Plain-English CMMC guide · primary sources
What is conditional CMMC Level 2 certification?
Conditional CMMC Level 2 status lets a contractor hold a contract award while remediating minor gaps. Requirements: a score of ≥ 88 of 110 at the C3PAO assessment; every open gap POA&M-eligible (generally 1-point items only — six requirements are never eligible, including 3.12.4, 3.1.20, 3.1.22, 3.10.3, 3.10.4, and 3.10.5). All POA&M items must close within 180 days of the conditional status date. Source: 32 CFR 170.21.
The 88-point threshold, explained
The score starts at 110 and only subtracts, so a score of at least 88 means no more than 22 points of deductions can remain open. And because only 1-point items may sit on a POA&M, that ceiling translates to at most 22 one-point requirements still open (plus the single 3.13.11 partial exception). The score is necessary but not sufficient: an 88 reached by leaving a 5-point gap or a never-eligible requirement open does not qualify, because those gaps cannot be deferred to a POA&M in the first place.
In short, two tests must both pass — the number (≥ 88) and the kind of gap (POA&M-eligible only). The kind of gap is what trips most contractors up. To see where you stand before you book an assessor, run the numbers in the SPRS calculator.
The six requirements that can never be on a POA&M
Six requirements are never POA&M-eligible under 32 CFR 170.21. If any one of them is open, a Conditional Level 2 is off the table — they must be fully met before the assessment. These render from the same validated dataset the Muster Score uses, so the ids and titles never drift:
| Requirement | What it covers |
|---|---|
| AC.L2-3.1.20 | Verify and limit external system connections |
| AC.L2-3.1.22 | Control CUI on publicly accessible systems |
| PE.L2-3.10.3 | Escort visitors and monitor visitor activity |
| PE.L2-3.10.4 | Maintain audit logs of physical access |
| PE.L2-3.10.5 | Control and manage physical access devices |
| CA.L2-3.12.4 | Develop and update system security plans |
Note that 3.12.4 (the SSP) is doubly binding: it is never POA&M-eligible, and without a current SSP no assessment can be completed at all (32 CFR 170.24). The full eligibility rules and a free blank template are in the POA&M template guide.
The 180-day closeout clock
Conditional is temporary by design. From the conditional status date you have 180 days to close every open POA&M item and pass a closeout assessment, which converts your status to Final Level 2. There is no grace period: if the items are not closed in time, the conditional status lapses — you lose the certification and must re-assess (32 CFR 170.21). Treat the 180 days as the real deadline and have remediation underway, with budget and vendors lined up, before the assessment rather than after it.
Conditional vs. Final Level 2
| Conditional Level 2 | Final Level 2 | |
|---|---|---|
| Score required | At least 88 of 110 | All requirements met, or every POA&M item closed |
| Open gaps allowed | Only POA&M-eligible (1-point items; 3.13.11 partial case) | None remaining |
| Contract eligibility | Can hold an award while remediating | Full eligibility, no open clock |
| Time pressure | 180-day closeout clock running | No closeout clock |
| If you miss the deadline | Conditional status lapses; certification is lost | N/A |
How to qualify for conditional status
- 1
Score at least 88 of 110
A Conditional Level 2 requires an assessment score of at least 88 out of 110. Because the score starts at 110 and only subtracts, that leaves room for at most 22 points of deductions to remain open — and they must all be the right kind of gap.
- 2
Keep only POA&M-eligible gaps open
Every remaining open gap must be POA&M-eligible: generally only 1-point items qualify, with one exception — 3.13.11 in its 3-point partial case (encryption deployed but not FIPS-validated). Any 5-point gap, or any of the six never-eligible requirements, must be closed before the assessment, not deferred.
- 3
Have a current SSP in place
Requirement 3.12.4 — the System Security Plan — is never POA&M-eligible and is the gate to the whole assessment: without a current SSP, no assessment can be completed at all (32 CFR 170.24). It cannot be the thing you defer.
- 4
Receive Conditional status and start the 180-day clock
If you meet the score and eligibility tests, the C3PAO can award a Conditional Level 2, which lets you hold a contract award while you finish remediation. The 180-day closeout clock starts on the conditional status date.
