CMMC Level 2 and the Staff You Now Have to Hire: Assessors, ISSOs and Compliance Leads

Posted by Ashley Jones

On November 10, 2025, the Defense Federal Acquisition Regulation Supplement rule for the Cybersecurity Maturity Model Certification took effect. That date started Phase 1 of the rollout, and it is the moment CMMC stopped being a policy slide and became a clause in live Department of Defense solicitations. Level 2 language is already showing up in awards. A certification is not a document you purchase. It is a standing body of work, and work needs people who own it.

Key takeaways

  • CMMC Level 2 requires implementing all 110 security requirements of NIST SP 800-171 Revision 2, versus 15 basic safeguards at Level 1 (2024 rule).
  • DoD estimates 8,350 medium and large entities will need a Level 2 third-party certification, yet projects only 135 such assessments completed in year one (2024 analysis).
  • DoD’s own estimate to support one Level 2 (C3PAO) assessment and its first affirmation is about $112,345 for a non-small entity (2024 dollars).
  • A Conditional Level 2 status buys you 180 days to close out plan-of-action items, and the full assessment renews every 3 years.
  • The talent market you hire into is tight: BLS puts the median wage for information security analysts at $124,910 with 29% projected growth from 2024 to 2034.
For employers
Hiring cleared professionals?
Post your cleared req where security-cleared candidates already search.

Post a Cleared Job

For job seekers
Holding a clearance?
Browse cleared roles from employers hiring right now.

Browse Cleared Jobs

What changed on paper, and what changed for your hiring plan?

Two rules. The CMMC Program rule at 32 CFR Part 170 took effect December 16, 2024. The companion DFARS acquisition rule took effect November 10, 2025, and that second rule is the one that actually writes Level 2 into contracts. Phase 1 is live now. Phase 2, when a large share of applicable contracts require a third-party Level 2 certification rather than a self-assessment, begins one year after Phase 1 started, around November 2026.

The program rule sets the standard, defining the levels, the assessment types, and the affirmation duties. The CMMC Program final rule at 89 FR 83092 was published October 15, 2024 and became effective that December. The DFARS final rule at 90 FR 43560 is the mechanism that turns the standard into a condition of award. Neither rule hands you a staffing chart. Both hand you obligations that only staff can meet. For the broader contractor-versus-government hiring picture, see our breakdown of government contract jobs versus federal jobs.

Why does 110 controls translate into headcount?

Level 2 means implementing all 110 security requirements of NIST SP 800-171 Revision 2, and keeping them implemented across a three-year cycle. Level 1 covers 15 basic safeguarding requirements from the FAR clause. The jump from 15 to 110, held steady over years and affirmed annually, is the difference between a checkbox and a standing function somebody has to own.

A control is not implemented once. It is configured, monitored, evidenced, and re-evidenced. Access reviews recur. Logging has to keep logging. When an auditor or an assessor asks how you enforce a given requirement, someone on your side has to answer with a document and a demonstration, not a memory. Multiply that by 110 and the reason a compliance role appears on the org chart becomes obvious. The rule does not tell you to hire that person. The rule’s arithmetic does.

Level 2 also splits into two paths. A Level 2 (Self) assessment is one the company performs and submits to the Supplier Performance Risk System (SPRS). A Level 2 (C3PAO) assessment is a third-party certification submitted through the CMMC instance of eMASS, which then feeds SPRS. Both cover the same 110 requirements and renew every three years. The difference is who signs off, and that difference drives cost and schedule.

  Level 2 (Self) Level 2 (C3PAO)
Security requirements 110 (NIST SP 800-171 R2) 110 (NIST SP 800-171 R2)
Who assesses The contractor itself An accredited C3PAO
Where results go SPRS CMMC eMASS, then SPRS
Renewal cycle Every 3 years Every 3 years
Conditional POA&M closeout 180 days 180 days
DoD cost estimate to support (non-small) ~$43,403 ~$112,345

One more schedule fact matters for staffing. A Conditional status lets you proceed with an open plan of action and milestones, but you have 180 days from the status date to close it out. That is a hard clock, and meeting it is a job. The details on assessment mechanics sit in the eCFR text for the Level 2 self-assessment and the Level 2 certification assessment.

Which roles does the CMMC rule actually name?

One. The rule names a single contractor role by title: the Affirming Official, a senior company representative who affirms continuing compliance after every assessment, at POA&M closeout, and annually, submitted electronically in SPRS. Every other job the work implies is a role you create, not a title the rule mandates.

