CMMC Conditional Status - Contracting Without Compliance

The CMMC rollout is progressing. Contracts that require a CMMC Level 2 (Self) self-assessment have been circulating since the start of Phase 1 in November 2025, and contracts that require CMMC Level 2 (C3PAO) audits will start appearing with Phase 2 in November 2026.
Contractors and subcontractors struggling to implement the CMMC requirements may be pleasantly surprised to learn that, via the Conditional Status process, they can still be awarded CMMC Level 2 contracts before they have implemented every applicable requirement.
This post collects the rules related to Conditional Status so contractors can determine if they are eligible and identify their obligations once they have achieved it.
Overview
Contractors and subcontractors can use systems with a Conditional Status to handle CUI under CMMC Level 2 and 3 contracts and subcontracts while they work toward full compliance with CMMC. Conditional Status cannot be used for systems that only need to meet CMMC Level 1 requirements.
To achieve a CMMC Level 2 or Level 3 Conditional Status, contractors and subcontractors must:
- Complete a System Security Plan (SSP) that describes the system and its security controls
- Write a Plan of Action and Milestones (POA&M) for each CMMC requirement that is Not Met (yet)
- Implement certain mandatory CMMC requirements that cannot be included in a Conditional Status (listed below)
- Conduct a CMMC assessment of the appropriate level and type as required by the contract (self or C3PAO for Level 2, DIBCAC for Level 3)
- Achieve a minimum assessment score equal to or greater than 80% of the number of CMMC requirements in the CMMC Level being assessed
- Submit the self-assessment result via SPRS, together with the affirmation of compliance from the company's Affirming Official (a C3PAO or DIBCAC enters the results for assessments it conducts, but the affirmation remains the contractor's responsibility)
Once a contractor or subcontractor achieves a Conditional Status, all remaining CMMC requirements listed in the POA&M must be implemented and re-assessed within 180 days of the CMMC Status Date to achieve a Final Status.
What is a Conditional Status?
A Final Status requires 100% of the CMMC Level 2 or 3 requirements to be Met and is what all contractors and subcontractors will eventually need to achieve if they are working on contracts and subcontracts that require CMMC Status. A Level 2 or Level 3 Final Status is valid for three (3) years.
The Conditional Status allows contractors and subcontractors that have not implemented all CMMC Level 2 or 3 requirements to work on contracts, just as they would with a Final Status, for up to 180 days. The contractor or subcontractor must close out its POA&M and achieve Final Status by the end of that period, or the Conditional Status expires.
Using a Conditional Status is allowed as per the DFARS 252.204-7021 contract clause that imposes CMMC Level 2 or 3 requirements on contractors:
- Paragraph (d)(1)(i) of the contract requires contractors and subcontractors to have a “current” CMMC Status at the indicated level.
- Paragraph (a) of the clause defines “current” for Level 2 and 3 to include both Conditional Status and Final Status, regardless of whether the contract specifies a self-assessment or C3PAO audit requirement.
Conditional Status is not valid for CMMC Level 1. Any system with a CMMC Level 1 obligation must implement all of the Level 1 requirements and achieve a Level 1 Final Status in order to handle FCI under a CMMC contract.
The Catch
Unfortunately, some large defense contractors only seem to be willing to work with subcontractors that have a Final Status. This is frustrating because CMMC allows the use of a Conditional Status, but it is within a contractor’s rights to impose their own requirements on subcontractors that agree to their terms.
Subcontractors should confirm whether the upstream contractors will accept a Conditional Status before pursuing this path unnecessarily.
Conditional Status Requirements
Certain requirements must be Met to achieve a Conditional Status:
- An SSP must be in place.
- A POA&M must be written for each Level 2 and/or Level 3 requirement that is Not Met (yet).
- Certain specific controls must be in place.
- The assessment score must be at least 80% of the total number of Level 2 or Level 3 requirements (depending on the required CMMC Level).
SSP
CMMC requirement CA.L2-3.12.4 System Security Plan (SSP) is the single most important requirement in CMMC and should be implemented before any other requirement. The SSP describes each information system within the CMMC Assessment Scope and defines how each CMMC control is (or will be) implemented on the system.
As per 32 CFR 170.24(c)(2)(i)(B)(5), an SSP that satisfies the CMMC requirement must be in place at the time of assessment. Any CMMC assessment conducted without an SSP in place will result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012’. This leaves the contractor with no assessment score at all, and therefore no path to a Conditional Status.
An SSP template is available from NIST.
POA&M
As per 32 CFR 170.24(c)(2)(i)(B)(6), a POA&M must be written for each Not Met requirement to achieve a Conditional Status.
The POA&M is a document that identifies:
- Tasks that must be accomplished
- Resources required to accomplish the elements of the plan
- Any milestones in meeting the tasks
- Scheduled completion dates for the milestones
For a contractor or subcontractor pursuing a Conditional Status, the POA&M must list the tasks that will be necessary to implement all of the Level 2 or Level 3 requirements that are currently Not Met.
A POA&M template is available from NIST.
Mandatory Requirements
While a Conditional Status is partially based on achieving a minimum assessment score, there are also specific requirements that must be Met to achieve a Conditional Status.
Each CMMC Level 2 requirement is assigned a point value of one (1), three (3), or five (5). All CMMC Level 2 requirements with a point value of three (3) or five (5) must be Met to achieve Level 2 Conditional Status (a full list of Level 2 requirement point values is included at the end of this post).
There is an exception where a Level 2 requirement with a value of more than one (1) point is allowed to be Not Met under a Conditional Status: SC.L2-3.13.11 CUI Encryption may be included in a POA&M if encryption is employed but not FIPS-validated, which would result in a point value of three (3) being deducted.
Some CMMC requirements must be Met to receive a Conditional Status at Level 2 regardless of point value, and some requirements must be Met to receive a Conditional Status at Level 3. These requirements are as follows:
| CMMC Level 2 - 32 CFR 170.21(a)(2) | CMMC Level 3 - 32 CFR 170.21(a)(3) |
|---|---|
| AC.L2-3.1.20 External Connections [CUI Data] | IR.L3-3.6.1e Security Operations Center |
| AC.L2-3.1.22 Control Public Information [CUI Data] | IR.L3-3.6.2e Cyber Incident Response Team |
| PE.L2-3.10.3 Escort Visitors [CUI Data] | RA.L3-3.11.1e Threat-Informed Risk Assessment |
| PE.L2-3.10.4 Physical Access Logs [CUI Data] | RA.L3-3.11.6e Supply Chain Risk Response |
| PE.L2-3.10.5 Manage Physical Access [CUI Data] | RA.L3-3.11.7e Supply Chain Risk Plan |
| CA.L2-3.12.4 System Security Plan | RA.L3-3.11.4e Security Solution Rationale |
| | SI.L3-3.14.3e Specialized Asset Security |
Level 2 Scoring
The maximum possible score is 110, which is equal to the number of CMMC Level 2 requirements.
A minimum assessment score of 88 is required for Level 2 Conditional Status, which is equal to 80% of the maximum possible score.
Points are deducted from the maximum score for each requirement that is Not Met. This may result in a negative score. No points are deducted from the score for requirements that are Met or Not Applicable.
As described above, each Level 2 requirement is assigned a point value (listed at the end of this post), but the values are almost irrelevant for a Conditional Status because, other than the exception described above, a Conditional Status is not allowed if any requirement worth more than one (1) point is Not Met. In practice the POA&M can therefore hold at most 22 Not Met one-point requirements (110 - 22 = 88), or 19 one-point requirements plus the non-FIPS-validated encryption exception (110 - 19 - 3 = 88), before the score falls below the minimum.
Level 3 Scoring
The maximum possible score is 24, which is equal to the number of CMMC Level 3 requirements.
A minimum assessment score of 20 is required for Level 3 Conditional Status. 80% of 24 is 19.2, and scores are whole numbers, so the minimum rounds up to 20.
As with Level 2, points are deducted from the maximum for requirements that are Not Met.
All Level 3 requirements are assigned a point value of one (1).
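To make the Level 2 and Level 3 scoring rules concrete, here is an added example (my own code, not part of the CMMC rule, SPRS, or any DoD tool) that computes a score from a set of assessment findings and applies the Conditional Status gates described above. It assumes findings are keyed by CMMC requirement ID with the statuses MET, NOT_MET, NOT_APPLICABLE, or PARTIAL (PARTIAL is only meaningful for the two variable-value requirements), that any requirement not listed in the findings is Met, and that the Level 3 requirement IDs passed in are valid. The point values come from the table at the end of this post; the sample findings are constructed for illustration.

```python
"""Added example: CMMC Level 2/3 score and Conditional Status eligibility checker
built from the rules in 32 CFR 170.21(a) and 170.24 as summarised in this post.
Not an official DoD tool. Requirements absent from the findings are assumed Met."""

L2_TOTAL, L3_TOTAL = 110, 24  # number of requirements = maximum score at each level

# Point values from the table at the end of this post; anything not listed is 1 point.
L2_FIVE_POINT = set("""
AC.L2-3.1.1 AC.L2-3.1.2 AC.L2-3.1.12 AC.L2-3.1.13 AC.L2-3.1.16 AC.L2-3.1.17 AC.L2-3.1.18
AT.L2-3.2.1 AT.L2-3.2.2 AU.L2-3.3.1 AU.L2-3.3.5 CM.L2-3.4.1 CM.L2-3.4.2 CM.L2-3.4.5
CM.L2-3.4.6 CM.L2-3.4.7 CM.L2-3.4.8 IA.L2-3.5.1 IA.L2-3.5.2 IA.L2-3.5.10 IR.L2-3.6.1
IR.L2-3.6.2 MA.L2-3.7.2 MA.L2-3.7.5 MP.L2-3.8.3 MP.L2-3.8.7 PE.L2-3.10.1 PE.L2-3.10.2
PS.L2-3.9.2 RA.L2-3.11.2 CA.L2-3.12.1 CA.L2-3.12.3 SC.L2-3.13.1 SC.L2-3.13.2 SC.L2-3.13.5
SC.L2-3.13.6 SC.L2-3.13.15 SI.L2-3.14.1 SI.L2-3.14.2 SI.L2-3.14.3 SI.L2-3.14.4 SI.L2-3.14.6
""".split())
L2_THREE_POINT = set("""
AC.L2-3.1.5 AC.L2-3.1.19 AU.L2-3.3.2 MA.L2-3.7.1 MA.L2-3.7.4 MP.L2-3.8.1 MP.L2-3.8.2
MP.L2-3.8.8 PS.L2-3.9.1 RA.L2-3.11.1 CA.L2-3.12.2 SC.L2-3.13.8 SI.L2-3.14.5 SI.L2-3.14.7
""".split())
# Variable-value requirements: (deduction if partially implemented, deduction if not implemented)
L2_VARIABLE = {"IA.L2-3.5.3": (3, 5), "SC.L2-3.13.11": (3, 5)}
# Requirements that can never sit on a Conditional Status POA&M, whatever their point value
L2_MANDATORY = {"AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3", "PE.L2-3.10.4",
                "PE.L2-3.10.5", "CA.L2-3.12.4"}
L3_MANDATORY = {"IR.L3-3.6.1e", "IR.L3-3.6.2e", "RA.L3-3.11.1e", "RA.L3-3.11.6e",
                "RA.L3-3.11.7e", "RA.L3-3.11.4e", "SI.L3-3.14.3e"}


def min_conditional_score(total):
    """Smallest whole score that is >= 80% of total (integer math, no float rounding)."""
    return (4 * total + 4) // 5          # 110 -> 88, 24 -> 20


def l2_deduction(req, status):
    """Points deducted for one Level 2 requirement. status is MET, NOT_APPLICABLE,
    NOT_MET, or PARTIAL (PARTIAL only for the two variable-value requirements)."""
    if status in ("MET", "NOT_APPLICABLE"):
        return 0
    if req in L2_VARIABLE:
        partial, full = L2_VARIABLE[req]
        return partial if status == "PARTIAL" else full
    if status != "NOT_MET":
        raise ValueError(f"{req}: only MET, NOT_MET or NOT_APPLICABLE are valid here")
    return 5 if req in L2_FIVE_POINT else 3 if req in L2_THREE_POINT else 1


def l2_score(findings):
    """SPRS-style score: 110 minus every deduction. Can go negative."""
    return L2_TOTAL - sum(l2_deduction(r, s) for r, s in findings.items())


def l2_conditional_status(findings):
    """Return (score, eligible, blockers) for a Level 2 Conditional Status."""
    s = l2_score(findings)
    blockers = []
    if s < min_conditional_score(L2_TOTAL):
        blockers.append(f"score {s} is below the minimum of {min_conditional_score(L2_TOTAL)}")
    for req, status in findings.items():
        d = l2_deduction(req, status)
        if d == 0:
            continue                                   # Met / N/A items never block
        if req in L2_MANDATORY:
            blockers.append(f"{req} must be Met regardless of point value")
        elif req == "SC.L2-3.13.11" and status == "PARTIAL":
            pass                                       # the one permitted >1-point POA&M item
        elif d > 1:
            blockers.append(f"{req} is worth {d} points and cannot be on a POA&M")
    return s, not blockers, blockers


def l3_conditional_status(not_met):
    """Level 3: every requirement is 1 point, minimum score 20 of 24, seven mandatory items."""
    s = L3_TOTAL - len(not_met)
    blockers = [f"{r} must be Met for a Level 3 Conditional Status"
                for r in sorted(set(not_met) & L3_MANDATORY)]
    if s < min_conditional_score(L3_TOTAL):
        blockers.append(f"score {s} is below the minimum of {min_conditional_score(L3_TOTAL)}")
    return s, not blockers, blockers


# Constructed sample findings (illustrative, not real assessment data)
PASSING = {
    "AC.L2-3.1.3": "NOT_MET",           # 1 point, POA&M allowed
    "AU.L2-3.3.7": "NOT_MET",           # 1 point, POA&M allowed
    "SC.L2-3.13.11": "PARTIAL",         # encryption in use but not FIPS-validated: 3 points, allowed
    "SC.L2-3.13.14": "NOT_APPLICABLE",  # no VoIP in scope: no deduction
}
FAILING = {**PASSING,
           "IA.L2-3.5.3": "PARTIAL",    # MFA only for remote/privileged users: 3 points, blocks
           "PE.L2-3.10.4": "NOT_MET"}   # only 1 point, but on the mandatory list: blocks

if __name__ == "__main__":
    for name, findings in (("passing", PASSING), ("failing", FAILING)):
        score, eligible, why = l2_conditional_status(findings)
        print(f"{name}: score={score} eligible={eligible} {why}")
```

Feed it the Not Met and Not Applicable items from your own assessment and it reports both the SPRS-style score and, more usefully, every individual item that disqualifies a Conditional Status. One caveat: it does not validate requirement IDs against the full list of 110, so a misspelled 5-point ID silently scores as 1 point; cross-check the blockers against the table at the end of this post.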
Closing Out a Conditional Status
A Conditional Status must be closed out within 180 days of its CMMC Status Date.
All of the following must occur within the 180-day window to close out a Conditional Status:
- Remediate any Not Met requirements
- Undergo a POA&M closeout assessment of the same level and type as the original assessment that resulted in the Conditional Status
- Post the closeout results into SPRS. For a Level 2 self-assessment the contractor enters the closeout result itself; for a Level 2 C3PAO assessment the C3PAO enters it, and for a Level 3 assessment DIBCAC does.
If the POA&M is not successfully closed out within the 180-day timeframe:
- The Conditional Status will expire.
- Standard contractual remedies will apply. Separately, because the CMMC Status is affirmed in SPRS, continuing to claim a status that has lapsed creates False Claims Act exposure.
- The contractor or subcontractor will be ineligible for additional awards that require a CMMC Status at that level until a new CMMC Status is achieved.
CMMC Level 2 Requirement Points
Two (2) special Level 2 requirements have variable point values:
- IA.L2-3.5.3 Multi-factor authentication (MFA):
- Three (3) points are subtracted from the maximum score if MFA is implemented only for remote and privileged users.
- Five (5) points are subtracted from the maximum score if MFA is not implemented for any users.
- SC.L2-3.13.11 FIPS-validated encryption:
- Three (3) points are subtracted from the maximum score if encryption is employed but is not FIPS-validated.
- Five (5) points are subtracted from the maximum score if encryption is not employed.
The point values for the remaining CMMC Level 2 requirements are as follows (from 32 CFR 170.24(c)(2)(i)(B)); mandatory requirements are indicated with italics:
| Five (5) Points | Three (3) Points | One (1) Point |
|---|---|---|
| AC.L2-3.1.1 - Authorized Access Control [CUI Data] | AC.L2-3.1.5 - Least Privilege | AC.L2-3.1.3 - Control CUI Flow |
| AC.L2-3.1.2 - Transaction & Function Control | AC.L2-3.1.19 - Encrypt CUI on Mobile | AC.L2-3.1.4 - Separation of Duties |
| AC.L2-3.1.12 - Control Remote Access | AU.L2-3.3.2 - User Accountability | AC.L2-3.1.6 - Non-Privileged Account Use |
| AC.L2-3.1.13 - Remote Access Confidentiality | MA.L2-3.7.1 - Perform Maintenance | AC.L2-3.1.7 - Privileged Functions |
| AC.L2-3.1.16 - Wireless Access Authorization | MA.L2-3.7.4 - Media Inspection | AC.L2-3.1.8 - Unsuccessful Logon Attempts |
| AC.L2-3.1.17 - Wireless Access Protection | MP.L2-3.8.1 - Media Protection | AC.L2-3.1.9 - Privacy & Security Notices |
| AC.L2-3.1.18 - Mobile Device Connection | MP.L2-3.8.2 - Media Access | AC.L2-3.1.10 - Session Lock |
| AT.L2-3.2.1 - Role-Based Risk Awareness | MP.L2-3.8.8 - Shared Media | AC.L2-3.1.11 - Session Termination |
| AT.L2-3.2.2 - Role-Based Training | PS.L2-3.9.1 - Screen Individuals | AC.L2-3.1.14 - Remote Access Routing |
| AU.L2-3.3.1 - System Auditing | RA.L2-3.11.1 - Risk Assessments | AC.L2-3.1.15 - Privileged Remote Access |
| AU.L2-3.3.5 - Audit Correlation | CA.L2-3.12.2 - Operational Plan of Action | *AC.L2-3.1.20 - External Connections [CUI Data]* |
| CM.L2-3.4.1 - System Baselining | SC.L2-3.13.8 - Data in Transit | AC.L2-3.1.21 - Portable Storage Use |
| CM.L2-3.4.2 - Security Configuration Enforcement | SI.L2-3.14.5 - System & File Scanning [CUI Data] | *AC.L2-3.1.22 - Control Public Information [CUI Data]* |
| CM.L2-3.4.5 - Access Restrictions for Change | SI.L2-3.14.7 - Identify Unauthorized Use | AT.L2-3.2.3 - Insider Threat Awareness |
| CM.L2-3.4.6 - Least Functionality | | AU.L2-3.3.3 - Event Review |
| CM.L2-3.4.7 - Nonessential Functionality | | AU.L2-3.3.4 - Audit Failure Alerting |
| CM.L2-3.4.8 - Application Execution Policy | | AU.L2-3.3.6 - Reduction & Reporting |
| IA.L2-3.5.1 - Identification [CUI Data] | | AU.L2-3.3.7 - Authoritative Time Source |
| IA.L2-3.5.2 - Authentication [CUI Data] | | AU.L2-3.3.8 - Audit Protection |
| IA.L2-3.5.10 - Cryptographically-Protected Passwords | | AU.L2-3.3.9 - Audit Management |
| IR.L2-3.6.1 - Incident Handling | | CM.L2-3.4.3 - System Change Management |
| IR.L2-3.6.2 - Incident Reporting | | CM.L2-3.4.4 - Security Impact Analysis |
| MA.L2-3.7.2 - System Maintenance Control | | CM.L2-3.4.9 - User-Installed Software |
| MA.L2-3.7.5 - Nonlocal Maintenance | | IA.L2-3.5.4 - Replay-Resistant Authentication |
| MP.L2-3.8.3 - Media Disposal [CUI Data] | | IA.L2-3.5.5 - Identifier Reuse |
| MP.L2-3.8.7 - Removable Media | | IA.L2-3.5.6 - Identifier Handling |
| PE.L2-3.10.1 - Limit Physical Access [CUI Data] | | IA.L2-3.5.7 - Password Complexity |
| PE.L2-3.10.2 - Monitor Facility | | IA.L2-3.5.8 - Password Reuse |
| PS.L2-3.9.2 - Personnel Actions | | IA.L2-3.5.9 - Temporary Passwords |
| RA.L2-3.11.2 - Vulnerability Scan | | IA.L2-3.5.11 - Obscure Feedback |
| CA.L2-3.12.1 - Security Control Assessment | | IR.L2-3.6.3 - Incident Response Testing |
| CA.L2-3.12.3 - Security Control Monitoring | | MA.L2-3.7.3 - Equipment Sanitization |
| SC.L2-3.13.1 - Boundary Protection [CUI Data] | | MA.L2-3.7.6 - Maintenance Personnel |
| SC.L2-3.13.2 - Security Engineering | | MP.L2-3.8.4 - Media Markings |
| SC.L2-3.13.5 - Public-Access System Separation [CUI Data] | | MP.L2-3.8.5 - Media Accountability |
| SC.L2-3.13.6 - Network Communication by Exception | | MP.L2-3.8.6 - Portable Storage Encryption |
| SC.L2-3.13.15 - Communications Authenticity | | MP.L2-3.8.9 - Protect Backups |
| SI.L2-3.14.1 - Flaw Remediation [CUI Data] | | *PE.L2-3.10.3 - Escort Visitors [CUI Data]* |
| SI.L2-3.14.2 - Malicious Code Protection [CUI Data] | | *PE.L2-3.10.4 - Physical Access Logs [CUI Data]* |
| SI.L2-3.14.3 - Security Alerts & Advisories | | *PE.L2-3.10.5 - Manage Physical Access [CUI Data]* |
| SI.L2-3.14.4 - Update Malicious Code Protection [CUI Data] | | PE.L2-3.10.6 - Alternative Work Sites |
| SI.L2-3.14.6 - Monitor Communications for Attacks | | RA.L2-3.11.3 - Vulnerability Remediation |
| | | *CA.L2-3.12.4 - System Security Plan* |
| | | SC.L2-3.13.3 - Role Separation |
| | | SC.L2-3.13.4 - Shared Resource Control |
| | | SC.L2-3.13.7 - Split Tunneling |
| | | SC.L2-3.13.9 - Connections Termination |
| | | SC.L2-3.13.10 - Key Management |
| | | SC.L2-3.13.12 - Collaborative Device Control |
| | | SC.L2-3.13.13 - Mobile Code |
| | | SC.L2-3.13.14 - Voice over Internet Protocol |
| | | SC.L2-3.13.16 - Data at Rest |