
CMMC LEVEL 2: AN EXPERT GUIDE TO LEVEL 2 REQUIREMENTS


EXECUTIVE BRIEF

Do you need to achieve CMMC Level 2 compliance?

If you’re a defense contractor preparing to comply with the latest Cybersecurity Maturity Model Certification (CMMC) from the Department of Defense (DoD), also referred to by the current administration as the Department of War (DoW), we’re here to help you crack the code. This guide provides a high-level overview of CMMC Level 2 requirements and helps you determine if it applies to your organization.

  • Focuses on Contractors Handling CUI: Level 2 applies to defense contractors who handle Controlled Unclassified Information (CUI).
  • Securing the Defense Supply Chain: If your prime contractor is certified at CMMC Level 2 (C3PAO) or Level 3 (DIBCAC), you will need to be certified at Level 2 (C3PAO) at a minimum.
  • Meets All NIST 800-171 Controls: Requires implementation of all 110 security controls outlined in NIST SP 800-171a Rev 2.

Dig deeper and continue reading below.

What Is CMMC Level 2?

CMMC Level 2 focuses on contractors who handle or have to demonstrate the ability to handle Controlled Unclassified Information (CUI). It is expected to apply to roughly 80,000 contractors within the defense supply chain.

Level 2 is divided into two sub-levels: Level 2 (Self-Assessment) and Level 2 (C3PAO), the latter assessed by a CMMC Third-Party Assessment Organization. Both require the contractor to meet all 110 controls and 320 objectives outlined in NIST SP 800-171a Rev2. The critical difference between the two sub-levels is the method of verification: Level 2 (C3PAO) requires a third-party assessor to certify your organization’s compliance posture.

The Difference Between CMMC Level 1 and Level 2

There are three critical differences between CMMC 2.0 Level 1 and Level 2.

|                | CMMC Level 1                                                       | CMMC Level 2                                                                                                                  |
|----------------|--------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
| Controls       | Adherence to 17 selected controls listed in NIST 800-171A Rev 2    | Adherence to all 110 controls listed in NIST 800-171A Rev 2                                                                   |
| Assessment     | Certified through annual self-assessment                           | Certified through triennial assessment (Self or C3PAO*)                                                                       |
| POA&M**        | Not permitted                                                      | Permitted for conditional certification. However, an additional POA&M assessment is needed for final certification.          |

*  If your prime contractor is Level 2 (C3PAO) or Level 3 (DIBCAC) certified, you will need to be Level 2 (C3PAO) certified.

** Plan of Action & Milestones document.

How to Know If You Need to Achieve Level 2 Compliance

Under the phased rollout of CMMC, the Request for Proposal will indicate which CMMC maturity level certification is needed to be awarded the contract. However, if you’re looking to get ahead of the phased rollout and position your business as an early adopter of CMMC, the three best indicators of needing Level 2 compliance are:

  1. Does your organization process, store, or handle CUI?
  2. Do your current contracts contain a DFARS 7012 clause?
  3. Will your prime contractors be CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) certified?

If you answer yes to any of these questions, you will likely need to become CMMC Level 2 certified to win new contracts and continue working on current contracts.

What Is CUI?

CUI is information created or processed by the Government, or by an entity on behalf of the Government, that needs safeguarding or dissemination controls so that agencies can handle this sensitive information appropriately.

Documents considered CUI will carry distinct CUI markings. The designating agency is responsible for determining which documents are CUI and marking them accordingly.

How Do I Know If I Handle CUI?

The easiest indicators that you handle CUI are in your contracts. Look for:

  • DFARS 252.204-7012, which requires contractors to safeguard Covered Defense Information (CDI), which includes CUI, in accordance with NIST SP 800-171
  • DFARS 252.204-7019, which requires you to report your compliance status in the DoD’s Supplier Performance Risk System (SPRS)
  • DFARS 252.204-7020, which gives DoD the right to assess that compliance

These clauses have been standard in most DoD contracts since 2017, so if they’re present, the government (or your prime) assumes you already have CUI in your environment and are safeguarding it.

If you're unsure, assume it’s worth checking. Many contractors discover they’re handling CUI indirectly—through email attachments, supplier data, shared files, or workflows that include sensitive DoD information. A quick internal audit of your contracts, data flows, and customer deliverables can confirm it fast. CUI tends to end up in parts of your environment that you might not realize need safeguarding.

