written by: James Scobey, Chief Technology Officer, S2i2, Inc. February 2026
If you’re a defense contractor who handles Controlled Unclassified Information (CUI), CMMC (Cybersecurity Maturity Model Certification) Level 2 certification isn’t news to you anymore. The DFARS acquisition rule went into effect on November 10, 2025, and CMMC requirements are already appearing in solicitations across the DoD. Phase 2, which makes third-party C3PAO (certified third-party assessor organization) assessments mandatory for Level 2 contracts, kicks in this November. The era of self-attestation is ending.
At S2i2, we’ve been living this journey firsthand. As an 8(a) certified IT integrator and federal contractor specializing in cybersecurity and cloud technologies, we made the decision early on to pursue CMMC Level 2 certification for our AWS GovCloud-based CUI enclave. That decision has shaped our organization in ways that go far beyond checking a compliance box, and I want to share what we’ve learned along the way.
Why CMMC Level 2 Matters Beyond the Mandate
Let’s start with the obvious: without certification, you can’t compete. By October 2026, every new DoD contract involving CUI will require CMMC compliance at the appropriate level. If you’re not certified, you’re not bidding. Period.
But framing CMMC Level 2 purely as a gate to clear is selling it short. Here’s what the certification process actually delivered for us.
A genuinely stronger security posture. Walking through all 110 NIST SP 800-171 Rev 2 controls with the rigor that a third-party assessment demands forced us to address gaps we’d been tolerating. Self-attestation is comfortable. Having an assessor validate your controls is not, and that discomfort is productive. We came out the other side with a CUI enclave we have real confidence in.
Operational maturity. CMMC doesn’t just ask whether you have a firewall. It asks whether you have documented policies, whether your people are trained, whether your incident response plan has been tested, and whether you can prove all of it. That discipline permeates an organization. Our change management, access control procedures, and documentation practices all improved as a direct result of the certification process.
Competitive differentiation. The reality is that a significant portion of the Defense Industrial Base is not ready. Industry estimates suggest that more than half of contractors still aren’t prepared for Level 2 requirements. If you’re certified, especially early, you’re signaling to primes and to government customers that you take security seriously and that you’re a reliable partner. For a small business competing against larger firms, that signal matters enormously.
Client trust. We support federal civilian and Department of War agencies. Being able to tell those clients that our infrastructure has been independently validated against 110 security controls isn’t just marketing; it’s a meaningful assurance that their data is in responsible hands.
Lessons Learned
Every organization’s CMMC journey will look different, but here are the lessons we learned that I think are broadly applicable.
Start with honest scoping. One of the most consequential early decisions is defining your CUI boundary. The temptation is to scope broadly to be safe, but an overly broad boundary means more systems to harden, more documentation to maintain, and a larger attack surface to defend. We invested significant time upfront identifying exactly where CUI lives in our environment and architecting our enclave to minimize that boundary. If you can isolate your CUI processing into a well-defined environment (as we did with our GovCloud enclave), your life gets dramatically easier.
Your SSP is the backbone. Treat it that way. Your System Security Plan (SSP) isn’t a document you write once and file away. It’s the living artifact that an assessor will use to understand your environment, and any disconnect between what the SSP says and what your environment actually does will create problems. We learned to treat SSP maintenance as a continuous process, updating it as we made infrastructure changes rather than trying to reconcile everything before an assessment.
POA&Ms are a tool, not a loophole. Plans of Action and Milestones (POA&Ms) exist for a reason: not every control will be perfectly implemented on day one. But a POA&M with a credible remediation plan and a realistic timeline is very different from a POA&M that’s masking a fundamental gap you have no plan to address. Assessors know the difference, and the 180-day closure deadline for conditional certification means you need to be genuinely executing against your POA&Ms from the moment you submit them.
Don’t underestimate the people side. Technical controls get the most attention, but many of the 110 requirements touch policy, training, and personnel practices. Awareness training, acceptable use policies, role-based access reviews, personnel screening: these are areas where you need buy-in across the organization, not just from your IT team. We found that bringing our whole leadership team into the process early made implementation smoother and made the cultural shift stick.
Budget realistically. The assessment fee from your C3PAO is a fraction of the total cost. The real investment is in the infrastructure, tooling, policy development, training, and staff time required to actually implement and maintain the controls. For a small to mid-sized contractor, total three-year costs can run well into six figures. Plan for it, and make the case to leadership early. This is a cost of doing business in the defense market, not a discretionary spend.
Evidence collection is the silent time killer. You might have a control fully implemented, but if you can’t produce documentation proving it, an assessor can’t give you credit. Screenshots, configuration exports, policy documents with version history, training records, audit logs: start collecting and organizing evidence early and continuously. We built evidence collection into our operational workflows rather than treating it as a pre-assessment scramble, and it made an enormous difference.
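One way to build evidence collection into an operational workflow, as an added illustration rather than S2i2's own tooling: a small script that walks an evidence tree, records a SHA-256 hash, size and collection timestamp for every artifact, flags in-scope controls that have no artifact at all, and can later re-hash everything to show the evidence has not changed since it was collected. It assumes a directory layout of `<evidence_root>/<control_id>/<files>` keyed by NIST SP 800-171 requirement number (3.1.1, 3.1.2, 3.3.1 and 3.5.3 are used here as a sample subset of the 110); the sample artifacts it creates are constructed, not real exports.

```python
"""Evidence manifest builder (illustrative example, not S2i2's tooling).

Assumed layout: <evidence_root>/<control_id>/<artifact files>, where
<control_id> is a NIST SP 800-171 requirement number such as 3.1.1.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Sample subset of the 110 requirements; a real run would list every control in scope.
REQUIRED_CONTROLS = ["3.1.1", "3.1.2", "3.3.1", "3.5.3"]


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_root):
    """Walk the evidence tree and record hash, size and a collection timestamp per artifact."""
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "controls": {}}
    for control in sorted(os.listdir(evidence_root)):
        cdir = os.path.join(evidence_root, control)
        if not os.path.isdir(cdir):
            continue
        artifacts = []
        for name in sorted(os.listdir(cdir)):
            path = os.path.join(cdir, name)
            if os.path.isfile(path):
                artifacts.append({"file": name, "bytes": os.path.getsize(path),
                                  "sha256": sha256_file(path)})
        manifest["controls"][control] = artifacts
    return manifest


def missing_evidence(manifest, required=REQUIRED_CONTROLS):
    """Controls in scope with no artifact at all: implemented or not, an assessor cannot credit them."""
    return [c for c in required if not manifest["controls"].get(c)]


def verify_manifest(evidence_root, manifest):
    """Re-hash every recorded artifact; return the ones that changed or vanished since collection."""
    problems = []
    for control, artifacts in manifest["controls"].items():
        for a in artifacts:
            path = os.path.join(evidence_root, control, a["file"])
            if not os.path.isfile(path) or sha256_file(path) != a["sha256"]:
                problems.append(f"{control}/{a['file']}")
    return problems


def make_sample_evidence():
    """Create a constructed evidence tree in a temp dir (sample data, not real exports)."""
    root = tempfile.mkdtemp(prefix="cmmc_evidence_")
    samples = {
        "3.1.1": {"iam_users_export.json": '{"Users": ["alice", "bob"]}'},   # access control
        "3.1.2": {"role_review_2026-01.txt": "Quarterly role review, no changes"},
        "3.3.1": {"cloudtrail_config.json": '{"IsMultiRegionTrail": true}'},  # audit logging
        "3.5.3": {},  # MFA control: folder exists but nothing collected yet
    }
    for control, files in samples.items():
        os.makedirs(os.path.join(root, control))
        for name, body in files.items():
            with open(os.path.join(root, control, name), "w") as f:
                f.write(body)
    return root


if __name__ == "__main__":
    root = make_sample_evidence()
    manifest = build_manifest(root)
    print(json.dumps(manifest, indent=2))
    print("missing evidence for:", missing_evidence(manifest))
    print("integrity problems:", verify_manifest(root, manifest))
```

Run on a schedule (for example from the same job that exports configurations), the manifest gives a dated, hash-verified index of evidence per control; the `missing_evidence` list is the gap report, and a non-empty `verify_manifest` result means an artifact was altered after collection and should be re-exported rather than handed to an assessor.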
Advice for Companies Starting the Journey
If you’re reading this and haven’t started your CMMC Level 2 preparation, the most important thing I can tell you is this: start now. The timeline is not forgiving. A realistic path from gap analysis to assessment-ready typically takes six to twelve months, and that assumes you have reasonable security practices in place already. If you’re starting from scratch, add three to six months.
Get a gap analysis done immediately. Whether you use an internal team or engage a Registered Provider Organization, you need an honest assessment of where you stand against the 110 controls. Don’t sugarcoat it. The gaps you identify now are problems you can solve on your own timeline. The gaps an assessor finds are problems that delay your certification.
Pick your enclave architecture early. Decide where CUI will live, how it will be processed, and how you’ll enforce the boundary. Cloud-based enclaves, whether in AWS GovCloud, Azure Government, or similar platforms, can simplify many technical controls, but they introduce their own complexity around shared responsibility models. Understand what your cloud provider covers and what you own.
Engage a C3PAO early, even if you’re not ready for assessment. Many C3PAOs offer pre-assessment readiness reviews. These aren’t formal assessments, but they give you a sense of how an assessor will evaluate your environment and where you’re likely to have findings. The insight is invaluable.
Don’t go it alone if you don’t have to. The CMMC ecosystem includes Registered Practitioners and Registered Provider Organizations that specialize in helping contractors prepare. If your internal team doesn’t have deep experience with NIST 800-171, bringing in outside expertise can save you months of trial and error.
Think beyond the certification. CMMC is a point-in-time assessment, but the security practices it requires are ongoing. Build your program to be sustainable. Automate evidence collection where you can. Schedule regular internal reviews. Keep your SSP current. The organizations that treat CMMC as a one-time hurdle will struggle with recertification. The ones that internalize the practices will find that maintaining compliance becomes part of how they operate.
Looking Ahead
The CMMC landscape continues to evolve. The DoD has locked requirements to NIST SP 800-171 Revision 2 for now, but Revision 3 is published and will likely factor into future iterations of the framework. The pool of accredited C3PAOs is still scaling up to meet demand, which means assessment slots will be competitive as Phase 2 deadlines approach. And the Department of Justice’s Civil Cyber-Fraud Initiative is making it clear that misrepresenting your compliance status carries real legal risk. This isn’t something you can fake your way through.
For companies like S2i2, CMMC Level 2 certification is more than a compliance requirement. It’s a commitment to the security of the information our government clients entrust to us, and it’s an investment in the operational maturity of our organization. The road isn’t easy, but it’s worth traveling, and the earlier you start, the smoother the journey will be.
If you’re navigating your own path to CMMC certification and want to compare notes, I’m always happy to connect. The defense industrial base is stronger when we help each other get this right.
James Scobey is the Chief Technology Officer at S2i2, Inc., an 8(a) certified IT integrator and federal contractor based in Fairfax, Virginia, specializing in cybersecurity, cloud technologies, and IT services for government agencies.