Quick Answer: CMMC 2.0 requirements are organized across three levels. Level 2, which applies to most defense contractors handling Controlled Unclassified Information, requires 110 security practices across 14 control families, all aligned with NIST SP 800-171. Meeting these requirements demands technical controls, documented policies, and a third-party assessment every three years.
CMMC 2.0 restructured the original five-level model into three streamlined levels, but the compliance burden for most defense contractors did not get lighter. Level 2 alone covers 110 requirements across 14 control families, and the US federal government is requiring CMMC compliance by the end of 2026. This page covers what each level requires, where organizations typically struggle, and what it realistically takes to get there.
Key Takeaways
- CMMC 2.0 has three levels: Level 1 requires 15 practices, Level 2 requires 110 practices aligned with NIST SP 800-171, and Level 3 requires 134 practices drawn from both NIST SP 800-171 and 800-172.
- CUI boundary scoping is the single most consequential decision in your CMMC preparation, and getting it wrong means rebuilding documentation from scratch.
- Most organizations should plan for 6 to 12 months of preparation before assessment readiness, depending on their starting security posture.
- Treating CMMC as an IT-only project is one of the most common reasons organizations fail assessments, since the requirements touch HR, operations, legal, and leadership.
- A managed compliance partner can reduce implementation time and distribute the workload across a dedicated team rather than your internal staff.
What Are CMMC 2.0 Requirements?
CMMC 2.0 is the Department of Defense's cybersecurity certification program for the Defense Industrial Base. It replaced the original five-level model with three levels, each calibrated to the sensitivity of the information a contractor handles.
Level 1: Foundational
Level 1 applies to contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires 15 practices drawn from FAR 52.204-21 and is satisfied through an annual self-assessment. The controls focus on basic cyber hygiene: limiting system access, scanning for vulnerabilities, and protecting media.
Level 2: Advanced
Level 2 is where most defense contractors land. It applies to organizations that handle CUI and requires 110 security practices across 14 control families, fully aligned with NIST SP 800-171. A third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) is required every three years for contracts involving prioritized acquisitions. Some organizations may qualify for annual self-assessment depending on the sensitivity of the contract.
| Control Family | Abbreviation | Practice Count |
| --- | --- | --- |
| Access Control | AC | 22 |
| Audit and Accountability | AU | 9 |
| Awareness and Training | AT | 3 |
| Configuration Management | CM | 9 |
| Identification and Authentication | IA | 11 |
| Incident Response | IR | 3 |
| Maintenance | MA | 6 |
| Media Protection | MP | 9 |
| Personnel Security | PS | 2 |
| Physical Protection | PE | 6 |
| Risk Assessment | RA | 3 |
| Security Assessment | CA | 4 |
| System and Communications Protection | SC | 16 |
| System and Information Integrity | SI | 7 |
Level 3: Expert
Level 3 applies to contractors working on the most sensitive DoD programs. It requires 134 practices drawn from both NIST SP 800-171 and NIST SP 800-172. Government-led assessments are required, and the bar for implementation evidence is significantly higher.
For a deeper look at how the levels compare, see CMMC Level 1 vs Level 2.
Challenges Companies Face When Getting CMMC Compliant
Most organizations underestimate what CMMC 2.0 compliance actually involves until they start working through the requirements. The gap between where a typical defense contractor starts and where they need to be is wider than it looks on paper.
- Underestimating scope: 110 requirements across 14 control families means technical changes, policy rewrites, training programs, and vendor reviews, not just a security tool deployment.
- CUI boundary confusion: Organizations frequently define a CUI enclave without fully understanding where CUI actually travels. Email, shared drives, and collaboration tools often carry CUI outside the intended boundary without anyone realizing it.
- No internal expertise: CMMC touches IT, HR, legal, facilities, and leadership. Most small and mid-sized defense contractors do not have staff with deep expertise across all of those domains simultaneously.
- Deadline pressure: The federal government is requiring CMMC compliance by the end of 2026. That timeline is real, and it does not accommodate a slow start or multiple rounds of rework.
