You cannot bid on the contract until your documentation exists. That is the part most defense contractors discover late. The controls themselves are tractable: access control, logging, encryption, the kind of work a competent IT team can stand up. The blocker is the paperwork that proves it, and a prime contractor checks for that paperwork before a single line of your proposal gets read.
CMMC is the mechanism the Department of Defense uses to verify that its supply chain implements the security requirements already written into DFARS. If your contracts carry the DFARS 252.204-7012 clause and you handle Controlled Unclassified Information, you are in Level 2 territory, and Level 2 is assessed against documentation you are expected to produce, maintain, and hand to an assessor. This post walks the documents that decide the outcome, so you know what you are actually building before you start.
Level 1 versus Level 2, and which one you are
The two levels protect different information, and that distinction sets everything else.
Level 1 protects Federal Contract Information: the basic information you generate or handle under a federal contract that is not intended for public release. It maps to the fifteen basic safeguarding requirements in FAR 52.204-21, spread across six security domains, and you confirm it through an annual self-assessment. There is no System Security Plan requirement and no Plan of Action and Milestones at this level. If the only sensitive data you touch is FCI, your documentation burden is light.
Level 2 protects Controlled Unclassified Information, and it aligns to the full set of 110 security requirements in NIST SP 800-171 across fourteen control families. This is where the documentation work lives. You handle CUI, you implement 110 controls, and you produce artifacts that demonstrate each one is in place. The trap is assuming you handle only FCI when a contract actually flows CUI to you. Read your contract data flows before you scope your effort, because misjudging this sends you back to the start.
The System Security Plan is the first thing read
The System Security Plan is the blueprint of your security program. It describes, control by control, how your organization satisfies each of the 110 requirements: what the control is, how you implement it, which systems it applies to, and who owns it. An assessor opens the SSP before anything else, because it tells them what they are walking into and where the boundary of your CUI environment sits.
A vague SSP fails for a specific reason. If it states that you "have access controls" without describing the mechanism, the assessor has to interview your team to find out what is true, and every hour of that uncertainty is an hour you pay for. A precise SSP that names the control, the system, and the evidence shrinks the assessment. Scope it to where CUI actually lives. If you can keep CUI inside a defined enclave rather than letting it sprawl across your whole network, your SSP describes a smaller, defensible boundary, and the whole assessment gets cheaper and faster.
The POA&M is where honesty beats optimism
No organization implements all 110 controls perfectly on the first pass. The Plan of Action and Milestones is where you record the gaps: each unmet requirement, the remediation you plan, the owner, and the date you will close it. It is the document that lets you make progress without pretending you are finished.
There is a hard rule attached to it. Under 32 CFR Part 170, you can reach a Conditional Level 2 status by meeting at least 80% of the 110 requirements and placing the remainder on a POA&M, with 180 days to close those gaps before the conditional status converts. That 80% floor matters: certain higher-weight requirements cannot be deferred to a POA&M at all, so the gaps you carry have to be the ones the rules allow you to carry. A POA&M that tries to defer a control you were required to have on day one does not buy you time. It fails you.
Your SPRS score is a number, not a feeling
When you complete your NIST SP 800-171 self-assessment, you post a score to the Supplier Performance Risk System. The scoring starts at 110 and subtracts weighted points for each unmet requirement, so a clean implementation posts at or near 110 and a thin one posts well below it, sometimes negative. Prime contractors check SPRS before they award subcontracts, which means the score is doing sales work whether you think of it that way or not. A low number is a reason for a prime to choose someone else, and you rarely get told that is why.
The score is only as credible as the SSP and POA&M behind it. If you self-assess at 105 but your documentation cannot support it under examination, you have created a gap between what you claimed and what you can prove, and that gap is exactly what a third-party assessment exists to find.
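The two rules above, the SPRS arithmetic and the Conditional Level 2 test, are mechanical enough to check before you post a score. The following is an added example, not code from the original post or from any DoD tool: it computes the SPRS score from a list of unmet requirements and reports every reason a gap list would not support conditional status. The requirement identifiers and point weights are constructed sample values (the DoD assessment methodology weights each requirement at 1, 3 or 5 points; verify each weight against it), and the "only 1-point requirements are deferrable" rule is an assumed simplification of 32 CFR 170.21, which carries exceptions in both directions that this code does not encode.

```python
"""Constructed example: SPRS score and Conditional Level 2 eligibility check."""
import math
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

TOTAL_REQUIREMENTS = 110                # NIST SP 800-171 requirement count
CONDITIONAL_FLOOR = 0.80                # share of requirements that must be met
REMEDIATION_WINDOW = timedelta(days=180)  # time allowed to close POA&M items


@dataclass(frozen=True)
class Gap:
    """One unmet requirement. `weight` is the SPRS deduction (sample value)."""
    requirement: str
    weight: int
    on_poam: bool = False        # True if the gap is recorded on the POA&M
    due: Optional[date] = None   # milestone date from the POA&M, if any


def sprs_score(gaps: List[Gap]) -> int:
    """SPRS score: start at 110 and subtract each unmet requirement's weight."""
    return TOTAL_REQUIREMENTS - sum(g.weight for g in gaps)


def deferrable(gap: Gap) -> bool:
    # Assumed simplification: only 1-point requirements may be carried on a
    # POA&M. 32 CFR 170.21 states the real rule, including its exceptions.
    return gap.weight == 1


def conditional_level2(gaps: List[Gap], assessed_on: date) -> Tuple[bool, int, List[str]]:
    """Return (eligible, sprs_score, problems) for Conditional Level 2 status."""
    problems: List[str] = []
    met = TOTAL_REQUIREMENTS - len(gaps)
    floor = math.ceil(CONDITIONAL_FLOOR * TOTAL_REQUIREMENTS)  # 88 of 110
    if met < floor:
        problems.append(f"only {met}/{TOTAL_REQUIREMENTS} met; floor is {floor}")
    deadline = assessed_on + REMEDIATION_WINDOW
    for g in gaps:
        if not g.on_poam:
            problems.append(f"{g.requirement}: unmet and not on the POA&M")
            continue
        if not deferrable(g):
            problems.append(f"{g.requirement}: {g.weight}-point requirement cannot be deferred")
        if g.due is None or g.due > deadline:
            problems.append(f"{g.requirement}: milestone missing or beyond the 180-day window")
    return (not problems, sprs_score(gaps), problems)


def synthetic_gaps(count: int, assessed_on: date) -> List[Gap]:
    """Build `count` one-point POA&M gaps due in 30 days (for testing the 80% floor)."""
    return [Gap(f"sample-{i}", weight=1, on_poam=True, due=assessed_on + timedelta(days=30))
            for i in range(count)]


ASSESSED_ON = date(2025, 3, 1)  # constructed assessment date

# Constructed gap lists; weights are sample values.
MESSY_POAM = [
    Gap("3.1.5", weight=3, on_poam=True, due=date(2025, 5, 1)),   # higher-weight, not deferrable
    Gap("3.3.4", weight=1, on_poam=True, due=date(2025, 6, 1)),   # acceptable POA&M item
    Gap("3.1.10", weight=1, on_poam=False),                       # gap nobody recorded
    Gap("3.3.7", weight=1, on_poam=True, due=date(2025, 12, 1)),  # milestone past 180 days
]
CLEAN_POAM = [
    Gap("3.3.4", weight=1, on_poam=True, due=date(2025, 6, 1)),
    Gap("3.3.7", weight=1, on_poam=True, due=date(2025, 8, 1)),
]

if __name__ == "__main__":
    for label, gaps in (("messy", MESSY_POAM), ("clean", CLEAN_POAM),
                        ("thin", synthetic_gaps(23, ASSESSED_ON))):
        ok, score, problems = conditional_level2(gaps, ASSESSED_ON)
        print(f"{label}: SPRS {score}, conditional status {'OK' if ok else 'NOT supported'}")
        for p in problems:
            print("  -", p)
```

The messy list scores 104, well above the floor, and still fails on three separate grounds, which is the point of the section above: the score alone says nothing about whether the gaps behind it are ones you are allowed to carry.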
Clean documentation is the cheapest control you will buy
Here is the economic point most contractors miss. A C3PAO bills by the hour, commonly around $300 an hour, and the assessment takes as long as it takes the assessor to understand your environment and confirm your controls. Disorganized documentation, an SSP that does not match reality, evidence scattered across inboxes and shared drives: all of it converts directly into billable hours and, worse, into findings. Clear, mapped, current documentation is the single largest lever you have over what the assessment costs.
The work itself is real. Writing an SSP that covers 110 controls, drafting the fourteen families of policies and procedures, and building a POA&M and evidence structure from a blank page typically runs to several hundred hours, which is why contractors either lose months to it internally or hand it to a consultant for a five-figure fee. The middle path is a documentation set that is already written to the requirements and structured the way an assessor expects, which you customize to your environment rather than author from nothing. That is the difference between starting at zero and starting at ninety percent, and it is where the time and the audit cost actually get saved.
Where to start
Begin with the boundary. Define where CUI lives and keep it as small as you defensibly can, because every system inside that boundary is a system you have to document and assess. Then write the SSP against that boundary, control by control, naming the implementation and the evidence rather than asserting capability. Build the POA&M honestly, with only the gaps the rules let you carry and real dates against them. Get the fourteen policy areas written and adopted, because a procedure with no policy behind it reads as improvisation to an assessor. Keep the evidence organized as you go, not the week before the assessment.
Do that, and the assessment stops being the thing you dread. You walk in with a boundary you can defend, an SSP that answers the questions before they are asked, a POA&M that shows control rather than panic, and an SPRS score your documentation can stand behind. The contract stops being blocked by paperwork, which was the only thing standing between you and the bid in the first place.