Key Takeaways
1. CMMC Level 2 Requires Full Implementation of 110 Security Controls: These controls are based on NIST SP 800-171 and are specifically designed to protect Controlled Unclassified Information (CUI).
2. Work with an Authorized C3PAO for Official CMMC Level 2 Assessments and Certification: If your organization processes, transmits, or stores CUI that’s critical to national security on your information systems, you’ll need to work with an Authorized CMMC Third-Party Assessor Organization (C3PAO) to complete a CMMC Level 2 assessment every three years.
3. SSPs, Readiness Assessments, and Remediation Plans Are Essential for Demonstrating Compliance: The right C3PAO can help you develop System Security Plans (SSPs), conduct readiness assessments, and create tailored remediation plans for any security controls that don’t align with CMMC Level 2 standards.
CMMC Level 2 is a pivotal stage in the Cybersecurity Maturity Model Certification (CMMC) framework, designed for Department of Defense (DoD) contractors that handle Controlled Unclassified Information (CUI). Often referred to as the “intermediate” level, CMMC Level 2 builds on foundational cybersecurity practices with a stronger emphasis on safeguarding sensitive data across the Defense Industrial Base (DIB).
Unlike CMMC Level 1, which only applies to contractors working with Federal Contract Information (FCI), CMMC Level 2 introduces a higher set of expectations, drawing directly from NIST SP 800-171—a widely accepted standard for protecting CUI.
As organizations prepare for the upcoming implementation of CMMC 2.0, aligning your cybersecurity practices with CMMC 2.0 standards is a great way to protect current contracts and ensure you’re well positioned to maintain eligibility for future DoD bids.
What Controls Are Required for CMMC Level 2?
CMMC Level 2 requires organizations to implement 110 security controls, all of which align with NIST SP 800-171. These controls are divided across 14 control families:
- Access Control (AC): Controls how users access systems and data. AC includes measures like limiting access to authorized users, enforcing least privilege, using session timeouts, and restricting remote access.
- Awareness and Training (AT): Ensures personnel are trained to recognize and respond to security risks. AT includes security awareness training and role-based cybersecurity training.
- Audit and Accountability (AU): Involves tracking user activities and maintaining logs. AU covers logging events, protecting audit records, and reviewing audit logs regularly.
- Configuration Management (CM): Maintains the integrity of IT systems through secure configurations. CM includes establishing baseline configurations, controlling and monitoring changes, and managing software and hardware inventories.
- Identification and Authentication (IA): Ensures users and devices are properly authenticated before access is granted. IA covers enforcing strong passwords, multi-factor authentication (MFA), and unique user identification.
- Incident Response (IR): Prepares organizations to respond to security events effectively. IR includes creating and testing incident response plans, reporting and documenting incidents, and lessons learned analysis.
- Maintenance (MA): Manages system maintenance activities to avoid introducing vulnerabilities. MA covers authorizing maintenance tools, performing controlled remote maintenance, and logging maintenance actions.
- Media Protection (MP): Safeguards sensitive data stored on digital or physical media. MP includes marking and labeling media, encrypting or securely wiping media before reuse/disposal, and controlling access to media.
- Personnel Security (PS): Ensures personnel are properly vetted and aware of their responsibilities. PS covers screening before access to CUI and managing personnel transfers and terminations.
- Physical Protection (PE): Secures physical access to facilities and systems. PE includes limiting physical access, escorting visitors, and monitoring physical entry and exit.
- Risk Assessment (RA): Identifies and evaluates risks to CUI and systems. RA includes conducting regular risk assessments, identifying vulnerabilities, and remediating known risks.
- Security Assessment (CA): Ensures security policies and controls are effectively implemented. CA includes regular system assessments, developing and managing Plans of Action & Milestones (POA&Ms), and continuous monitoring activities.
- System and Communications Protection (SC): Protects data in transit and system communications. SC covers enforcing encryption, separating user and system functions, and denying unauthorized connections.
- System and Information Integrity (SI): Maintains the accuracy and trustworthiness of data and systems. SI includes monitoring for malicious code, applying security patches, and alerting for system failures.
Each family includes specific CMMC controls that organizations must document, implement, and maintain to ensure they can adequately protect CUI.
The CMMC Level 2 Compliance Process
Becoming CMMC Level 2 compliant requires a structured and disciplined approach. Here’s a high-level overview of the steps involved:
- Conduct a Readiness Assessment: Start by evaluating your current security posture against the 110 CMMC Level 2 controls. Identify any gaps in documentation, implementation, or enforcement.
- Develop an SSP: An SSP outlines how your organization meets each CMMC control and is a key requirement for both internal preparation and third-party assessments.
- Create and Maintain a POA&M: For any unmet requirements, a POA&M must outline corrective actions and a timeline for resolution. POA&Ms are limited in use and must meet specific criteria for Level 2 compliance.
- Implement Required Controls: This includes deploying technical safeguards (e.g., multi-factor authentication, encryption) and operational processes (e.g., incident response procedures, security training).
- Engage an Authorized C3PAO: CMMC Level 2 assessments must be performed by a C3PAO authorized by the Cyber AB. The C3PAO will evaluate your implementation of CMMC controls, review documentation, and conduct interviews to verify compliance.
Why Work with an Authorized C3PAO?
Partnering with an Authorized C3PAO provides credibility, guidance, and assurance to the CMMC Level 2 assessment and certification process. They understand the nuances of CMMC controls and can help you interpret, prepare for, and meet each requirement. Additionally, Authorized C3PAOs can identify common stumbling blocks early and help you align internal controls with CMMC Level 2 standards before beginning the formal assessment process—reducing the risk of delays, failed audits, or unexpected costs.
IS Partners is an Authorized C3PAO, delivering thorough CMMC assessment services and helping DoD contractors and subcontractors navigate audit readiness and compliance with ease. We bring more than 20 years of cross-industry compliance experience to the table, creating a tailored approach to audit preparation and certification that’s resulted in a 95% client retention rate. Our expert team conducts gap assessments, refines policies, and aligns processes to meet CMMC requirements. Explore our CMMC compliance services page to learn how we can help your organization enhance security, trust, and confidence through CMMC compliance.
CMMC Level 2 is not just a cybersecurity checkbox—it’s a strategic investment in protecting national security, securing valuable contract opportunities, and strengthening your organization’s cyber resilience. With 110 CMMC controls to meet, a clear path to compliance, and a trusted Authorized C3PAO at your side, your organization can confidently take the next step toward DoD readiness.
What Should You Do Next?
- Perform a CMMC Level 2 Readiness Assessment to identify gaps between your current security posture and the 110 required controls.
- Develop or Update Your SSP and create a POA&M to track progress toward full compliance.
- Engage an Authorized C3PAO or CMMC Consultant to guide you through remediation and prepare for a successful formal assessment.