Free Interactive Assessment Tool
Evaluate your organization across all 14 NIST SP 800-171 control families. Get your weighted readiness score, prioritized gap analysis, and downloadable PDF action plan.
✓ 41 Questions ✓ 110 Security Practices ✓ Instant Score
The Cybersecurity Maturity Model Certification (CMMC) Level 2 requires defense contractors and subcontractors to implement all 110 security controls from NIST SP 800-171 to protect Controlled Unclassified Information (CUI). As of 2025, the Department of Defense began phased enforcement, with mandatory third-party C3PAO assessments required by November 2026.
Why it matters now: Phase 2 enforcement begins November 2026 — organizations that handle CUI must pass a third-party C3PAO assessment to remain eligible for DoD contracts. Assessment slots are filling up fast.
This tool provides a preliminary self-assessment only. It does not constitute an official CMMC certification or C3PAO audit. CMMC Level 2 certification requires assessment by an authorized C3PAO.
© On-Site Technology | www.on-sitetechnology.com | (973) 777-7227
Answer 41 questions mapped to NIST SP 800-171 controls. Rate each as Fully Implemented, Partial, Planned, or Not Addressed. Get a weighted readiness score across all 14 control families, a prioritized gap analysis, and a downloadable PDF action plan — no email required.
C3PAO assessment, technology remediation, and ongoing compliance maintenance combined.
Above 75% on this tool? 3-6 months. Below 50%? Plan for 12-18 months of implementation.
Mandatory C3PAO assessments for Level 2. Primes already requiring subcontractor compliance.
CMMC Level 1 covers 17 basic cyber hygiene practices and allows self-assessment. CMMC Level 2 requires all 110 security controls from NIST SP 800-171 across 14 control families, with a mandatory third-party C3PAO assessment. Level 2 applies to organizations handling Controlled Unclassified Information (CUI).
Most organizations need 6 to 18 months. Companies scoring above 75% on this readiness tool typically need 3 to 6 months. Below 50%? Plan for 12 to 18 months to implement controls, build documentation, and establish evidence collection.
Total three-year costs range from $150,000 to $400,000. The C3PAO assessment runs $105,000–$118,000 over three years, remediation $35,000–$115,000, and ongoing maintenance $20,000–$50,000 annually.
A C3PAO (Certified Third Party Assessment Organization) is authorized by the Cyber AB to conduct official CMMC Level 2 assessments. Find authorized C3PAOs at cyberab.org. The organization that helps you prepare cannot also certify you.
If your MSP processes, stores, or transmits CUI, they’re part of your CUI boundary and their systems fall within your assessment scope. Working with an MSP that understands CMMC — like On-Site Technology — simplifies your compliance path significantly.
No. This is a preliminary self-assessment to understand your readiness and prioritize remediation. Official certification requires an authorized C3PAO. However, this tool covers the same 14 control families and is an effective starting point.
Phase 2 takes effect November 2026, making C3PAO assessment mandatory for Level 2 contracts. Many primes are already requiring subcontractor compliance. Given limited C3PAO availability, start preparation now.
On-Site Technology helps defense contractors across NJ, NY, PA, and FL achieve CMMC Level 2 certification. Schedule a free gap assessment to start.