If your company handles Controlled Unclassified Information (CUI) for the Department of Defense — or subcontracts to someone who does — CMMC Level 2 is the compliance standard you need to understand. The DoD began phasing it into contracts in 2025, and most contractors in the defense supply chain will need a formal assessment by the end of 2026.

This guide explains what CMMC Level 2 actually requires, who it applies to, and what steps you can take right now to start closing your gaps.

What CMMC Level 2 Is — and What It Isn't

The Cybersecurity Maturity Model Certification (CMMC) is the DoD's framework for verifying that contractors protect sensitive government information. There are three levels:

  • Level 1 — 17 basic practices. Self-attestation. Applies to contractors handling Federal Contract Information (FCI) only.
  • Level 2 — 110 practices aligned to NIST SP 800-171. Applies to contractors handling CUI. Some contracts allow self-attestation; high-priority ones require a third-party assessment conducted by a C3PAO.
  • Level 3 — 134+ practices. Government-led assessment. Reserved for the most sensitive programs.

The vast majority of defense subcontractors — prime contractor suppliers, IT service providers, manufacturers — fall into Level 2. If your contract requires a DD Form 254 and references CUI, you're almost certainly in scope.

The 110 Controls: What They Actually Mean

CMMC Level 2 maps 1:1 to NIST SP 800-171, which organizes 110 security requirements across 14 domains:

  • Access Control (22 requirements)
  • Audit and Accountability (9)
  • Configuration Management (11)
  • Identification and Authentication (11)
  • Incident Response (3)
  • Maintenance (6)
  • Media Protection (9)
  • Personnel Security (2)
  • Physical Protection (6)
  • Risk Assessment (3)
  • Security Assessment (4)
  • System and Communications Protection (16)
  • System and Information Integrity (7)
  • Program Management (1)

Each requirement has a specific assessment objective. "Access Control 1.1" isn't just "have a firewall" — it means you must be able to demonstrate that only authorized users can access systems that process CUI, with documented evidence of how that access is provisioned and reviewed.

Do You Need a Third-Party Assessment?

It depends on your contract. Under the final CMMC rule (32 CFR Part 170), contracts are classified as:

  • Self-Attestation — You affirm compliance annually in the Supplier Performance Risk System (SPRS). No external auditor required.
  • C3PAO Assessment — A CMMC Third-Party Assessment Organization audits your environment and certifies compliance. Required for "prioritized acquisitions" — typically contracts with higher CUI sensitivity.

Your contracting officer or prime contractor's flow-down requirements will specify which applies. When in doubt, assume C3PAO — it's better to be prepared for a harder standard than to fail a contract due to an attestation error.

The Three Biggest Gaps Most Contractors Have

Based on CMMC assessment data, these domains generate the most findings for first-time assessees:

  1. System and Communications Protection (3.13) — Multi-factor authentication, encrypted transmission of CUI, network segmentation between CUI systems and corporate networks.
  2. Audit and Accountability (3.3) — Most small contractors don't have centralized log management. You need to capture, retain, and review audit logs from every system that touches CUI.
  3. Configuration Management (3.4) — Baseline configurations, change control processes, and a documented system inventory. Often undermined by "shadow IT" and personal devices that never make it into the inventory or baseline.

How to Get Started

The fastest path to readiness is knowing where you stand. Start with a gap assessment against NIST 800-171 — map each of the 110 requirements to what you have today (implemented, partially implemented, or not implemented). That gap list becomes your remediation roadmap.

From there, prioritize by contract timing and criticality of the gap. Access control and identification/authentication gaps (MFA, least privilege) can often be closed in weeks. Incident response and audit logging gaps typically take months to build out properly.

Don't try to do this in a spreadsheet if you can avoid it. The documentation requirements alone — System Security Plan (SSP), Plan of Action and Milestones (POA&M), evidence packages — are substantial. Purpose-built tooling pays for itself in audit prep time alone.