CMMC Level 2 Requirements

Here are the requirements for CMMC Level 2. Get up to speed with the new regulations.

The Cybersecurity Maturity Model Certification (CMMC) mandates specific practices for contractors working with the Department of Defense to protect Controlled Unclassified Information (CUI). CMMC 2.0 Level 2, often referred to as the “Advanced” level, ensures robust protection of CUI, especially for defense missions. This level incorporates detailed practices and requires companies to have documented processes in place.

Key Takeaways

  • Will soon be mandatory for bidding on Department of Defense contracts involving Controlled Unclassified Information (CUI).
  • Follows NIST SP 800-171 Rev. 3, requiring 110 security practices to protect CUI.
  • Verified through annual self-assessments, triennial third-party assessments, and government-led assessments for critical programs.
  • Requires a detailed plan documenting security practices and compliance with CMMC guidelines.
  • Contractors must submit annual affirmations and continually monitor security measures post-certification.

CMMC Level 2 Objectives

CMMC 2.0 Level 2 is designed to provide enhanced protection against advanced persistent threats (APTs) that target the defense industrial base. The standards set forth in Level 2 are essential for securing the supply chain that supports key defense programs. Meeting these standards will soon be a regulatory requirement, as well as a vital step in protecting our country’s safety.

Why is it Important to Government Contractors?

CMMC 2.0 Level 2 will be critical for eligibility to bid on DoD contracts, providing a competitive edge and opening up more opportunities. Without CMMC Level 2 certification, contractors may be ineligible to bid on certain contracts, particularly those involving sensitive information, making it a necessary qualification for participating in many defense-related projects.

Key Requirements and Compliance for CMMC Level 2

CMMC 2.0 Level 2 is designed to align with the security requirements of NIST SP 800-171 Rev. 3, which includes 110 security practices. These practices are essential for protecting Controlled Unclassified Information (CUI) and ensuring the integrity and security of the defense supply chain.

Security Practices

The 110 security practices are categorized into several key areas:

  1. Access Control (AC): Ensures only authorized individuals can access systems and data.
  2. Awareness and Training (AT): Educates employees on cyber risks and response strategies.
  3. Audit and Accountability (AU): Maintains records of system activities to detect and respond to security incidents.
  4. Configuration Management (CM): Manages system configurations to prevent unauthorized changes.
  5. Identification and Authentication (IA): Verifies identities of users, devices, and systems before granting access.
  6. Incident Response (IR): Prepares for and mitigates the impact of cybersecurity incidents.
  7. Maintenance (MA): Ensures secure system maintenance procedures.
  8. Media Protection (MP): Protects digital and physical media containing CUI.
  9. Physical Protection (PE): Secures physical access to systems and data.
  10. Risk Assessment (RA): Identifies and assesses risks to organizational operations and assets.
  11. Security Assessment (CA): Evaluates the effectiveness of security controls.
  12. System and Communications Protection (SC): Protects the confidentiality and integrity of transmitted information.
  13. System and Information Integrity (SI): Ensures systems and data remain secure from unauthorized modifications.

Assessment and Certification

Compliance with these practices is verified through different types of assessments:

  1. Annual Self-Assessments: Required for contractors handling Federal Contract Information (FCI) that is not critical to national security. This helps ensure ongoing adherence to basic cybersecurity practices.
  2. Triennial Third-Party Assessments: Mandatory for more critical roles within the defense supply chain, conducted by certified CMMC Third Party Assessment Organizations (C3PAOs).
  3. Government-Led Assessments: Conducted every three years for the most crucial programs, ensuring the highest level of cybersecurity standards are met.

You can access the full details through this link: CMMC Assessments

System Security Plan

A key part of meeting CMMC 2.0 Level 2 rules is the development and maintenance of a System Security Plan (SSP). This document describes the security practices and policies in place to protect important data (CUI) and shows how the organization follows CMMC guidelines.

Steps to Achieve CMMC Level 2 Certification

  1. Initial Self-Assessment

Contractors start with a self-assessment against the NIST SP 800-171 standards, which include 110 security practices. This self-check is important for finding gaps in cybersecurity practices and planning how to fix them.

  2. Remediation and Plan of Action & Milestones (POA&M)

Following the self-assessment, contractors need to fix any security issues found. This step might include making a Plan of Action & Milestones, which lists specific measures and timelines to fully meet the security standards.

  3. Third-Party Assessment

For Level 2, a third-party assessment done by an accredited Cybersecurity Maturity Model Certification Third Party Assessment Organization (C3PAO) is required. This assessment confirms that the necessary security steps and controls are in place.

  4. Government Validation

For contracts with highly sensitive CUI, a government-run check may be required. This extra check makes sure that the highest standards of cybersecurity are maintained.

