How to Meet CMMC Level 2 Requirements

Understanding CMMC Level 2 Requirements

If you’re planning on winning DoD contracts, mastering CMMC 2.0 is likely part of your 2025 roadmap.

What does CMMC Level 2 entail? How does it differ from Level 1, and what’s the roadmap to compliance? In this guide, we’ll demystify the 17 domains and 110 practices, and offer a CMMC 2.0 assessment guide to bring you up to par.

CMMC Level 2 is the intermediate cyber hygiene level for organizations handling CUI. Unlike Level 1 of the CMMC, which focuses on basic safeguards, Level 2 aligns closely with the National Institute of Standards and Technology (NIST) SP 800-171 framework.

Achieving Level 2 compliance is about proving your organization’s commitment to security, paving the way for greater trust and lucrative government contracts.

How to Meet CMMC Level 2 Requirements

Key Requirements: What You Need to Know

CMMC Level 2 introduces 110 practices grouped into 17 domains, including but not limited to:

  1. Access Control (AC): Limiting access to authorized users and preventing unauthorized access.
  2. Audit and Accountability (AU): Keeping a record of activities and ensuring you can trace back any security events.
  3. Incident Response (IR): Establishing a robust plan to detect, report, and recover from incidents.
  4. Risk Management (RM): Identifying and mitigating risks before they become costly breaches.

Each of these practices builds on NIST SP 800-171 controls, ensuring contractors meet DoD security expectations while reducing risks across the defense industrial base. We’ll explore the rest of the requirements soon.

Spotlight: Preparing for a Third-Party Assessment

Level 2 is unique because it usually requires an external audit by a certified CMMC Third-Party Assessment Organization (C3PAO). This step ensures your compliance isn’t just theoretical but demonstrable. Here’s how to prepare:

  • Documentation: Ensure all policies, procedures, and plans are up to date and accurately reflect your practices.
  • Gap Analysis: Identify areas where your existing controls fall short of CMMC Level 2 requirements.
  • Training: Educate your team on CMMC standards and the importance of their role in compliance.

Four-Phase Implementation Plan of CMMC 2.0

The CMMC 2.0 implementation follows a four-phase approach designed to ensure a smooth transition for organizations in the Defense Industrial Base (DIB). This phased rollout accounts for assessor availability and contractor preparedness.

Phase 1: Adaptation Period

  • Timeline: Begins December 16, 2024, and extends for six months due to an amendment.
  • Purpose: Provides contractors and organizations within the DIB additional time to align internal cybersecurity processes with the updated requirements under CMMC 2.0.
  • Key Action Items:
    • Organizations should familiarize themselves with the final rule and perform a gap analysis.
    • Preparation includes addressing Controlled Unclassified Information (CUI) environments, updating internal processes, and starting NIST 800-171 alignment where applicable.

Organizations preparing for third-party assessments can simplify their readiness process using tools like Centraleyes, which aligns CMMC requirements with NIST and ISO frameworks for seamless gap analysis.

Phase 2: Third-Party Assessments

  • Timeline: Commences one year after Phase 1 begins, approximately mid-FY2026.
  • Focus: Contractors managing CUI in most contracts will need to undergo an assessment conducted by a certified Third-Party Assessment Organization (C3PAO).
  • Details:
    • Certified C3PAOs are authorized under the CMMC Accreditation Body (CyberAB).
    • Organizations are assessed against the CMMC Level 2 framework, which mirrors the 110 controls outlined in NIST 800-171.

Phase 3: DoD-Led Level 3 Assessments

  • Timeline: Begins one year after Phase 2 starts (expected FY2027).
  • Scope: Applies to contracts involving the most sensitive CUI, which require a Level 3 assessment directly performed by the DoD.
  • Significance: Level 3 introduces additional, stringent requirements beyond Level 2, focusing on advanced threat detection and response capabilities.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days


Phase 4: Full Implementation

  • Timeline: Scheduled to begin one year after Phase 3 (FY2028) and span across seven years.
  • Objective: Enforces full CMMC compliance across all DoD contractors handling CUI or Federal Contract Information (FCI). By this stage, all contractors within the DIB must either meet the applicable CMMC level or demonstrate alternative means of compliance.

CMMC Level 2 Controls: A Comprehensive Guide

CMMC Level 2 is a significant step up from Level 1, requiring compliance with 110 controls derived from the NIST SP 800-171 framework. These controls are grouped into 17 domains, each addressing a specific area of cybersecurity. Here’s a more in-depth overview of the domains and their key practices.

1. Access Control (AC)

Focused on restricting access to authorized users, devices, and processes.

  • Implement role-based access control.
  • Use multifactor authentication (MFA) for sensitive systems.
  • Limit access based on the principle of least privilege.

2. Awareness and Training (AT)

Ensures personnel are aware of cybersecurity risks and responsibilities.

  • Conduct regular security training.
  • Reinforce training for handling Controlled Unclassified Information (CUI).

3. Audit and Accountability (AU)

Tracks and monitors user activities for security events.

  • Enable logging of all system activities.
  • Retain logs for analysis and compliance.

4. Configuration Management (CM)

Focuses on maintaining secure system configurations.

  • Develop and enforce baseline configurations.
  • Implement change control processes.

5. Identification and Authentication (IA)

Ensures only authenticated users and devices gain access.

  • Use unique identifiers for all users and devices.
  • Enforce strong password policies.

6. Incident Response (IR)

Prepares organizations to detect, respond to, and recover from incidents.

