CMMC 2.0 Level 2 Checklist: Policies, POA&Ms, and SPRS Requirements

Why This Matters Now

The CMMC Level 2 checklist has never been more important. The CMMC Program final rule (32 CFR Part 170) is now in effect, and the DoD is implementing CMMC in contracts via a DFARS/48 CFR acquisition rule. This means that solicitations will specify the required level and the assessment type (self-assessment versus C3PAO).

Translation: if you touch CUI, you need an executable plan today.


What DoD Reviewers Look For First (By Level)

  • Level 1 (FCI): Annual self-assessment along with an annual affirmation. No POA&Ms are allowed, and results must be submitted to SPRS.
  • Level 2 (CUI): Contractors must complete either a self-assessment or a C3PAO assessment as specified in the solicitation, which occurs every three years, in addition to an annual affirmation. Results are reported in SPRS/eMASS.
  • Level 3 (Expert): DIBCAC-led certification is required every three years, accompanied by an annual affirmation.

The Three Big Things That Decide Readiness and Success

Policies, procedures, and an SSP aligned with NIST 800-171

  • The DoD is not evaluating your tool list. They are verifying that you have implemented the required controls and documented them in your policies and System Security Plan (SSP).
  • Make sure everything directly maps to the 110 NIST 800-171 requirements, specifying who, what, and where for each control objective.
  • For Level 2, a practice is only considered “MET” if it satisfies all objectives in NIST 800-171A.

RainTech tip:

Tailor policies to your actual environments, including users, enclaves, ESPs/CSPs, and contractor-risk-managed assets, so evidence lines up with what assessors will see in scope.


POA&Ms: When and How They Are Allowed

POA&Ms are permitted only in specific cases and on a strict clock:

  • Level 1: POA&Ms are not permitted.
  • Level 2: You can achieve Conditional status with a score of at least 80% of the maximum (88 out of 110), but only specified items may be included in a POA&M. Certain higher-risk or weighted practices cannot be POA&M’d, and encryption can be POA&M’d only if it’s in use but not yet FIPS-validated. Once assessment results are submitted to SPRS/eMASS, a 180-day clock starts: all open items must be closed and verified through a POA&M closeout assessment within that window, or the Conditional status will expire.
  • Level 3: Follows a similar 80%/180-day Conditional path with additional exclusions.

Note: The rule distinguishes operational plans of action, such as ongoing ops items like patches or configurations, from assessment POA&Ms. Only the latter trigger the 180-day closeout and Conditional status.


SPRS Scores: What They Signal and How to Use Them

  • Max score is 110; scores can be negative under the DoD NIST 800-171 assessment methodology.
  • You must have a current NIST 800-171 assessment score posted in SPRS, no older than 3 years, by award. Contracting officers check SPRS before award. Keep it current and accurate.

Your CMMC 2.0 Checklist (Level 2 Focused)

✅ Documented policies and procedures mapped to all 110 NIST 800-171 controls.

✅ A complete SSP reflecting your real environment, including assets, enclaves, ESPs/CSPs, and diagrams.

✅ POA&Ms, if used, that meet the rule: ≥ 80% score, only eligible items, and a 180-day close plan.

✅ SPRS score submission and annual affirmation, plus triennial self or C3PAO assessment as applicable.

✅ Flow-down readiness for subs.


Flow-Down to Subcontractors (Avoid Surprises)

CMMC flows down the supply chain. If a subcontractor handles CUI, they generally must meet Level 2, with assessment type per the solicitation or contract. Prime contractors are expected to require and verify sub-compliance. Start building your sub-onboarding and evidence collection around this now.


The Conditional to Final Path (Most Screenshot-Worthy)

  • Step 1: Perform your Level 2 assessment, self or C3PAO, and post results.
  • Step 2: If the score is ≥ 80% with only eligible items open, you can receive Conditional Level 2 status.
  • Step 3: Close all POA&M items within 180 days and complete a POA&M closeout assessment to convert to Final Level 2.
  • Step 4: Affirm annually in SPRS and re-assess every 3 years.

How RainTech (RPO) Gets You Award-Ready Without the Headache

  • Policy and SSP build-out: NIST-aligned, environment-specific, evidence-first
  • POA&M strategy and execution: Reach the 80% threshold, select eligible items, and close within the window
  • SPRS uplift: Score calculation, documentation, and regular updates
  • Sub flow-down program: Standardize requirements and evidence exchange with your suppliers
  • Zero-pressure checkup: We’ll baseline your controls, forecast your achievable score, and map a 180-day POA&M close plan

FAQs

  • What is a CMMC POA&M? A Plan of Action and Milestones lists the specific requirements left unmet by your CMMC assessment, along with the resources, milestones, and deadlines for remediating them. At Level 2 or 3, you can earn Conditional status if you meet the minimum score and only place eligible items on the POA&M. You then have 180 days to close everything.
  • What’s a good SPRS score? 110 is perfect, though scores can be negative. The practical goal is to achieve a defensible, current score that meets award requirements and, if necessary, a score of ≥ 80% to achieve Conditional CMMC, while closing gaps. Post or update in SPRS and back it with evidence.
  • Do all contractors need written policies? Yes, especially for CMMC Level 2. Assessors check that you have implemented controls and that your policies and SSP reflect your real environment, including assets, scope, ESPs/CSPs, and diagrams.
  • Will CMMC apply to my subs? If they process, store, transmit, or protect CUI for your program, expect Level 2 flow-down and be ready to collect evidence. Build this into sub onboarding and contracts.
