Security Foundation

CMMC L1 and L2 Readiness Assessment

Genesis Solutions helps DoD contractors and subcontractors prepare for CMMC Level 1 self-attestation and Level 2 C3PAO assessment — gap analysis against NIST SP 800-171, System Security Plan drafting, POA&M setup, and remediation roadmaps scoped to your assessment window.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense’s framework for verifying that defense contractors and subcontractors meet specific cybersecurity requirements when handling federal information. It rolls up multiple prior efforts — NIST SP 800-171, DFARS clauses, the older DoD self-attestation regime — into one tiered model with formal assessment.

L1 vs L2 — What Applies to You

Level 1 (Foundational) protects Federal Contract Information (FCI). It covers 15 basic safeguarding practices drawn from FAR 52.204-21. Contractors at this level can self-attest annually through the Supplier Performance Risk System (SPRS).

Level 2 (Advanced) protects Controlled Unclassified Information (CUI). It aligns with the 110 controls in NIST SP 800-171 and requires a triennial assessment by a Certified Third-Party Assessor Organization (C3PAO) for prime contractors handling CUI.

Most defense subcontractors land at Level 2 the moment any CUI flows through their environment — including engineering drawings, source code, supply chain data, or program documentation. The scoping conversation often reveals more CUI than the team realized.

What Genesis Delivers

Genesis does the readiness work that gets you to certification — not the official C3PAO assessment itself. That separation matters: under the CMMC ecosystem, the assessor and the consultant cannot be the same entity.

  • Scope discovery — identifying every system, location, and data flow that handles FCI or CUI
  • Gap assessment — every applicable practice evaluated against your environment, with evidence
  • System Security Plan (SSP) — drafted or updated to your environment, in formats your C3PAO will recognize
  • Plan of Action & Milestones (POA&M) — sequenced remediation items with owners and target dates
  • Remediation roadmap — prioritized work, mapped to your assessment window
  • Pre-assessment review — a mock C3PAO walkthrough before the real thing

Frameworks We Map Against

  • NIST SP 800-171 Rev. 2 — the 110 controls that drive L2
  • NIST SP 800-172 — enhanced security requirements for high-value CUI (relevant if L3 ever applies to your environment)
  • CMMC Assessment Guide L1 and L2 — the official scoring methodology used by C3PAOs
  • FAR 52.204-21 — the basic safeguarding clause underpinning L1

Timeline

  • Level 1 readiness: typically 2-3 weeks from kickoff to roadmap delivery
  • Level 2 readiness: typically 4-8 weeks, depending on environment complexity, scope of CUI handling, and how much existing documentation can be reused

White-label engagements available for MSPs serving defense-industrial-base clients.


Need to be CMMC-ready before your next contract cycle? Schedule a scoping call.

How it works

Step by step

  1. 01
    Scoping Call
    We confirm which level applies, identify your CUI/FCI boundaries, and inventory the environments and contracts that drive the assessment scope.
  2. 02
    Documentation Review
    We review existing security policies, your System Security Plan (SSP), and any prior NIST SP 800-171 self-assessment to baseline the gap.
  3. 03
    Control-by-Control Gap Assessment
    Every applicable practice (15 for L1, 110 for L2) is evaluated against your environment with supporting evidence — Pass, Fail, or Partial — and a target remediation date.
  4. 04
    SSP and POA&M Drafting
    We produce or update your System Security Plan and Plan of Action & Milestones in formats your C3PAO will recognize, ready to submit.
  5. 05
    Remediation Roadmap
    You receive a prioritized roadmap with effort estimates, sequenced to your assessment window, plus optional hands-on remediation support.
FAQ

Frequently asked

What is CMMC?
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) meet specified cybersecurity practices. Level 1 covers basic safeguarding (15 practices). Level 2 aligns with NIST SP 800-171 (110 controls).
What's the difference between CMMC L1 and L2?
Level 1 (Foundational) protects FCI and allows annual self-attestation. Level 2 (Advanced) protects CUI, requires a triennial assessment by a Certified Third-Party Assessor Organization (C3PAO), and aligns with all 110 controls in NIST SP 800-171.
Does Genesis perform the official CMMC certification?
No — official Level 2 certification must be performed by a C3PAO. Genesis delivers the readiness work that gets you to certification: gap assessment, SSP and POA&M drafting, remediation roadmap, and pre-assessment review. We can coordinate with your selected C3PAO.
How long does a CMMC readiness assessment take?
A focused Level 1 readiness assessment typically takes 2-3 weeks. A full Level 2 readiness assessment runs 4-8 weeks depending on environment complexity, scope of CUI handling, and how much existing documentation can be reused.
Ready to start?

Let's scope the cmmc l1 and l2 readiness assessment.

A short scoping conversation, then a written proposal naming the scope, deliverables, and engagement pricing together.