- Documentation gaps: An SSP that looks complete on paper is not the same as a compliant environment. Assessors test whether controls are actually operating, not just described.
- GCC or GCC High migration: Depending on your CUI classification, you may need to migrate your Microsoft 365 environment to GCC or GCC High before your assessment, which is a significant technical project on its own.
What Does It Take to Meet CMMC 2.0 Requirements?
Getting from your current security posture to Level 2 certification involves work across several distinct areas. Each one requires real effort, and none of them can be skipped.
CUI Scoping and Environment Architecture
Before you write a single policy or deploy a single tool, you need to define exactly where CUI lives and how it moves through your organization. This scoping decision determines everything downstream: what goes in your SSP, which systems are in scope for assessment, and which technical controls you need to implement.
If CUI is flowing through a standard Microsoft 365 commercial tenant, you likely need to migrate to a GCC environment before your assessment. That migration is a project in itself and needs to happen early.
Documentation and Policy Development
CMMC Level 2 requires a System Security Plan (SSP) that accurately describes every control in scope, how it is implemented, and who owns it. You also need Plans of Action and Milestones (POA&Ms) for any gaps identified during your readiness review.
Policies need to be specific enough that a new team member could read them and act on them. Vague documentation is one of the most common reasons assessments get halted or require months of rework before restarting.
Technical Controls and Tooling
The 14 control families require a range of technical implementations: multi-factor authentication, endpoint detection and response, audit logging, vulnerability management, data loss prevention, and more. Selecting the right tools, configuring them correctly, and integrating them into a coherent security stack takes significant time.
BEMO builds this stack on Microsoft 365, Entra ID, Purview, Sentinel, Intune, and Defender, with GRC automation running through Drata.
Staff Training and Awareness
Awareness and Training is its own CMMC control family, and it requires more than a one-time orientation. You need documented training records, role-based training for personnel who handle CUI, and a program that runs on a defined schedule.
The risk of skipping this is real. A single employee who forwards a sensitive email outside the CUI boundary can invalidate your entire enclave definition and halt an assessment in progress.
Ongoing Monitoring and Maintenance
CMMC is not a one-time project. After your initial certification, you need continuous monitoring, annual self-assessments or triennial third-party assessments depending on your level, and a process for handling changes to your environment. Any significant system change can affect your compliance posture.
In-House vs Managed: Approaches to CMMC Compliance
There is no single right way to approach CMMC 2.0 compliance. The right path depends on your team's existing capabilities, your timeline, and how much of this work you want to own internally. Here is how the three main approaches compare.
| | DIY / In-House | GRC Platform Only (Drata, Vanta) | Managed Compliance Partner |
| --- | --- | --- | --- |
| Implementation | Your team builds it | Platform guides you, you do the work | Partner builds it for you |
| Ongoing maintenance | Your team | Your team + automation | Partner's team + automation |
| Auditor coordination | You manage it | Limited support | Managed end-to-end |
| Tech stack | You select and configure | Integrations only | Full security stack deployed |
| Dedicated team | Your hires | None | Multi-role team assigned to your account |
| Typical timeline | 12-18+ months | 6-12 months | ~8 months initial implementation |
DIY gives you the most control but requires hiring or retraining staff across IT, security, legal, and HR. GRC platforms like Drata or Vanta provide structure and automation, but you still own every implementation and evidence collection task. A managed compliance partner takes on the build, the tooling, and the auditor coordination, so your team is not carrying the full weight of the program. You can read more about how to choose a compliance provider to weigh the tradeoffs in more detail.
Getting Started With CMMC Compliance
If you are starting your CMMC 2.0 journey, the path from gap to certification follows four stages.
- Book a GAP Assessment: Evaluate your current security posture against all 110 CMMC Level 2 requirements and identify exactly where you stand. This step defines your CUI boundary, surfaces your highest-risk gaps, and sets the scope for everything that follows.
- Get Your Implementation Roadmap: Translate the GAP Assessment findings into a prioritized plan that covers controls, tooling, policy development, environment changes, and timelines. This roadmap is what keeps the program on track.
