Quick Answer: CMMC 2.0 requirements are organized across three levels. Level 2, which applies to most defense contractors handling Controlled Unclassified Information, requires 110 security practices across 14 control families, all aligned with NIST SP 800-171. Meeting these requirements demands technical controls, documented policies, and a third-party assessment every three years.
CMMC 2.0 restructured the original five-level model into three streamlined levels, but the compliance burden for most defense contractors did not get lighter. Level 2 alone covers 110 requirements across 14 control families, and the US federal government is requiring CMMC compliance by the end of 2026. This page covers what each level requires, where organizations typically struggle, and what it realistically takes to get there.
CMMC 2.0 is the Department of Defense's cybersecurity certification program for the Defense Industrial Base. It replaced the original five-level model with three levels, each calibrated to the sensitivity of the information a contractor handles.
Level 1 applies to contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires 15 practices drawn from FAR 52.204-21 and is satisfied through an annual self-assessment. The controls focus on basic cyber hygiene: limiting system access, scanning for vulnerabilities, and protecting media.
Level 2 is where most defense contractors land. It applies to organizations that handle CUI and requires 110 security practices across 14 control families, fully aligned with NIST SP 800-171. A third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) is required every three years for contracts involving prioritized acquisitions. Some organizations may qualify for annual self-assessment depending on the sensitivity of the contract.
| Control Family | Abbreviation | Practice Count |
|---|---|---|
| Access Control | AC | 22 |
| Audit and Accountability | AU | 9 |
| Awareness and Training | AT | 3 |
| Configuration Management | CM | 9 |
| Identification and Authentication | IA | 11 |
| Incident Response | IR | 3 |
| Maintenance | MA | 6 |
| Media Protection | MP | 9 |
| Personnel Security | PS | 2 |
| Physical Protection | PE | 6 |
| Risk Assessment | RA | 3 |
| Security Assessment | CA | 4 |
| System and Communications Protection | SC | 16 |
| System and Information Integrity | SI | 7 |
Level 3 applies to contractors working on the most sensitive DoD programs. It requires 134 practices drawn from both NIST SP 800-171 and NIST SP 800-172. Government-led assessments are required, and the bar for implementation evidence is significantly higher.
For a deeper look at how the levels compare, see CMMC Level 1 vs Level 2.
Most organizations underestimate what CMMC 2.0 compliance actually involves until they start working through the requirements. The gap between where a typical defense contractor starts and where they need to be is wider than it looks on paper.
Getting from your current security posture to Level 2 certification involves work across several distinct areas. Each one requires real effort, and none of them can be skipped.
Before you write a single policy or deploy a single tool, you need to define exactly where CUI lives and how it moves through your organization. This scoping decision determines everything downstream: what goes in your SSP, which systems are in scope for assessment, and which technical controls you need to implement.
If CUI is flowing through a standard Microsoft 365 commercial tenant, you likely need to migrate to a GCC environment before your assessment. That migration is a project in itself and needs to happen early.
CMMC Level 2 requires a System Security Plan (SSP) that accurately describes every control in scope, how it is implemented, and who owns it. You also need Plans of Action and Milestones (POA&Ms) for any gaps identified during your readiness review.
Policies need to be specific enough that a new team member could read them and act on them. Vague documentation is one of the most common reasons assessments get halted or require months of rework before restarting.
The 14 control families require a range of technical implementations: multi-factor authentication, endpoint detection and response, audit logging, vulnerability management, data loss prevention, and more. Selecting the right tools, configuring them correctly, and integrating them into a coherent security stack takes significant time.
BEMO builds this stack on Microsoft 365, Entra ID, Purview, Sentinel, Intune, and Defender, with GRC automation running through Drata.
Awareness and Training is its own CMMC control family, and it requires more than a one-time orientation. You need documented training records, role-based training for personnel who handle CUI, and a program that runs on a defined schedule.
