Training Courses →

CMMC L2 Compliance Pack

We'll help you walk into your Level 2 assessment ready

Level 2 means the 110 controls of NIST SP 800-171 and, for most CUI, a third-party C3PAO assessment where self-attestation no longer counts. We give you the System Security Plan and POA&M the assessment turns on, a policy and procedure for every control family, and the evidence and SPRS scoring a C3PAO expects to see.

$1,497 One-time purchase · Every future update included Free sample · real documents · no email required Instant download · Editable Word, Excel & PowerPoint · Single-organization license
CMMC Level 2NIST SP 800-171CUI
System Security Plan and POA&M, ready to complete
All 110 NIST 800-171 controls documented
Scoping, evidence, and SPRS scoring included

Level 2 is 110 controls and, for most CUI, a third-party assessment. Self-attestation is over.

If your systems handle Controlled Unclassified Information, Level 2 is your obligation: the 110 controls of NIST SP 800-171. From November 2026, most CUI contracts require an independent C3PAO assessment rather than a self-claim, with your score recorded in SPRS. The contractors who lose work are the ones who attested to compliance they could not evidence on the day. This pack is built to close that gap before an assessor arrives.

It is the full control set, the System Security Plan and POA&M an assessment turns on, and the scoping, evidence, and verification a C3PAO expects to see.

The artifacts a Level 2 assessment turns on

An assessor does not grade intentions. These are the documents that decide the result, and the pack ships every one.

SSP
System Security Plan
A complete SSP template and worked plan, the central document a C3PAO reads first and the one most failed assessments are missing.
POA&M
Plan of Action and Milestones
A POA&M template to record, schedule, and close the gaps you are allowed to remediate over time.
110
Policies and procedures for all 110 controls
A policy and procedure set spanning the 14 NIST SP 800-171 control families, so every control traces to a documented control owner and method.
SPRS
SPRS score calculator
A calculator to work out the score you submit to SPRS, with a gap analysis behind it so the number is honest and defensible.
EVID
Evidence and verification
An Evidence Collection Checklist and technical verification guidance so each control is backed by proof an assessor will accept.

Built across the full control standard

A policy and procedure for each NIST SP 800-171 family, plus the operational policies that make them real.

Control-family policies
Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Risk Assessment, Security Assessment, and the rest of the fourteen families.
Operational policies
The wider policy set that controls assume, from acceptable use through maintenance, media, and personnel security.
Processes and procedures
Risk assessment, vendor assessment, and the operational procedures that turn each policy into something an assessor can watch you do.
Forms and trackers
The registers, logs, and assessment workbooks that produce the running evidence a Level 2 assessment depends on.

From scope to assessment-ready

The pack is sequenced the way a real Level 2 engagement runs.

Step 1 · Scope

A CUI Boundary Scoping Guide to define what holds CUI and what is out of scope, the decision the whole assessment rests on.

Step 2 · Document

Build the System Security Plan and adopt the policies and procedures across all 110 controls.

Step 3 · Remediate

Run the gap analysis, capture the shortfalls in a POA&M, and calculate your SPRS score.

Step 4 · Prepare

Work the Assessment Readiness Checklist and preparation guide so the C3PAO finds evidence, not gaps.

What this looks like in practice

A prime flows down a Level 2 requirement

You have an SSP, a documented control set, and an SPRS score ready, so you stay eligible instead of dropping off the bid.

A C3PAO assessment is scheduled

You work the readiness checklist and hand the assessor a complete evidence set, rather than assembling it in the room.

You are not fully compliant yet

The POA&M records each open item with an owner and a date, the difference between a managed plan and a failed assessment.

Walk into a C3PAO assessment with the SSP, the controls, and the evidence already in hand.

Covers all 110 NIST SP 800-171 controls · SSP, POA&M, and SPRS scoring · Buy once, and we send you every future update

Who it's for

Defense contractors and subcontractors that process, store, or transmit Controlled Unclassified Information, firms that have had a Level 2 requirement flowed down by a prime, and organizations preparing for a C3PAO assessment that want the System Security Plan, control set, and evidence ready in advance. The independent assessment is performed by an authorized C3PAO and is not included. This pack is what gets you ready to pass it.

See inside

Real pages from the documents

A free sample from the CMMC L2 Compliance Pack. No email required, open it and judge the quality for yourself.

Sample page from the CMMC L2 Compliance PackSample page from the CMMC L2 Compliance PackSample page from the CMMC L2 Compliance Pack

Open the full sample

What is inside

Every document in the pack

115 documents, mapped to NIST SP 800-171 / CMMC Level 2 (CUI). Buy once, and every future update is included.