- 5
Close the POA&M within 180 days for Final status
Close every open POA&M item within 180 days and pass a closeout assessment to convert Conditional to Final Level 2. Miss the window and the conditional status lapses (32 CFR 170.21) — you lose the certification and must re-assess.
Sources: 32 CFR 170.21 (Conditional Level 2 score floor, POA&M eligibility, the never-eligible six, and the 180-day closeout); 32 CFR 170.24 (the 3.12.4 SSP gate); DoD Assessment Methodology v1.2.1 (the 5/3/1 weighting and the 3.13.11 partial case). For budgeting the remediation and the separate C3PAO fee, see the CMMC Level 2 cost guide.
Straight answers
Can 3-point or 5-point controls go on a CMMC POA&M?
Almost never. POA&M eligibility under 32 CFR 170.21 is generally limited to 1-point requirements. There is exactly one exception: 3.13.11 (CUI encryption) in its 3-point partial case, where encryption is deployed but not FIPS-validated. Every 5-point gap, and every other 3-point gap, must be fully remediated before the assessment — it cannot be deferred to a POA&M.
What is the 88-point SPRS score minimum?
Eighty-eight of 110 is the minimum assessment score for a Conditional Level 2 (32 CFR 170.21). Because the score starts at 110 and only deducts, an 88 means at most 22 points of deductions remain open — and since only 1-point items may sit on a POA&M, that is at most 22 one-point requirements (plus the single 3.13.11 partial exception). An 88 reached the wrong way — with a 5-point gap or a never-eligible requirement open — still fails.
How long is conditional CMMC status valid?
You have 180 days from the conditional status date to close every open POA&M item and pass a closeout assessment, which converts Conditional to Final Level 2. If the items are not closed within 180 days, the conditional status lapses — the certification is lost and you must re-assess (32 CFR 170.21).
What is the 3.13.11 exception?
3.13.11 requires FIPS-validated cryptography to protect CUI. It is normally a 5-point requirement, which would make it ineligible for a POA&M. But the methodology gives it a 3-point partial deduction when cryptography is deployed but not yet FIPS-validated, and in that specific partial case it is the one non-1-point requirement that may sit on a POA&M for conditional status.
Which requirements can never be on a CMMC POA&M?
Six requirements are never POA&M-eligible under 32 CFR 170.21: 3.1.20 and 3.1.22 (external connections and publicly posted content), 3.10.3, 3.10.4, and 3.10.5 (escorting visitors, physical access logs, and managing physical access devices), and 3.12.4 (the System Security Plan itself, which is also the gate to the entire assessment). If any of these is open, you cannot earn a Conditional Level 2 — they must be fully met.
This is compliance information, not legal advice. Only an authorized C3PAO can award a Conditional or Final Level 2; Muster helps you prepare and drafts the documentation you review and attest to. Score honestly — an inflated self-assessment is False Claims Act exposure. For contract-eligibility questions, consult qualified counsel.
Related guides
How much does a C3PAO assessment cost?
The assessor fee by organization size ($30K–75K small, more for larger), what it does and doesn’t include, the levers that shrink it (scope), and how many C3PAOs there are (103) against ~78,000 obligated contractors.
NIST 800-171 SSP template
What an SSP must contain per 3.12.4, what assessors flag first, and a free blank template (Markdown or Word) — no email gate.
POA&M template (NIST 800-171)
The 32 CFR 170.21 eligibility rules — 88-point minimum, the never-eligible six, the 180-day clock — plus a worked example and a free blank template.
CMMC Level 2 cost
Real price bands by path — self-serve software, consultant-led, enclave route — with the C3PAO assessment fee separated out honestly.
Tools: SPRS score calculator · scoring methodology · CMMC Phase 2 deadline
Would you qualify for conditional status?
The free Muster Score computes your number with the exact DoD methodology and flags which gaps are POA&M-eligible and which you must fix before an assessor will pass you.
Get your free Muster ScoreThe free score is live now. Join the waitlist for early access to the done-for-you Level 2 Readiness Sprint and founding-cohort pricing.