- Deploy Controls: Implement the technical controls, configure your environment, build out your GRC automation, and develop the documentation your assessor will review. This is the heaviest phase of the work.
- Achieve and Maintain Compliance: Coordinate with your C3PAO for the formal assessment, address any findings, and transition into ongoing managed compliance to maintain your certification between assessment cycles.
Why Choose BEMO for CMMC Compliance
The challenges covered in this article (CUI scoping, documentation depth, GCC migration, cross-functional ownership) are exactly what make CMMC hard to manage without dedicated expertise. BEMO was built to handle this work on your behalf.
Here is what that looks like in practice:
- Dedicated team assigned to your account: Every BEMO client gets a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO.
- Microsoft-native security stack: BEMO builds on M365, Entra ID, Purview, Sentinel, Intune, and Defender, the same tools most defense contractors already use.
- BEMO is certified itself: BEMO holds SOC 2 Type 2 and ISO 27001 certifications and is a Cyber AB Registered Practitioner Organization (RPO).
- GRC automation with hands-on management: BEMO runs Drata on your behalf, so you get automation without having to manage the platform yourself.
- Full auditor coordination: BEMO works directly with auditors including Sensiba, A-LIGN, and Johanson Group, so you are not navigating that process alone.
- 8-month implementation timeline: Bi-weekly status meetings and a 72-hour SLA for remediation keep the program moving.
- 24/7 SOC coverage: BEMO's SOC reviews over 100,000 monthly logs using AI, with approximately 100 incidents per month escalated for human review.
BEMO is a 2023 Microsoft US Partner of the Year winner, has appeared on the Inc. 5000 list four consecutive years, and was featured by Satya Nadella at the Microsoft Secure 2024 Summit.
Ready to Meet CMMC Level 2 Requirements?
BEMO owns the outcome of your compliance program from gap assessment through certification and beyond. You get a dedicated eight-person team, a Microsoft-native security stack, and full auditor coordination under one engagement.
Book a meeting with BEMO to start your CMMC compliance journey.
Frequently Asked Questions About CMMC 2.0 Requirements
How many requirements does CMMC 2.0 Level 2 have?
CMMC 2.0 Level 2 requires 110 security practices organized across 14 control families. These practices are directly aligned with NIST SP 800-171 and cover everything from access control and incident response to physical protection and media handling. If you are a defense contractor handling CUI, Level 2 is almost certainly the tier that applies to you.
What is the difference between CMMC Level 1 and Level 2?
Level 1 covers 15 basic practices and applies to contractors handling Federal Contract Information. Level 2 covers 110 practices and applies to contractors handling Controlled Unclassified Information. The assessment process also differs: Level 1 uses an annual self-assessment, while Level 2 typically requires a third-party assessment by a C3PAO every three years for prioritized contracts. See the full CMMC Level 1 vs Level 2 breakdown for more detail.
How long does it take to become CMMC compliant?
Most organizations should plan for 6 to 12 months from the start of their compliance journey to assessment readiness. The timeline depends heavily on your starting security posture, whether a GCC migration is needed, and how quickly your team can move through documentation and control implementation. Working with a managed compliance partner can compress this timeline significantly.
What does a CMMC GAP assessment include?
A GAP assessment evaluates your current environment against all applicable CMMC requirements and identifies which controls are implemented, partially implemented, or missing. It also defines your CUI boundary, surfaces your highest-risk gaps, and produces the prioritized roadmap that drives your implementation plan. This is the starting point for any serious CMMC preparation effort.
Why should I work with a managed compliance partner for CMMC?
CMMC 2.0 requirements span IT, HR, legal, facilities, and leadership. Most defense contractors do not have staff with deep expertise across all of those areas, and building that capacity in-house takes months before any compliance work even begins. A managed compliance partner brings a full team, a proven process, and direct auditor relationships, so you are not figuring it out as you go with a hard deadline approaching.
What team does BEMO assign for CMMC compliance?
Every BEMO client gets a dedicated team that includes a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO. This team owns the implementation, manages the tooling, and coordinates directly with your assessor. You are not handed a platform and left to manage it yourself.