Quick answer: CMMC Level 2 requires defense contractors handling Controlled Unclassified Information (CUI) to implement all 110 security controls from NIST SP 800-171, evaluated across 320 assessment objectives. Depending on contract sensitivity, companies complete either an annual self-assessment submitted through SPRS or a triennial third-party audit by a C3PAO.
If your company holds or expects DoD contracts that touch CUI, CMMC Level 2 is the tier that decides eligibility. The requirements are specific, the assessment stakes are high, and the deadline pressure is real for contractors without a dedicated compliance team.
This CMMC Level 2 assessment guide discussed the 110 controls, the 14 domains, the two assessment paths, and the documentation auditors expect. Use it to decide whether your team can execute internally or needs support to reach certification before contract cutoffs.
So what is CMMC Level 2 in practical terms?
It is the intermediate certification tier in the CMMC 2.0 framework, designed to protect Controlled Unclassified Information inside the defense supply chain. Any contractor that processes, stores, or transmits CUI falls under its scope.
CMMC Level 2 aligns directly with NIST SP 800-171 and applies to roughly 80,000 companies across the DoD ecosystem. It sits between Level 1 (17 basic practices for Federal Contract Information) and Level 3 (expert tier, with additional NIST SP 800-172 controls).
The 110 CMMC Level 2 controls are grouped into 14 domains from NIST SP 800-171. Assessors do not just confirm each control exists. They evaluate 320 assessment objectives that break each practice into specific implementation details, which is why shallow documentation fails during review.
|
Domain |
Controls |
Focus Area |
|
Access Control (AC) |
22 |
Limiting system and data access to authorized users |
|
Audit and Accountability (AU) |
9 |
Logging and reviewing system activity |
|
Awareness and Training (AT) |
3 |
Security training for personnel |
|
Configuration Management (CM) |
9 |
Managing system settings and changes |
|
Identification and Authentication (IA) |
11 |
Verifying user identity (MFA, passwords) |
|
Incident Response (IR) |
3 |
Detecting and responding to security incidents |
|
Maintenance (MA) |
6 |
Secure system maintenance procedures |
|
Media Protection (MP) |
9 |
Protecting digital and physical media |
|
Personnel Security (PS) |
2 |
Screening and managing personnel access |
|
Physical Protection (PE) |
6 |
Securing physical access to systems |
|
Risk Assessment (RA) |
3 |
Identifying and mitigating security risks |
|
Security Assessment (CA) |
4 |
Evaluating security controls effectiveness |
|
System and Communications Protection (SC) |
16 |
Protecting data in transit and at rest |
|
System and Information Integrity (SI) |
7 |
Detecting flaws and malicious code |
A few domains carry most of the weight.
Getting these four domains right resolves a large share of audit findings before an assessor walks in.
CMMC Level 2 certification applies to any contractor that handles CUI on behalf of the Department of Defense. If your contracts reference DFARS 252.204-7012, you are almost certainly in scope.
Three quick indicators help confirm whether Level 2 applies to your company:
If your organization only touches Federal Contract Information (FCI) and never handles CUI, Level 1 may be sufficient. Read our CMMC Level 1 vs. Level 2 comparison to confirm which tier matches your contracts, then validate against your prime's security requirements.
CMMC Level 2 splits into two sub-paths based on a contract's sensitivity to national security. The path you fall into determines your timeline, cost, and evidence burden.
Self-Assessment Path: For contracts handling non-critical CUI, you perform an annual CMMC Level 2 self assessment scored against all 110 controls. Results are submitted through the Supplier Performance Risk System (SPRS), with a senior official affirming accuracy each year.
C3PAO Assessment Path: For contracts handling CUI critical to national security, a Cyber-AB accredited C3PAO performs a formal audit every three years. Assessor capacity is limited, so contractors should book 6 to 12 months ahead of a contract deadline.
Here is the part that catches contractors off guard: even when the DoD permits self-assessment for your contract, your prime contractor can contractually require C3PAO certification. Check your prime's flow-down terms before assuming the lighter path applies.
Documentation gaps are the single most common cause of failed Level 2 assessments. Most contractors build enough technical controls. Very few build documentation that maps to the 320 assessment objectives at the level of detail assessors expect.
