Pro IT NW
Field notes

CMMC L2 Pre-Assessment: What $15K Buys You

CMMC Phase 2 enforcement begins November 10, 2026. C3PAO Level 2 assessments cost $30K–$80K+. The pre-assessment is what makes that money go further.

A 100-300-user defense contractor that needs CMMC Level 2 certification by November 2026 has a sequencing problem. The C3PAO assessment, the third-party assessment that actually grants the certification, is expensive, scheduled months out, and unforgiving. Going into one without a tight System Security Plan (SSP), a drafted Plan of Action and Milestones (POA&M), and a clear answer on GCC High eligibility is the most expensive way to discover what you needed to know first.

Pro IT NW's CMMC Level 2 pre-assessment is a fixed-fee $15,000 engagement for a 100-300-user GovCon shop. It runs two weeks, is senior-engineer-led, and produces the documentation deliverables a C3PAO expects at kickoff. This post lists what's in scope, what isn't, and why the pre-assessment is the highest-leverage step in the sequence to certification.

Why $15K, why two weeks, why now

The pricing transparency is deliberate. Mid-market GovCon shops have been quoted everything from $5K "readiness checklists" that are barely more than a survey to $50K "readiness engagements" that include remediation work that should be scoped separately. The market is noisy. Pro IT NW publishes the price because the deliverables are well-defined and the work is bounded — two weeks of senior engineering time, against a standardized scope, producing five named documents.

The two-week timeline is a function of the scope. Larger pre-assessments are real (1,000+ user environments, classified-adjacent contracts, complex multi-environment topologies), but they're not the same engagement and they don't fit a fixed fee. The 100-300-user band is where the fixed-fee math works because the environment shape is predictable.

Quotable stat: C3PAO Level 2 assessments typically run $30K–$80K+ for a 100-300-user environment, plus a 6-12 week schedule. Failing one means re-scoping, remediating, and re-engaging with the Phase 2 enforcement clock running. A $15K pre-assessment de-risks that engagement before the higher-cost work starts.

What's in the $15K — five deliverables

1. SSP (System Security Plan) draft

The System Security Plan is the foundational document a C3PAO assesses against. It describes the system, the boundary, the security controls in place, and the implementation status of each NIST SP 800-171 control. In the pre-assessment, we draft the SSP against the actual environment — not a template — and document the system boundary explicitly: which tenants, which networks, which apps, which users handle CUI.

The SSP draft is a first pass. The C3PAO will expect updates between pre-assessment and assessment as remediation closes gaps. What the draft eliminates is the most expensive C3PAO discovery — "your boundary is undefined" or "your control inheritance from Microsoft isn't documented." Both are common, both are remediable in advance, both cost time and money if discovered during the C3PAO engagement instead.

2. POA&M (Plan of Action and Milestones) draft

The POA&M lists the controls that aren't fully implemented, the remediation plan for each one, the owner, and the target completion date. CMMC Level 2 allows a limited POA&M at the time of assessment, so not every control has to be fully implemented, but the rules are specific: a conditional Level 2 certification requires a minimum assessment score of 88 out of 110, certain requirements cannot be placed on the POA&M at all, and every open item has to be closed and verified within 180 days or the conditional status lapses. We draft the POA&M against the gap register (next deliverable), with timelines that fit inside that window and ownership clearly assigned.

The most common POA&M failure pattern we see in the pre-assessment phase is over-promising — every gap labeled "30 days to close" because the customer believes faster remediation looks better. C3PAOs don't reward optimism; they reward credibility. Realistic 60-180 day remediation timelines for substantive gaps land better than aspirational 30-day commitments that the team can't actually meet.

3. GCC High eligibility assessment

Not every CMMC Level 2 environment needs GCC High. The decision turns on the data classification — specifically, whether the customer's contracts handle Controlled Unclassified Information (CUI), Covered Defense Information (CDI), or ITAR-regulated technical data, and where that data lives today. The pre-assessment includes a written eligibility determination: yes/no for GCC High, with the rationale, the contracts cited, and the data types documented.

The eligibility question often gets answered backwards in the market — vendors recommend GCC High because they sell GCC High licensing, or recommend against it because they prefer commercial M365. Pro IT NW doesn't resell either, so the answer in any specific case is what the contracts and data require. For a 100-user CDI-handling aerospace supplier, GCC High is usually the right answer. For a 200-user services firm doing CUI-adjacent consulting work without ITAR exposure, commercial M365 with hardening is often defensible. The eligibility document names the answer, with the reasoning visible.