Vendors and job posts blur this, so guard it. The 32 CFR 170 text does not create a mandatory in-house “ISSO” or “compliance officer” position and it does not require you to employ an assessor. What it requires is a senior person with the authority to put their name behind the company’s continuing compliance. The affirmation requirement at 32 CFR 170.22 defines that Affirming Official as the senior-level representative responsible for the organization’s compliance. That is a signature with legal weight. Someone has to be willing to give it, repeatedly, on the record.

Underneath the Affirming Official sits the practical need. Somebody has to keep the 110 controls implemented, assemble the evidence, run the self-assessment, and prepare the company for a C3PAO if the contract calls for one. Call that person a security compliance lead, a control owner, an ISSO-style role. The title is yours; the workload is not optional. Filling it fast is its own challenge, which is why our guide to optimizing time-to-hire for GovCon recruiters is relevant the moment a Level 2 clause lands.

Who runs the assessment, and why aren’t they your employees?

The people who grant a Level 2 (C3PAO) certification work for an accredited third party, not for you. A CMMC Third-Party Assessment Organization fields an Assessment Team of CMMC Certified Assessors and CMMC Certified Professionals. Hiring a CCA onto your payroll does not certify your company. Independence is the point of the design.

The credential bar is specific. Under the rule, a CCA must already be a CCP with at least 3 years of cybersecurity experience, at least 1 year of assessment or audit experience, and at least one foundational qualification aligned to the Intermediate proficiency of the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) work role from DoD Manual 8140.03. On the team itself, a CCP may only participate under CCA oversight, and the CCA makes all final determinations. You can read the assessor qualifications in 32 CFR 170.11, and the underlying work role at the DCWF Security Control Assessor (612) page.

There is a vetting layer too, and it is easy to misread. Both CCAs and CCPs must complete a Tier 3 background investigation, initiated on the SF-86, with the position designated non-critical sensitive at a Moderate Risk level. That investigation does not produce a security clearance and is not run for government employment. The certification from the accreditation body is valid for three years. Our explainer on public trust positions, tiers, and investigations covers the same Tier 3 vocabulary, and the contrast with a full clearance is spelled out in our TS/SCI clearance guide. This is the pool you recruit from to prepare for a C3PAO, and it competes hard for the same candidates. Employers fighting that competition should see how to win the recruitment game for contingent GovCon positions.

How is CMMC different from the NISPOM security staff you may already have?

Two regimes, two systems, and the temptation to conflate them is the expensive mistake. NISPOM, at 32 CFR Part 117, governs classified information on classified systems. CMMC, at 32 CFR Part 170, governs controlled unclassified information on ordinary business systems. Same company can fall under both. Staffing one does not cover the other.

NISPOM requires a contractor processing classified information on an information system to appoint an employee Information System Security Manager, the ISSM. NISPOM also requires cleared contractors to appoint, in writing, a Facility Security Officer and an Insider Threat Program Senior Official. Those are mandated in-house roles, the closest thing in the cleared world to a named security position. They protect classified material, not the CUI that CMMC is about. The FSO obligations sit in the same rule and are worth a separate read in our post on FSO requirements for a cleared contractor, and the statutory text lives in 32 CFR Part 117.

  NISPOM (32 CFR 117) CMMC (32 CFR 170)
Protects Classified information Controlled unclassified information
System type Classified information systems Unclassified contractor systems
Core standard NISPOM security requirements NIST SP 800-171 R2 (110 requirements)
Named in-house role ISSM, FSO, ITPSO (employees) Affirming Official (senior representative)
How compliance is checked Government oversight Self-assessment or accredited C3PAO

What does the workload cost, and why hire ahead of the assessor queue?

DoD’s own estimate of what it costs a company to support a single Level 2 (C3PAO) assessment and its first affirmation, counting internal labor plus the assessor’s fee rather than any one salary, is about $112,345 for a non-small entity and $101,752 for a small one. The self-assessment path runs about $43,403 and $34,277. Those figures repeat on a three-year cycle. Against a recurring bill like that, a dedicated compliance hire stops looking expensive.

The rule priced the internal share of that work at fully loaded in-house labor rates: a director at $190.52 an hour and a manager at $95.96 an hour, each figure including fringe and employee-related expenses. Between assessments there is also an annual reaffirmation, estimated at $2,712 for a non-small entity and $1,459 for a small one. None of that money buys a permanent capability. It buys one cycle. A standing hire, by contrast, compounds into readiness you keep.