  • Develop and test an incident response plan (IRP).
  • Report incidents to the appropriate DoD channels.

7. Maintenance (MA)

Covers secure system maintenance processes.

  • Perform maintenance under supervision or using vetted tools.
  • Restrict and monitor remote maintenance.

8. Media Protection (MP)

Protects data stored on digital and physical media.

  • Encrypt CUI when stored on removable media.
  • Implement media disposal procedures to prevent data leaks.

9. Personnel Security (PS)

Ensures trusted personnel handle sensitive information.

  • Screen employees before granting access to CUI.
  • Remove access immediately when personnel leave.

10. Physical Protection (PE)

Secures physical access to facilities and systems.

  • Limit facility access to authorized individuals.
  • Monitor and control physical entry points.

11. Risk Management (RM)

Establishes processes for identifying and mitigating risks.

  • Conduct regular risk assessments.
  • Implement a risk management strategy.

12. Security Assessment (CA)

Validates the effectiveness of security controls.

  • Perform regular security assessments.
  • Document and remediate any deficiencies.

13. System and Communications Protection (SC)

Ensures secure data transmission and communication.

  • Encrypt CUI during transmission.
  • Monitor and control external communications.

14. System and Information Integrity (SI)

Focuses on identifying and responding to system vulnerabilities.

  • Deploy antivirus and anti-malware tools.
  • Monitor systems for unauthorized changes.

15. Asset Management (AM)

(New domain in CMMC 2.0) Identifies and tracks assets that process CUI.

  • Maintain an up-to-date inventory of hardware and software.

16. Recovery (RE)

(New domain in CMMC 2.0) Focuses on maintaining resilience.

  • Implement backup and disaster recovery procedures.

17. Situational Awareness (SA)

(New domain in CMMC 2.0) Strengthens threat monitoring.

  • Use threat intelligence to bolster defenses.

The Relationship Between DFARS and CMMC 2.0

To fully understand the role of CMMC 2.0 in the defense contracting landscape, it’s essential to discuss its connection to the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS is the set of regulations that govern the acquisition process for the Department of Defense (DoD). It provides the legal and contractual framework within which CMMC 2.0 operates.

DFARS Clause 252.204-7012

One of the key DFARS clauses, 252.204-7012, requires contractors to implement the security requirements outlined in NIST SP 800-171 to protect Controlled Unclassified Information (CUI).

This clause has been a foundational element of cybersecurity compliance for DoD contractors since 2017. Contractors must:

  • Report Cyber Incidents: Report any cyber incidents to the DoD within 72 hours.
  • Provide Media for Analysis: Share affected systems or data with the DoD for forensic analysis when required.

However, enforcement of these requirements has historically been inconsistent, as many contractors self-attested without verification of their compliance with the NIST SP 800-171.

DFARS Clause 252.204-7020

DFARS introduced clause 252.204-7020 to address enforcement issues, which requires contractors to undergo assessments of their implementation of NIST SP 800-171. These assessments use the DoD Assessment Methodology, which assigns a score to reflect the contractor’s compliance level. This scoring system ties directly to the Supplier Performance Risk System (SPRS), where scores are submitted and used to evaluate a contractor’s eligibility for DoD contracts.

How CMMC 2.0 Builds on DFARS

CMMC 2.0 was introduced to bolster the existing DFARS framework by adding a CMMC Level 2 certification process, not just an assessment. While DFARS relies on self-assessments and spot checks, CMMC 2.0 formalizes and verifies compliance through the following mechanisms:

  1. Three Levels of Certification: CMMC 2.0 introduces a tiered model that aligns with DFARS requirements:
     • Level 1 (Foundational): Basic Federal Contract Information (FCI) safeguards, similar to FAR Clause 52.204-21.
     • Level 2 (Advanced): Intermediate cyber hygiene practices aligned with NIST SP 800-171 for protecting CUI.
     • Level 3 (Expert): Advanced cybersecurity requirements aligned with NIST SP 800-172 for contractors handling the most sensitive information.
  2. Independent Verification: For contracts requiring CMMC Level 2 or Level 3, third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs) are required to verify CMMC Level 2 compliance. This goes beyond DFARS’ self-assessment model, ensuring greater accountability.
  3. Integration with SPRS: CMMC 2.0 ties directly to the DFARS requirements for reporting NIST SP 800-171 scores to SPRS. For non-priority contracts at Level 2, contractors may self-assess and upload their scores to SPRS. For priority contracts, third-party audits ensure compliance.

Centraleyes: Your CMMC 2.0 Accelerator

Centraleyes is your partner in tackling CMMC 2.0 complexities, whether you’re a contractor, MSP, or compliance team leader. From multi-tenant management to cross-mappings, we make compliance efficient and scalable.

  • Multi-Tenant Management: For MSPs and MSSPs, Centraleyes offers a centralized dashboard to oversee multiple clients simultaneously. Track compliance progress, identify gaps, and ensure consistent adherence to CMMC standards across clients without juggling multiple systems.
  • Comprehensive Framework Integration: Centraleyes aligns CMMC requirements with other key frameworks, enabling seamless gap analyses and actionable insights.
  • Efficiency and Scalability: With automation-driven processes, you save time and resources.

By partnering with Centraleyes, MSPs and MSSPs can elevate their offerings, providing clients with proactive compliance solutions while maintaining operational efficiency.

Ready to accelerate your CMMC journey? Schedule a demo.
