
CMMC Level 2 Requirements: Complete Guide


Quick Answer: CMMC Level 2 requirements include 110 security controls across 14 control families aligned with NIST SP 800-171. These requirements apply to defense contractors and subcontractors that handle controlled unclassified information (CUI) for the Department of Defense.

CMMC Level 2 requirements consist of 110 security practices organized across 14 control families, all drawn directly from NIST SP 800-171. If your organization handles Controlled Unclassified Information (CUI) and works with the Department of Defense, you need to meet these requirements before the end of 2026 or risk losing your contracts.

Meeting all 110 controls is not a weekend project. It requires policy development, technical implementation, staff training, and third-party assessment coordination across your entire organization. This guide covers what the requirements actually are, where companies get stuck, what it realistically takes to get compliant, and how to decide which approach makes sense for your situation.

Key Takeaways

  • CMMC Level 2 requires 110 security practices across 14 control families aligned with NIST SP 800-171 for organizations handling CUI in the DoD supply chain.
  • Scoping CUI is often the biggest challenge because many organizations do not realize how many systems and workflows handle controlled information.
  • Achieving CMMC Level 2 compliance typically takes 8 to 18 months depending on your current security posture and available internal resources.
  • Building an in-house compliance program can cost $84K to $132K+ per year for a single qualified hire before tooling, auditors, and onboarding costs.
  • A managed compliance partner can handle implementation, tooling, and assessor coordination at a lower cost than building an internal compliance team.

What Are CMMC Level 2 Requirements?

CMMC 2.0 Level 2 requirements are 110 security practices that map directly to NIST SP 800-171. The DoD designed Level 2 specifically for organizations that process, store, or transmit CUI. If you're a defense contractor or subcontractor touching CUI, this is the tier that applies to you.

The 110 requirements are distributed across 14 control families. Here's the full breakdown:

| Control Family | Abbreviation | Number of Practices |
| --- | --- | --- |
| Access Control | AC | 22 |
| Awareness and Training | AT | 3 |
| Audit and Accountability | AU | 9 |
| Configuration Management | CM | 9 |
| Identification and Authentication | IA | 11 |
| Incident Response | IR | 3 |
| Maintenance | MA | 6 |
| Media Protection | MP | 9 |
| Personnel Security | PS | 2 |
| Physical Protection | PE | 6 |
| Risk Assessment | RA | 3 |
| Security Assessment | CA | 4 |
| System and Communications Protection | SC | 16 |
| System and Information Integrity | SI | 7 |
| Total | | 110 |

Source: NIST SP 800-171 Rev. 2, as adopted by the DoD CMMC 2.0 model.

One thing worth understanding about CMMC 2.0 Level 2 requirements is the assessment path. Most organizations handling CUI will require a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years. Some lower-priority programs may allow a self-assessment, but that determination comes from the specific contract language, not from you.

CMMC Level 2 sits between Level 1 (15 basic safeguarding requirements, annual self-assessment) and Level 3 (134 requirements pulling from both NIST SP 800-171 and NIST SP 800-172, government-led assessment). Level 2 is where the vast majority of the defense industrial base lands.

Challenges Companies Face When Getting CMMC Compliant

Most organizations that start a CMMC Level 2 compliance effort underestimate what's actually involved. The 110 controls look manageable on paper until you start mapping them to your actual environment.

Here are the most common places companies get stuck:

  • Underestimating scope: The 110 CMMC 2.0 Level 2 requirements touch every part of your IT environment, including email, endpoints, cloud storage, and physical access. Most organizations discover gaps they didn't know existed.
  • CUI scoping challenges: Before you can address any controls, you need to define your CUI boundary. That process alone can take weeks and often reveals that CUI is flowing through systems that weren't designed to handle it.
  • No internal expertise: CMMC compliance spans IT, security, legal, and HR. Very few small and mid-sized defense contractors have staff covering all four areas at the depth CMMC requires.
  • GCC High migration: Many organizations need to migrate from standard Microsoft 365 to GCC or GCC High to meet CMMC's data residency and access requirements. That migration is a significant technical project in its own right.
  • Deadline pressure: The DoD is requiring CMMC compliance across contracts by the end of 2026. That timeline is fixed, and the gap between where most organizations are today and where they need to be is significant.
  • Ongoing maintenance burden: Achieving compliance is only the start. Continuous monitoring, policy updates, training tracking, and vendor reviews are required to stay compliant between your three-year assessments.

