Skip to main content

Plain-English CMMC guide · primary sources

What is conditional CMMC Level 2 certification?

Conditional CMMC Level 2 status lets a contractor hold a contract award while remediating minor gaps. Requirements: a score of ≥ 88 of 110 at the C3PAO assessment; every open gap POA&M-eligible (generally 1-point items only — six requirements are never eligible, including 3.12.4, 3.1.20, 3.1.22, 3.10.3, 3.10.4, and 3.10.5). All POA&M items must close within 180 days of the conditional status date. Source: 32 CFR 170.21.

The 88-point threshold, explained

The score starts at 110 and only subtracts, so a score of at least 88 means no more than 22 points of deductions can remain open. And because only 1-point items may sit on a POA&M, that ceiling translates to at most 22 one-point requirements still open (plus the single 3.13.11 partial exception). The score is necessary but not sufficient: an 88 reached by leaving a 5-point gap or a never-eligible requirement open does not qualify, because those gaps cannot be deferred to a POA&M in the first place.

In short, two tests must both pass — the number (≥ 88) and the kind of gap (POA&M-eligible only). The kind of gap is what trips most contractors up. To see where you stand before you book an assessor, run the numbers in the SPRS calculator.

The six requirements that can never be on a POA&M

Six requirements are never POA&M-eligible under 32 CFR 170.21. If any one of them is open, a Conditional Level 2 is off the table — they must be fully met before the assessment. These render from the same validated dataset the Muster Score uses, so the ids and titles never drift:

RequirementWhat it covers
AC.L2-3.1.20Verify and limit external system connections
AC.L2-3.1.22Control CUI on publicly accessible systems
PE.L2-3.10.3Escort visitors and monitor visitor activity
PE.L2-3.10.4Maintain audit logs of physical access
PE.L2-3.10.5Control and manage physical access devices
CA.L2-3.12.4Develop and update system security plans

Note that 3.12.4 (the SSP) is doubly binding: it is never POA&M-eligible, and without a current SSP no assessment can be completed at all (32 CFR 170.24). The full eligibility rules and a free blank template are in the POA&M template guide.

The 180-day closeout clock

Conditional is temporary by design. From the conditional status date you have 180 days to close every open POA&M item and pass a closeout assessment, which converts your status to Final Level 2. There is no grace period: if the items are not closed in time, the conditional status lapses — you lose the certification and must re-assess (32 CFR 170.21). Treat the 180 days as the real deadline and have remediation underway, with budget and vendors lined up, before the assessment rather than after it.

Conditional vs. Final Level 2

Conditional Level 2Final Level 2
Score requiredAt least 88 of 110All requirements met, or every POA&M item closed
Open gaps allowedOnly POA&M-eligible (1-point items; 3.13.11 partial case)None remaining
Contract eligibilityCan hold an award while remediatingFull eligibility, no open clock
Time pressure180-day closeout clock runningNo closeout clock
If you miss the deadlineConditional status lapses; certification is lostN/A

How to qualify for conditional status

  1. 1

    Score at least 88 of 110

    A Conditional Level 2 requires an assessment score of at least 88 out of 110. Because the score starts at 110 and only subtracts, that leaves room for at most 22 points of deductions to remain open — and they must all be the right kind of gap.

  2. 2

    Keep only POA&M-eligible gaps open

    Every remaining open gap must be POA&M-eligible: generally only 1-point items qualify, with one exception — 3.13.11 in its 3-point partial case (encryption deployed but not FIPS-validated). Any 5-point gap, or any of the six never-eligible requirements, must be closed before the assessment, not deferred.

  3. 3

    Have a current SSP in place

    Requirement 3.12.4 — the System Security Plan — is never POA&M-eligible and is the gate to the whole assessment: without a current SSP, no assessment can be completed at all (32 CFR 170.24). It cannot be the thing you defer.

  4. 4

    Receive Conditional status and start the 180-day clock

    If you meet the score and eligibility tests, the C3PAO can award a Conditional Level 2, which lets you hold a contract award while you finish remediation. The 180-day closeout clock starts on the conditional status date.

  5. 5

    Close the POA&M within 180 days for Final status

    Close every open POA&M item within 180 days and pass a closeout assessment to convert Conditional to Final Level 2. Miss the window and the conditional status lapses (32 CFR 170.21) — you lose the certification and must re-assess.

Sources: 32 CFR 170.21 (Conditional Level 2 score floor, POA&M eligibility, the never-eligible six, and the 180-day closeout); 32 CFR 170.24 (the 3.12.4 SSP gate); DoD Assessment Methodology v1.2.1 (the 5/3/1 weighting and the 3.13.11 partial case). For budgeting the remediation and the separate C3PAO fee, see the CMMC Level 2 cost guide.

Straight answers

Can 3-point or 5-point controls go on a CMMC POA&M?

Almost never. POA&M eligibility under 32 CFR 170.21 is generally limited to 1-point requirements. There is exactly one exception: 3.13.11 (CUI encryption) in its 3-point partial case, where encryption is deployed but not FIPS-validated. Every 5-point gap, and every other 3-point gap, must be fully remediated before the assessment — it cannot be deferred to a POA&M.

What is the 88-point SPRS score minimum?

Eighty-eight of 110 is the minimum assessment score for a Conditional Level 2 (32 CFR 170.21). Because the score starts at 110 and only deducts, an 88 means at most 22 points of deductions remain open — and since only 1-point items may sit on a POA&M, that is at most 22 one-point requirements (plus the single 3.13.11 partial exception). An 88 reached the wrong way — with a 5-point gap or a never-eligible requirement open — still fails.

How long is conditional CMMC status valid?

You have 180 days from the conditional status date to close every open POA&M item and pass a closeout assessment, which converts Conditional to Final Level 2. If the items are not closed within 180 days, the conditional status lapses — the certification is lost and you must re-assess (32 CFR 170.21).

What is the 3.13.11 exception?

3.13.11 requires FIPS-validated cryptography to protect CUI. It is normally a 5-point requirement, which would make it ineligible for a POA&M. But the methodology gives it a 3-point partial deduction when cryptography is deployed but not yet FIPS-validated, and in that specific partial case it is the one non-1-point requirement that may sit on a POA&M for conditional status.

Which requirements can never be on a CMMC POA&M?

Six requirements are never POA&M-eligible under 32 CFR 170.21: 3.1.20 and 3.1.22 (external connections and publicly posted content), 3.10.3, 3.10.4, and 3.10.5 (escorting visitors, physical access logs, and managing physical access devices), and 3.12.4 (the System Security Plan itself, which is also the gate to the entire assessment). If any of these is open, you cannot earn a Conditional Level 2 — they must be fully met.

This is compliance information, not legal advice. Only an authorized C3PAO can award a Conditional or Final Level 2; Muster helps you prepare and drafts the documentation you review and attest to. Score honestly — an inflated self-assessment is False Claims Act exposure. For contract-eligibility questions, consult qualified counsel.

Would you qualify for conditional status?

The free Muster Score computes your number with the exact DoD methodology and flags which gaps are POA&M-eligible and which you must fix before an assessor will pass you.

Get your free Muster Score

The free score is live now. Join the waitlist for early access to the done-for-you Level 2 Readiness Sprint and founding-cohort pricing.