If you work anywhere in the Defense Industrial Base, you already know CMMC 2.0 Level 2 is coming faster than a reindeer on an espresso drip and, as of November 10, 2025, it is officially part of DoD acquisition rules. The DoD has begun phasing CMMC clauses into new solicitations over a three‑year period, with full enforcement expected by November 2028, so “we’ll get to it after the holidays” is now a real business risk.
So, in the spirit of seasonal cheer, here is a festive guide to help you laugh your way through the seriousness of CMMC Level 2. Grab some cocoa, tighten those MFA settings, and enjoy The 12 Days of CMMC.
The 12 Days of CMMC Level 2
On the first day of CMMC, my assessor gave to me…
A requirement for multi‑factor authen‑ti‑ty.
From privileged admin accounts to that “one laptop that never leaves the office,” strong MFA is now table stakes for protecting CUI under NIST SP 800‑171 and CMMC Level 2.

On the second day of CMMC, my assessor gave to me…
Two documented policies,
And MFA across my whole org‑a‑ni‑ty.
Level 2 expects real, written, and maintained policies and procedures—not the four bullet points someone drafted in 2018.
On the third day of CMMC, my assessor gave to me…
Three access reviews,
Two documented policies,
And MFA across my whole org‑a‑ni‑ty.
Periodic (at least annual, often quarterly) access reviews are essential to proving you control who can see CUI and why.

On the fourth day of CMMC, my assessor gave to me…
Four tightened firewalls…
Because “Any Any Allow” is not festive, it is frightening, and network segmentation is now a core expectation for protecting critical systems.

On the fifth day of CMMC, my assessor gave to me…
FIVE GOLDEN CONTROLS.
Encryption, auditing, configuration management, incident response, and change control, all glittering at the center of NIST SP 800‑171’s 110 requirements.

On the sixth day of CMMC, my assessor gave to me…
Six logs a‑scrolling…
SIEM and log management tools light up like holiday decorations, but this time with correlated alerts, retention policies, and evidence for your assessment.

On the seventh day of CMMC, my assessor gave to me…
Seven scans a‑running…
Vulnerability management has moved from “once a year when someone finds the Nessus password” to continuous scanning and tracked remediation.

On the eighth day of CMMC, my assessor gave to me…
Eight backups storing…
Offline, immutable, and tested backups are now non‑negotiable; ransomware loves the holidays as much as anyone else.

On the ninth day of CMMC, my assessor gave to me…
Nine staff training…
Because the best gift is an employee who does not click the fake shipping notification that would have taken down your entire environment.

On the tenth day of CMMC, my assessor gave to me…
Ten vendor checks…
Supply chain risk is a headline issue; if your MSP, cloud provider, or SaaS vendor is on the naughty list, your CMMC status is at risk too.

On the eleventh day of CMMC, my assessor gave to me…
Eleven forms for evidence…
Screenshots, configs, logs, sign‑offs, diagrams, inventories, and SSP updates—wrapping presents may be tedious, but a CMMC evidence package is a whole different level.

On the twelfth day of CMMC, my assessor gave to me…
Twelve months of prep‑work…
Because Level 2 is not a stocking stuffer; for many organizations, achieving full implementation and a strong SPRS score is a 9–18 month journey of planning, documentation, and remediation.

What Makes Level 2 Different Now
CMMC 2.0 Level 2 is where the DoD moves from “trust us” to “prove it,” aligning directly with the 110 requirements of NIST SP 800‑171. Unlike legacy self‑attestation, CMMC Level 2 adds formal assessments, tighter rules on POA&Ms, and ongoing affirmation obligations.
Key realities as of 2025:
- Level 2 maps one‑to‑one with the 110 NIST SP 800‑171 controls; you must fully implement and be able to evidence them to achieve a final status.
- Assessment type depends on the contract: many Level 2 contracts will initially rely on self‑assessments and executive affirmation, while “prioritized” CUI contracts can require a third‑party C3PAO certification.
- You must score to 110 or close remaining gaps rapidly with constrained POA&Ms, and maintain your status through annual self‑assessments and affirmations recorded in SPRS.
In other words, Level 1 is the basic holiday lights you toss over the porch; Level 2 is the synchronized, music‑powered, neighborhood‑stopping production with a scoreboard.
CMMC Timeline: From Now Through 2028
The rulemaking phase is over; implementation has begun. The DoD’s CMMC program and the DFARS rule are now effective and moving through a structured rollout. Understanding this timeline is critical if you want to stay on the DoD “nice list.”
- Phase 1 (starting November 10, 2025): Many new contracts include Level 1 or Level 2 self‑assessment requirements as a condition of award, with limited use of third‑party Level 2 assessments for certain high‑priority programs.
- Through November 2028: CMMC requirements expand across more contracts and options, culminating in full enforcement where applicable DoD contracts require the appropriate CMMC level at time of award and throughout performance.
Waiting until a solicitation drops is now a losing strategy; the lead time to remediate and document 110 controls simply does not fit into a last‑minute sprint.
Why You Want iCorps in the Sleigh
CMMC compliance is a long winter journey, and navigating it alone with a cracked map and flickering flashlight is not a winning approach. A partner like iCorps can help you translate regulatory language into concrete security architecture, processes, and evidence that will stand up to CMMC assessments.
What iCorps brings to the sleigh:
- Identify your gaps: iCorps maps your environment against NIST SP 800‑171 and the CMMC Level 2 assessment guide, building a clear, prioritized POA&M and target SPRS score that make sense to both executives and assessors.
- Build real documentation: From system security plans and policies to procedures, diagrams, and inventories, iCorps helps create and maintain the documentation set your CMMC self‑assessment or C3PAO audit will expect to see.
- Implement the required controls: MFA everywhere, hardened configurations, logging and SIEM integration, Intune and endpoint baselines, conditional access, backup and recovery, and incident response plans—implemented with an eye toward both security and evidence.
- Prepare for your assessment: Mock CMMC Level 2 self‑assessments or C3PAO‑style readiness reviews, evidence walkthroughs, coaching for leadership affirmations, and support in aligning your SPRS reporting with your real posture.
- Keep you compliant all year long: CMMC is not one‑and‑done; iCorps supports ongoing monitoring, periodic reassessments, and control maintenance so your annual self‑assessment, affirmation, and contract renewals do not turn into a seasonal panic.
Why You Want iCorps in the Sleigh
CMMC Level 2 does not have to ruin the season. With the right expertise, a clear roadmap, and a partner who can keep the reindeer fed and the paperwork organized, your organization can move through CMMC’s phased rollout with confidence instead of dread.
If you want help preparing for CMMC or validating that your current posture will stand up under the 2025–2028 rollout, reach out to the iCorps team. May your logs be bright, your controls be tight, and your auditors delighted.