What Does It Take to Meet CMMC Level 2 Requirements?

Getting to CMMC Level 2 compliance is a multi-workstream effort. You're not just checking boxes. You're building a security program that can withstand a formal third-party assessment and hold up over time. The sections below break down the four major areas of work involved.

Documentation and Policy Development

CMMC assessors don't just test your technical controls. They review your policies, procedures, and System Security Plan (SSP). You need documented policies covering every control family, and those policies need to reflect how your organization actually operates. BEMO creates 18+ IT policies during implementation as part of the compliance build.

Technical Controls and Tooling

The majority of the 110 CMMC Level 2 requirements have a direct technical component. Multi-factor authentication, endpoint protection, audit logging, encryption, and network segmentation all need to be deployed and configured correctly. Choosing and integrating the right tools is a project in itself, and the wrong choices can create gaps that surface during assessment.

Ongoing Monitoring and Maintenance

CMMC compliance isn't a one-time achievement. You need continuous monitoring of your environment, regular vulnerability assessments, and a process for tracking and remediating findings. A 24/7 SOC capability is part of meeting the audit and accountability requirements at Level 2.

Auditor Coordination and Evidence Collection

A C3PAO assessment involves submitting evidence for each of the 110 controls. That means logs, screenshots, policy documents, training records, and configuration exports. Preparing that evidence package and managing the back-and-forth with your assessor can add months to your timeline if you're not organized from the start.

Staff Training and Awareness

The Awareness and Training control family requires documented security awareness training for all users and role-based training for privileged users. You need a platform to deliver that training, track completion, and produce records for your assessor.

In-House vs. Managed: Approaches to CMMC Level 2 Compliance

There's no single right way to meet CMMC Level 2 compliance requirements. Your best path depends on your internal capabilities, timeline, and budget. Here's an objective look at the three most common approaches.

| | DIY / In-House | GRC Platform Only (Drata, Vanta) | Managed Compliance Partner |
| --- | --- | --- | --- |
| Implementation | Your team builds it | Platform guides you, you do the work | Partner builds it for you |
| Ongoing maintenance | Your team | Your team + automation | Partner's team + automation |
| Auditor coordination | You manage it | Limited support | Managed end-to-end |
| Tech stack | You select and configure | Integrations only | Full security stack deployed |
| Dedicated team | Your hires ($84K-$132K+ per person) | None | Multi-role team assigned to your account |
| Typical timeline | 12-18+ months | 6-12 months | ~8 months initial implementation |

The DIY path gives you full control but requires significant internal investment. You'll need staff who understand NIST SP 800-171 deeply, can configure a full security stack, and can manage an assessor relationship. That's typically a team of people, not one hire.

GRC platforms like Drata or Vanta provide structure and automation, but they don't implement controls for you. Someone on your team still has to do the technical work, write the policies, and manage the assessor.

A managed compliance partner handles the full build, from gap assessment through assessor coordination, with a dedicated team assigned to your account. The tradeoff is less direct control over day-to-day decisions, with the benefit of faster timelines and predictable costs.

Getting Started With CMMC Level 2 Compliance

If you're facing a CMMC Level 2 requirement, here's the four-step path to getting there:

  1. Book a Gap Assessment: Evaluate your current security posture against all 110 CMMC Level 2 requirements and identify exactly where your gaps are. This is the only way to know your real starting point.
  2. Get Your Implementation Roadmap: Receive a prioritized plan covering which controls to address first, what tools you need, what policies to build, and a realistic timeline to assessment-ready.
  3. Deploy Controls: Implement the technical security controls, configure your environment, stand up GRC automation, and complete your documentation including your System Security Plan.
  4. Achieve and Maintain Compliance: Coordinate with your C3PAO assessor, submit your evidence package, and transition into ongoing managed compliance to stay current between assessments.