DoD estimated cost to support (2024 dollars) Non-small entity Small entity
Level 2 (C3PAO) assessment + initial affirmation $112,345 $101,752
Level 2 (Self) assessment + initial affirmation $43,403 $34,277
Annual reaffirmation between assessments $2,712 $1,459

Then there is the queue, and it is the strongest argument for hiring now. DoD is trying to raise the security floor across a defense industrial base of roughly 220,000 companies. It estimates 8,350 medium and large entities will need a Level 2 third-party certification. It also projects the assessor pipeline ramps slowly: about 135 C3PAO-led certification assessments completed in the first year, 673 in year two, 2,252 in year three, and 4,452 in year four. Thousands need a slot; a few hundred open in the early going. Companies that reach the assessor’s calendar already at 110 controls, with evidence assembled and a compliance owner who has run a dry run, clear that bottleneck. Those that start prepping when the clause arrives wait.

The last cost is the talent itself. BLS puts the median annual wage for information security analysts, SOC code 15-1212, at $124,910 as of May 2024, and projects 29% employment growth from 2024 to 2034, much faster than average. Treat that occupation as a proxy for the ISSO-style and compliance-analyst roles CMMC work implies, not as a CMMC-specific title. The people who can own 110 controls are the same people every other contractor now wants, and demand is climbing this decade. Where that talent comes from is its own recruiting question, which is why our complete career guide for cleared professionals is a useful anchor for building the bench.

ClearedJobs.NET connects cleared talent with the employers who need it.
Whether you are hiring for a cleared req or holding a clearance and looking, start here.

Post a Cleared JobBrowse Cleared Jobs

Frequently Asked Questions

Does the CMMC rule require me to hire an ISSO?

No. The rule at 32 CFR 170 names only one contractor role by title, the Affirming Official, a senior representative who affirms continuing compliance. It does not mandate an in-house ISSO or compliance officer. What creates the practical need for that person is the work of implementing and maintaining the 110 NIST SP 800-171 controls, plus the 180-day clock on any conditional status.

Can I just hire a CMMC Certified Assessor to certify my own company?

No. CCAs and CCPs perform certification assessments as part of an accredited C3PAO’s Assessment Team, and independence is the design. Putting a CCA on your payroll does not produce a Level 2 (C3PAO) certification for your organization. You can hire that expertise to prepare for an assessment, but the certifying assessment still comes from an outside, accredited C3PAO.

What is the difference between Level 2 (Self) and Level 2 (C3PAO)?

Both cover the same 110 requirements of NIST SP 800-171 Revision 2 and both renew every three years. A Level 2 (Self) assessment is performed by the contractor and submitted to SPRS. A Level 2 (C3PAO) assessment is a third-party certification submitted through the CMMC instance of eMASS, which then feeds SPRS. Your contract dictates which one applies.

Is CMMC the same as my NISPOM and FSO obligations?

No, and conflating them is a costly error. NISPOM at 32 CFR 117 protects classified information on classified systems and requires an employee ISSM, plus an FSO and an insider-threat official. CMMC at 32 CFR 170 protects controlled unclassified information on unclassified systems. A single company can be subject to both regimes at once, and each needs its own staffing.

How long do I have to fix gaps found during a Level 2 assessment?

If your assessment yields a Conditional Level 2 status with an open plan of action and milestones, you have 180 days from the CMMC Status Date to remediate the not-met requirements, perform a closeout assessment, and post the results. Miss that window and the conditional status does not convert to final, which can affect your eligibility on the contract.

The bottom line for 2026 hiring

Phase 2 arrives around November 2026, and with it a wave of contracts that require a third-party Level 2 certification rather than a self-attestation. When that date lands, two kinds of contractors will show up. One treated compliance as a hire in 2025 and walks in with 110 controls implemented, evidence filed, and an Affirming Official ready to sign. The other treated it as paperwork and joins a queue that clears a few hundred assessments a year against thousands waiting. The rule does not name the person who keeps you in the first group. Your org chart does. Put that role on it before the clause sets the date for you.

Author

  • Ashley Jones is ClearedJobs.Net's blog Editor and a cleared job search expert, dedicated to helping security-cleared job seekers and employers navigate job search and recruitment challenges. With in-depth experience assisting cleared job seekers and transitioning military personnel at in-person and virtual Cleared Job Fairs and military base hiring events, Ashley has a deep understanding of the unique needs of the cleared community. She is also the Editor of ClearedJobs.Net's job search podcast, Security Cleared Jobs: Who's Hiring & How.

    View all posts

Comment

Notify me of updates to this conversation

Author

  • Ashley Jones is ClearedJobs.Net's blog Editor and a cleared job search expert, dedicated to helping security-cleared job seekers and employers navigate job search and recruitment challenges. With in-depth experience assisting cleared job seekers and transitioning military personnel at in-person and virtual Cleared Job Fairs and military base hiring events, Ashley has a deep understanding of the unique needs of the cleared community. She is also the Editor of ClearedJobs.Net's job search podcast, Security Cleared Jobs: Who's Hiring & How.

    View all posts
This entry was posted on Tuesday, July 14, 2026 12:59 pm