The Cybersecurity Maturity Model Certification (CMMC) Level 2 is a critical step for Department of Defense (DoD) contractors who handle Controlled Unclassified Information (CUI). Unlike Level 1, which covers basic safeguarding of Federal Contract Information (FCI), Level 2 builds a comprehensive cybersecurity program, aligning with NIST SP 800-171 Rev 2.
Level 2 is the foundation for advanced security practices and is often required for prime contractors and subcontractors managing sensitive DoD information. Compliance ensures that your organization is protected against cyber threats while maintaining eligibility for defense contracts.
Scope of CMMC Level 2
Applies to: Organizations handling CUI, which includes sensitive but unclassified information like technical data, engineering drawings, or contract-sensitive information.
Assessment: Level 2 may require either self-assessment or a third-party assessment depending on contract requirements.
Goal: Implement 110 security practices derived from NIST SP 800-171, ensuring comprehensive data protection across all systems handling CUI.
Plan of Action & Milestones (POA&M): Allowed under certain conditions but must be tracked and actively remediated.
Official guidance is published by the DoD CIO CMMC Office: CMMC Level 2 Overview.
The 110 Security Requirements
The 110 practices are organized across 17 domains. Here’s a summary:
1. Access Control (AC)
Limit access to CUI based on roles.
Implement least privilege and separation of duties.
Control remote and mobile access.
2. Awareness and Training (AT)
Train personnel on cybersecurity policies and practices.
Conduct periodic refresher training.
3. Audit and Accountability (AU)
Generate audit logs for system activity.
Protect audit information and retain it according to policy.
Review logs regularly for suspicious activity.
4. Configuration Management (CM)
Establish baselines for system configurations.
Manage changes to prevent unauthorized modifications.
5. Identification and Authentication (IA)
Ensure all users and devices are uniquely identified.
Implement multifactor authentication (MFA) for privileged access.
6. Incident Response (IR)
Develop and maintain an incident response plan.
Test response procedures regularly.
Report incidents as required by DoD and CISA guidance.
7. Maintenance (MA)
Perform controlled maintenance on systems.
Monitor and record maintenance activities.
8. Media Protection (MP)
Protect CUI on digital and physical media.
Encrypt and securely dispose of sensitive media.
9. Personnel Security (PS)
Screen personnel with access to CUI.
Remove access promptly when employees leave or change roles.
10. Physical Protection (PE)
Limit physical access to facilities and systems storing CUI.
Escort and monitor visitors, maintain access logs.
11. Risk Assessment (RA)
Conduct regular risk assessments.
Identify vulnerabilities and prioritize mitigation efforts.
12. Security Assessment (CA)
Periodically assess security controls.
Remediate deficiencies and update documentation.
13. System and Communications Protection (SC)
Encrypt CUI in transit and at rest.
Segment networks and monitor communications for unauthorized activity.
14. System and Information Integrity (SI)
Detect and respond to malware and other threats.
Apply timely updates and patches.
15. Program Management (PM)
Establish policies and procedures supporting CMMC compliance.
Track compliance activities, responsibilities, and performance.
16. Situational Awareness / Monitoring
Monitor networks and endpoints for anomalous activity.
Implement alerts for suspicious behavior.
17. Supply Chain Risk Management (SR)
Ensure subcontractors meet applicable CMMC requirements.
Track third-party compliance and enforce contractual obligations.
Note: The full mapping of the 110 practices to the 17 domains is detailed in the official CMMC Level 2 Assessment Guide.
Steps to Achieve CMMC Level 2 Compliance
Conduct a Gap Analysis
Compare current cybersecurity controls to the 110 CMMC Level 2 practices.
Identify missing or partially implemented controls.
Develop a System Security Plan (SSP)
Document how each of the 110 practices is implemented.
Reference policies, procedures, and technical controls.
Create a Plan of Action & Milestones (POA&M)
For controls not yet fully implemented, outline remediation steps.
Assign owners, deadlines, and resources for each control.
Implement Technical and Administrative Controls
Deploy tools like MFA, endpoint detection, encryption, logging, and monitoring.
Train staff regularly on security policies and incident response procedures.
Conduct Internal Testing & Assessment
Run vulnerability scans, penetration tests, and tabletop exercises.
Correct deficiencies before formal assessment.
Engage with a Third-Party Assessment Organization (C3PAO) if Required
Submit documentation and evidence for formal audit.
Complete any corrective actions identified during the assessment.
Submit Self-Affirmation or Certification in SPRS
Update your compliance status in the Supplier Performance Risk System (SPRS).
Tips for Maintaining Level 2 Compliance
Regularly update policies and technical controls to stay aligned with NIST SP 800-171 and DoD guidance.
Train employees continuously on security threats like phishing, malware, and social engineering.
Monitor subcontractor compliance to ensure supply chain integrity.
Document everything — logs, reports, evidence — as auditors will require full traceability.
Official References
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
NIST SP 800-171 Revision 2
CISA Cybersecurity Best Practices
REGISTER FOR OUR WEBINAR ON NOV 6:
How to Meet New CMMC Requirements Webinar 11/6 @ 11 AM EST
Click on the link: Join event
👉 Request your customized cyber vulnerability report today and stay ahead of threats.
👉 Gain insights into your unique cybersecurity vulnerabilities with a custom report.
👉 Train your team to be your first line of defense