Regulatory Compliance · 14 min read · Prova Team

CMMC 2.0 Phased Implementation for Defense Contractor PE Portcos in 2026: The Honest Mid-Market Playbook

CMMC 2.0 phased implementation runs from late 2025 through 2028, and the 300–1,500 emp PE-backed defense contractor is squarely in Phase 2 scope as of 2026. This is the honest playbook on Level 1 (the 15 FAR 52.204-21 safeguarding requirements, assessed as 17 CMMC practices), Level 2 (NIST SP 800-171 Rev 2, 110 requirements), C3PAO assessment economics, how CMMC controls overlap with SOX ITGC and SOC 2 TSC CC6–CC8, and the evidence architecture that lets a 650-emp portco clear assessment without burning $400K+ on outsourced consulting.

The short answer: CMMC 2.0 (32 CFR Part 170, 48 CFR Subpart 204.75) phased implementation runs from late 2025 through 2028, and a 300–1,500 emp PE-backed defense contractor is squarely in Phase 2 scope as of 2026. Level 1 (FAR 52.204-21, 15 basic safeguarding requirements assessed as 17 CMMC practices) applies to contracts processing Federal Contract Information (FCI); Level 2 (NIST SP 800-171 Rev 2, 110 security requirements) applies to contracts processing Controlled Unclassified Information (CUI); Level 3 (NIST SP 800-172 enhanced requirements, 24 additional controls on top of Level 2) applies to the highest-sensitivity DoD programs. By our mapping, approximately 58 percent of Level 2's 110 controls overlap with SOX ITGC under PCAOB AS 2201 §.39, and approximately 72 percent overlap with SOC 2 Trust Services Criteria CC6 (logical access), CC7 (system operations), and CC8 (change management). C3PAO assessment economics at Level 2 run $75,000–$180,000 per assessment cycle for 300–1,500 emp contractors, plus 800–1,600 internal compliance hours per year to maintain evidence. The correct architecture consolidates CMMC evidence with existing SOX ITGC and SOC 2 continuous testing; platforms that force parallel stacks burn the PE portco G&A envelope fast. This is the playbook.

This post is written for the Controller, Internal Audit Director, CISO, or Chief Compliance Officer at a 300–1,500 emp PE-backed defense contractor or prime/sub with DoD exposure, facing CMMC 2.0 Level 2 assessment in the 2026–2028 window. The reader is assumed SOX-fluent and NIST-aware but not necessarily CMMC-specialized.

What is CMMC 2.0 and when does it actually bite?

CMMC 2.0 is the Cybersecurity Maturity Model Certification program, codified in 32 CFR Part 170 and referenced in DFARS 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021, with contract-level implementation in 48 CFR Subpart 204.75. The program replaces the earlier five-level CMMC 1.0 (2020) with a three-tier model aligned to NIST standards.

Level 1 requires compliance with FAR 52.204-21 (basic safeguarding of covered contractor information systems): the clause lists 15 requirements, which CMMC assesses as 17 Level 1 practices covering basic cyber hygiene (access control, media protection, physical protection, identification and authentication, system and communications protection, system and information integrity). Annual self-assessment plus an annual affirmation by a senior official, entered in SPRS; required for any DoD contract or subcontract that processes Federal Contract Information (FCI), which FAR 4.1901 defines as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service.

Level 2 requires compliance with NIST SP 800-171 Rev 2 — 110 security requirements across 14 families (access control AC, audit and accountability AU, awareness and training AT, configuration management CM, identification and authentication IA, incident response IR, maintenance MA, media protection MP, personnel security PS, physical protection PE, risk assessment RA, security assessment CA, system and communications protection SC, system and information integrity SI). The 32 CFR Part 170 rule pins Level 2 to Rev 2; NIST published Rev 3 in May 2024 (97 requirements in 17 families), but a DoD class deviation keeps DFARS 252.204-7012 and CMMC on Rev 2 until DoD formally adopts Rev 3, so do not build your SSP against Rev 3 numbering. Triennial third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) for most contracts processing Controlled Unclassified Information (CUI); triennial self-assessment for a narrow subset the DoD explicitly designates; both carry an annual affirmation in SPRS.

Level 3 requires Level 2 certification plus a selected set of NIST SP 800-172 enhanced security requirements — 24 additional controls on top of Level 2. Triennial government assessment by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a C3PAO. Required for the highest-sensitivity DoD programs involving CUI at elevated confidentiality risk or Advanced Persistent Threat exposure.

The phased implementation timeline in 32 CFR Part 170: Phase 1 began November 10, 2025, the effective date of the DFARS final rule (48 CFR 204.75 and 252.204-7021), and lets contracting officers require Level 1 and Level 2 self-assessments in new solicitations. Phase 2 begins one year after that date (November 2026) and adds the requirement for Level 2 C3PAO certification where a solicitation calls for it. Phase 3 begins two years after the effective date and adds Level 3 government assessments. Phase 4 begins three years after the effective date and extends CMMC requirements to all applicable solicitations and contracts, including option exercises. A 300–1,500 emp PE-backed defense contractor with CUI-processing work is squarely in Phase 2 scope for solicitations issued from late 2026, meaning the next competitive procurement in CUI-processing space requires CMMC 2.0 Level 2 certification in hand, not in progress.

The consequence at the mid-market: a PE portco defense contractor without CMMC 2.0 Level 2 certification cannot win or renew CUI-processing contracts once the Phase 2 requirement appears in the solicitation. This is existential, not optional. The alternative, subcontracting under a Level 2-certified prime, works only if the sub never receives CUI: DFARS 252.204-7021 flows the CMMC level down to every subcontractor that will process FCI or CUI, so a prime cannot waive the sub's certification, and primes increasingly drop uncertified subs rather than restructure the data flow.

What does NIST SP 800-171 Rev 2 actually require at 110 controls?

NIST SP 800-171 Rev 2 (February 2020, the revision CMMC Level 2 assesses against) organizes 110 security requirements across 14 control families. NIST SP 800-171 Rev 3 (May 2024) reorganizes the same ground into 97 requirements across 17 families, but it is not yet the CMMC baseline, so the counts and section numbers below follow Rev 2. The requirements address how a non-Federal system protects CUI confidentiality. This post summarizes the families relevant to mid-market PE portco evaluation.

Access Control (AC) — 22 requirements. Authorized access only; separation of duties; principle of least privilege; unsuccessful logon attempts lockout; remote access monitoring; wireless access authorization; mobile device authorization. Maps heavily to SOX ITGC access review and SOC 2 TSC CC6.1, CC6.2, CC6.3.

Audit and Accountability (AU) — 9 requirements. System audit logs; retention; protection of audit information; audit review, analysis, and reporting; correlation of audit records; alerting on audit logging failure. Maps to SOX ITGC logging and SOC 2 TSC CC7.2 (monitoring).

Awareness and Training (AT) — 3 requirements. Security awareness training; insider threat awareness; role-based security training. Maps to SOC 2 CC1.4 (entity commitment).

Configuration Management (CM) — 9 requirements. Baseline configurations; configuration change control; security impact analysis; access restrictions for change; least functionality; software installation restrictions. Maps to SOX ITGC change management under PCAOB AS 2201 §.39 and SOC 2 CC8.1 (change management).

Identification and Authentication (IA) — 11 requirements. Unique identification; multi-factor authentication; replay-resistant authentication; password complexity. Maps to SOX ITGC access review and SOC 2 CC6.1.

Incident Response (IR) — 3 requirements. Operational incident handling capability (preparation, detection, analysis, containment, recovery); tracking, documenting, and reporting incidents to designated officials and authorities; incident response testing. In practice the reporting path is DFARS 252.204-7012: cyber incidents affecting covered defense information are reported to DoD through DIBNet within 72 hours of discovery, not to US-CERT. Maps to SOC 2 CC7.3, CC7.4.

Maintenance (MA) — 6 requirements. System maintenance; maintenance personnel authorization; maintenance tools and diagnostic tools. Limited SOX overlap.

Media Protection (MP) — 9 requirements. Media access restrictions; media sanitization; media marking. Maps to SOC 2 CC6.7 (data protection in transit and at rest).

Personnel Security (PS) — 2 requirements. Personnel screening; personnel termination and access revocation. Maps to SOX ITGC terminated-user access.

Physical Protection (PE) — 6 requirements. Physical access authorization; visitor control; monitoring physical access. Limited direct SOX overlap.

Risk Assessment (RA) — 3 requirements. Risk assessments; vulnerability scanning. Maps to SOC 2 CC3.2, CC7.1.

Security Assessment (CA) — 4 requirements. Security assessment; plan of action and milestones (POAM); system security plan (SSP); continuous monitoring. Maps to SOC 2 CC4.1 (monitoring activities).

System and Communications Protection (SC) — 16 requirements. Boundary protection; cryptographic key management; FIPS-validated cryptography for protecting CUI; collaborative computing devices; transmission confidentiality; network disconnection; denial of network traffic by default. Maps to SOC 2 CC6.6 (network security).

System and Information Integrity (SI) — 7 requirements. Flaw remediation; malicious code protection; security alerts and advisories; periodic and real-time scans; monitoring inbound and outbound communications for attacks; identification of unauthorized use. Maps to SOC 2 CC7.1 (monitoring).

The overlap mapping: approximately 58 percent of Level 2's 110 controls overlap with SOX ITGC under PCAOB AS 2201 §.39, concentrated in Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), and Personnel Security (PS). Approximately 72 percent overlap with SOC 2 Trust Services Criteria CC6, CC7, and CC8 — the highest of any common framework pair in the defense-contractor stack.

What does C3PAO assessment economics actually cost a 300–1,500 emp portco?

C3PAO assessment is the Level 2 certification mechanism. A Certified Third-Party Assessment Organization (accredited by the Cyber AB) conducts a 3-phase assessment — planning, conduct, and reporting — against the 110 NIST SP 800-171 Rev 2 requirements, scoring each as Met or Not Met using the assessment objectives in NIST SP 800-171A. Certification is valid for 3 years, with an annual affirmation of continued compliance in between.

Assessment economics for 300–1,500 emp contractors in 2026: C3PAO engagement fees run $75,000–$180,000 per assessment cycle, varying with CUI scope complexity, network segmentation, and number of locations. A single-site 650-emp contractor processing CUI on a well-segmented enclave typically runs $95,000–$130,000. A multi-site 1,200-emp contractor with CUI flowing through multiple divisions typically runs $150,000–$220,000.

Assessment timeline: 4–8 weeks planning, 2–4 weeks on-site assessment, 4–8 weeks reporting. Total cycle 10–20 weeks. Remediation of identified deficiencies adds 6–16 weeks before final certification issuance if the initial assessment does not clear. The rule does allow a conditional Level 2 status with open items on a POA&M, but only if the score is at least 88 of 110 and every open item is POA&M-eligible, and the POA&M must be closed and verified within 180 days or the conditional status lapses.

Pre-assessment readiness preparation: typical 300–1,500 emp contractors allocate 400–1,000 hours of internal time plus $50,000–$150,000 of external consulting engagement before scheduling the C3PAO assessment. Companies that skip structured readiness preparation often fail first-attempt assessment, which creates a second assessment cycle and burns an additional $75,000–$180,000.

Ongoing maintenance: 800–1,600 internal compliance hours per year between triennial assessments, plus ~$50,000–$150,000 of continuous monitoring platform spend. Companies that underbudget maintenance hours often arrive at the triennial assessment with drift between their documented System Security Plan (SSP) and operational reality, which creates additional remediation cost.

Aggregate 3-year cost for a single 650-emp portco clearing Level 2 Certification: $350,000–$750,000, depending on readiness, C3PAO selection, and maintenance architecture. Consolidating CMMC evidence with existing SOX ITGC and SOC 2 continuous testing can reduce maintenance hours by 400–800 per year, returning approximately $40,000–$120,000 per year to the portco G&A envelope.

How does CMMC 2.0 overlap with SOX ITGC, SOC 2, DORA, and ISO 42001?

Multi-framework overlap is the defining economic variable for a PE-backed defense contractor. A portco running SOX + SOC 2 + CMMC 2.0 Level 2 simultaneously without evidence consolidation duplicates approximately 55 percent of control-testing work across frameworks.

SOX ITGC (PCAOB AS 2201 §.39, .42, .46–.50): approximately 58 percent of Level 2's 110 controls map to SOX ITGC control families. Access Control (AC) family (22 controls) maps directly to SOX access review. Configuration Management (CM) family maps to SOX ITGC change management. Identification and Authentication (IA) family maps to SOX ITGC access review. Audit and Accountability (AU) family maps to SOX ITGC logging.

SOC 2 TSC: approximately 72 percent overlap. CC6 (Logical and Physical Access) maps to CMMC AC, IA, PS, PE. CC7 (System Operations) maps to CMMC AU, IR, SI. CC8 (Change Management) maps to CMMC CM. CC9 (Risk Mitigation) maps to CMMC RA.

DORA (EU digital operational resilience): approximately 45 percent overlap, concentrated on access control, incident response, and third-party risk. A defense contractor with EU exposure can produce evidence for both CMMC 2.0 and DORA from a single continuous-testing stream.

ISO 42001 (AI management systems): limited direct overlap. Indirect overlap where the continuous monitoring agent itself falls within ISO 42001 AI governance scope.

EU AI Act: limited direct overlap. Neither NIST SP 800-171 Rev 2 nor the SP 800-172 enhanced requirements behind Level 3 contain AI-specific controls; the only indirect mapping is that the general cybersecurity, resilience, and logging controls contribute evidence toward EU AI Act Article 15 (accuracy, robustness, cybersecurity) for any high-risk AI system hosted inside the CUI enclave.

The practical aggregate: a single well-designed continuous testing stream with framework-tag mappings can produce evidence for CMMC 2.0 Level 2, SOX ITGC, SOC 2, and DORA simultaneously for a defense-contractor PE portco. The evidence consolidation saves approximately $80,000–$200,000 per year at 650-emp scale and 1,200–2,000 internal compliance hours per year.

Which CMMC controls can agents test continuously, and which require human assessment?

The agent-testability mapping for CMMC 2.0 Level 2 parallels the SOX ITGC mapping closely because the overlapping control families are the same deterministic deployment-frequency populations.

High-confidence agent-testable families (continuous monitoring with agent reasoning): Access Control (AC) — unique user identification, account management, access enforcement, separation of duties, least privilege, session lock, remote access, wireless access, mobile device access. Identification and Authentication (IA) — unique identification, multi-factor authentication, replay-resistant authentication. Audit and Accountability (AU) — log generation, content of audit records, audit retention, audit review. Configuration Management (CM) — baseline configurations, configuration change control, access restrictions for change, least functionality, software installation restrictions. Personnel Security (PS) — personnel termination and access revocation.

Medium-confidence partially agent-testable families: Incident Response (IR) — incident monitoring and detection (agent-testable); incident handling and reporting (human-anchored judgment); incident response testing (human-executed exercise). System and Information Integrity (SI) — flaw remediation scanning (agent-testable); vulnerability disposition (human-judged); security alerts and advisories (hybrid).

Low-confidence or human-required families: Awareness and Training (AT) — training execution and tracking (agent-trackable); training efficacy (human-assessed). Physical Protection (PE) — physical access authorization and monitoring (often agent-testable for electronic systems); physical safeguarding and visitor control (human-assessed and site-specific). Maintenance (MA) — maintenance personnel authorization (agent-trackable); maintenance tool control (human-assessed). Security Assessment (CA) — security assessment execution (human-led); plan of action and milestones (human-maintained); continuous monitoring (agent-anchored). Risk Assessment (RA) — risk assessment methodology (human-led); vulnerability scanning execution (agent-executable).

The aggregate agent-coverage: approximately 55–65 percent of CMMC 2.0 Level 2's 110 controls are agent-testable today at a defensible evidence bar for C3PAO assessment. This matches closely with SOX ITGC agent coverage (30–45 percent of full ICFR, but 55–65 percent of ITGC-specific controls). The architecture is hybrid: agents cover the deterministic deployment-frequency families; humans cover the judgmental and physical families.
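What one of the "agent-testable" checks above looks like in practice, and how a single test result carries the framework tags that the evidence-consolidation section relies on. This is an added example, not code from the original post or from Prova: it reconciles a constructed HR termination roster against a constructed identity-provider export, raises a finding for any terminated employee whose account is still enabled or who signed in after termination, and wraps the result in an evidence record that hashes both inputs so an assessor can verify the datasets were not altered after the test ran. The framework tags, the column names, and the one-day revocation grace period are assumptions to confirm with your auditors and C3PAO.

```python
"""Added example: a terminated-user access reconciliation test that emits
one evidence record tagged for CMMC Level 2, SOX ITGC and SOC 2 at once.
All inputs below are constructed for illustration."""
import csv
import hashlib
import io
import json
from datetime import date, datetime

# Constructed HR roster: one row per employee, termination_date blank if active.
HR_ROSTER_CSV = """emp_id,email,status,termination_date
E100,alice@example.com,active,
E101,bob@example.com,terminated,2026-01-15
E102,carol@example.com,terminated,2026-02-20
E103,dave@example.com,active,
"""

# Constructed identity-provider export: enabled flag and last sign-in (ISO 8601).
IDP_EXPORT_CSV = """email,enabled,last_signin
alice@example.com,true,2026-03-01T09:12:00+00:00
bob@example.com,true,2026-02-02T14:40:00+00:00
carol@example.com,false,2026-02-19T08:00:00+00:00
dave@example.com,true,2026-03-01T07:30:00+00:00
"""

# Assumed framework tags for this one test; confirm with your auditors and C3PAO.
FRAMEWORK_TAGS = {
    "CMMC_L2": ["PS.L2-3.9.2", "AC.L2-3.1.1"],
    "SOX_ITGC": ["user access: terminated-user deprovisioning"],
    "SOC2_TSC": ["CC6.2", "CC6.3"],
}


def sha256_hex(text: str) -> str:
    """Hash an input dataset so the evidence record pins exactly what was tested."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def load_rows(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def terminated_user_findings(hr_csv: str, idp_csv: str, as_of: str, grace_days: int = 1) -> list:
    """Return one finding per control failure for terminated employees.

    Two failure modes are checked: the account is still enabled after the
    grace period, and the account was used after the termination date."""
    as_of_date = date.fromisoformat(as_of)
    accounts = {row["email"]: row for row in load_rows(idp_csv)}
    findings = []
    for emp in load_rows(hr_csv):
        if emp["status"] != "terminated":
            continue
        term_date = date.fromisoformat(emp["termination_date"])
        acct = accounts.get(emp["email"])
        if acct is None:
            continue  # no IdP account exists, so there is nothing to revoke
        enabled = acct["enabled"].strip().lower() == "true"
        last_signin = datetime.fromisoformat(acct["last_signin"]).date()
        if enabled and (as_of_date - term_date).days > grace_days:
            findings.append({
                "email": emp["email"],
                "issue": "account_still_enabled",
                "termination_date": emp["termination_date"],
                "days_overdue": (as_of_date - term_date).days,
            })
        if last_signin > term_date:
            findings.append({
                "email": emp["email"],
                "issue": "signin_after_termination",
                "last_signin": acct["last_signin"],
            })
    return findings


def evidence_record(hr_csv: str, idp_csv: str, as_of: str) -> dict:
    """Package the test outcome as a single, hash-pinned, multi-framework artifact."""
    findings = terminated_user_findings(hr_csv, idp_csv, as_of)
    return {
        "control_test": "terminated_user_access_revocation",
        "as_of": as_of,
        "inputs": {
            "hr_roster_sha256": sha256_hex(hr_csv),
            "idp_export_sha256": sha256_hex(idp_csv),
        },
        "result": "fail" if findings else "pass",
        "findings": findings,
        "frameworks": FRAMEWORK_TAGS,
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record(HR_ROSTER_CSV, IDP_EXPORT_CSV, "2026-03-02"), indent=2))
```

Run against the constructed data, the test fails on one employee (bob, whose account is still enabled 46 days after termination and was used two weeks after it) and passes carol, whose account was disabled before the termination date. The same record, with its input hashes, is what you would hand to the SOX tester, the SOC 2 auditor, and the C3PAO assessor, which is the whole point of tagging once and testing once.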

What does CMMC 2.0 readiness actually look like for a 650-emp PE portco?

A typical 12–18 month CMMC 2.0 Level 2 readiness program for a 650-emp PE-backed defense contractor runs through five phases.

Phase 1 (months 1–2): CUI scoping and system security plan (SSP) drafting. Identify which systems process CUI and categorize every asset per the 32 CFR Part 170 Level 2 scoping guidance (CUI assets, security protection assets, contractor risk managed assets, specialized assets, out of scope). Draft the SSP required by NIST SP 800-171 Rev 2 requirement 3.12.4, covering all 110 requirements. Build the asset inventory and CUI data flow diagram.

Phase 2 (months 2–4): gap analysis. Assess current control implementation against the 110 requirements using the NIST SP 800-171A assessment objectives, and score the result with the DoD Assessment Methodology so you know your SPRS number before the C3PAO does. Identify Level 2 deficiencies. Prioritize remediation, starting with the 5-point and 3-point items that cannot be deferred to a POA&M. Build the Plan of Action and Milestones (POA&M) under NIST SP 800-171 Rev 2 requirement 3.12.2.
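The scoring step is worth doing mechanically, because it decides whether an imperfect assessment ends in a conditional certification with a 180-day POA&M or in an outright failure. The following is an added example, not code from the original post or from Prova. It implements the DoD Assessment Methodology score (start at 110, deduct the point value of each requirement not met, with partial credit only for 3.5.3 and 3.13.11) and the conditional-status rules in 32 CFR 170.21: score of at least 88, no open item worth more than 1 point except 3.13.11 when non-FIPS encryption is in place, and none of 3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5 on the POA&M. The requirement list is a constructed subset with the point values the author believes the methodology assigns; requirements not listed are assumed Met, and you should confirm every point value against the current DoD Assessment Methodology annex before relying on it.

```python
"""Added example: DoD Assessment Methodology score and 32 CFR 170.21
conditional-status check for a CMMC Level 2 assessment. The ASSESSED list
is a constructed subset; point values are assumptions to verify against
the methodology annex."""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110
PASSING_SCORE = 88  # 80 percent of 110, the conditional-status floor

# Requirements that may never sit on a POA&M, even though they are 1-point items.
POAM_NEVER_ALLOWED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

# Partial-credit deductions defined by the methodology: 3.5.3 (MFA for
# remote/privileged but not general users) and 3.13.11 (encryption in place
# but not FIPS-validated) lose 3 points instead of the full 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    req_id: str   # NIST SP 800-171 Rev 2 requirement number
    points: int   # 1, 3 or 5 per the assessment methodology (assumed values)
    status: str   # "met" | "partial" | "not_met"


def deduction(f: Finding) -> int:
    """Points lost for one requirement; only listed items get partial credit."""
    if f.status == "met":
        return 0
    if f.status == "partial" and f.req_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[f.req_id]
    return f.points


def sprs_score(findings: list) -> int:
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def poam_eligible(f: Finding) -> bool:
    """An open item may be deferred to a POA&M only if it is a 1-point item
    not on the never-allowed list, or 3.13.11 with non-FIPS crypto in place."""
    if f.status == "met":
        return True
    if f.req_id in POAM_NEVER_ALLOWED:
        return False
    if f.req_id == "3.13.11" and f.status == "partial":
        return True
    return f.points == 1


def conditional_status(findings: list) -> dict:
    """Classify the assessment as final, conditional (POA&M within 180 days), or not met."""
    score = sprs_score(findings)
    open_items = [f.req_id for f in findings if f.status != "met"]
    blockers = [f.req_id for f in findings if not poam_eligible(f)]
    if not open_items:
        status = "final"
    elif score >= PASSING_SCORE and not blockers:
        status = "conditional"
    else:
        status = "not_met"
    return {"status": status, "score": score, "open_items": open_items, "blockers": blockers}


# Constructed assessment subset; unlisted requirements are treated as Met.
ASSESSED = [
    Finding("3.1.1", 5, "met"),
    Finding("3.1.2", 5, "met"),
    Finding("3.1.20", 1, "met"),
    Finding("3.3.1", 5, "met"),
    Finding("3.3.3", 1, "not_met"),     # logged events not reviewed/updated
    Finding("3.3.4", 1, "not_met"),     # no alert on audit logging failure
    Finding("3.5.3", 5, "met"),
    Finding("3.13.11", 5, "partial"),   # TLS in place, library not FIPS-validated
    Finding("3.10.3", 1, "met"),
    Finding("3.14.1", 5, "met"),
]

if __name__ == "__main__":
    print(conditional_status(ASSESSED))  # conditional, score 105
```

Swap a single 5-point item such as 3.5.3 to not_met and the score (100) still clears 88, but the item is a blocker, so the result is not_met rather than conditional: the 80 percent floor is necessary but not sufficient, and that is the detail that catches teams who budget for "close it on the POA&M later".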

Phase 3 (months 4–10): remediation. Close high-priority deficiencies. Implement technical controls (MFA, encryption, logging, change management). Implement administrative controls (policy, procedure, training). Establish continuous monitoring infrastructure. This is where continuous testing platforms earn their keep — evidence collection infrastructure built in this phase reduces ongoing maintenance burden by 40–60 percent.

Phase 4 (months 10–14): pre-assessment. Internal dry-run against the 110 controls. Evidence collection verification. Document package preparation. Typically engage a C3PAO for a formal pre-assessment review at month 12 before scheduling the certification assessment at month 14.

Phase 5 (months 14–18): C3PAO certification assessment. 4–8 week planning, 2–4 week on-site, 4–8 week reporting. Remediation of any findings. Final certification issuance.

Ongoing (post-certification, year 2 and beyond): continuous evidence maintenance. Annual affirmation of continued compliance by a senior official, entered in SPRS. Triennial C3PAO re-assessment. Continuous monitoring infrastructure operation. POA&M maintenance for any long-running remediation items, remembering that a conditional certification's POA&M must be closed out within 180 days.

A PE portco that skips structured readiness and attempts direct C3PAO assessment after superficial preparation typically fails first-attempt at rates of 60–75 percent, requiring a second assessment cycle. The disciplined readiness pathway saves $75,000–$180,000 in assessment re-do costs.

How should mid-market defense contractors evaluate continuous-testing platforms for CMMC 2.0?

Six questions separate CMMC-capable platforms from SOX-only platforms with a CMMC tag.

First, does the platform produce evidence that maps to all 110 NIST SP 800-171 Rev 2 requirements and to their NIST SP 800-171A assessment objectives? Platforms designed for SOC 2 or SOX alone cover only 60–75 percent of the control population; the gap requires parallel evidence collection.

Second, does the platform support Plan of Action and Milestones (POA&M) maintenance under NIST SP 800-171 Rev 2 requirement 3.12.2? The POA&M is a living artifact that C3PAO assessors review; platforms that treat POA&Ms as static documents force manual maintenance overhead.

Third, does the platform produce System Security Plan (SSP) documentation under NIST SP 800-171 Rev 2 requirement 3.12.4 alongside the evidence? The SSP is the foundational assessment document; evidence that does not cross-reference back to the SSP creates reconciliation work at every assessment cycle.

Fourth, does the evidence format support C3PAO assessor access patterns? Assessors need structured evidence, audit logs, and control-implementation narratives in formats they can consume efficiently. Platforms optimized for internal auditor consumption may not match C3PAO workflows.

Fifth, does the platform handle CUI data appropriately itself? If the platform stores or processes CUI, it is inside the assessment boundary as a security protection asset at minimum, and as a cloud service it must meet the FedRAMP Moderate baseline or DoD-accepted equivalent under DFARS 252.204-7012(b)(2)(ii)(D). Self-hosted or FedRAMP-authorized options matter here; so does keeping evidence collection from pulling raw CUI into a commercial SaaS tenant in the first place.

Sixth, does the evidence map to SOX ITGC, SOC 2 TSC, and DORA simultaneously? Without multi-framework mapping, a defense-contractor PE portco with multiple compliance obligations duplicates approximately 55 percent of control-testing work.

When does outsourced CMMC consulting make sense versus in-house?

Three conditions favor outsourced consulting, and three conditions favor in-house capability build.

Outsourced consulting favors: first-time CMMC assessment with no prior NIST SP 800-171 capability; narrow CUI scope (single contract, single system, single location) where the long-term maintenance burden is low; and compressed timeline (less than 9 months to required certification) where internal capability build is not feasible.

In-house capability favors: multi-contract defense business where CMMC obligations recur across the portfolio; broad CUI scope across multiple systems or locations where ongoing maintenance dominates total cost; and strategic PE thesis of compliance as a margin advantage (defense-focused portco funds with expected defense-contract growth).

Typical 650-emp PE portco decision: hybrid architecture. Engage consulting for initial scoping, gap analysis, and SSP drafting (months 1–4), then internalize continuous monitoring and evidence maintenance (months 4 onward) with a platform partner. Consulting engagement runs $75,000–$200,000; platform spend runs $30,000–$80,000 per year; internal compliance FTE runs $120,000–$200,000 per year. Total first-year cost $225,000–$480,000; ongoing annual $180,000–$350,000.

The all-outsourced alternative — engaging consulting for initial readiness, triennial assessment support, and ongoing maintenance — runs $300,000–$500,000 per year on average across the triennial cycle. Hybrid typically returns 35–45 percent G&A advantage over fully outsourced.

The takeaway

CMMC 2.0 is not optional for defense-contractor PE portcos in the 2026–2028 window. A 300–1,500 emp portco with CUI-processing contracts must clear Level 2 assessment to win or renew those contracts. The financial exposure is existential for contract-dependent portcos.

The correct architecture consolidates CMMC evidence with existing SOX ITGC and SOC 2 continuous testing. Approximately 58 percent overlap with SOX ITGC and 72 percent overlap with SOC 2 TSC means a single well-designed continuous-testing platform with framework-tag mappings produces evidence for multiple frameworks simultaneously. Parallel stacks burn 1,200–2,000 hours per year and $80,000–$200,000 in platform and consulting spend unnecessarily.

Agent-driven continuous testing covers approximately 55–65 percent of CMMC 2.0 Level 2's 110 controls at a defensible evidence bar for C3PAO assessment. The agent-testable families (AC, IA, AU, CM, PS) are the highest-labor families in manual testing, which is where automation returns the most maintenance hours.

The readiness pathway is structured: 12–18 month phased program with CUI scoping, gap analysis, remediation, pre-assessment, and C3PAO certification. Skipping structured readiness produces first-attempt failure at 60–75 percent rates.

If you are the Controller, CISO, or Chief Compliance Officer at a PE-backed defense contractor portco facing Phase 2 CMMC 2.0 Level 2 assessment, the next step is concrete: confirm which level your solicitations and flow-downs actually require (Level 1 for FCI only, Level 2 for CUI, Level 3 for designated programs), run the CUI scoping assessment to fix the assessment boundary, then evaluate whether your current SOX and SOC 2 platforms produce CMMC-shaped evidence or force parallel stacks. Request a design partner slot to walk through the multi-framework mapping. Related reading: SOX automation for PE portfolio companies, DORA for mid-market US finance teams, and continuous control testing primer.

Request a design partner slot

Every Prova design-partner engagement includes a walkthrough dry-run with your external audit partner before you commit. If the partner rejects the evidence format, the engagement terminates.
