
CMMC Level 2 Compliance & C3PAO Readiness

Microsoft GCC High & CMMC Compliance Solutions

Protect Controlled Unclassified Information. Score 110 on SPRS. Pass your C3PAO assessment. palmiq delivers end-to-end CMMC Level 2 readiness — CUI scoping, NIST 800-171 implementation across all 110 controls and 320 assessment objectives, SSP development, and full audit preparation.
- SPRS score (Level 2): 110 / 110 maximum
- 110 controls · 320 objectives · 14 domains
- DFARS 7012 (CUI protection) · NIST 800-171 R2 (110 controls) · C3PAO certified (3-year validity)
What Is CMMC Level 2?
CMMC Level 2 (Advanced) is the middle tier of the Department of Defense’s Cybersecurity Maturity Model Certification program. It requires defense contractors and subcontractors to implement all 110 security controls from NIST SP 800-171 Revision 2 across 14 control families to protect Controlled Unclassified Information (CUI).

CUI includes technical drawings, engineering data, manufacturing processes, export-controlled information, and any data marked with CUI designators under DFARS 252.204-7012. If your contracts involve CUI, Level 2 is your compliance target.

Unlike Level 1’s pass/fail self-assessment, Level 2 uses a weighted scoring system with a maximum SPRS score of 110. Most contracts require a triennial C3PAO assessment by a certified third-party organization, though some lower-risk contracts allow self-assessments. POA&Ms are permitted under specific conditions: you must score at least 80% and meet all essential controls to achieve conditional certification, with 180 days to close remaining gaps.
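The weighted SPRS scoring and the conditional-certification rule described above (and applied in the gap-analysis step later on this page), as an added example that is not palmiq's tooling: it scores a constructed gap-analysis result, applies the partial-credit deductions for MFA and FIPS-validated cryptography from the DoD NIST SP 800-171 Assessment Methodology, and flags the gaps that cannot be deferred to a POA&M. The weight table and sample findings are constructed, and the POA&M eligibility rules are my reading of the CMMC Level 2 rule; treat both as assumptions.

```python
"""Added example, not palmiq's tooling: SPRS-style scoring of a Level 2 gap
analysis (start at 110, subtract weighted deductions) plus the conditional check."""
from typing import Dict, List, Tuple

MAX_SCORE = 110
CONDITIONAL_MIN = 88                         # 80% of 110, the page's floor
PARTIAL_DEDUCTION = 3                        # DoD methodology partial credit
PARTIAL_CREDIT_CONTROLS = {"3.5.3", "3.13.11"}   # MFA, FIPS-validated crypto
# Never allowed on a POA&M (my reading of the CMMC rule; verify before relying on it).
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# Constructed weights for the sample only; replace with DoD's published
# 1/3/5-point values for all 110 controls.
WEIGHTS: Dict[str, int] = {"3.1.1": 5, "3.1.20": 1, "3.3.1": 5, "3.3.3": 1,
                           "3.5.3": 5, "3.13.11": 5}
Findings = Dict[str, str]                    # id -> "MET" | "NOT MET" | "PARTIAL"

def deduction(control: str, status: str, weights: Dict[str, int]) -> int:
    """Points lost for one assessed control."""
    if status == "MET":
        return 0
    if status == "PARTIAL":
        if control not in PARTIAL_CREDIT_CONTROLS:
            raise ValueError(f"{control}: no partial credit for this control")
        return PARTIAL_DEDUCTION
    if status != "NOT MET":
        raise ValueError(f"{control}: unknown status {status!r}")
    return weights[control]

def sprs_score(findings: Findings, weights: Dict[str, int] = WEIGHTS) -> int:
    """110 minus all deductions; unlisted controls count as MET. Can go negative."""
    return MAX_SCORE - sum(deduction(c, s, weights) for c, s in findings.items())

def poam_eligible(control: str, status: str, weights: Dict[str, int]) -> bool:
    """Only 1-point gaps, plus non-FIPS crypto (3.13.11 at 3 points), may be deferred."""
    if control in NEVER_ON_POAM:
        return False
    return (control == "3.13.11" and status == "PARTIAL") or weights[control] == 1

def conditional_status(findings: Findings, weights: Dict[str, int] = WEIGHTS
                       ) -> Tuple[int, bool, List[str]]:
    """Return (score, conditional certification reachable, gaps that block it)."""
    score = sprs_score(findings, weights)
    blockers = sorted(c for c, s in findings.items()
                      if s != "MET" and not poam_eligible(c, s, weights))
    return score, score >= CONDITIONAL_MIN and not blockers, blockers

# Constructed gap-analysis output: MFA on privileged accounts only, encryption in
# place but not FIPS-validated, no audit logging, no external-connection control.
SAMPLE: Findings = {"3.1.1": "MET", "3.1.20": "NOT MET", "3.3.1": "NOT MET",
                    "3.3.3": "NOT MET", "3.5.3": "PARTIAL", "3.13.11": "PARTIAL"}
```

Calling `conditional_status(SAMPLE)` scores 97, above the 88-point floor, yet conditional certification is still blocked because the open 5-point and never-deferrable gaps cannot sit on a POA&M.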
- 110 security controls (NIST 800-171 Rev. 2)
- 320 assessment objectives (NIST 800-171A)
- 14 control families, across all domains
- 3-year certification validity (C3PAO assessment)
Sound Familiar?
These are the problems defense contractors bring to palmiq when preparing for CMMC Level 2.
“Our SPRS Score Is Negative and We Don’t Know Where to Start.”
palmiq conducts a comprehensive gap analysis against all 110 controls and 320 assessment objectives, calculates your current SPRS score, and delivers a prioritized remediation plan that shows exactly which controls to address first for maximum score improvement.
“We Don’t Have an SSP, POA&M, or Any Documentation.”
Our team develops your complete System Security Plan, network diagrams, data flow maps, CUI asset inventory, POA&M with milestones and completion dates, and all supporting policies and procedures that C3PAO assessors expect to review.
“We Need Someone to Actually Implement the Controls.”
As a full-stack MSP, palmiq deploys and manages the technical controls: MFA, SIEM, EDR, encryption, network segmentation, FIPS-validated cryptography, audit logging, vulnerability scanning, and every other technical requirement across all 14 families.
“We’re Not Ready for a C3PAO Assessment.”
palmiq runs a full mock assessment using the same methodology C3PAOs use: examination, interview, and testing against every assessment objective. We identify and close every finding before you schedule your official assessment.
14 Control Families · 110 Controls · 320 Objectives
CMMC Level 2 requires implementation of every control across all 14 NIST 800-171 families. palmiq implements and manages them all.
- Access Control: 22 controls
- Awareness & Training: 3 controls
- Audit & Accountability: 9 controls
- Configuration Management: 9 controls
- Identification & Authentication: 11 controls
- Incident Response: 3 controls
- Maintenance: 6 controls
- Media Protection: 9 controls
- Personnel Security: 2 controls
- Physical Protection: 6 controls
- Risk Assessment: 3 controls
- Security Assessment: 4 controls
- System & Communications Protection: 22 controls
- System & Information Integrity: 7 controls
What palmiq’s CMMC Level 2 Services Include
End-to-end compliance services from gap analysis through C3PAO certification and ongoing maintenance.
1. CUI Scoping & Gap Analysis
- Identify and classify CUI across contracts and data flows
- Inventory all CUI assets, security protection assets, and specialized assets
- Evaluate all 110 controls against 320 assessment objectives
- Calculate current SPRS score with weighted point values
- Deliver prioritized remediation roadmap by control family
2. SSP, POA&M & Documentation
- System Security Plan with system boundaries and architecture
- Network diagrams and CUI data flow documentation
- POA&M with milestones, responsible parties, and completion dates
- CUI handling procedures, marking, and destruction policies
- All 14-family security policies and operating procedures
- Incident response plan aligned with DFARS 7012 72-hour reporting
3. Technical Control Implementation
- MFA for all privileged and network accounts (Entra ID, Duo, Okta)
- SIEM deployment and centralized audit logging (Sentinel, Splunk)
- EDR/XDR endpoint protection (CrowdStrike, SentinelOne)
- FIPS 140-2 validated encryption for CUI at rest and in transit
- Network segmentation and CUI enclave architecture
- Vulnerability scanning, patch management, and baseline configs
- Encrypted backup and disaster recovery (Acronis, Datto)
4. Mock Assessment & C3PAO Preparation
- Full mock assessment using C3PAO methodology (examine, interview, test)
- Evidence package compilation for all 320 assessment objectives
- Staff preparation and interview coaching
- POA&M closeout and final remediation before scheduling
- C3PAO coordination and assessment logistics support
- SPRS score submission and annual affirmation process
Two Paths to CMMC Level 2 Compliance
Your contract determines the required assessment type. palmiq prepares you for both.
Level 2 (Self-Assessment)
For contracts involving lower-risk CUI where the DoD has determined a self-assessment is sufficient.
- Triennial self-assessment against 110 controls
- Scored assessment submitted to SPRS
- Annual senior official affirmation
- POA&Ms allowed with 80% minimum score
- Self-managed POA&M closeout within 180 days
- No third-party audit required
Level 2 (C3PAO Assessment): most contracts
For contracts involving critical programs or high-value CUI requiring independent third-party verification.
- Triennial assessment by accredited C3PAO
- Results posted to eMASS by assessor
- Annual senior official affirmation
- Conditional certification with 80% + essential controls
- C3PAO-verified POA&M closeout within 180 days
- 3-year certification validity
From Gap Analysis to C3PAO Certification
A proven process built from years of guiding defense contractors through NIST 800-171 and CMMC compliance.
1. CUI Identification & Scoping: We review DFARS clauses in your contracts, identify CUI categories, map data flows, inventory all assets (CUI, security protection, contractor risk managed, specialized), and define the assessment boundary to minimize scope without gaps.
2. Gap Analysis & SPRS Scoring: palmiq evaluates all 110 controls against 320 assessment objectives using NIST 800-171A methodology. We calculate your current SPRS score, identify every NOT MET control, and produce a prioritized remediation plan organized by control family and point value.
3. SSP Development & Documentation: Our team builds your complete System Security Plan, network architecture diagrams, CUI data flow maps, POA&M with milestones, and all required security policies and procedures. This documentation package forms the foundation of your C3PAO assessment.
4. Technical Control Implementation: palmiq engineers deploy and configure every technical control: MFA, SIEM, EDR, FIPS encryption, network segmentation, vulnerability scanning, patch management, audit logging, backup, and incident response tooling. We operate them as part of your managed services.
5. Mock Assessment & Remediation: We conduct a full mock assessment using C3PAO methodology: examining documentation, interviewing staff, and testing controls. Every finding is remediated, POA&M items are closed, and evidence packages are finalized before you engage your C3PAO.
6. C3PAO Assessment & Ongoing Compliance: palmiq supports you through the formal C3PAO assessment, coordinates evidence submission, addresses any findings, and provides ongoing compliance management including continuous monitoring, annual affirmations, and triennial recertification preparation.
Your CMMC Level 2 Partner from Assessment to Certification
Assess + Implement + Operate
We don’t just write documentation — we deploy and manage every technical control as part of your ongoing managed services. One partner, end to end.
Government & DIB Expertise
Based in Ashburn, Virginia with deep experience serving defense contractors, government agencies, and regulated industries. We understand CUI, DFARS, and CMMC inside and out.
GCC High & Sentinel
Expert deployment of Microsoft 365 GCC/GCC High, Entra ID, Sentinel SIEM, Defender for Endpoint, and Intune for CMMC-compliant environments.
FIPS Backup & DR
Enterprise-grade encrypted backup and disaster recovery that satisfies media protection, system integrity, and availability controls across all 14 families.
Certified Small Business
Certified women-owned small business serving the defense supply chain. No long-term contracts required. Built for the DIB.
English & Spanish
Full service delivery in English and Spanish, supporting defense contractors and subcontractors across the Americas.
"palmiq took us from a SPRS score of -47 to a perfect 110 in under nine months. They rebuilt our SSP, implemented every technical control, ran our mock assessment, and we passed our C3PAO audit with zero findings. We couldn’t have done it without their team."
— CISO, Defense Manufacturing Contractor
ISO 27001 as the Foundation for Multi-Standard Compliance
ISO 27001’s Annex SL structure and Annex A controls map directly to other security and privacy frameworks, reducing duplication and accelerating additional compliance programs.
NIST 800-171 & CMMC
ISO 27001 Annex A controls map extensively to NIST 800-171 families. Organizations pursuing both can share risk assessments, policies, and technical implementations.
SOC 2 Type II
The Trust Services Criteria align closely with ISO 27001. A certified ISMS provides a strong foundation for SOC 2 readiness, sharing evidence across both programs.
HIPAA
ISO 27001 Annex A controls cover administrative, physical, and technical safeguards that align with HIPAA Security Rule requirements for covered entities and business associates.
GDPR
Article 32 of GDPR requires appropriate technical and organizational measures. ISO 27001 certification demonstrates a systematic approach to data protection compliance.
ISO 27701 (Privacy)
ISO 27701 extends ISO 27001 with privacy-specific requirements. A certified ISMS is a prerequisite, making ISO 27001 the gateway to privacy management certification.
NIST Cybersecurity Framework
NIST CSF’s five functions (Identify, Protect, Detect, Respond, Recover) align naturally with ISO 27001 clause structure and Annex A control themes.
Don’t Let a Low SPRS Score Cost You Your Next Contract
CMMC Level 2 enforcement is live. palmiq gives you a clear, managed path from gap analysis to a perfect SPRS score and C3PAO certification.
Schedule Your Gap Analysis