The CMMC rollout is progressing. Contracts that require a CMMC Level 2 (Self) self-assessment have been circulating since the start of Phase 1 in November 2025, and contracts that require CMMC Level 2 (C3PAO) audits will start appearing with Phase 2 in November 2026.
Contractors and subcontractors struggling to implement the CMMC requirements may be pleasantly surprised to learn that, through the Conditional Status process, they can be awarded CMMC Level 2 contracts even if they have not yet implemented all of the applicable requirements.
This post collects the rules related to Conditional Status so contractors can determine if they are eligible and identify their obligations once they have achieved it.
Contractors and subcontractors can use systems with a Conditional Status to handle CUI under CMMC Level 2 and 3 contracts and subcontracts while they work toward full compliance with CMMC. Conditional Status cannot be used for systems that only need to meet CMMC Level 1 requirements.
To achieve a CMMC Level 2 or Level 3 Conditional Status, contractors and subcontractors must:
Once a contractor or subcontractor achieves a Conditional Status, all remaining CMMC requirements listed in the POA&M must be implemented and re-assessed within 180 days of the Conditional Status to achieve a Final Status.
A Final Status requires 100% of the CMMC Level 2 or 3 requirements to be Met (or Not Applicable) and is what all contractors and subcontractors will eventually need to achieve if they are working on contracts and subcontracts that require a CMMC Status. A Level 2 or Level 3 Final Status is valid for three (3) years.
The Conditional Status allows contractors and subcontractors that have not implemented all CMMC Level 2 or 3 requirements to work on contracts, just as they would with a Final Status, for up to 180 days. The contractor or subcontractor is expected to achieve Final Status by the end of that period.
Using a Conditional Status is allowed as per the DFARS 252.204-7021 contract clause that imposes CMMC Level 2 or 3 requirements on contractors:
Conditional Status is not valid for CMMC Level 1. Any system with a CMMC Level 1 obligation must implement all of the Level 1 requirements and achieve a Level 1 Final Status in order to handle FCI under a CMMC contract.
Unfortunately, some large defense contractors only seem to be willing to work with subcontractors that have a Final Status. This is frustrating because CMMC allows the use of a Conditional Status, but it is within a contractor’s rights to impose their own requirements on subcontractors that agree to their terms.
Subcontractors should confirm whether the upstream contractors will accept a Conditional Status before pursuing this path unnecessarily.
Certain requirements must be Met to achieve a Conditional Status:
CMMC requirement CA.L2-3.12.4 System Security Plan (SSP) is the single most important requirement in CMMC and should be implemented before any other requirement. The SSP describes each information system within the CMMC Assessment Scope and defines how each CMMC control is (or will be) implemented on the system.
As per 32 CFR 170.24(c)(2)(i)(B)(5), an SSP in accordance with CMMC requirement CA.L2-3.12.4 must be in place at the time of assessment. Any CMMC assessment conducted without an SSP in place will result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012’. Because no score is produced in that case, the contractor would be left without the assessment score necessary to achieve a Conditional Status.
An SSP template is available from NIST.
As per 32 CFR 170.24(c)(2)(i)(B)(6), a POA&M must be written for each Not Met requirement to achieve a Conditional Status.
The POA&M is a document that identifies:
For a contractor or subcontractor pursuing a Conditional Status, the POA&M must list the tasks that will be necessary to implement all of the Level 2 or Level 3 requirements that are currently Not Met.
A POA&M template is available from NIST.
While a Conditional Status is partially based on achieving a minimum assessment score, there are also specific requirements that must be Met to achieve a Conditional Status.
Each CMMC Level 2 requirement is assigned a point value of one (1), three (3), or five (5). All CMMC Level 2 requirements with a point value of three (3) or five (5) must be Met to achieve Level 2 Conditional Status (a full list of Level 2 requirement point values is included at the end of this post).
There is one exception where a Level 2 requirement worth more than one (1) point is allowed to be Not Met under a Conditional Status: SC.L2-3.13.11 CUI Encryption may be included in a POA&M if encryption is employed but is not FIPS-validated, in which case three (3) points are deducted rather than the full five (5).
Some CMMC requirements must be Met to receive a Conditional Status at Level 2 regardless of point value, and some requirements must be Met to receive a Conditional Status at Level 3. These requirements are as follows:
| CMMC Level 2 - 32 CFR 170.21(a)(2) | CMMC Level 3 - 32 CFR 170.21(a)(3) |
|---|---|
| AC.L2-3.1.20 External Connections (CUI Data) | IR.L3-3.6.1e Security Operations Center |
| AC.L2-3.1.22 Control Public Information (CUI Data) | IR.L3-3.6.2e Cyber Incident Response Team |
| PE.L2-3.10.3 Escort Visitors (CUI Data) | RA.L3-3.11.1e Threat-Informed Risk Assessment |
| PE.L2-3.10.4 Physical Access Logs (CUI Data) | RA.L3-3.11.6e Supply Chain Risk Response |
| PE.L2-3.10.5 Manage Physical Access (CUI Data) | RA.L3-3.11.7e Supply Chain Risk Plan |
| CA.L2-3.12.4 System Security Plan | RA.L3-3.11.4e Security Solution Rationale |
| | SI.L3-3.14.3e Specialized Asset Security |
The maximum possible score is 110, which is equal to the number of CMMC Level 2 requirements.
A minimum assessment score of 88 is required for Level 2 Conditional Status, which is equal to 80% of the maximum possible score.
Points are deducted from the maximum score for each requirement that is Not Met. This may result in a negative score. No points are deducted from the score for requirements that are Met or Not Applicable.
As described above, each Level 2 requirement is assigned a point value (listed at the end of this post), but the individual values are almost irrelevant for a Conditional Status because, other than the SC.L2-3.13.11 exception described above, a Conditional Status is not allowed if any requirement worth more than one (1) point is Not Met. In practice, then, the 88-point minimum means that at most 22 one-point requirements can be Not Met (110 - 22 = 88), or at most 19 if SC.L2-3.13.11 is in the POA&M at three (3) points (110 - 3 - 19 = 88).
The maximum possible score is 24, which is equal to the number of CMMC Level 3 requirements.
A minimum assessment score of 20 is required for Level 3 Conditional Status, which is about 83% of the maximum possible score (slightly more than the 80% used at Level 2).
As with Level 2, points are deducted from the maximum for requirements that are Not Met.
All Level 3 requirements are assigned a point value of one (1).
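The scoring rules above are easy to get wrong by hand when a POA&M has a couple of dozen entries, so here is an added example (not code from the original post, and not a DoD tool) that applies them to a list of Not Met requirements and reports whether the result supports a Final Status, a Conditional Status, or neither. The point table is copied from the table at the end of this post and the mandatory requirements from 32 CFR 170.21. The function names, the input format, and the handling of the two variable-point requirements (IA.L2-3.5.3 and SC.L2-3.13.11, taken at five points when wholly unimplemented and three when partially implemented, per 32 CFR 170.24) are this example's own assumptions.

```python
"""Added example (not from the original post): a scoring and Conditional
Status eligibility check for CMMC Level 2 and Level 3 assessments, built
from the point values and POA&M limits summarised in the post (32 CFR
170.24 and 32 CFR 170.21). Function names and the input shape are this
example's own assumptions, not an official DoD tool or API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Level 2 point values from the post's table (32 CFR 170.24(c)(2)(i)(B)).
L2_FIVE = """3.1.1 3.1.2 3.1.12 3.1.13 3.1.16 3.1.17 3.1.18 3.2.1 3.2.2 3.3.1
3.3.5 3.4.1 3.4.2 3.4.5 3.4.6 3.4.7 3.4.8 3.5.1 3.5.2 3.5.10 3.6.1 3.6.2 3.7.2
3.7.5 3.8.3 3.8.7 3.9.2 3.10.1 3.10.2 3.11.2 3.12.1 3.12.3 3.13.1 3.13.2
3.13.5 3.13.6 3.13.15 3.14.1 3.14.2 3.14.3 3.14.4 3.14.6""".split()
L2_THREE = """3.1.5 3.1.19 3.3.2 3.7.1 3.7.4 3.8.1 3.8.2 3.8.8 3.9.1 3.11.1
3.12.2 3.13.8 3.14.5 3.14.7""".split()
L2_ONE = """3.1.3 3.1.4 3.1.6 3.1.7 3.1.8 3.1.9 3.1.10 3.1.11 3.1.14 3.1.15
3.1.20 3.1.21 3.1.22 3.2.3 3.3.3 3.3.4 3.3.6 3.3.7 3.3.8 3.3.9 3.4.3 3.4.4
3.4.9 3.5.4 3.5.5 3.5.6 3.5.7 3.5.8 3.5.9 3.5.11 3.6.3 3.7.3 3.7.6 3.8.4 3.8.5
3.8.6 3.8.9 3.10.3 3.10.4 3.10.5 3.10.6 3.11.3 3.12.4 3.13.3 3.13.4 3.13.7
3.13.9 3.13.10 3.13.12 3.13.13 3.13.14 3.13.16""".split()
# Assumption (from 32 CFR 170.24, not spelled out in the post): the two
# variable-point requirements, IA.L2-3.5.3 MFA and SC.L2-3.13.11 CUI
# Encryption, deduct 5 points when Not Met and 3 when partially implemented.
# Only 3.13.11 at 3 points may appear in a Conditional Status POA&M.
L2_VARIABLE: Set[str] = {"3.5.3", "3.13.11"}
L2_POINTS: Dict[str, int] = {**{r: 5 for r in L2_FIVE}, **{r: 3 for r in L2_THREE},
                             **{r: 1 for r in L2_ONE}, **{r: 5 for r in L2_VARIABLE}}
assert len(L2_POINTS) == 110, "point table must cover all 110 Level 2 requirements"

L2_MANDATORY = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5", "3.12.4"}  # 170.21(a)(2)
L3_MANDATORY = {"3.6.1e", "3.6.2e", "3.11.1e", "3.11.6e", "3.11.7e", "3.11.4e", "3.14.3e"}
L2_MAX, L2_MIN_CONDITIONAL = 110, 88
L3_MAX, L3_MIN_CONDITIONAL = 24, 20


@dataclass
class Outcome:
    level: int
    score: Optional[int]          # None when no score can be produced
    status: str                   # "Final", "Conditional" or "None"
    reasons: List[str] = field(default_factory=list)


def l2_deduction(req: str, partial: bool) -> int:
    """Points deducted for a Not Met Level 2 requirement."""
    if req in L2_VARIABLE and partial:
        return 3
    return L2_POINTS[req]


def level2_status(not_met: Dict[str, bool]) -> Outcome:
    """not_met maps requirement numbers (e.g. "3.1.3") to True when the
    requirement is partially implemented; the flag only matters for the
    two variable-point requirements and is ignored for all others."""
    unknown = set(not_met) - set(L2_POINTS)
    if unknown:
        raise ValueError(f"not Level 2 requirement numbers: {sorted(unknown)}")
    # No SSP means the assessment cannot be completed and no score exists
    # (32 CFR 170.24(c)(2)(i)(B)(5)), so there is nothing to evaluate.
    if "3.12.4" in not_met:
        return Outcome(2, None, "None", ["CA.L2-3.12.4 Not Met: no SSP, assessment cannot be completed"])
    score = L2_MAX - sum(l2_deduction(r, p) for r, p in not_met.items())
    if not not_met:
        return Outcome(2, score, "Final")
    reasons: List[str] = []
    for req, partial in not_met.items():
        pts = l2_deduction(req, partial)
        if req in L2_MANDATORY:
            reasons.append(f"{req} must be Met for Conditional Status")
        elif pts > 1 and not (req == "3.13.11" and partial):
            reasons.append(f"{req} is worth {pts} points and cannot be in a POA&M")
    if score < L2_MIN_CONDITIONAL:
        reasons.append(f"score {score} is below the minimum of {L2_MIN_CONDITIONAL}")
    return Outcome(2, score, "None" if reasons else "Conditional", reasons)


def level3_status(not_met: Set[str]) -> Outcome:
    """Every Level 3 requirement is worth one point; IDs are not validated here."""
    score = L3_MAX - len(not_met)
    if not not_met:
        return Outcome(3, score, "Final")
    reasons = [f"{r} must be Met for Conditional Status" for r in sorted(not_met & L3_MANDATORY)]
    if score < L3_MIN_CONDITIONAL:
        reasons.append(f"score {score} is below the minimum of {L3_MIN_CONDITIONAL}")
    return Outcome(3, score, "None" if reasons else "Conditional", reasons)


if __name__ == "__main__":
    # Constructed sample: non-FIPS encryption plus nineteen 1-point gaps.
    gaps = {"3.13.11": True, **{r: False for r in L2_ONE[13:32]}}
    print(level2_status(gaps))
```

Running the sample at the bottom lands exactly on 88 points with 3.13.11 at three points and nineteen one-point gaps; adding one more one-point gap drops it to 87 and the status to "None", which is the ceiling derived from the 80% minimum above. A single 5-point or mandatory requirement in the POA&M blocks the Conditional Status regardless of the score, and a missing SSP yields no score at all.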
A Conditional Status must be closed out within 180 days of its CMMC Status Date.
All of the following must occur within the 180-day window to close out a Conditional Status:
If the POA&M is not successfully closed out within the 180-day timeframe:
Two (2) special Level 2 requirements have variable point values:
The point values for the remaining CMMC Level 2 requirements are as follows (from 32 CFR 170.24(c)(2)(i)(B)); mandatory requirements are indicated with italics:
| Five (5) Points | Three (3) Points | One (1) Point |
|---|---|---|
| AC.L2-3.1.1 - Authorized Access Control [CUI Data] | AC.L2-3.1.5 - Least Privilege | AC.L2-3.1.3 - Control CUI Flow |
| AC.L2-3.1.2 - Transaction & Function Control | AC.L2-3.1.19 - Encrypt CUI on Mobile | AC.L2-3.1.4 - Separation of Duties |
| AC.L2-3.1.12 - Control Remote Access | AU.L2-3.3.2 - User Accountability | AC.L2-3.1.6 - Non-Privileged Account Use |
| AC.L2-3.1.13 - Remote Access Confidentiality | MA.L2-3.7.1 - Perform Maintenance | AC.L2-3.1.7 - Privileged Functions |
| AC.L2-3.1.16 - Wireless Access Authorization | MA.L2-3.7.4 - Media Inspection | AC.L2-3.1.8 - Unsuccessful Logon Attempts |
| AC.L2-3.1.17 - Wireless Access Protection | MP.L2-3.8.1 - Media Protection | AC.L2-3.1.9 - Privacy & Security Notices |
| AC.L2-3.1.18 - Mobile Device Connection | MP.L2-3.8.2 - Media Access | AC.L2-3.1.10 - Session Lock |
| AT.L2-3.2.1 - Role-Based Risk Awareness | MP.L2-3.8.8 - Shared Media | AC.L2-3.1.11 - Session Termination |
| AT.L2-3.2.2 - Role-Based Training | PS.L2-3.9.1 - Screen Individuals | AC.L2-3.1.14 - Remote Access Routing |
| AU.L2-3.3.1 - System Auditing | RA.L2-3.11.1 - Risk Assessments | AC.L2-3.1.15 - Privileged Remote Access |
| AU.L2-3.3.5 - Audit Correlation | CA.L2-3.12.2 - Operational Plan of Action | *AC.L2-3.1.20 - External Connections [CUI Data]* |
| CM.L2-3.4.1 - System Baselining | SC.L2-3.13.8 - Data in Transit | AC.L2-3.1.21 - Portable Storage Use |
| CM.L2-3.4.2 - Security Configuration Enforcement | SI.L2-3.14.5 - System & File Scanning [CUI Data] | *AC.L2-3.1.22 - Control Public Information [CUI Data]* |
| CM.L2-3.4.5 - Access Restrictions for Change | SI.L2-3.14.7 - Identify Unauthorized Use | AT.L2-3.2.3 - Insider Threat Awareness |
| CM.L2-3.4.6 - Least Functionality | | AU.L2-3.3.3 - Event Review |
| CM.L2-3.4.7 - Nonessential Functionality | | AU.L2-3.3.4 - Audit Failure Alerting |
| CM.L2-3.4.8 - Application Execution Policy | | AU.L2-3.3.6 - Reduction & Reporting |
| IA.L2-3.5.1 - Identification [CUI Data] | | AU.L2-3.3.7 - Authoritative Time Source |
| IA.L2-3.5.2 - Authentication [CUI Data] | | AU.L2-3.3.8 - Audit Protection |
| IA.L2-3.5.10 - Cryptographically-Protected Passwords | | AU.L2-3.3.9 - Audit Management |
| IR.L2-3.6.1 - Incident Handling | | CM.L2-3.4.3 - System Change Management |
| IR.L2-3.6.2 - Incident Reporting | | CM.L2-3.4.4 - Security Impact Analysis |
| MA.L2-3.7.2 - System Maintenance Control | | CM.L2-3.4.9 - User-Installed Software |
| MA.L2-3.7.5 - Nonlocal Maintenance | | IA.L2-3.5.4 - Replay-Resistant Authentication |
| MP.L2-3.8.3 - Media Disposal [CUI Data] | | IA.L2-3.5.5 - Identifier Reuse |
| MP.L2-3.8.7 - Removable Media | | IA.L2-3.5.6 - Identifier Handling |
| PE.L2-3.10.1 - Limit Physical Access [CUI Data] | | IA.L2-3.5.7 - Password Complexity |
| PE.L2-3.10.2 - Monitor Facility | | IA.L2-3.5.8 - Password Reuse |
| PS.L2-3.9.2 - Personnel Actions | | IA.L2-3.5.9 - Temporary Passwords |
| RA.L2-3.11.2 - Vulnerability Scan | | IA.L2-3.5.11 - Obscure Feedback |
| CA.L2-3.12.1 - Security Control Assessment | | IR.L2-3.6.3 - Incident Response Testing |
| CA.L2-3.12.3 - Security Control Monitoring | | MA.L2-3.7.3 - Equipment Sanitization |
| SC.L2-3.13.1 - Boundary Protection [CUI Data] | | MA.L2-3.7.6 - Maintenance Personnel |
| SC.L2-3.13.2 - Security Engineering | | MP.L2-3.8.4 - Media Markings |
| SC.L2-3.13.5 - Public-Access System Separation [CUI Data] | | MP.L2-3.8.5 - Media Accountability |
| SC.L2-3.13.6 - Network Communication by Exception | | MP.L2-3.8.6 - Portable Storage Encryption |
| SC.L2-3.13.15 - Communications Authenticity | | MP.L2-3.8.9 - Protect Backups |
| SI.L2-3.14.1 - Flaw Remediation [CUI Data] | | *PE.L2-3.10.3 - Escort Visitors [CUI Data]* |
| SI.L2-3.14.2 - Malicious Code Protection [CUI Data] | | *PE.L2-3.10.4 - Physical Access Logs [CUI Data]* |
| SI.L2-3.14.3 - Security Alerts & Advisories | | *PE.L2-3.10.5 - Manage Physical Access [CUI Data]* |
| SI.L2-3.14.4 - Update Malicious Code Protection [CUI Data] | | PE.L2-3.10.6 - Alternative Work Sites |
| SI.L2-3.14.6 - Monitor Communications for Attacks | | RA.L2-3.11.3 - Vulnerability Remediation |
| | | *CA.L2-3.12.4 - System Security Plan* |
| | | SC.L2-3.13.3 - Role Separation |
| | | SC.L2-3.13.4 - Shared Resource Control |
| | | SC.L2-3.13.7 - Split Tunneling |
| | | SC.L2-3.13.9 - Connections Termination |
| | | SC.L2-3.13.10 - Key Management |
| | | SC.L2-3.13.12 - Collaborative Device Control |
| | | SC.L2-3.13.13 - Mobile Code |
| | | SC.L2-3.13.14 - Voice over Internet Protocol |
| | | SC.L2-3.13.16 - Data at Rest |