CMMC Level 2 Security Requirements

Level 2 encompasses a comprehensive suite of 110 security controls grouped into 14 domains, each vital for a robust cybersecurity posture. Those domains are:

  • Access Control (AC): Ensures only authorized users, processes, and devices can access systems and data.
  • Awareness and Training (AT): Makes sure personnel are trained to recognize security risks and properly handle sensitive information.
  • Audit and Accountability (AU): Captures, monitors, and reviews activity logs to detect and investigate security incidents.
  • Configuration Management (CM): Manages system changes and settings to maintain secure, approved configurations.
  • Identification and Authentication (IA): Verifies the identity of users and devices through multifactor authentication (MFA) and other processes before granting system access.
  • Incident Response (IR): Establishes processes to detect, respond to, and recover from security incidents.
  • Maintenance (MA): Ensures systems are properly maintained, updated, and serviced in a secure manner.
  • Media Protection (MP): Safeguards physical and digital media containing sensitive information.
  • Personnel Security (PS): Ensures individuals accessing systems are trustworthy and properly vetted.
  • Physical Protection (PE): Controls physical access to facilities, equipment, and environments containing sensitive data.
  • Risk Assessment (RA): Identifies and evaluates potential threats and vulnerabilities to systems and data.
  • Security Assessment (CA): Reviews and validates the effectiveness of security controls and practices.
  • System and Communications Protection (SC): Protects data during transmission and ensures systems communicate securely.
  • System and Information Integrity (SI): Detects and addresses system flaws, malware, and unauthorized changes to maintain data integrity.

The table below outlines these controls and provides clarity, enabling contractors to focus on specific areas of improvement.

CMMC Level 2 and NIST SP 800-171

All three maturity levels of CMMC 2.0 are interconnected with NIST SP 800-171a Rev2. Level 2, in particular, focuses solely on standardizing defense contractors' adherence to all 110 controls of NIST SP 800-171a Rev2. To be certified at Level 2 (Self-Assessment) or Level 2 (C3PAO), contractors must demonstrate compliance with all 110 controls and 320 objectives listed in Rev2.

The 32 CFR final rule provided the opportunity for conditional certification if the contractor:

  • Satisfies the listed essential cybersecurity controls
  • Achieves a score of at least 80% of the total compliance score during their assessment
  • Addresses any gaps in a POA&M document

Regarding conditional certification, it is essential to note this is a temporary solution. Upon receiving conditional certification, your organization has 180 days to remediate all controls and objectives listed on your POA&M document and pass a POA&M closeout assessment.

When Will CMMC Level 2 Requirements Be Enforced?

The government's phased rollout of CMMC began on November 10, 2025, the effective date of the CMMC Title 48 Rule. This means CMMC requirements are beginning to appear in new defense contracts and option years of existing contracts.

However, the new requirements will be applied incrementally in phases, not all at once. In the current phase, Level 1 and Level 2 self-assessment requirements are being included in applicable solicitations and contracts as a condition of award. Phase 2 starts on November 10, 2026. That’s when Level 2 third-party assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) become a condition for contract awards.

Challenges to Achieving CMMC Level 2

Achieving CMMC Level 2 compliance entails addressing complex challenges that demand strategic planning and resource allocation. Below, we delve deeper into the primary hurdles organizations face in this rigorous process, emphasizing the need for a comprehensive and systematic approach.

The Complexity of CMMC Level 2’s Security Control Requirements

CMMC Level 2 introduces a robust framework of 110 security controls distributed across 14 categories. This breadth of requirements necessitates meticulous understanding and implementation, which can prove daunting for many organizations. You must interpret each control accurately and apply each consistently, ensuring compatibility with existing infrastructure and processes. The precise nature of these controls requires organizations to install and continuously manage a wide range of cybersecurity measures, a task often complicated by the ongoing evolution of cybersecurity threats and regulatory standards.

Developing and Maintaining Documentation

Organizations must establish comprehensive documentation that clearly outlines the implementation and risk management of each security control. This includes drafting detailed policies, procedures, audit logs, and system security plans that accurately reflect operational practices. Maintaining this documentation is resource-intensive and requires ongoing updates and precise storage to align with changing compliance requirements and audits. Such thorough documentation satisfies certification demands and empowers organizations to identify and address gaps systematically.

Ongoing Monitoring and Maintenance

Organizations must implement continuous monitoring systems capable of detecting, recording, and responding to threats in real time. This ongoing maintenance includes regular security audits, vulnerability assessments, and updating backups and security protocols, which are all vital in safeguarding sensitive data. The demand for continual oversight can strain operational resources, necessitating dedicated staff and sophisticated technologies to maintain a robust security posture efficiently.

