Every CMMC Level 2 assessment comes down to 110 controls from NIST SP 800-171 Rev 2 evaluated not by whether you have a policy that mentions them, but by whether you can demonstrate implementation with documented evidence.
Most CMMC conversations focus on certification timelines and contract eligibility. What gets far less attention, and arguably carries higher stakes, is the legal exposure that comes with inaccurate compliance claims. The Department of Justice has made cybersecurity enforcement a priority through its Civil Cyber-Fraud Initiative, which pursues False Claims Act cases against contractors that misrepresent their cybersecurity posture. A self-reported SPRS score is a representation to the government, and one you cannot back with evidence is exactly the kind of claim that initiative targets.
Not all 110 controls carry equal weight. Under the NIST SP 800-171 DoD Assessment Methodology, each is assigned a point value of 1, 3, or 5 based on the impact of leaving it unimplemented.
Your SPRS score starts at 110. Every unimplemented control subtracts its point value, so the range runs from +110 (fully implemented) down to -203 (nothing implemented). Two controls get partial credit: multifactor authentication (3.5.3) deducts 3 rather than 5 when MFA covers remote and privileged access but not general users, and FIPS-validated cryptography (3.13.11) deducts 3 rather than 5 when encryption is in place but the module is not FIPS-validated.
Here is what most contractors miss about how the scoring interacts with the assessment:
5-point and 3-point controls cannot be placed on a POA&M. They must be fully implemented before the assessor arrives; there is no conditional path for them. The single exception is 3.13.11: encryption that is in place but not FIPS-validated scores 3 and may be deferred. Fail any other 5-point or 3-point control and you do not certify, period.
Only 1-point controls can be deferred via POA&M, and not all of them. 32 CFR 170.21 bars five of them from any POA&M: External Connections (3.1.20), Control Public Information (3.1.22), Escort Visitors (3.10.3), Physical Access Logs (3.10.4), and Manage Physical Access (3.10.5). If you defer any eligible control, you need a minimum score of 88 (80 percent of 110) for conditional certification, and every deferred control must be remediated and verified in a POA&M closeout assessment within 180 days, or the conditional certification expires.
The remediation priority is clear: 5-point controls first, 3-point controls second, 1-point controls last. This is not a suggestion; it is the only sequence that protects you from an automatic fail.
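The scoring and conditional-certification rules above are easy to get wrong by hand, so here is an added example (not code from the original page or from Rudram Engineering) that applies the DoD Assessment Methodology arithmetic and the 32 CFR 170.21(a)(2) conditions to an assessment result. The weight table is a constructed sample of ten requirements, not the full Annex A table, and the assessment result is likewise made up; control IDs are NIST SP 800-171 Rev 2 requirement numbers.

```python
"""Added example, not from the original page: a scorer that applies the
DoD Assessment Methodology arithmetic and the 32 CFR 170.21(a)(2) Level 2
conditional-certification rules to an assessment result.

SAMPLE_WEIGHTS is a constructed subset of the Annex A weight table (ten of
the 110 requirements); swap in the full table for real use.
"""
from dataclasses import dataclass, field

TOTAL_REQUIREMENTS = 110   # a full assessment scores all 110

# Constructed sample of the weight table: requirement id -> points.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.20": 1,   # external connections
    "3.1.22": 1,   # control public information
    "3.3.2": 3,    # trace actions to individual users
    "3.5.3": 5,    # multifactor authentication
    "3.6.3": 1,    # test incident response capability
    "3.10.3": 1,   # escort visitors
    "3.11.3": 1,   # remediate vulnerabilities
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # flaw remediation
}

# Scored 3 rather than 5 when partially implemented (MFA only for remote and
# privileged access; encryption in place but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}
# 1-point requirements that may never sit on a POA&M, 170.21(a)(2)(iii).
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# The only requirement above 1 point allowed on a POA&M, and only at 3 points.
POAM_PARTIAL_OK = "3.13.11"


@dataclass
class Result:
    score: int
    deductions: dict            # requirement id -> points lost
    conditional_eligible: bool
    blockers: list = field(default_factory=list)


def meets_threshold(score):
    """170.21(a)(2)(i): score / 110 >= 0.8, i.e. score >= 88. Integer math
    avoids 0.8 * 110 evaluating to 88.00000000000001 in floating point."""
    return 5 * score >= 4 * TOTAL_REQUIREMENTS


def deduction(control, status, weights):
    """Points lost for one requirement. status is 'met', 'partial' or 'not_met';
    'partial' only earns credit for the two partial-credit requirements."""
    if status == "met":
        return 0
    if status == "partial" and control in PARTIAL_CREDIT:
        return 3
    return weights[control]


def score_assessment(statuses, poam, weights=SAMPLE_WEIGHTS):
    """statuses: requirement id -> status for ids in weights (missing ids
    count as met). poam: set of requirement ids the contractor wants to defer.
    Returns the score and whether a conditional Level 2 certification is
    possible; blockers explains why not."""
    deductions = {c: deduction(c, statuses.get(c, "met"), weights) for c in weights}
    deductions = {c: d for c, d in deductions.items() if d}
    score = TOTAL_REQUIREMENTS - sum(deductions.values())

    blockers = []
    if not meets_threshold(score):
        blockers.append(f"score {score} is below 88")
    # Every unmet requirement must be on the POA&M for a conditional result.
    not_deferred = sorted(set(deductions) - set(poam))
    if not_deferred:
        blockers.append(f"unmet and not on POA&M: {not_deferred}")
    for c in sorted(poam):
        lost = deductions.get(c, 0)
        if lost == 0:
            continue                      # met requirements need no deferral
        if c in POAM_EXCLUDED:
            blockers.append(f"{c} may not be placed on a POA&M")
        elif lost > 1 and not (c == POAM_PARTIAL_OK and lost == 3):
            blockers.append(f"{c} loses {lost} points; only 1-point items may be deferred")
    return Result(score, deductions, not blockers, blockers)


# Constructed result: MFA for remote/privileged only, non-FIPS encryption,
# untested IR plan, no visitor escorts; everything else in the sample is met.
SAMPLE_STATUSES = {"3.5.3": "partial", "3.13.11": "partial",
                   "3.6.3": "not_met", "3.10.3": "not_met"}

if __name__ == "__main__":
    r = score_assessment(SAMPLE_STATUSES, {"3.13.11", "3.6.3", "3.10.3"})
    print(r.score, r.conditional_eligible, r.blockers)
```

Run as written, the sample scores 102, comfortably above 88, and is still not eligible for a conditional certification: the partial MFA implementation loses 3 points and cannot be deferred, and 3.10.3 is on the excluded list. Fixing those two and leaving only 3.13.11 (at 3 points) and 3.6.3 on the POA&M produces an eligible result, which is the point of the remediation order above.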
NIST 800-171 organizes the 110 controls into 14 families. Here is what each family covers, how many controls it contains, and the specific failure pattern our Registered Practitioner sees most frequently during gap assessments.
Access Control — 22 controls. The largest family. Governs who accesses what, with what privilege, under what conditions. The most common failure is excessive privilege — organizations grant admin access broadly for convenience and cannot demonstrate least privilege enforcement during assessment. The second is undocumented remote access paths. If employees access CUI systems from home and that access is not documented in your SSP with corresponding controls, the assessor flags it immediately.
Awareness and Training — 3 controls. Small family, outsized failure rate. A generic annual cybersecurity video does not satisfy the role-based training requirement. Your system administrators need training specific to the security configurations they manage. Your CUI handlers need training on marking, handling, and incident reporting. Same training for everyone is a control failure.
Audit and Accountability — 9 controls. Determines whether you can track what happens on your systems and whether you would know if something went wrong. The gap is not logging — most contractors have some logging enabled. The gap is review. The assessor will ask who reviews logs, how often, what triggers a review, and what happens when an anomaly is found. A SIEM that nobody monitors is a failed control.
Configuration Management — 9 controls. Governs how systems are built, maintained, and changed. The number one failure is configuration drift — organizations establish a baseline during initial setup and never validate it again. By the time the assessor arrives, the running configuration does not match the documented baseline. The assessor compares documentation to reality. If they do not match, the control fails.
Identification and Authentication — 11 controls. MFA is the highest-visibility control here and still the most common gap. Requirement 3.5.3 calls for MFA on all network access to CUI systems, privileged and non-privileged alike, and on local access to privileged accounts; MFA on the VPN or on email alone does not satisfy it. The assessor tests application-layer MFA, remote desktop sessions, and privileged access to servers and network devices. Shared accounts are flagged unless you can show how every action taken through them is traced back to an individual; in practice, treat any shared account on a CUI system as a gap.
Incident Response — 3 controls. Having an incident response plan is not enough. The assessor evaluates whether the plan has been tested and whether personnel know their roles. If your IR plan names a security officer responsible for containment and that person cannot walk through what containment looks like in your specific environment, the control fails. An untested plan is almost as dangerous as no plan.
Maintenance — 6 controls. The most overlooked control in this family is supervision of third-party maintenance (3.7.6). If a vendor remotes into a server that handles CUI and that vendor lacks the required access authorization, an authorized employee must supervise the entire session, and that supervision must be recorded. If the answer to “how do you handle vendor maintenance on CUI systems” is “they remote in,” that is a failure without documented supervision.
Media Protection — 9 controls. USB drives are the single most common failure. Many organizations have a policy restricting removable media but no technical enforcement: USB ports are not disabled and endpoint management does not restrict device connections. A policy with no technical enforcement behind it is not an implemented control. The assessor checks technical implementation, not policy language. Media sanitization documentation is the second gap; decommissioned equipment that contained CUI needs a documented chain of sanitization or destruction (3.8.3).
Personnel Security — 2 controls. The smallest family. Both controls hinge on your termination process. How quickly is access revoked when someone leaves? Is there a checklist? Are credentials retrieved? If your process is informal — IT disables the account when HR remembers to tell them — and there is no documented timeline, the control fails even if no incident ever occurred.
Physical Protection — 6 controls. The most common gap is output device control. If a shared printer sits in an open area within your CUI boundary, anyone walking by can see CUI on printed output. The assessor evaluates whether printers, monitors, and output devices are positioned or controlled to prevent unauthorized viewing. Visitor escort documentation is the second gap — badges without documented escort records and area-access logs are insufficient.
Risk Assessment — 3 controls. Vulnerability scanning is where contractors lose points — not because they do not scan, but because they do not remediate. The assessor wants scan reports paired with remediation records and follow-up scans verifying the fix. The same critical vulnerabilities appearing across multiple scans with no documented remediation is evidence of a failed control.
Security Assessment — 4 controls. The SSP is the most scrutinized document in the entire assessment. It must map every control to your specific implementation — which system, which configuration, which personnel, which process. A generic SSP that says “access control is enforced through role-based policies” without naming the systems, roles, and technical enforcement mechanisms will be flagged as insufficient. The assessor has read hundreds of boilerplate SSPs. Yours cannot be one of them.
System and Communications Protection — 16 controls. The most technically demanding family. Governs network architecture, boundary protection, encryption, and data flow controls. The primary failure is flat network architecture: no segmentation between CUI and non-CUI systems. If everything runs on the same subnet with no logical or physical separation, the assessor cannot validate boundary protection. CUI in transit must be protected by cryptography unless alternative physical safeguards apply (3.13.8), CUI at rest must be protected (3.13.16), and wherever cryptography is used to protect CUI the module must be FIPS-validated (3.13.11). Encryption built on a non-validated module still costs 3 points even though the data is technically encrypted. The assessor verifies all of this technically, not by reading your policy.
System and Information Integrity — 7 controls. Covers malicious code protection, system monitoring, flaw remediation, and security alert handling. The most common failure is patch management. The control requires timely identification and remediation of system flaws. “Timely” means whatever your policy defines, for example 14 days for critical and 30 days for high. The assessor compares your stated patching timeline to your actual patching records. If your policy says 14 days and your scan shows 90-day-old critical patches unresolved, the control fails.
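The Risk Assessment and System and Information Integrity checks above are the same reconciliation: take a series of scan exports, work out when each finding first appeared and whether a later scan shows it gone, and age it against the SLA the policy states. Here is that reconciliation as an added example (not code from the original page or from Rudram Engineering). Every scan record is constructed and the SLA table is a hypothetical policy; a real run would load the scanner's export in place of SCANS.

```python
"""Added example, not from the original page: the reconciliation an assessor
performs for 3.11.2/3.11.3 (scan and remediate) and 3.14.1 (flaw
remediation within a defined time). A series of scan exports is collapsed
into one record per finding, then aged against the SLA the policy states.
Every scan record below is constructed; SLA_DAYS is an illustrative policy.
"""
from datetime import date

# Days the (hypothetical) policy allows from first detection to fix.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}

# Constructed scan exports, one list of (host, vulnerability id, severity)
# per scan date.
SCANS = {
    date(2024, 1, 8): [
        ("fs01", "CVE-2023-0001", "critical"),
        ("web01", "CVE-2023-0002", "high"),
        ("ws22", "CVE-2023-0003", "medium"),
    ],
    date(2024, 2, 5): [
        ("fs01", "CVE-2023-0001", "critical"),   # still open, day 28
        ("ws22", "CVE-2023-0003", "medium"),     # web01 finding gone: fixed
    ],
    date(2024, 3, 4): [
        ("fs01", "CVE-2023-0001", "critical"),   # still open, day 56
        ("ws22", "CVE-2023-0003", "medium"),     # day 56, inside 90-day SLA
        ("ws22", "CVE-2024-0004", "high"),       # new this scan
    ],
}


def finding_history(scans):
    """One record per (host, vuln): severity, first_seen, last_seen, how many
    scans reported it, and whether the latest scan still does. Absence from
    the latest scan is the follow-up verification the assessor looks for.
    A finding that vanishes and returns keeps its original first_seen."""
    dates = sorted(scans)
    history = {}
    for d in dates:
        for host, vuln, sev in scans[d]:
            rec = history.setdefault((host, vuln), {
                "severity": sev, "first_seen": d, "last_seen": d, "scans_seen": 0})
            rec["last_seen"] = d
            rec["scans_seen"] += 1
    for rec in history.values():
        rec["open"] = rec["last_seen"] == dates[-1]
    return history


def sla_breaches(scans, sla=SLA_DAYS, as_of=None):
    """Findings whose age exceeds the policy SLA. Open findings are aged to
    as_of (ISO string or date; default the latest scan). Closed findings are
    aged to the last scan that reported them, a lower bound on the real fix
    time, so they are listed only when even that bound overran the SLA."""
    dates = sorted(scans)
    if as_of is None:
        as_of = dates[-1]
    elif isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    breaches = []
    for (host, vuln), rec in finding_history(scans).items():
        end = as_of if rec["open"] else rec["last_seen"]
        age = (end - rec["first_seen"]).days
        limit = sla[rec["severity"]]
        if age > limit:
            breaches.append({"host": host, "vuln": vuln, "severity": rec["severity"],
                             "age_days": age, "sla_days": limit, "open": rec["open"],
                             "scans_seen": rec["scans_seen"]})
    return sorted(breaches, key=lambda b: (-b["age_days"], b["vuln"]))


if __name__ == "__main__":
    for b in sla_breaches(SCANS):
        print(f"{b['host']} {b['vuln']} {b['severity']}: open {b['age_days']}d "
              f"(SLA {b['sla_days']}d), seen in {b['scans_seen']} scans")
```

On the constructed data the only breach as of the March scan is the critical finding on fs01, open for 56 days against a 14-day SLA and present in all three scans, which is exactly the "same critical vulnerability across multiple scans" pattern the assessor treats as evidence of a failed control. Re-running with a later as-of date shows how the medium and high findings cross their own SLAs if nothing is done, which is why the remediation record and the follow-up scan matter as much as the scan itself.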
Across all 14 families, the same three failure patterns repeat:
Documentation that does not match reality. Your SSP says one thing. Your systems show another. The assessor checks both.
Policies without technical enforcement. A written policy is not a control. A technically enforced configuration is a control. The assessor tests the system, not the binder.
One-time implementation without ongoing evidence. Controls must be continuously maintained — not implemented once and forgotten. The assessor asks for evidence of recurring activity: log reviews, access audits, vulnerability scans, training records, configuration checks. A single point-in-time artifact from six months ago does not demonstrate ongoing compliance.
If your organization has any of these patterns across multiple control families, your assessment risk is high. The time to identify and fix them is before the C3PAO arrives — not during the assessment.
The gap between knowing the 110 controls and demonstrating them to an assessor is where most contractors stall. The controls are publicly available. The implementation guidance is published. What is not published is how your specific environment maps to each requirement — which systems are in scope, which controls are already met, which gaps carry the highest point value, and what remediation sequence gets you to a passing score in the shortest timeline.
That is what a Registered Practitioner assessment delivers.
Rudram Engineering’s RP evaluates your environment against all 110 controls, scores your current SPRS position, identifies the highest-risk gaps by point value, and builds a remediation roadmap prioritized by assessment impact — not by alphabetical control family order.
One call. 30 minutes. You will know exactly where you stand.
Schedule Your Free CMMC Readiness Assessment
Rudram Engineering, Inc. | Rockledge, FL | Serving the Defense Industrial Base for 18+ years