  5. Continuous Monitoring and Annual Affirmations

Once certified, contractors must submit annual affirmations of continued compliance through the Supplier Performance Risk System (SPRS). This includes updating any needed action plans and showing they are continuously meeting the security requirements.

Challenges and Best Practices in the CMMC Compliance Journey

Addressing Compliance Costs

A big challenge in meeting CMMC 2.0 standards is the cost of setting up and keeping up the required cybersecurity measures. This can be especially tough for smaller businesses. However, the framework is flexible, making it possible to implement cost-effective security solutions for less mature levels while allowing larger organizations to reach higher security levels.

Leveraging Technology and Expertise

Using advanced cybersecurity technology and working with security experts can make the compliance process much smoother. These resources can provide the necessary insights and tools to effectively handle and reduce security risks.

Ensuring Comprehensive Documentation

Maintaining comprehensive documentation, including the plan for system security (SSP) and any associated POA&Ms, is crucial. These documents not only support compliance efforts but also play a critical role during assessments, to show that the security measures have been properly put in place.

Detailed Implementation Guidance for CMMC Level 2

Scoping and Preparation for CMMC Level 2

The first important step in setting up CMMC 2.0 Level 2 is understanding the scope of the assessment. According to the CMMC Assessment Scope guidelines, organizations should prepare by identifying the systems, processes, and information that will be looked at. This scoping involves a detailed analysis of where CUI is stored, processed, and transmitted within the organization’s network.

System and Process Identification

Organizations must map out all systems and processes that handle CUI. This includes both digital environments and physical storage locations, making sure all possible security risks are covered.

Information Flow Analysis

Analyzing the flow of CUI within and outside the organization is vital. This analysis helps in understanding how information moves between systems, which is important for putting the right security measures in place.

Implementing Required Security Controls

Once the scope is defined, the next step is to implement the specific security controls required by NIST SP 800-171 Rev. 2. These controls are designed to protect the confidentiality, integrity, and availability of CUI across various domains, including access control, incident response, and media protection.

Access Control Measures

Setting up strong access control measures ensures that only authorized personnel can access CUI. This includes employing least privilege principles, multi-factor authentication, and careful management of user identities.

Media Protection Strategies

Protection of digital and physical media containing CUI is crucial. Strategies include encryption, secure storage, and proper disposal methods to prevent unauthorized access and data leaks.

Incident Response Plans

Developing and testing incident response plans equips organizations to quickly respond to and recover from security incidents. These plans should outline roles, responsibilities, and procedures for addressing potential security breaches.

Continuous Monitoring and Improvement

Getting CMMC 2.0 Level 2 certification is just the beginning; you need to keep working to stay compliant and enhance your cybersecurity measures. Continuously checking the security measures you have in place and regularly updating your practices are crucial to keep up with changing cybersecurity threats.

Regular Security Assessments

Regular security checks help identify weaknesses and gaps in your security setup. These assessments should be both internal and external, involving periodic third-party audits.

Updating Security Measures

As technology and cyber threats evolve, so must the security measures. Staying updated with the latest security technologies and practices is necessary to protect against advanced threats and other new risks.

Training and Awareness Programs

Continuous education and training for all employees regarding cybersecurity best practices and threat awareness are fundamental. Regular training helps lessen the chance of security problems caused by human error.

Future Outlook

Please see the Further Research section on this page for links to official documentation and other information.


Achieving CMMC 2.0 Level 2 compliance will soon be essential for contractors aiming to bid on Department of Defense contracts that handle Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), and ITAR or export-controlled data. Compliance means enhanced security controls, better business opportunities, and a competitive edge in the defense sector. It ensures contractors meet current regulatory requirements and are prepared for future growth and digital transformation challenges. By adhering to CMMC 2.0 Level 2 standards, contractors can demonstrate compliance and support national security.


What does the CMMC Accreditation Body do for CMMC compliance?

The CMMC Accreditation Body checks that the certification process meets all needed compliance standards.

How do companies show they meet CMMC standards?

Companies show they meet CMMC standards by passing assessments carried out by approved assessors.

What happens in the CMMC certification process?

During the CMMC certification process, a certified body checks to make sure a company is following the required cybersecurity practices.

Who does the CMMC assessment and why?

Certified third-party organizations do CMMC assessments to check if a contractor meets the required cybersecurity rules.

How can a company get ready for a CMMC certification check?

A company can get ready for a CMMC certification check by reviewing its cybersecurity practices to ensure they follow CMMC standards.

What are the CMMC Level 2 requirements?

CMMC Level 2 compliance means implementing the 110 security practices outlined in NIST SP 800-171, which cover areas such as access control, incident response, and media protection to secure Controlled Unclassified Information (CUI).

How does the CMMC framework support national security?

The CMMC framework supports national security by ensuring that contractors handling sensitive information implement robust cybersecurity measures, thereby protecting defense-related data from cyber threats and enhancing the overall security of the defense supply chain.

Relevant Compliance