Resource Constraints

Balancing CMMC Level 2 demands with existing operational responsibilities can be challenging for many organizations, especially smaller ones. Personnel may need additional training to effectively manage and execute compliance requirements, diverting valuable time from their regular duties. While financial constraints are a concern, it is often the human resource aspect—ensuring that skilled personnel are allocated efficiently—that poses a more significant challenge.

Lack of Cybersecurity Expertise

The intricacy of CMMC Level 2’s requirements underscores the need for specialized cybersecurity knowledge, which is not readily available within all organizations. This gap impedes the ability to effectively interpret, implement, and manage security controls. Organizations may need to seek external expertise or invest in upskilling their workforce, both of which require careful planning and possibly significant financial outlay. Building a proficient in-house cybersecurity team or engaging third-party consultants are viable strategies, each offering distinct advantages and challenges.

Integration of Security Practices

The requirements for new cybersecurity practices can disrupt existing workflows and systems, necessitating adjustments that may affect productivity in the short term. Embedding these security measures into the organizational fabric necessitates a cultural shift, aligning everyone from executives to front-line staff with the new security ethos while maintaining business output. Effective change management strategies are essential to minimize operational disruption and ensure a smooth transition to compliance.

CMMC Level 2 Compliance Costs

Compliance with CMMC Level 2 obligations incurs significant costs, encompassing assessment fees, remediation efforts, and ongoing monitoring. While initial assessment costs vary, they are necessary to ensure comprehensive compliance. Remediation efforts may involve upgrading cybersecurity infrastructure, training staff, or hiring consultants, which further add to expenses.

Despite the costs, these investments are crucial for maintaining an organization's competitive standing, particularly in initiatives involving the DoD. Integrating compliance costs into future proposals can offset some financial pressures, helping organizations adapt to the industry's tighter cybersecurity standards and remain attractive to potential DoD partners. The importance of these investments cannot be overstated, as they lay the foundation for a secure, compliant, and competitive enterprise.

A Checklist to Prepare for CMMC Level 2 Assessment

A structured approach is vital to successful certification. Follow this checklist to streamline your preparation.

Perform a NIST 800-171A Self-Assessment

Perform a self-assessment based on NIST SP 800-171A, which outlines methods and procedures for evaluating the implementation of security requirements. The purpose of this assessment is to identify gaps and establish a compliance baseline. Although NIST 800-171 and CMMC are complementary standards, they differ in compliance requirements: NIST 800-171 compliance can be achieved through self-assessment, whereas CMMC requires a third-party audit for certification. By completing the NIST 800-171 self-assessment first, you can identify gaps in your current cybersecurity practices in relation to CMMC requirements.

Conduct a Gap Analysis

After completing your NIST 800-171A self-assessment, a gap analysis helps you clearly identify which controls are fully implemented, partially implemented, or missing. This step turns your assessment results into an actionable roadmap by highlighting exactly where your environment, documentation, or processes fall short of CMMC Level 2 expectations. It also helps you prioritize remediation work based on risk, effort, and assessment impact.

Establish a System Security Plan

A System Security Plan (SSP) outlines an information system’s security requirements and lays out a plan for meeting those requirements. To stay on track for CMMC compliance, develop your SSP to formally document your organization’s cybersecurity practices, policies, and procedures. The SSP should detail how your organization implements the required CMMC practices and controls, giving you a detailed account and comprehensive overview of your cybersecurity framework.

Create Your Plan of Action and Milestones (POA&M)

As mentioned before, CMMC Level 2 will allow your organization to achieve conditional certification with a POA&M document. However, there are six key cybersecurity requirements that CMMC 2.0 does not allow to be placed on a POA&M. These are:

  1. AC.L2-3.1.20 External Connections (CUI Data)
  2. AC.L2-3.1.22 Control Public Information (CUI Data)
  3. CA.L2-3.12.4 System Security Plan
  4. PE.L2-3.10.3 Escort Visitors (CUI Data)
  5. PE.L2-3.10.4 Physical Access Logs (CUI Data)
  6. PE.L2-3.10.5 Manage Physical Access (CUI Data)

Your organization will then have 180 days to remediate any gaps in your compliance posture and pass a POA&M closeout assessment before achieving final Level 2 certification.

Review DoD Assessment and Scoping Guides

Thoroughly examine the DoD's CMMC Assessment Guide and Scoping Guide. These documents provide an authoritative blueprint for understanding the evaluation criteria and scoping boundaries that define the assessment process. Ensure your team comprehensively reviews these guides to pinpoint the specific controls applicable to your organization.