The SSP describes how your organization implements each of the 110 CMMC Level 2 controls. It must map to the 320 assessment objectives, not just the 110 practices. Generic policy language copied from a template will not pass a C3PAO review.
Level 2 allows conditional certification with a POA&M for select minor gaps. Items must be remediated within 180 days of the assessment.
Six controls cannot be placed on a POA&M under any circumstances:
These must be fully implemented before certification. A single missing non-deferrable control blocks the entire audit.
Every control requires evidence: screenshots, configuration exports, policy documents, training records, and system logs. Collect evidence as you implement controls, not in the final weeks before an audit, or you will spend those weeks reconstructing proof instead of fixing gaps.
Meeting CMMC Level 2 requirements is a sequenced project, not a single deliverable. The path below reflects how assessments actually unfold.
Score your current environment against all 110 CMMC Level 2 controls. Classify each one as fully implemented, partially implemented, or missing. Calculate your SPRS score; the ceiling is 110, and negative scoring penalizes every unmet control.
A baseline score tells you how far from certification you really are and where to spend remediation budget first.
Book a Gap assessment with BEMO
Map every system, application, network path, and user role that touches CUI. The wider your boundary, the larger your assessment scope and cost. Tightening this boundary through enclaves, GCC High, or network segmentation often cuts control implementation work by 30 to 50 percent.
Prioritize high-impact areas first:
Address the six non-deferrable controls before anything else. These block certification entirely if left unresolved at assessment time.
Most defense contractors run Microsoft 365 environments. The tenant configuration you choose determines whether you can meet Level 2 controls at all. GCC High is typically required for CUI storage and processing, and it carries its own licensing, migration, and identity setup.
Identity controls (Entra ID), logging (Purview, Sentinel), device policies (Intune), and conditional access all map directly to Level 2 domains. Our managed compliance team configures these environments as part of the certification process.
Create or update your SSP with objective-level detail. Develop policies and procedures for each of the 14 domains. Store evidence in an organized, version-controlled structure that an assessor can review without reconstruction.
For self-assessment, complete the evaluation internally and submit your score through SPRS with senior official affirmation. For C3PAO assessment, book early. Assessor capacity is limited, and rescheduling a missed slot can push certification out six months or more.
Most contractors attempting CMMC Level 2 compliance alone hit the same failure pattern. The controls are implementable with enough time and budget. The documentation, evidence, and audit sequencing are where lean teams break.
The most common failure points:
Companies trying to run compliance alongside daily IT operations usually run out of runway before the contract deadline. This is where a managed partner changes the math. For a deeper breakdown of the process, see our guide to CMMC compliance for small business.
Meeting 110 controls across 14 domains is heavy work for any team, especially without dedicated compliance staff. Start with a gap assessment to understand your baseline, define your CUI boundary early to keep scope manageable, and build documentation alongside implementation rather than after.
BEMO handles the full process: gap assessment, control implementation, Microsoft 365 and GCC High configuration, SSP and POA&M development, evidence collection, and C3PAO coordination. Contractors work with a dedicated compliance engineer from day one through certification and maintenance.
Book a meeting with our compliance team to protect your contract eligibility and compress your certification timeline. You can also visit BEMO to see the full managed compliance offering.
CMMC Level 2 requires all 110 security controls from NIST SP 800-171, evaluated across 320 assessment objectives. Every control must be addressed in your System Security Plan with supporting evidence.
Level 1 covers 17 basic practices for protecting Federal Contract Information and allows annual self-assessment. Level 2 covers 110 controls for protecting Controlled Unclassified Information, with either self-assessment or C3PAO third-party assessment based on contract criticality.
A C3PAO CMMC Level 2 certification is valid for three years, with an annual affirmation from a senior official required each year. Self-assessments must be completed annually and resubmitted through SPRS.
You cannot be awarded or continue DoD contracts requiring Level 2 until the gaps are closed. Minor deficiencies in specific controls can be remediated under a POA&M within 180 days. Major gaps or any missing non-deferrable control require a full reassessment.
Costs vary by environment size, scope, and existing security maturity. For small contractors, DoD estimates place Level 2 well over $100,000 when counting assessment, preparation, and control implementation. Our CMMC certification cost breakdown walks through the full cost structure.