The 10 Most Commonly Failed CMMC Level 2 Controls and How to Fix Them

Why CMMC Level 2 Failures Keep Happening

After working with dozens of defense contractors preparing for third-party assessments, I can tell you with confidence that most CMMC Level 2 compliance failures are not random. They cluster around the same control families, year after year. Organizations invest in firewalls and antivirus software, then get blindsided by an assessor who flags their audit log gaps or their inability to demonstrate a working incident response plan.

CMMC Level 2 maps directly to the 110 practices in NIST SP 800-171. Every one of those practices requires both implementation and evidence. That dual burden is where most contractors stumble. Below are the ten controls that generate the most findings—and what you can do about each one before a C3PAO walks through your door.

The 10 Most Commonly Failed Controls

1. Access Control — Limiting CUI to Authorized Users (AC.1.001, AC.2.006)

Overly permissive access rights are the single most cited deficiency in CMMC assessments. Contractors frequently grant broad network access without enforcing least privilege. Fix this by auditing every user account, removing or restricting accounts that do not require access to Controlled Unclassified Information, and documenting your access control policy. Role-based access control is not optional—it is a foundational requirement.

2. Identification and Authentication — Multi-Factor Authentication (IA.3.083)

MFA requirements catch organizations off guard more often than almost any other control. If any user—including administrators—can access systems containing CUI with only a password, you will receive a finding. Implement MFA across all remote access pathways and privileged accounts immediately, and make sure your System Security Plan documents the configuration. Assessors will test this, not just read your policy.

3. Audit and Accountability — Log Collection and Review (AU.2.041, AU.2.042)

Many contractors have logging enabled somewhere, but cannot demonstrate that logs are collected, protected, retained, and reviewed. Assessors want to see a defensible audit trail. Establish centralized log management, set a documented retention period (at least 90 days readily accessible, with three years archived), and implement a process for regular log review. Gaps in audit logs are among the fastest ways to fail an assessment.

4. Configuration Management — Baseline Configurations (CM.2.061, CM.2.064)

You need documented, approved baseline configurations for every system that processes, stores, or transmits CUI. Organizations routinely lack formal baselines or allow configuration drift without a change management process. Build your baselines using industry benchmarks such as CIS Controls, document deviations, and enforce a change control workflow. This control family is tightly linked to your overall System Security Plan and POA&M discipline.

5. Incident Response — Plan Development and Testing (IR.2.092, IR.2.093)

Having a written incident response plan is necessary. Being able to demonstrate that you have tested it is what separates a passing organization from a failing one. Tabletop exercises must be conducted and documented. Your plan must address CUI-specific breach scenarios and define reporting timelines consistent with DFARS 252.204-7012 obligations. If your plan lives in a shared drive untouched since 2021, it will not survive scrutiny.

6. Risk Assessment — Periodic Assessments and Vulnerability Scanning (RA.2.141, RA.2.142)

Risk assessments cannot be a one-time event. CMMC Level 2 compliance requires periodic reassessment and documented vulnerability scanning results. Many contractors perform a scan, remediate the critical findings, and consider the work complete. Assessors look for a repeatable process with documented results, remediation timelines, and evidence that findings feed back into your risk register. Learn more about building this capability through our Federal and SLED Risk Assessment services.

7. System and Communications Protection — CUI in Transit (SC.3.177, SC.3.187)

Encrypting CUI in transit is required, but contractors regularly fail to demonstrate that encryption is applied consistently across all pathways—including email, file transfers, and collaboration tools. Audit every data flow where CUI moves between systems or users. Confirm that FIPS-validated encryption is in use, and document the controls in your SSP. If you are using commercial Microsoft 365 instead of a compliant government cloud environment, this is frequently where findings emerge.

8. Media Protection — Sanitization and Disposal (MP.2.119, MP.3.122)

Physical media containing CUI must be sanitized before disposal or reuse, using methods that meet NIST SP 800-88 standards. Many organizations lack documented procedures or cannot produce records showing that sanitization actually occurred. Establish a formal media sanitization log, train the personnel responsible, and ensure your policy covers both electronic and physical media, including printed CUI. Physical security controls like this one are easy to overlook when your focus is on network security.

9. Personnel Security — Screening and Termination (PS.2.127, PS.3.128)

Pre-employment screening appropriate to the sensitivity of roles involving CUI is required, and so is a documented termination process that revokes access immediately upon separation. Contractors often have informal processes here—verbal confirmations and manual IT tickets with no audit trail. Formalize your onboarding and offboarding checklists, integrate HR and IT workflows, and document every step. Access that lingers after an employee departs is both a compliance finding and a material security risk.
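Items 1 and 9 both come down to reconciling who has access against who should. As an added example (not from the original article or its authors), the Python below runs the two checks an assessor asks you to evidence: CUI-group accounts missing from the authorized roster, and accounts still enabled after the HR separation date. The account records, roster and separation dates are constructed sample data standing in for a directory export, an HR report and your access control policy.

```python
"""Access reconciliation for CUI systems (constructed sample data).

Check 1: accounts in the CUI access group that the policy roster does not
authorize (least privilege). Check 2: separated users whose account is still
enabled (termination revocation). Running both matters: a user who is still on
the roster but has left is invisible to the roster check alone.
"""
from datetime import date, timedelta

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "aturing",    "enabled": True,  "cui_group": True},
    {"user": "ghopper",    "enabled": True,  "cui_group": True},
    {"user": "svc_backup", "enabled": True,  "cui_group": True},
    {"user": "jdoe",       "enabled": False, "cui_group": True},
    {"user": "mlovelace",  "enabled": True,  "cui_group": False},
]
# Constructed roster of users the access control policy authorizes for CUI.
AUTHORIZED_CUI_USERS = {"aturing", "ghopper", "jdoe"}
# Constructed HR separation report: user -> last day of employment.
SEPARATIONS = {"jdoe": date(2024, 3, 1), "ghopper": date(2024, 5, 10)}
# Date the reconciliation is run (constructed).
AS_OF = date(2024, 6, 1)


def unauthorized_cui_access(accounts, authorized):
    """Accounts in the CUI access group that the policy roster does not list."""
    return sorted(a["user"] for a in accounts
                  if a["cui_group"] and a["user"] not in authorized)


def lingering_access(accounts, separations, as_of, grace=timedelta(days=0)):
    """Separated users whose account is still enabled after last day + grace."""
    enabled = {a["user"] for a in accounts if a["enabled"]}
    return sorted(user for user, last_day in separations.items()
                  if user in enabled and as_of > last_day + grace)


def reconcile(accounts, authorized, separations, as_of):
    """Findings keyed by the gap they evidence; empty lists mean a clean run."""
    return {
        "not_on_roster": unauthorized_cui_access(accounts, authorized),
        "enabled_after_separation": lingering_access(accounts, separations, as_of),
    }


if __name__ == "__main__":
    for gap, users in reconcile(ACCOUNTS, AUTHORIZED_CUI_USERS, SEPARATIONS, AS_OF).items():
        print(f"{gap}: {users or 'none'}")
```

Dating and retaining each run's output gives you the audit trail the control asks for, rather than a verbal confirmation that offboarding happened.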

10. System and Information Integrity — Malware Protection and Security Alerts (SI.1.210, SI.2.214)

Malware protection software is almost universally deployed, but the control requires more than installation. Assessors evaluate whether your protection mechanisms are current, whether scan schedules are enforced, and whether your organization receives and acts on security alerts from authoritative sources. Establish a process for subscribing to threat intelligence feeds, documenting alert triage, and updating protection mechanisms on a defined schedule. Endpoint security is the operational layer that keeps this control alive between assessments.

Cross-Cutting Themes Behind Most Failures

Looking across all ten areas, three themes drive the majority of findings. First, organizations confuse intent with evidence. A policy says something should happen, but no one can produce proof that it did. Second, CUI scope is undefined or too narrow. If you have not rigorously identified where CUI lives, you cannot protect it consistently. Review our guidance on Controlled Unclassified Information if your CUI boundaries are unclear. Third, compliance is treated as a project rather than a program. CMMC Level 2 compliance requires ongoing operation, not a one-time sprint to the assessment date.

Building a Program That Sustains Compliance

Addressing individual control gaps matters, but the organizations that pass assessments with the fewest findings are the ones that have built compliance into their daily operations. That means documented procedures people actually follow, regular internal reviews, and executive visibility into the compliance posture. Our CMMC, CUI, and DFARS compliance services are designed to help defense contractors move from reactive gap remediation to a sustainable compliance program.

If you want to build that foundation properly, our Compliance Program Development service provides the structured approach contractors need to operationalize controls across the organization—not just check boxes before an audit.

For contractors who benefit from ongoing expert guidance without adding full-time headcount, embedded compliance leadership through our Regulatory vCISO services keeps your program on track between assessments and ensures your team is ready when the C3PAO arrives.

If you are preparing for an upcoming assessment and want to know exactly where you stand, request a quote and our team will scope a readiness engagement tailored to your timeline and your specific control gaps. The contractors who wait until the contract award notice to start this work are the ones who lose the most time and money. Start now.