Why Choose BEMO for CMMC Level 2 Compliance

The challenges covered above (CUI scoping, GCC migration, 110 controls, assessor coordination) represent months of specialized work. BEMO was built specifically to manage that work on your behalf.

Here's what you get when you work with BEMO on CMMC Level 2 compliance requirements:

  • Dedicated multi-role team: Every client gets a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO assigned to their account.
  • Microsoft-native security stack: BEMO deploys and manages Microsoft 365, Entra ID, Purview, Sentinel, Intune, and Defender as the core of your CMMC environment, including GCC and GCC High migrations.
  • BEMO holds its own certifications: BEMO holds SOC 2 Type 2 and ISO 27001 certifications and is a Cyber AB Registered Practitioner Organization (RPO), meaning it operates under the same standards it helps clients achieve.
  • GRC automation plus hands-on management: BEMO uses Drata for GRC automation and assigns compliance engineers who actively manage it, rather than leaving you to run the platform yourself.
  • Full assessor coordination: BEMO works directly with C3PAO partners including Sensiba, A-LIGN, and Johanson Group on your behalf throughout the assessment process.
  • 24/7 SOC coverage: BEMO's SOC reviews 100,000+ monthly logs using AI, with approximately 100 human-verified incidents per month, supporting your continuous monitoring requirements.
  • Proven track record: BEMO was named 2023 Microsoft US Partner of the Year, has appeared on the Inc. 5000 four consecutive years, and was featured by Satya Nadella at the Microsoft Secure 2024 Summit.

If you're also subject to other compliance requirements like SOC 2 or ISO 27001, BEMO can manage multiple frameworks simultaneously from a single team.

Ready to Meet CMMC Level 2 Requirements?

BEMO owns the outcome of your compliance program from gap assessment through certification. You get a dedicated team, a Microsoft-native security stack, and assessor coordination managed end-to-end.

Book a meeting with BEMO to start your CMMC Level 2 gap assessment.

Prefer to talk first? Reach out through bemopro.com to connect with a compliance specialist.

Frequently Asked Questions About CMMC Level 2 Requirements

What Are the CMMC Level 2 Requirements?

CMMC Level 2 requirements are 110 security practices drawn from NIST SP 800-171, organized across 14 control families. They cover areas including access control, incident response, audit logging, configuration management, and system integrity. Every organization handling CUI in the DoD supply chain must meet all 110 practices to achieve Level 2 certification.

How Do CMMC Level 1 vs Level 2 Requirements Differ?

CMMC Level 1 covers 15 basic safeguarding requirements from FAR 52.204-21, focused on protecting Federal Contract Information (FCI). Level 2 expands to 110 requirements and adds the full NIST SP 800-171 control set, which is designed for organizations handling CUI. Level 2 also requires a third-party assessment for most organizations rather than an annual self-assessment.

Is CMMC Level 2 a Self-Assessment or Third-Party Assessment?

Most organizations subject to CMMC 2.0 Level 2 requirements will need a third-party assessment by a C3PAO every three years. A limited subset of contracts may permit a self-assessment, but that determination comes from the specific contract requirements set by the DoD program office. You cannot choose the self-assessment path on your own.

How Long Does It Take to Become CMMC Level 2 Compliant?

Timeline depends heavily on your starting security posture. Organizations working with a managed compliance partner typically complete initial implementation in around 8 months. DIY approaches more commonly run 12-18 months or longer, especially when GCC or GCC High migration is required. Given the end-of-2026 DoD deadline, starting your gap assessment now is the most important first step.

What Does a CMMC Gap Assessment Include?

A CMMC gap assessment maps your current environment against all 110 CMMC Level 2 requirements to identify which controls you've already met, which are partially in place, and which are missing entirely. It should produce a scored baseline, a prioritized remediation plan, and a realistic timeline to assessment-ready. This is the starting point for any credible CMMC compliance effort.

What Team Is Typically Assigned for CMMC Compliance at BEMO?

BEMO assigns a dedicated team to every client account. That team includes a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO. Each role covers a specific part of the compliance build, and the team stays with you through implementation and ongoing maintenance.
