CMMC Level 2

Everything CMMC Level 2 Requires.
In One Place.

Here's the complete list of what your C3PAO needs to see — and which ones are included in your MyCMMC package.

The Deliverables

What the Assessment Requires

14 items. 10 handled by MyCMMC. 4 your team owns — technical work that only you can do.

System Security Plan (SSP) 322 assessment objectives, customized to your environment — not a generic template. ✓ Included
Plan of Action & Milestones (POA&M) Every gap with owners and target dates, formatted to C3PAO standards. ✓ Included
14 Security Policies Access Control through System Integrity — all 14 policy domains, tailored to your operations. ✓ Included
Gap Analysis & SPRS Score Control-by-control assessment with your estimated score and a clear remediation roadmap. ✓ Included
Asset Inventory CMMC-categorized: CUI assets, security assets, contractor risk managed — mapped to your environment. ✓ Included
CUI Data Flow Description Entry points, processing, storage, and exit points for all controlled unclassified information. ✓ Included
Shared Responsibility Matrix Your MSP and cloud provider responsibilities mapped and documented for assessor review. ✓ Included
Evidence Collection Guide What to capture for each control, where to find it, and how to format it for your C3PAO. ✓ Included
Pre-Assessment Verification Checklist 42-item dress rehearsal so nothing surprises you when your C3PAO shows up. ✓ Included
Mock Assessment & Interview Prep Practice questions and recommended responses — part of the Done-With-You package. ✓ Included
Network Architecture Diagram Visual diagram of your topology. We provide the description to draw from — your team creates the diagram. Your team
Technical Implementation Deploy MFA, SIEM, EDR, encryption, and patching on your actual systems. Requires hands-on IT work. Your team
Evidence Collection 90+ days of logs, screenshots, training records, and access reviews gathered from your live environment. Your team
C3PAO Assessment The formal assessment itself — a separate engagement at $20K–$50K with an accredited C3PAO. Your team

The Math

Same documents. One costs 75% less.

Traditional Consultant

$30K – $100K+

3–6 months

MyCMMC

$7,500

Same deliverables. Ready in days.

Both produce the same documents. One costs 75% less.

Ready to see what's in each package?

Compare tiers, see what's included, and pick the right fit for your timeline.

See Pricing & Packages → Or take the Free Readiness Check

Common Questions

FAQ

Yes. SSP, policies, POA&M, gap analysis — the same deliverables, built from your specific environment instead of generic templates.

Technical implementation (deploying tools) and evidence collection (running them over time) require your IT team or MSP. We handle the documentation that describes those controls.

Our Assessment-Ready Guarantee covers it. If any document we delivered is rejected, we remediate at no cost.