Top 12 CMMC Level 2 Requirements Explained: Gap Assessments, Scope, SSP, and POA&M

Show Notes

In this episode of the CMMC Compliance Guide Podcast, Stacey and Austin from Justice IT Consulting walk through the top 12 essentials every contractor needs to achieve CMMC Level 2 compliance especially small and mid-sized defense manufacturers.

You’ll learn how to start compliance the right way with a formal gap assessment, define and shrink your CUI scope, and build a System Security Plan (SSP) that maps to all 110 NIST 800-171 controls. We break down how to write an actionable Plan of Action & Milestones (POA&M), implement MFA correctly, enforce least-privilege access control, and deploy proper device protection across your environment.

We also cover commonly misunderstood requirements around FIPS-validated encryption, centralized logging/SIEM, removable media, CNC/OT assets, data handling, and ongoing vulnerability + risk assessments.

Finally, we answer a listener question on secure data transfer and why customer portals or GCC/GCC High environments are often superior to “secure links” inside commercial Microsoft 365 tenants.

Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap