accounts) and IA.3.084 (MFA for non-privileged accounts accessing CUI systems) are among the most commonly failed controls. Many organizations have MFA enabled for some users but not all, or have it configured for cloud apps but not for VPN access or on-premises systems. Assessors will test every access path to CUI — not just the primary one.

04. No Formal Incident Response Plan

IR.2.092 requires an operational incident response capability. Many organizations have a document called an 'Incident Response Plan' that has never been tested, has no defined roles, and lists contact information that is years out of date. Assessors will ask who was the last person to execute the plan, what incident triggered it, and what was the outcome. If no one can answer, the control fails.

05. Unmanaged Third-Party Access to CUI

The 2025 Kiteworks/Coalfire survey found that 29% of organizations have only partial visibility over third-party CUI access. If a vendor, subcontractor, or managed service provider can access your CUI environment — even read-only — that access must be formally controlled, logged, and reviewed. Undocumented third-party access is a red flag that can cascade into failures across the Access Control (AC) and Audit & Accountability (AU) control families.

06. Inadequate Audit Logging and Log Review

AU.2.041 through AU.3.045 require that you log user activity, protect those logs from modification, and actually review them. The most common failure is not the logging itself — most organizations have logging enabled — but the review process. Assessors will ask who reviews the logs, how often, and what they look for, and will request the last three review records. If there is no documented review process with evidence, the control fails.
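One way to pre-check the review evidence an assessor asks for (who, how often, and the last three records) before the C3PAO does. This is an added example, not code from the article or from CMMCPilot.ai; the weekly cadence, reviewer names, and review records are constructed assumptions.

```python
"""Added example: check audit log review evidence against a stated cadence.
The 7-day cadence and the records below are constructed, not the article's."""
from datetime import date

# Assumed organizational policy: logs are reviewed at least every 7 days.
MAX_REVIEW_GAP_DAYS = 7

# Constructed review log: (review date, reviewer, what was examined).
REVIEW_RECORDS = [
    (date(2026, 1, 5), "j.doe", "failed logons, privileged use"),
    (date(2026, 1, 12), "j.doe", "failed logons, privileged use"),
    (date(2026, 1, 19), "a.smith", "failed logons, log integrity alerts"),
    (date(2026, 2, 9), "j.doe", "failed logons, privileged use"),  # 3-week gap
    (date(2026, 2, 16), "a.smith", "failed logons, privileged use"),
    (date(2026, 2, 23), "j.doe", "failed logons, privileged use"),
]

def cadence_gaps(records, max_gap_days=MAX_REVIEW_GAP_DAYS):
    """Return (previous, next, gap_days) for consecutive reviews spaced
    further apart than the cadence allows; an empty list means no gaps."""
    dated = sorted(records, key=lambda r: r[0])
    gaps = []
    for prev, nxt in zip(dated, dated[1:]):
        gap = (nxt[0] - prev[0]).days
        if gap > max_gap_days:
            gaps.append((prev[0], nxt[0], gap))
    return gaps

def last_n_reviews(records, n=3):
    """The most recent n records, newest first: the set assessors request."""
    return sorted(records, key=lambda r: r[0], reverse=True)[:n]

def review_is_current(records, as_of, max_gap_days=MAX_REVIEW_GAP_DAYS):
    """True if the latest review falls within the cadence window of as_of."""
    latest = max(r[0] for r in records)
    return (as_of - latest).days <= max_gap_days

if __name__ == "__main__":
    for prev, nxt, gap in cadence_gaps(REVIEW_RECORDS):
        print(f"gap of {gap} days between {prev} and {nxt}")
    for rec in last_n_reviews(REVIEW_RECORDS):
        print("evidence:", rec)
```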

07. No Formal Configuration Management Baseline

CM.2.061 requires a baseline configuration for all information systems. This means you must document the approved security settings for every device type in your environment — workstations, servers, network devices — and have a process to detect and remediate deviations. Organizations using Microsoft 365 GCC High can leverage Microsoft Secure Score as a baseline reference, but the baseline itself must be formally documented and approved.

08. Employees Cannot Explain Their Security Responsibilities

AT.2.056 requires role-based security awareness training. Assessors do not just check whether training was completed — they interview employees. If a standard user cannot explain what CUI is, what to do if they receive a suspicious email, or how to report a security incident, the training program is considered ineffective regardless of completion certificates. Training must be practical, role-specific, and retained.

09. Unpatched Systems in the CUI Environment

SI.2.214 requires that system flaws are identified and corrected in a timely manner. 'Timely' has a specific meaning: critical vulnerabilities within 14 days, high within 30 days, and medium within 90 days per most organizational policies. Assessors will run vulnerability scans or ask for recent scan results. A single unpatched critical CVE on a system that touches CUI is sufficient to fail this control.
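A self-check against the remediation windows cited above (critical 14, high 30, medium 90 days), run over scan findings before an assessor runs their own scan. This is an added example, not code from the article or from CMMCPilot.ai; the host names, findings and CVE placeholders are constructed, and the field names are assumptions.

```python
"""Added example: flag open scan findings that exceed the SI.2.214 windows
the article cites. Sample findings are constructed; CVE ids are placeholders."""
from dataclasses import dataclass
from datetime import date

# Remediation windows in days, as stated in the article.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}

@dataclass(frozen=True)
class Finding:
    host: str          # asset name from the CUI asset inventory (constructed)
    cve: str           # placeholder identifier, not a real CVE
    severity: str      # critical / high / medium / low
    first_seen: date   # date the scanner first reported the flaw
    remediated: bool   # True once a rescan no longer shows it

def days_open(f: Finding, as_of: date) -> int:
    return (as_of - f.first_seen).days

def sla_breaches(findings, as_of: date):
    """Open findings older than the window for their severity, as
    (host, cve, severity, days past SLA), worst first."""
    breaches = []
    for f in findings:
        window = SLA_DAYS.get(f.severity)
        if f.remediated or window is None:
            continue  # fixed, or a severity with no window in this policy
        overdue = days_open(f, as_of) - window
        if overdue > 0:
            breaches.append((f.host, f.cve, f.severity, overdue))
    return sorted(breaches, key=lambda b: b[3], reverse=True)

# Constructed sample findings for a CUI-scoped environment.
SAMPLE = [
    Finding("cui-ws-01", "CVE-PLACEHOLDER-1", "critical", date(2026, 2, 1), False),
    Finding("cui-ws-01", "CVE-PLACEHOLDER-2", "high", date(2026, 2, 20), False),
    Finding("cui-srv-01", "CVE-PLACEHOLDER-3", "medium", date(2025, 11, 1), False),
    Finding("cui-srv-01", "CVE-PLACEHOLDER-4", "critical", date(2026, 2, 25), True),
    Finding("cui-srv-02", "CVE-PLACEHOLDER-5", "low", date(2025, 1, 1), False),
]
AS_OF = date(2026, 3, 1)  # constructed assessment date

if __name__ == "__main__":
    for host, cve, sev, overdue in sla_breaches(SAMPLE, AS_OF):
        print(f"{host} {cve} ({sev}): {overdue} days past SLA")
```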

10. No Physical Access Controls for CUI Systems

The Physical Protection (PE) family is frequently underestimated. PE.1.131 requires limiting physical access to organizational systems to authorized individuals. If your CUI workstations are in an open office, your server room has a combination lock that hasn't been changed in three years, or visitors can walk unescorted through areas where CUI is processed, you will fail PE controls. Physical access logs, visitor records, and access reviews are all required evidence.

11. Plans of Action & Milestones (POA&M) Not Maintained

A POA&M is not a sign of weakness — it is a sign of maturity. Assessors expect to see a current POA&M that documents known gaps, the planned remediation, the responsible owner, and the target completion date. Organizations that claim to have zero gaps are viewed with skepticism. Organizations with no POA&M at all are demonstrating that they have no formal process for tracking and remediating deficiencies — which is itself a finding.

12. Treating CMMC as a One-Time Project Instead of a Program

CMMC Level 2 certification requires a triennial third-party assessment, but the controls must be continuously maintained between assessments. Organizations that implement controls specifically for the assessment and then allow them to lapse will fail their next assessment — and may face contract termination if a spot check reveals non-compliance. CMMC is a security program, not a certification checkbox. The organizations that pass consistently are those that have embedded compliance into their daily operations.

What to Do Next

The most effective preparation strategy is a structured gap analysis conducted against all 110 NIST SP 800-171 controls before your C3PAO assessment. Organizations that complete a formal gap analysis are 73% more likely to have fully documented policies — the single strongest predictor of assessment success.

CMMCPilot.ai conducts this gap analysis using AI trained on 8 layers of CMMC intelligence — including the official Assessment Guide, assessor red flag patterns, and the Microsoft 365 GCC High implementation guide. The output is a complete documentation package: SSP, POA&M, and all 14 required security policy templates, tailored to your specific environment.