4. NIST 800-171 gap register, control by control

NIST SP 800-171 has 110 security requirements across 14 control families. The pre-assessment produces a complete gap register — every requirement, current implementation status, gap severity, and remediation owner. It's the workhorse document for the rest of the path to certification, and it's what the SSP and POA&M drafts are built against.

The gap register is also the document that surfaces the surprises. A customer who believed they were "mostly there on CMMC" usually discovers one of three patterns: (a) identity controls are stronger than expected, (b) physical and personnel controls are weaker than expected, or (c) audit logging and incident response documentation is missing entirely. Only the first is good news, and none of the three is unrecoverable, but all of them are easier to address in a pre-assessment than as a C3PAO finding.

5. Third-party app compatibility check

The third-party app conversation is where mid-market CMMC programs commonly stall. Power Platform, Salesforce, ServiceNow, line-of-business apps, CAD tools, ERP systems, accounting integrations: each one has a different posture in GCC High vs commercial vs sovereign. The pre-assessment produces a compatibility matrix: every business-critical app, its CMMC-relevant data exposure, its GCC High availability or workaround, and its posture against the system boundary defined in the SSP.

The most common app-compatibility surprises:

  • Power Platform connectors — many third-party connectors are not GCC High-available; the LOB workflow that depends on them needs a workaround or a different tool.
  • Salesforce instances — commercial Salesforce is not authorized for CUI; Salesforce Government Cloud is the GovCon path and migration is non-trivial.
  • ServiceNow — ServiceNow Government Community Cloud (GCC) availability and authorization status need to be confirmed against the specific data classes in scope.
  • CAD and engineering tools — ITAR-regulated technical data in CAD packages drives both the GCC High decision and the workstation hardening posture.
  • Accounting and ERP integrations — Dynamics 365 is available in GCC High; many third-party accounting systems are not. Integration paths need explicit documentation in the SSP.

What's not in the $15K

The pre-assessment is bounded. Specifically, it does not include:

  • Remediation work. Closing gaps, deploying Conditional Access, configuring DLP, implementing logging — all valid follow-on engagements, scoped separately, priced against the actual gap register.
  • The C3PAO engagement. The pre-assessment is preparation. The C3PAO is a separate contracted relationship with an authorized third-party assessor.
  • GCC High migration. If the eligibility assessment lands at "yes, GCC High is required," the migration is its own project. Realistic GCC High migration costs are documented in our GCC High before CMMC Phase 2 post.
  • Ongoing operations. Continuous monitoring, periodic SSP updates, POA&M closure tracking, audit log review — all part of sustained CMMC operations, separate from the pre-assessment.
  • Hardware and licensing procurement. Pro IT NW is labor-only. Tenant licensing, hardware, and any third-party tooling required for remediation are procured separately.

The two-week timeline

Week 1, Days 1-2
  Activity: Kickoff, scope confirmation, contract and CUI data classification interview
  Output: Confirmed system boundary, in-scope contract list, data classification

Week 1, Days 3-5
  Activity: Tenant configuration review, identity posture review, third-party app inventory
  Output: Tenant config baseline, app inventory with CMMC-relevant data exposure

Week 2, Days 6-7
  Activity: NIST 800-171 control walkthrough, gap register population
  Output: Complete 110-control gap register with severity scoring

Week 2, Days 8-9
  Activity: SSP draft authoring, POA&M draft authoring, GCC High eligibility memo
  Output: SSP draft, POA&M draft, eligibility memo with rationale

Week 2, Day 10
  Activity: Deliverable readout with IT, security, and contracting leadership
  Output: Five deliverables in customer's hands; remediation roadmap discussion scheduled

The schedule is tight by design. Pre-assessment is not a research project — the customer has limited windows for interviews and walkthroughs, and the deliverables are standardized. The senior-engineer-led structure is what makes the two-week timeline realistic; junior-led pre-assessments typically take four to six weeks because the NIST 800-171 control language has a learning curve that compounds.

Why pre-assessment matters before C3PAO engagement

C3PAO assessments are expensive and scheduled months out

The market for authorized C3PAOs is thin in 2026. Lead times to schedule an assessment for a 100-300-user environment routinely run 90-180 days. Once scheduled, the assessment itself is a 6-12 week engagement at $30K-$80K+ of C3PAO fees, plus internal time. Going into that engagement without a drafted SSP and POA&M is the most expensive way to discover the gaps.

Failing means re-scoping with the Phase 2 clock running

CMMC Phase 2 enforcement begins November 10, 2026. Solicitations issued after that date can require a C3PAO certification assessment for Level 2 rather than a self-assessment, and the ones that matter to most defense contractors will. A failed C3PAO assessment means re-scoping, remediating, and re-engaging, all while the enforcement clock runs. For shops that need the certification to bid on contracts in Q1 2027, the pre-assessment is the cheapest insurance against schedule slippage.