The risk of skipping this is real. A single employee who forwards a sensitive email outside the CUI boundary can invalidate your entire enclave definition and halt an assessment in progress.
CMMC is not a one-time project. After your initial certification, you need continuous monitoring, annual self-assessments or triennial third-party assessments depending on your level, and a process for handling changes to your environment. Any significant system change can affect your compliance posture.
There is no single right way to approach CMMC 2.0 compliance. The right path depends on your team's existing capabilities, your timeline, and how much of this work you want to own internally. Here is how the three main approaches compare.
| | DIY / In-House | GRC Platform Only (Drata, Vanta) | Managed Compliance Partner |
|---|---|---|---|
| Implementation | Your team builds it | Platform guides you, you do the work | Partner builds it for you |
| Ongoing maintenance | Your team | Your team + automation | Partner's team + automation |
| Auditor coordination | You manage it | Limited support | Managed end-to-end |
| Tech stack | You select and configure | Integrations only | Full security stack deployed |
| Dedicated team | Your hires | None | Multi-role team assigned to your account |
| Typical timeline | 12-18+ months | 6-12 months | ~8 months initial implementation |
DIY gives you the most control but requires hiring or retraining staff across IT, security, legal, and HR. GRC platforms like Drata or Vanta provide structure and automation, but you still own every implementation and evidence collection task. A managed compliance partner takes on the build, the tooling, and the auditor coordination, so your team is not carrying the full weight of the program. You can read more about how to choose a compliance provider to weigh the tradeoffs in more detail.
If you are starting your CMMC 2.0 journey, the path from gap to certification follows four stages.
The challenges covered in this article (CUI scoping, documentation depth, GCC migration, and cross-functional ownership) are exactly what make CMMC hard to manage without dedicated expertise. BEMO was built to handle this work on your behalf.
Here is what that looks like in practice:
BEMO is a 2023 Microsoft US Partner of the Year winner, has appeared on the Inc. 5000 list four consecutive years, and was featured by Satya Nadella at the Microsoft Secure 2024 Summit.
BEMO owns the outcome of your compliance program from gap assessment through certification and beyond. You get a dedicated eight-person team, a Microsoft-native security stack, and full auditor coordination under one engagement.
Book a meeting with BEMO to start your CMMC compliance journey.
CMMC 2.0 Level 2 requires 110 security practices organized across 14 control families. These practices are directly aligned with NIST SP 800-171 and cover everything from access control and incident response to physical protection and media handling. If you are a defense contractor handling CUI, Level 2 is almost certainly the tier that applies to you.
Level 1 covers 15 basic practices and applies to contractors handling Federal Contract Information. Level 2 covers 110 practices and applies to contractors handling Controlled Unclassified Information. The assessment process also differs: Level 1 uses an annual self-assessment, while Level 2 typically requires a third-party assessment by a C3PAO every three years for prioritized contracts. See the full CMMC Level 1 vs Level 2 breakdown for more detail.
Most organizations should plan for 6 to 12 months from the start of their compliance journey to assessment readiness. The timeline depends heavily on your starting security posture, whether a GCC migration is needed, and how quickly your team can move through documentation and control implementation. Working with a managed compliance partner can compress this timeline significantly.
A gap assessment evaluates your current environment against all applicable CMMC requirements and identifies which controls are implemented, partially implemented, or missing. It also defines your CUI boundary, surfaces your highest-risk gaps, and produces the prioritized roadmap that drives your implementation plan. This is the starting point for any serious CMMC preparation effort.
CMMC 2.0 requirements span IT, HR, legal, facilities, and leadership. Most defense contractors do not have staff with deep expertise across all of those areas, and building that capacity in-house takes months before any compliance work even begins. A managed compliance partner brings a full team, a proven process, and direct auditor relationships, so you are not figuring it out as you go with a hard deadline approaching.
Every BEMO client gets a dedicated team that includes a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO. This team owns the implementation, manages the tooling, and coordinates directly with your assessor. You are not handed a platform and left to manage it yourself.