Start Here · 1 document
Ridgeline CMMC User GuideWord
Core Assessment · 9 documents
CMMC-ASSESS-001Practice Assessment WorkbookExcel
CMMC-ASSESS-002Evidence Collection ChecklistExcel
CMMC-ASSESS-003Gap Analysis TemplateExcel
CMMC-ASSESS-004Compliance Score CalculatorExcel
POAM TemplateExcel
SPRS Score CalculatorExcel
SSP-001System Security PlanWord
SSP System Security Plan TemplateWord
Self Assessment WorkbookExcel
Policies Control Family · 14 documents
POL AC Access Control PolicyWord
POL AT Awareness Training PolicyWord
POL AU Audit Accountability PolicyWord
POL CA Security Assessment PolicyWord
POL CM Configuration Management PolicyWord
POL IA Identification Authentication PolicyWord
POL IR Incident Response PolicyWord
POL MA Maintenance PolicyWord
POL MP Media Protection PolicyWord
POL PE Physical Protection PolicyWord
POL PS Personnel Security PolicyWord
POL RA Risk Assessment PolicyWord
POL SC System Communications Protection PolicyWord
POL SI System Information Integrity PolicyWord
Policies Operational · 19 documents
CMMC-POL-001-FCIProtection PolicyWord
POL-001Information Security PolicyWord
POL-002Acceptable Use PolicyWord
POL-003Access Control PolicyWord
POL-004Data Classification Handling PolicyWord
POL-005Incident Response PolicyWord
POL-006Business Continuity DR PolicyWord
POL-007Risk Management PolicyWord
POL-008Network Security PolicyWord
POL-009Physical Security PolicyWord
POL-010Third Party Vendor Management PolicyWord
POL-011Change Management PolicyWord
POL-012Audit Compliance PolicyWord
POL-013Encryption Cryptographic Controls PolicyWord
POL-014Human Resources Security PolicyWord
POL-015Asset Management PolicyWord
POL-016Vulnerability Management PolicyWord
POL-017Wireless Security PolicyWord
POL-018Cloud Security PolicyWord
Processes · 10 documents
PRC-001Risk Assessment ProcessWord
PRC-002Incident Response ProcessWord
PRC-003Change Management ProcessWord
PRC-004Vulnerability Management ProcessWord
PRC-005Access Management ProcessWord
PRC-006Vendor Assessment ProcessWord
PRC-007Business Impact Analysis ProcessWord
PRC-008Security Awareness Training ProcessWord
PRC-009Audit Review ProcessWord
PRC-010Asset Lifecycle Management ProcessWord
Procedures · 18 documents
PROC-001Firewall Rule ChangeWord
PROC-002Account ProvisioningWord
PROC-003Backup VerificationWord
PROC-004Patch DeploymentWord
PROC-005Security Incident TriageWord
PROC-006Malware ContainmentWord
PROC-007Evidence PreservationWord
PROC-008System HardeningWord
PROC-009Vulnerability ScanningWord
PROC-010Log ReviewWord
PROC-011Physical Access ManagementWord
PROC-012Media SanitizationWord
PROC-013-DRFailover TestingWord
PROC-014Security Tool DeploymentWord
PROC-015Certificate ManagementWord
PROC-016Network Segmentation ChangesWord
PROC-017Wireless Security AuditWord
PROC-018Cloud Resource ProvisioningWord
Forms Trackers · 24 documents
ASM-001Self Assessment WorkbookExcel
CMMC-FRM-003External Connections InventoryExcel
CMMC-FRM-007Visitor LogExcel
CMMC-FRM-008Physical Access Device RegisterExcel
FRM-001Risk Assessment FormExcel
FRM-002Security Incident ReportWord
FRM-003Change Request FormWord
FRM-004User Access RequestWord
FRM-005Vendor Security AssessmentExcel
FRM-006Business Impact AnalysisExcel
FRM-007Security Exception RequestWord
FRM-008Asset RegisterExcel
FRM-009Training RecordExcel
FRM-010Audit Finding TrackerExcel
FRM-011Backup Verification LogExcel
FRM-012Patch Management TrackerExcel
FRM-013Vulnerability TrackerExcel
FRM-014Physical Access LogExcel
FRM-015Security Metrics DashboardExcel
FRM-016Compliance Status RegisterExcel
FRM-017Incident Post Mortem TemplateWord
FRM-018-DRTest Report TemplateWord
FRM-019Data Processing RegisterExcel
FRM-020Security Project CharterWord
Guides · 17 documents
CMC-GUIDE-003Rev2 to Rev3 Transition GuideWord
CMC-UG-001Ridgeline CMMC User GuideWord
CMMC-GUIDE-001Quick Start GuideWord
Evidence Mapping GuideWord
SUB-001Subcontractor Flow Down GuideWord
CMMC-GUIDE-002-FCIScoping GuideWord
COST-001Cost Estimation WorksheetWord
DIAG-001Network Diagram TemplateWord
SCOPE-001-CUIBoundary Scoping GuideWord
C3PAO 001 Selection GuideWord
CLOUD-001FedRAMP Cloud ComparisonWord
SSP-001System Security PlanWord
CHK-001Assessment Readiness ChecklistWord
CMMC-GUIDE-003Self Assessment Preparation GuideWord
EVD-002Sample Evidence PackageWord
QW-001Control Implementation Quick WinsWord
FAQ-001-CMMCLevel 2 FAQWord
Technical Verification · 3 documents
CMMC-VERIFY-001Practice Verification ChecklistWord
CMMC-VERIFY-002Evidence Screenshot GuideWord
CMMC-VERIFY-003PowerShell Command ReferenceWord

Want to see the quality behind the titles? Preview a sample document →

Works well with

CMMC L1 Compliance Pack

CMMC L1 Compliance Pack

$399
CMMC Level 1FAR 52.204-21FCI
SME Security Program Pack

SME Security Program Pack

$497
NIST CSF 2.0ISO 27001CIS Controls v8

Document Customization

Need this customized to your organization?

Complete an intake form. We customize every document: industry context, regulatory mapping, calibrated parameters. Delivered in 7-10 business days.

Learn More →

Need the skills to operate the program? Our training platform builds the capability. Explore courses →

Related products

CMMC L1 Compliance Pack

CMMC L1 Compliance Pack

$399
CMMC Level 1FAR 52.204-21FCI
SME Security Program Pack

SME Security Program Pack

$497
NIST CSF 2.0ISO 27001CIS Controls v8
Cyber Essentials Pack

Cyber Essentials Pack

$200
Cyber EssentialsNCSC Five ControlsIASME

Ready to strengthen your security program?

Get started with professional, audit-ready documentation today.

Buy Now · $1,497 View All Products
CMMC L2 Compliance Pack $1,497 Preview Buy Now