CMMC Level 2 in 30 Days: A Defense Contractor's Compliance Playbook
The CMMC Level 2 deadline is November 10, 2026. A week-by-week playbook to get from gap analysis to assessment-ready in 30 days, with tooling to automate most of it.
Understanding Your SPRS Score
Before diving into the playbook, you need to understand the scoring system. Your SPRS score ranges from -203 to 110.
Each of the 110 practices carries a point value of 1, 3, or 5 depending on its security impact. Your SPRS score starts at 110 and is reduced by the value of each unimplemented practice. The DoD already requires you to submit your SPRS score to the SPRS portal — CMMC Level 2 formalizes the assessment behind that number.
For most contracts, you need a score of 110 (all practices met) or a documented POAM for every gap, with milestones and deadlines for closing them.
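To make the scoring rule concrete, here is a small calculator, added as an example rather than taken from CVERiskPilot or the DoD Assessment Methodology. It starts at 110, subtracts the weight of each unimplemented practice, and orders the resulting POAM lines heaviest first. The practice catalog is a constructed sample of 8 of the 110 practices; its weights follow the 1/3/5 scheme but are an assumption to be checked against the official table before you rely on them.

```python
"""SPRS score worked example (added here; not CVERiskPilot code).

Applies the rule stated above: start at 110 and subtract the weight (1, 3 or 5)
of every practice that is not implemented. The catalog below is a constructed
sample of 8 of the 110 practices; the weights follow the 1/3/5 scheme but are
an assumption to be checked against the DoD Assessment Methodology table.
"""

MAX_SCORE = 110    # every practice implemented
MIN_SCORE = -203   # every practice unimplemented
TOTAL_WEIGHT = MAX_SCORE - MIN_SCORE  # 313: the sum of all 110 weights

# Constructed sample: practice id -> (weight, short description)
SAMPLE_PRACTICES = {
    "3.1.1": (5, "Limit system access to authorized users"),
    "3.1.2": (5, "Limit access to permitted transactions and functions"),
    "3.3.1": (5, "Create and retain system audit logs and records"),
    "3.4.1": (5, "Establish and maintain baseline configurations"),
    "3.5.3": (5, "Use multifactor authentication"),
    "3.7.1": (3, "Perform maintenance on organizational systems"),
    "3.13.16": (1, "Protect the confidentiality of CUI at rest"),
    "3.14.1": (5, "Identify, report, and correct system flaws in a timely manner"),
}


def catalog_is_complete(practices: dict) -> bool:
    """True only for a full 110-practice table whose weights sum to 313.

    Catches a transcription error in the table before it skews every score.
    """
    return len(practices) == 110 and sum(w for w, _ in practices.values()) == TOTAL_WEIGHT


def sprs_score(unimplemented: set[str], practices: dict = SAMPLE_PRACTICES) -> int:
    """Score = 110 minus the weight of each unimplemented practice."""
    unknown = set(unimplemented) - set(practices)
    if unknown:
        raise ValueError(f"unknown practice ids: {sorted(unknown)}")
    return MAX_SCORE - sum(practices[p][0] for p in unimplemented)


def poam_entries(unimplemented: set[str], practices: dict = SAMPLE_PRACTICES) -> list[dict]:
    """One POAM line per gap, heaviest practices first (they move the score most)."""
    entries = [
        {"practice": p, "weight": practices[p][0], "description": practices[p][1]}
        for p in unimplemented
    ]
    return sorted(entries, key=lambda e: (-e["weight"], e["practice"]))


if __name__ == "__main__":
    gaps = {"3.5.3", "3.7.1", "3.13.16"}
    print("SPRS score:", sprs_score(gaps))  # 110 - (5 + 3 + 1) = 101
    for e in poam_entries(gaps):
        print(f"  {e['practice']:8} {e['weight']} pt  {e['description']}")
```

The `catalog_is_complete` check is the one worth keeping: a full table must hold exactly 110 entries whose weights sum to 313, which is how the -203 floor arises, so a table that fails it has been transcribed wrong.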
Week 1: Scoping and Gap Analysis
Day 1-2: Define Your CUI Boundary
Before scanning anything, you need to know what systems handle CUI. This is the scoping step that most contractors get wrong — they either scope too broadly (every system in the company) or too narrowly (just the file share).
Your CUI boundary includes:
Document this boundary. It becomes part of your SSP.
Day 3-4: Run Your Initial Scan
Point your scanner at everything inside the CUI boundary. You need visibility into:
```shell
npx @cveriskpilot/scan --preset defense
```
This command runs three scanners in parallel — SBOM analysis (CVE/EPSS/KEV enrichment), IaC configuration checks, and secrets detection — then maps every finding to NIST 800-171 control families.
The output gives you a starting point: how many findings across which NIST 800-171 families, and which are critical vs. informational.
Day 5-7: Categorize Findings by Control Family
NIST 800-171 organizes its 110 practices into 14 control families:
| Family | Practices | What It Covers |
|---|---|---|
| Access Control (AC) | 22 | Who can access what, least privilege, remote access |
| Awareness & Training (AT) | 3 | Security training for personnel |
| Audit & Accountability (AU) | 9 | Logging, monitoring, audit trail protection |
| Configuration Management (CM) | 9 | Baseline configs, change control, least functionality |
| Identification & Authentication (IA) | 11 | User identity, MFA, password policies |
| Incident Response (IR) | 3 | Incident handling, reporting, testing |
| Maintenance (MA) | 6 | System maintenance controls |
| Media Protection (MP) | 9 | CUI on removable media, sanitization |
| Personnel Security (PS) | 2 | Screening, termination procedures |
| Physical Protection (PE) | 6 | Physical access controls, monitoring |
| Risk Assessment (RA) | 2 | Vulnerability scanning, risk assessments |
| Security Assessment (CA) | 4 | System security plans, assessments |
| System & Communications Protection (SC) | 16 | Encryption, boundary protection, session management |
| System & Information Integrity (SI) | 7 | Flaw remediation, monitoring, alerts |
Map each finding to the control family it affects. CVERiskPilot does this automatically using its CWE-to-NIST mapping engine — every vulnerability with a CWE identifier gets mapped to the specific 800-171 practices it threatens.
By the end of Week 1, you should have:
Week 2: Remediate Critical Findings
Priority 1: KEV Items (Days 8-9)
If any of your findings appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, those are your top priority. KEV items are actively exploited in the wild. They represent immediate risk to your CUI, and assessors will flag them instantly.
CVERiskPilot enriches every CVE with KEV status automatically. Filter your findings by KEV = true, and patch or mitigate every one.
Priority 2: High-EPSS Vulnerabilities (Days 10-11)
After KEV items, focus on vulnerabilities with high Exploit Prediction Scoring System (EPSS) scores. EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, so a CVE with EPSS > 0.7 carries an estimated 70% chance of being exploited within a month — even if its CVSS score is only "Medium."
This is the intelligence layer that separates prioritized remediation from "fix everything at once" panic. Address the findings most likely to be exploited first.
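The ordering described in the KEV and EPSS sections above, written out as an added example (not CVERiskPilot's triage engine): KEV listings first, then anything with EPSS above 0.7, then the rest by CVSS as a tiebreak. The findings and CVE identifiers are constructed placeholders; the `families` field stands in for the NIST 800-171 mapping the page says the scanner produces.

```python
"""Week 2 remediation ordering (added example; not CVERiskPilot code).

Implements the priority described above: CISA KEV listings first, then
vulnerabilities whose EPSS score exceeds 0.7, then everything else by
CVSS. The findings below are constructed sample data with placeholder CVE ids.
"""
from dataclasses import dataclass

EPSS_HIGH = 0.7  # threshold from the text: >70% exploit probability in 30 days


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float                # base severity, 0-10
    epss: float                # probability of exploitation in the next 30 days
    kev: bool                  # listed in CISA's Known Exploited Vulnerabilities catalog
    families: tuple[str, ...]  # NIST 800-171 families the finding maps to (assumed)


# Constructed sample findings with placeholder identifiers
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, kev=False, families=("SI",)),
    Finding("CVE-0000-0002", cvss=5.3, epss=0.85, kev=False, families=("SC", "SI")),
    Finding("CVE-0000-0003", cvss=7.5, epss=0.40, kev=True, families=("AC", "SI")),
    Finding("CVE-0000-0004", cvss=4.0, epss=0.01, kev=False, families=("CM",)),
]

WINDOWS = {1: "Days 8-9 (KEV)", 2: "Days 10-11 (EPSS > 0.7)", 3: "Backlog"}


def priority_tier(f: Finding) -> int:
    """1 = KEV (Days 8-9), 2 = high EPSS (Days 10-11), 3 = remaining backlog."""
    if f.kev:
        return 1
    if f.epss > EPSS_HIGH:
        return 2
    return 3


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Sort by tier, then by exploit probability, then by CVSS as a tiebreak."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.epss, -f.cvss, f.cve))


def cvss_only(findings: list[Finding]) -> list[Finding]:
    """The CVSS-only ordering the text warns against, kept for comparison."""
    return sorted(findings, key=lambda f: (-f.cvss, f.cve))


def remediation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group CVE ids by the playbook window in which they should be fixed."""
    plan: dict[str, list[str]] = {name: [] for name in WINDOWS.values()}
    for f in prioritize(findings):
        plan[WINDOWS[priority_tier(f)]].append(f.cve)
    return plan


if __name__ == "__main__":
    print("CVSS only:", [f.cve for f in cvss_only(SAMPLE_FINDINGS)])
    print("KEV/EPSS: ", [f.cve for f in prioritize(SAMPLE_FINDINGS)])
    print(remediation_plan(SAMPLE_FINDINGS))
```

Note how the "Medium" CVSS 5.3 finding with EPSS 0.85 moves ahead of the CVSS 9.8 finding that nobody is exploiting, which is exactly the re-ordering the text argues for.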
Priority 3: Secrets and Credential Exposure (Day 12)
Any secrets detected in your codebase — API keys, tokens, private keys, connection strings — need immediate rotation. This affects multiple NIST 800-171 families:
Rotate every exposed secret, then update your secret management practices to prevent recurrence: use a vault or secrets manager, and never hardcode credentials.
Priority 4: Configuration Gaps (Days 13-14)
IaC scanner findings typically map to Configuration Management (CM) and System & Communications Protection (SC) families. Common issues:
Fix these systematically. Each fix improves your SPRS score.
Week 3: Build Evidence Packages
Days 15-17: Generate POAMs
A Plan of Action and Milestones (POAM) documents every gap between your current state and full compliance. For each unmet practice, a POAM includes:
CVERiskPilot generates POAMs in FedRAMP Appendix A format, which is accepted by C3PAOs and DIBCAC assessors. Each POAM entry links back to the specific findings that triggered it, with the CWE-to-NIST mapping as evidence.
# In the CVERiskPilot dashboard:
Days 18-19: Document Your SSP Excerpts
Your System Security Plan (SSP) describes how you implement each of the 110 practices. For practices backed by scan evidence, your SSP excerpts can reference:
Days 20-21: Compile Audit Trail Evidence
Assessors want to see that your security practices are ongoing, not one-time activities. Export your:
CVERiskPilot maintains a hash-chain audit log for all security-relevant actions. Every triage decision, approval, and remediation is recorded with timestamps and user attribution. This is exactly the evidence package assessors expect.
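What a hash-chain audit log buys you, shown with an added example that is my own illustration and not CVERiskPilot's implementation: every entry records the hash of the entry before it and a SHA-256 over its own fields plus that link, so editing, reordering or deleting any record after the fact breaks verification at that point. Actors, actions, timestamps and the CVE identifier in the sample log are constructed.

```python
"""Hash-chain audit log (added example; not CVERiskPilot's implementation).

Each entry stores the hash of the previous entry and a SHA-256 over its own
fields plus that link, so editing, reordering or deleting any record breaks
verification from that entry onward. Entries, actors and timestamps below are
constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # link value for the first entry
FIELDS = ("ts", "actor", "action", "target")


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    payload = json.dumps({"prev": prev_hash, **record}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, actor: str, action: str, target: str, ts: Optional[str] = None) -> str:
        """Record a triage decision, approval or remediation; returns its hash."""
        record = {
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "target": target,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {**record, "prev": prev, "hash": _entry_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> tuple[bool, Optional[int]]:
        """Walk the chain; returns (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            record = {k: e[k] for k in FIELDS}
            if e["prev"] != prev or e["hash"] != _entry_hash(prev, record):
                return False, i
            prev = e["hash"]
        return True, None

    def export_jsonl(self) -> str:
        """Evidence export: one JSON object per line, link and hash included."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_sample_log() -> AuditLog:
    """Constructed Week 2 activity with fixed timestamps so hashes are stable."""
    log = AuditLog()
    log.append("analyst1", "triage:kev-confirmed", "CVE-0000-0003", "2026-03-02T09:00:00+00:00")
    log.append("lead1", "approve:patch", "CVE-0000-0003", "2026-03-02T09:30:00+00:00")
    log.append("analyst1", "remediated", "CVE-0000-0003", "2026-03-03T14:10:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["action"] = "approve:accept-risk"  # simulated after-the-fact edit
    print("after tampering:", log.verify())
```

The chain only proves integrity from the point where the verifier starts; to make it assessor-grade, publish or externally timestamp the latest hash periodically so the head of the chain itself cannot be quietly replaced.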
Week 4: Mock Assessment and Final Remediation
Days 22-24: Self-Assess Against All 110 Practices
Walk through each of the 110 practices one by one. For each practice, you should be able to answer:
Use the NIST 800-171A assessment objectives as your checklist. Each practice has specific assessment objectives that define what "implemented" means.
Days 25-27: Close Remaining Gaps
By now, your POAM should be shrinking. Focus on closing any gaps that can be resolved before the assessment:
Days 28-29: Recalculate SPRS Score
Run a fresh scan. Compare your current findings to the Week 1 baseline:
```shell
npx @cveriskpilot/scan --preset defense
```
Your SPRS score should be significantly higher. Any remaining gaps should have POAMs with realistic milestones.
Day 30: Package and Submit
Compile your assessment package:
If you are pursuing a self-assessment (Level 2, for select contracts), this package is your deliverable. If you need a C3PAO assessment, this package is what you hand to your assessor on day one.
How CVERiskPilot Automates Each Step
| Week | Manual Approach | With CVERiskPilot |
|---|---|---|
| Week 1: Gap Analysis | Spreadsheets, manual control mapping, consultant interviews | CLI scan maps findings to 110 practices automatically, calculates SPRS estimate |
| Week 2: Remediation | CVSS-only prioritization, no exploit intelligence | AI triage with EPSS + KEV + compliance impact prioritization |
| Week 3: Evidence | Manual PDF assembly, screenshots, email trails | One-click POAM export, hash-chain audit trail, dashboard evidence |
| Week 4: Assessment | Paper-based checklist, re-scan and hope | Automated re-scan, score comparison, assessment-ready export |
The CLI: Free, Offline, Zero-Config
Start with the free CLI scanner. No account required, no data leaves your machine:
```shell
npx @cveriskpilot/scan --preset defense
```
This gives you:
The Platform: Collaboration, AI Triage, Evidence Export
When you are ready for team collaboration, AI-powered triage, and audit evidence export, the platform adds:
The Bottom Line
CMMC Level 2 compliance is not a mystery. It is 110 well-documented security practices. The challenge is mapping your current security posture to those practices, closing the gaps systematically, and documenting everything for an assessor.
The contractors who start now — with 7+ months before the deadline — have time to do this methodically. The contractors who wait until September will be scrambling, overpaying consultants, and cutting corners.
Run the scan. Know your score. Close the gaps. Document everything.
```shell
npx @cveriskpilot/scan --preset defense
```
CVERiskPilot is a 100% veteran-owned compliance intelligence platform. Built by people who have lived the mission. Start your CMMC assessment now.
Ready to close the compliance gap?
Run your first compliance scan in 90 seconds. No account needed.
```shell
npx @cveriskpilot/scan@latest --preset startup
```
