CMMC Level 2: requirements, controls, and certification process
CMMC Level 2 is the tier most defense contractors discuss when they handle Controlled Unclassified Information (CUI). It aligns with NIST SP 800-171 Rev. 2 and is the foundation for most DoD cybersecurity contract flow-down.
This guide covers:
- Level 2 requirements and control families
- Self-assessment vs. C3PAO certification paths
- A practical end-to-end certification process
Key takeaways
- Level 2 implements 110 NIST SP 800-171 requirements across 14 families for CUI environments.
- Contracts specify whether self-assessment or C3PAO certification is required.
- SSP, POA&M, and SPRS are central artifacts—not optional paperwork.
- Conditional Level 2 may be available with limited POA&M items and defined closure timelines.
What CMMC Level 2 requires
Level 2 expects organizations to:
- Protect CUI across people, process, and technology in scoped systems
- Demonstrate operating effectiveness with evidence (not policies alone)
- Maintain annual affirmation and periodic reassessment per level rules
NIST 800-171 control families
| Family | Focus areas |
|---|---|
| Access Control | Least privilege, remote access, wireless |
| Awareness & Training | Role-based security training |
| Audit & Accountability | Logging, review, time sync |
| Configuration Management | Baselines, least functionality |
| Identification & Authentication | MFA for privileged accounts and remote access |
| Incident Response | IR plan, reporting, exercises |
| Maintenance | Controlled maintenance, tools |
| Media Protection | Encrypt CUI at rest on mobile media |
| Personnel Security | Screening, termination |
| Physical Protection | Facility access, monitoring |
| Risk Assessment | Periodic risk assessments |
| Security Assessment | Assess controls, POA&M, SSP |
| System & Communications Protection | Boundary protection, encryption in transit |
| System & Information Integrity | Flaw remediation, malicious code |
See CMMC vs NIST 800-171.
Self-assessment vs C3PAO
| Path | When used | Outcome |
|---|---|---|
| Self-assessment | Permitted by contract for some Level 2 awards | Organization attests; SPRS updated |
| C3PAO certification | Required for many Level 2 contracts | Independent validation; final or conditional |
Misreading contract language here is a common eligibility mistake—validate each solicitation.
Level 2 certification process
- Scope & SSP — Boundaries, assets, data flows, shared responsibility.
- Gap assessment — Score practices; build prioritized POA&M.
- Remediation — Close gaps; collect operating evidence.
- Pre-assessment — Mock interviews; evidence index.
- Assessment — Self or C3PAO per contract.
- SPRS & maintenance — Submit scores; annual affirmation; triennial reassessment.
Typical calendar: 6–12+ months depending on maturity and C3PAO queue.
Operationalize Level 2 in SecureSlate
SecureSlate maps 800-171 practices to evidence, owners, and POA&M workflows for continuous readiness.
FAQ
What SPRS score do we need?
Contracts and assessors focus on meeting practices and assessment outcomes—not a single universal “passing number.” Treat SPRS as reporting, not the whole program.
Can POA&M items remain open?
Limited POA&M use may be allowed for conditional status; closure timelines are typically 180 days where permitted.
Disclaimer (legal note)
Assessment rules and contract clauses vary. Engage qualified assessors and counsel for your award.