The pre-assessment de-risks the C3PAO engagement

A C3PAO doesn't audit the pre-assessment work — they audit the customer's environment against the SSP. But a drafted SSP, a credible POA&M, and a defined system boundary are the deliverables a C3PAO uses as the kickoff artifact. Showing up to a C3PAO engagement with those documents in hand reduces the C3PAO's discovery time, sharpens the assessment scope, and surfaces fewer surprises during the engagement itself. It's not a guarantee of certification — but it's the most leverage available before the higher-cost work starts.

The pre-assessment surfaces the GCC High question early

GCC High migration is a 6-12 month project for a 100-300-user environment. If the eligibility assessment lands at "yes, GCC High is required," the migration has to start months before the C3PAO engagement. Discovering that requirement during the C3PAO assessment instead of during pre-assessment is the surest way for a mid-market GovCon shop to miss the Phase 2 deadline.

The sequence that works: pre-assessment ($15K, two weeks) — remediation and GCC High migration if needed (3-9 months) — C3PAO engagement ($30K-$80K+, 6-12 weeks) — certification. Skipping the pre-assessment saves $15K and costs months. Skipping the remediation saves nothing because the C3PAO will surface the gaps anyway, just at C3PAO rates.

Common mistakes we see right now

Buying a "readiness checklist" instead of a pre-assessment

A $5K survey-driven checklist is not a pre-assessment. The deliverables a C3PAO expects — SSP, POA&M, gap register, eligibility memo, app compatibility matrix — are documents that take engineering time to author against the actual environment, not boilerplate. The cheap survey often produces "you're 60% there" outputs that don't translate into anything a C3PAO can use.

Engaging the C3PAO before the SSP is drafted

The C3PAO needs the SSP at kickoff. Showing up without one means the first weeks of the C3PAO engagement get spent helping the customer draft the document — at C3PAO rates. The pre-assessment exists specifically so the customer arrives at the C3PAO engagement with the SSP in hand.

Treating GCC High as a foregone conclusion

Some 100-300-user GovCon shops genuinely don't need GCC High — their data classes don't require it, and commercial M365 with hardening meets the controls. Defaulting to GCC High because "everyone in defense uses it" is expensive when the contracts in scope don't actually require it. The eligibility assessment is the document that names the right answer.

Delaying because "we'll do it next quarter"

With Phase 2 enforcement starting November 10, 2026, a 100-300-user shop that hasn't started in mid-2026 has a realistic problem. Pre-assessment now, remediation through Q3-Q4, C3PAO engagement scheduled for Q4-Q1 — that sequence still works. Pre-assessment in Q4 with a January C3PAO engagement and surprise GCC High requirement is the sequence that misses the deadline.

What we recommend doing this week

  1. Inventory in-scope contracts. Which existing or pipeline contracts will require CMMC Level 2 after November 2026? Get the contracting officer's confirmation in writing where possible.
  2. Classify the data. CUI, CDI, ITAR-regulated technical data — which of these does the organization handle, and where does that data live today? This drives the GCC High eligibility question.
  3. Confirm tenant posture. Are you on commercial M365 today? Have you started any GCC High evaluation? What's the current Conditional Access, DLP, and audit logging posture? These inputs scope the gap register.
  4. Engage scope. Whether with Pro IT NW or another consultancy, get a written pre-assessment scope on paper with named deliverables, a timeline, and a fixed fee. Anyone offering CMMC pre-assessment without naming the SSP and POA&M deliverables is offering something else.

The 30-second version

Pro IT NW's CMMC Level 2 pre-assessment is a fixed-fee $15,000 engagement for a 100-300-user GovCon shop. Two weeks, senior-engineer-led, five deliverables: SSP draft, POA&M draft, GCC High eligibility assessment, NIST 800-171 gap register, third-party app compatibility check. It's the cheapest, highest-leverage step on the path to a C3PAO engagement that costs $30K-$80K+ and is scheduled months out. Skipping it almost always costs more than running it.

With Phase 2 enforcement on November 10, 2026, the pre-assessment-to-certification sequence still works if it starts in mid-2026 — but the runway is closing. The project intake form takes about three minutes; we respond within two business days with scope.


Pro IT NW handles GCC High migration and CMMC Level 1 / 2 / 3 readiness. Vendor-neutral, labor-only. We don't resell GCC High licensing, C3PAO assessments, or any of the third-party tools referenced in this post. The pre-assessment is the documentation engagement; remediation and migration are scoped separately.

Written by the team at Pro IT NW · Senior-led Microsoft project consultancy · Seattle / USA-wide.