Schedule a C3PAO Assessment

Once your documentation, controls, and remediation plans are in place, the final step is securing time with an authorized C3PAO, the third-party assessor organization responsible for conducting your formal CMMC Level 2 assessment. Demand can be high, so scheduling early ensures you secure a spot that aligns with your contract timelines and avoids last-minute delays.

Before the assessment date, confirm the scope, provide your SSP and supporting evidence, and clarify any prerequisites your C3PAO may need. Locking in your assessment early keeps you on track and gives you a clear milestone to work toward as you finalize your readiness.

How ISI Helps You Achieve CMMC Level 2 Compliance

At ISI, we are dedicated to guiding defense contractors in the Defense Industrial Base (DIB) through CMMC Level 2 compliance complexities. Our expert team provides tailored solutions, ensuring you remain competitive and compliant. Contact us today for comprehensive support in navigating this critical certification process.

FAQs about CMMC Level 2 Requirements

Is CMMC only for DoD contractors?

Yes, as of now, CMMC only applies to DoD contractors and subcontractors.

If I only handle FCI, do I still need to meet CMMC Level 2?

No. However, prime contractors can pass additional cybersecurity requirements down to their subcontractors. Reviewing your current federal contract information and looking for a DFARS 7012 clause is imperative, as this DFARS clause is a good indication of what your current primes will be looking for in the future.

Do I need a System Security Plan for CMMC Level 2?

Yes! Not only is an SSP required for Level 2 certification, but it is also one of the six key cybersecurity requirements not allowed on the POA&M document. Having a well-documented SSP is critical to your CMMC assessment.

What is the difference between CMMC Level 2 and Level 3?

There are three key differences between CMMC Level 2 and Level 3:

  1. CMMC Level 3 primarily applies to prime contractors, as the DoD only expects 600 companies to fall into the Level 3 category.
  2. In addition to satisfying all 110 controls and 320 objectives of NIST SP 800-171A Rev2, Level 3 requires contractors to implement an additional 24 cybersecurity requirements from NIST SP 800-172.
  3. Level 3 assessments are conducted by the government (DIBCAC) rather than by the third-party assessment organizations described for Level 2.

Level 3 also includes significantly stronger safeguards designed to counter advanced persistent threats, including enhanced monitoring, rapid incident reporting expectations, and protective measures tied to national security. These requirements go beyond standard CUI protection and help ensure contractors can detect, resist, and recover from highly sophisticated cyberattacks.

As mentioned, Level 3 is mainly for prime contractors—most defense contractors will fall into either Level 1 or 2 of the CMMC Program.

How long is CMMC Level 2 certification good for?

CMMC Level 2 certification is valid for three years. However, during those three years, an Affirming Official from your organization must provide a yearly affirmation of continuing compliance with the specified security assessment requirements.

The 32 CFR final rule defines the Affirming Official as “a senior representative from your organization who is responsible for ensuring the Organization Seeking Assessment’s (OSA’s) compliance with the CMMC Program requirements and has the authority to affirm the OSA's continuing compliance with the specified security requirements for their respective organizations.”

What are the consequences of failing a CMMC Level 2 assessment?

The most immediate consequence of failing a CMMC Level 2 assessment is that your organization will be unable to accept the award of a covered defense contract, which can mean losing current or future work. CMMC requirements are being phased into contracts over time. Phase 1 began on November 10, 2025, and DoD is already adding Level 1 and Level 2 self-assessment requirements to applicable solicitations as a condition of award. Phase 2 begins on November 10, 2026, when Level 2 third-party assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) become a condition of award for applicable contracts.

Failing your assessment can also hurt your organization’s reputation with prime contractors. Compliance is much more than a box-checking exercise; CMMC makes compliance a vital component of a contractor’s overall business goals.

While CMMC contract requirements are approaching, our best advice is to take your time and be intentional about identifying and addressing any gaps in your cybersecurity program before going through an audit.

How do I find a C3PAO for my CMMC assessment?

C3PAOs are accredited by the CMMC Accreditation Body, CyberAB. All accredited C3PAOs are listed on its website (cyberab.org).

Two things to note about C3PAOs:

  1. Give yourself time to interview at least three C3PAOs. Finding a C3PAO with whom you can build rapport and communicate effectively is important. The audit can be a long process, and having a C3PAO with whom you can work will be worth the time you spend researching.
  2. A C3PAO’s default position is not to pass or fail any organization. They are there simply to verify that your cybersecurity practices align with the CMMC program and that those practices, as performed, match your documented policies and procedures. The assessment is not punitive in nature, but it is crucial to prepare and have your ducks in a row.

Schedule a call with an advisor to learn how ISI can support your organization’s compliance journey.
