by Nestor Soto

CMMC Level 2 Documentation: What You Actually Need

Defense contractors preparing for CMMC Level 2 need more than a template. Here's what assessors expect in your System Security Plan, POA&M, and evidence packages.

CMMC Level 2 Documentation: What Small Defense Contractors Actually Need

Small defense contractors and subcontractors face a daunting requirement: CMMC Level 2. The Cybersecurity Maturity Model Certification 2.0 framework requires 110 security controls aligned with NIST SP 800-171, documented proof for every control, and a third-party assessment.

Here is the good news: you do not need an enterprise security team or a six-figure budget. You need accurate, organized, audit-ready documentation. After helping dozens of small defense contractors pass their CMMC assessments, I know documentation is where most companies stumble—and where focused effort delivers the biggest return.

This guide breaks down exactly what CMMC Level 2 documentation small defense contractors need, where to cut complexity, and how to build your documentation library without hiring a dozen consultants.

Need a head start? Download the Free CMMC SSP Template (Word/Google Docs).

What Is CMMC Level 2?

CMMC 2.0 is the Department of Defense’s framework for protecting Controlled Unclassified Information (CUI) within the defense industrial base (DIB). Level 2 is the tier required for any contractor that handles CUI.

Level 2 aligns directly with the 110 security requirements in NIST SP 800-171 Rev. 2. The DoD’s official CMMC program information is available through the DoD CIO’s CMMC page.

Unlike Level 1 (self-assessment only), Level 2 for most CUI contracts requires a third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization); the final rule also defines a Level 2 self-assessment variant, and the solicitation tells you which one applies. An assessor will review your documentation, interview your staff, and test your controls. You cannot fake it, and you cannot wing it.

Small contractors have an advantage: simpler systems, fewer users, and less organizational baggage. The key is translating that simplicity into clear, concise documentation.

The Core CMMC Level 2 Documentation Requirements

When a C3PAO shows up—or logs into your virtual assessment—they expect four categories of documentation. Lock these down and you are 80% of the way there.

1. System Security Plan (SSP)

The SSP is the crown jewel of CMMC documentation. It describes your system boundary, the CUI environment, and how you satisfy each of the 110 NIST 800-171 requirements. It is itself a requirement (3.12.4), and under the DoD assessment methodology an assessment cannot be completed without one.

Your SSP must include:

  • System boundary — what is in scope and what is not
  • Network diagram — with CUI flows clearly marked
  • Hardware and software inventory — every asset that touches CUI
  • System topology — how data moves between systems
  • Control mappings — how each of the 110 requirements is implemented
  • Roles and responsibilities — who owns security, IT, and compliance
  • Approval — the boundary statement and the SSP as a whole reviewed and signed by leadership

The SSP is not a one-and-done document. Update it whenever your system changes. Most small contractors maintain an SSP between 30 and 60 pages. Enterprise SSPs can run 200+ pages, but small contractors do not need that bloat.

If you are also building a SOC 2 documentation library, there is significant overlap between NIST 800-171 and the SOC 2 Security criteria. My SOC 2 Documentation Checklist breaks down how to reuse policies across frameworks.

2. Policies and Procedures

NIST 800-171 Rev. 2 groups its 110 requirements into 14 families (3.1 through 3.14). Assessors expect a written policy, and where the requirement calls for it a procedure, covering each family. That typically translates to 14–20 core documents. Note that the identifiers below are 800-171 requirement numbers, not the NIST SP 800-53 control IDs (AC-1, AU-2 and so on) that many enterprise templates carry over:

  • Access Control Policy — 3.1.1 through 3.1.22
  • Awareness and Training Policy — 3.2.1 through 3.2.3
  • Audit and Accountability Policy — 3.3.1 through 3.3.9
  • Configuration Management Policy — 3.4.1 through 3.4.9
  • Identification and Authentication Policy — 3.5.1 through 3.5.11
  • Incident Response Policy — 3.6.1 through 3.6.3
  • Maintenance Policy — 3.7.1 through 3.7.6
  • Media Protection Policy (including backups, 3.8.9) — 3.8.1 through 3.8.9
  • Personnel Security Policy — 3.9.1 through 3.9.2
  • Physical Protection Policy — 3.10.1 through 3.10.6
  • Risk Assessment Policy — 3.11.1 through 3.11.3
  • Security Assessment Policy — 3.12.1 through 3.12.4
  • System and Communications Protection Policy — 3.13.1 through 3.13.16
  • System and Information Integrity Policy — 3.14.1 through 3.14.7

Contingency planning is not a separate family in 800-171 Rev. 2; the backup requirement lives in Media Protection (3.8.9), so fold it into that policy rather than writing a stand-alone CP policy that maps to nothing an assessor will ask about.

800-171 does not list the 800-53 "-1" policy controls (AC-1, AU-1, and so on) as requirements. Rev. 2 tailors them out in Appendix E as NFO controls that nonfederal organizations are expected to satisfy routinely without being told. Assessors treat them exactly that way: the NIST SP 800-171A assessment objectives name policies and procedures as artifacts to examine, so without the written policy you will struggle to satisfy the objectives regardless of how well you are doing the work.

3. Plan of Action and Milestones (POA&M)

Here is a secret: you do not have to score 110 out of 110 on the day of your assessment. Within the limits set by the rule, you may carry open items on a POA&M, provided you document every gap and have a credible, dated plan to close it.

The POA&M tracks:

  • Deficiency description — what is missing or inadequate
  • NIST 800-171 reference — which requirement is affected
  • Date identified — when the gap was discovered
  • Remediation actions — specific steps to fix the gap
  • Milestone dates — when each step will be completed
  • Responsible party — who owns the remediation
  • Resources required — budget, tools, or personnel needed
  • Completion date — when the gap is closed

Under the CMMC final rule (32 CFR Part 170), a Level 2 POA&M is permitted only if your assessment score is at least 88 of 110, none of the open items is worth more than 1 point under the DoD scoring methodology (with a narrow exception for 3.13.11 when encryption is in place but not FIPS-validated), and none of the short list of requirements the rule names as never eligible is on it. Every open item must then be closed and verified by a POA&M closeout assessment within 180 days of the conditional certification, or the conditional status lapses. There is no 365-day tier for less severe items. A stale POA&M, with overdue items and no progress, is a red flag for assessors.
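As an added example, not part of the original article or of any DoD tool, here is a Python check that applies those rules to a POA&M tracker: it computes the DoD assessment score (110 minus the point value of each unmet requirement), tests whether the open items form a permitted POA&M, and flags items that are already overdue or milestoned past the 180-day closeout. The point values in the sample rows are the DoD Assessment Methodology values for those specific requirements; the rows themselves are constructed, and the rule's list of requirements that may never appear on a POA&M is left as a parameter rather than reproduced here.

```python
"""POA&M sanity check for a CMMC Level 2 assessment (added example).

Rules encoded, from 32 CFR Part 170 and the DoD NIST SP 800-171 Assessment
Methodology: score = 110 minus 1/3/5 points per unmet requirement; a POA&M is
allowed only at score >= 88; no open item may exceed 1 point except 3.13.11
with non-FIPS-validated encryption (3 points); everything must close within
180 days of the conditional status. The rule's "never on a POA&M" list is an
assumption left to the caller via `never_on_poam`.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110
MIN_POAM_SCORE = 88          # 0.8 x 110
CLOSEOUT_DAYS = 180
FIPS_EXCEPTION = "3.13.11"


@dataclass
class PoamItem:
    requirement: str             # NIST SP 800-171 Rev. 2 number, e.g. "3.5.3"
    deficiency: str
    points: int                  # 1, 3 or 5 from the DoD methodology table
    identified: date
    milestone: date              # planned completion date
    owner: str
    status: str = "open"         # "open" or "closed"
    non_fips_crypto: bool = False  # only meaningful for 3.13.11


@dataclass
class Verdict:
    score: int
    poam_allowed: bool
    deadline: date
    problems: list = field(default_factory=list)
    overdue: list = field(default_factory=list)


def evaluate_poam(items, conditional_date, today, never_on_poam=frozenset()):
    """Score the assessment and check whether the open items form a valid POA&M."""
    open_items = [i for i in items if i.status == "open"]
    score = TOTAL_REQUIREMENTS - sum(i.points for i in open_items)
    deadline = conditional_date + timedelta(days=CLOSEOUT_DAYS)
    problems = []

    if score < MIN_POAM_SCORE:
        problems.append(f"score {score} is below the {MIN_POAM_SCORE} minimum")

    for item in open_items:
        if item.requirement in never_on_poam:
            problems.append(f"{item.requirement} may never be on a POA&M")
        elif item.points > 1 and not (
            item.requirement == FIPS_EXCEPTION and item.non_fips_crypto
        ):
            problems.append(f"{item.requirement} is worth {item.points} points")
        if item.milestone > deadline:
            problems.append(f"{item.requirement} milestone {item.milestone} "
                            f"is past the closeout deadline {deadline}")

    # Items whose milestone has already passed while still open.
    overdue = [i.requirement for i in open_items if i.milestone < today]
    return Verdict(score, not problems, deadline, problems, overdue)


# Constructed sample data (hypothetical contractor, hypothetical dates).
CONDITIONAL_DATE = date(2025, 1, 15)
REVIEW_DATE = date(2025, 4, 1)
SAMPLE_POAM = [
    PoamItem("3.3.3", "Logged events not reviewed on a schedule", 1,
             date(2025, 1, 10), date(2025, 3, 1), "IT lead"),
    PoamItem("3.13.11", "VPN uses AES but the module is not FIPS-validated", 3,
             date(2025, 1, 10), date(2025, 5, 1), "IT lead", non_fips_crypto=True),
    PoamItem("3.6.3", "IR tabletop exercise not performed", 1,
             date(2025, 1, 10), date(2025, 2, 15), "CISO", status="closed"),
]


def with_mfa_gap():
    """Same POA&M plus an unmet 5-point requirement, which invalidates it."""
    return SAMPLE_POAM + [PoamItem("3.5.3", "No MFA on workstation logon", 5,
                                   date(2025, 1, 10), date(2025, 9, 1), "IT lead")]


def review_sample(items=None, never_on_poam=frozenset()):
    """Evaluate the sample (or a supplied list) as of the constructed review date."""
    return evaluate_poam(items if items is not None else SAMPLE_POAM,
                         CONDITIONAL_DATE, REVIEW_DATE, never_on_poam)


if __name__ == "__main__":
    for label, verdict in (("baseline", review_sample()),
                           ("with MFA gap", review_sample(with_mfa_gap()))):
        print(f"{label}: score={verdict.score} allowed={verdict.poam_allowed} "
              f"deadline={verdict.deadline} overdue={verdict.overdue}")
        for p in verdict.problems:
            print("  -", p)
```

Running it shows the baseline POA&M is permitted (score 106, one overdue item to chase) while adding the open 3.5.3 MFA gap drops the score to 101 and makes the POA&M ineligible, both because a 5-point item is on it and because its milestone falls after the closeout deadline.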

4. Evidence and Artifacts

Policies and plans are promises. Evidence proves you keep them. For CMMC Level 2, you need artifacts like:

  • User access lists and quarterly access reviews
  • System configuration baselines and hardening checklists
  • Vulnerability scan results (monthly or quarterly)
  • Security awareness training records
  • Incident response logs and after-action reports
  • Backup and restoration test results
  • Multi-factor authentication (MFA) enrollment records
  • Encryption verification for data at rest and in transit
  • Visitor logs and physical access records
  • Change management tickets and approval chains

NIST SP 800-171 and CMMC 2.0 Mapping

One of the most common questions I get: “If I am already NIST 800-171 compliant, am I CMMC Level 2 ready?”

The answer: mostly, but not automatically.

CMMC 2.0 Level 2 adds an assessment layer on top of NIST 800-171. The controls themselves are the same 110 requirements, but CMMC requires a third party to validate them. Your documentation needs to be assessor-ready—not just internal-reference-ready.

Key differences:

  • CMMC requires objective evidence for every control, not just self-attestation
  • CMMC assessments include interviews with personnel; your team needs to know the policies
  • CMMC uses the DoD scoring methodology: you start at 110 and lose 1, 3, or 5 points per unmet requirement, so one unmet 5-point requirement (multifactor authentication, 3.5.3, for example) costs more than several 1-point gaps
  • CMMC requires a current POA&M with realistic timelines, and permits one at all only when your score clears the rule's minimum

If you are starting from zero, download the official NIST SP 800-171 Rev. 2 document and use it as your control checklist, and pair it with NIST SP 800-171A, whose assessment objectives are what a C3PAO actually tests against. Map each requirement to your existing practices, identify gaps, and document everything.

Common Mistakes Small Contractors Make

Small defense contractors face unique challenges: limited IT staff, tight budgets, and systems that evolved organically rather than by design. Here are the mistakes I see most often:

1. Over-scoping the environment. Do not include your entire corporate network in the CUI boundary if only one segment handles CUI. A smaller, well-defined boundary is easier to document and assess.

2. Using enterprise templates blindly. A 50-person machine shop does not need the same policy depth as Lockheed Martin. Templates are starting points, not finished products. Adapt them to your size and risk profile.

3. Neglecting the POA&M. Some contractors treat the POA&M like a confession they want to hide. The opposite is true: a well-maintained POA&M shows maturity. Assessors prefer an honest POA&M to a facade of perfection.

4. Forgetting about subcontractors. If you share CUI with subcontractors, DFARS 252.204-7012 flows down to them: you need the flow-down clause in your subcontracts and evidence that they also meet NIST 800-171. Document your due diligence.

5. Waiting until the last minute. Documentation takes time. Start at least 6 months before your target assessment date. If you need a crash course, I offer a 4-week documentation sprint for small contractors.

Building Your Documentation on a Budget

You do not need a GRC platform to pass CMMC Level 2. Here is a realistic toolkit for small contractors:

  Tool                                                | Purpose                    | Cost
  Microsoft Word / Google Docs                        | Policies and SSP           | Free–$12/mo
  Microsoft Excel / Google Sheets                     | POA&M and asset inventory  | Free–$12/mo
  Draw.io / Lucidchart                                | Network diagrams           | Free–$10/mo
  Shared Drive (Google / OneDrive)                    | Evidence storage           | Free–$6/mo/user
  Vulnerability scanner (OpenVAS / Nessus Essentials) | Scanning and reports       | Free–$3k/yr

Nessus Essentials is free but limited to 16 IP addresses; the paid tier is what pushes the cost toward the top of that range.

The most expensive part of CMMC is not software—it is labor. Someone has to write the documents, collect the evidence, and maintain the library. If your team lacks bandwidth, outside help pays for itself.

Free CMMC SSP Template

I have built a CMMC SSP template specifically for small defense contractors. It is not a 200-page enterprise monster. It is a lean, practical template that covers all 110 NIST 800-171 requirements with clear instructions for filling in your details.

Download the Free CMMC SSP Template →

Let’s Get You Assessment-Ready

CMMC Level 2 is not going away. Every defense contractor handling CUI will eventually need it. Contractors who start documenting now will win contracts while competitors scramble to catch up.

I help small defense contractors build CMMC documentation that passes C3PAO assessments on the first try. Whether you need a full SSP, a POA&M cleanup, or a pre-assessment documentation review, I can scope the work to your budget.

Schedule a free CMMC documentation consultation →


Nestor Soto is a compliance documentation consultant with 15+ years of experience helping defense contractors, B2B SaaS companies, and cosmetics brands build audit-ready documentation. He specializes in CMMC, SOC 2, MoCRA, and HIPAA compliance. Read more at gogosoto.com.