March 1, 2025 · 4 min read

CMMC 2.0 Level 2: What Defense Contractors Actually Need to Do

A practitioner's guide to the real requirements behind CMMC Level 2 — what the documentation says, what auditors actually check, and where organizations consistently fall short.

Tags: CMMC, Compliance, DIB, NIST 800-171

CMMC 2.0 Level 2 is now a contractual reality for most organizations handling Controlled Unclassified Information (CUI) in the Defense Industrial Base. After years of delays, rulemaking, and revision, the program is operational — and organizations that have been waiting are now behind.

This post covers the practical requirements, common failure points, and what a realistic readiness program looks like.

What Level 2 Actually Requires

Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2. There are no additions or subtractions — if you are compliant with 800-171, you are aligned with CMMC Level 2.

The requirements span 14 domains:

  • Access Control (22 requirements)
  • Awareness and Training (3)
  • Audit and Accountability (9)
  • Configuration Management (9)
  • Identification and Authentication (11)
  • Incident Response (3)
  • Maintenance (6)
  • Media Protection (9)
  • Personnel Security (2)
  • Physical Protection (6)
  • Risk Assessment (3)
  • Security Assessment (4)
  • System and Communications Protection (16)
  • System and Information Integrity (7)

The domains that trip up most organizations are Access Control, Configuration Management, and Audit and Accountability — particularly the depth of implementation evidence required.

The Self-Assessment vs. Third-Party Divide

Not all Level 2 contracts require a C3PAO (Certified Third-Party Assessment Organization) assessment. The rule distinguishes:

  • Contracts with "critical" CUI programs: C3PAO assessment required, results submitted to SPRS
  • All other Level 2 contracts: Annual self-assessment permitted, with affirmation submitted by a senior company official

The distinction matters significantly for cost and timeline. A C3PAO assessment for a mid-size organization typically runs $50,000–$150,000 and takes 6–12 months to prepare for properly.

Where Organizations Consistently Fall Short

After working with multiple DIB organizations through 800-171 readiness, the same gaps appear repeatedly:

System Security Plan quality. The SSP is required to cover every 800-171 requirement — not just the ones you meet. Most organizations have an SSP that documents implemented controls but glosses over partially implemented or planned controls. Assessors check depth.

CUI boundary definition. Organizations often define their CUI boundary too broadly (which means more systems in scope) or too narrowly (which means CUI is flowing outside the assessed boundary without controls). Getting this right is the most consequential scoping decision in the program.

Multi-factor authentication gaps. 3.5.3 requires MFA for all privileged accounts and all remote access. "All privileged accounts" is broader than most organizations initially assume — it includes local administrator accounts, service accounts with elevated permissions, and cloud console access.

Audit log coverage and retention. 3.3.1 requires audit records for a specific list of events. 3.3.2 requires review. Most organizations have centralized logging but haven't mapped their log sources to the required event types, and many lack a documented review process with evidence of execution.

Incident response plan testing. 3.6.2 requires testing the IR plan. "We have a plan" is not the same as "we have tested the plan and have evidence of the test."

A Realistic Readiness Timeline

Assuming you are starting from a reasonable IT security baseline (not from scratch):

Phase                   Duration     Key Activities
----------------------  -----------  ------------------------------------------------------
Gap assessment          4–6 weeks    Map current state to all 110 requirements, score each
CUI scoping             2–4 weeks    Define boundary, data flows, system inventory
Remediation planning    2 weeks      Prioritize by impact and difficulty, assign owners
Remediation execution   3–9 months   Depends heavily on gap depth
Documentation           Ongoing      SSP, policies, evidence collection
Assessment prep         4–6 weeks    Mock assessment, evidence package review

The organizations that underestimate this program most severely are those that conflate "we have security controls" with "we can evidence compliance." They are related but distinct problems.

The POA&M Question

A Plan of Action and Milestones (POA&M) documents requirements you have not yet met. CMMC allows organizations to achieve certification with open POA&M items under specific conditions — the item must have a remediation plan with a credible timeline, and high-priority requirements (certain access control and multi-factor authentication requirements) cannot be on a POA&M at assessment time.

This is nuanced enough that it warrants its own post, but the short version: a well-managed POA&M is a legitimate part of a compliance program, not an admission of failure.


If you are a DIB organization working through CMMC readiness and want a direct conversation about where you stand, get in touch.
