CMMC Level 2 Requirements

What Are CMMC Level 2 Requirements?

CMMC Level 2 requirements define the cybersecurity practices an organization must implement to protect Controlled Unclassified Information (CUI) when performing work for the U.S. Department of Defense. These requirements are based directly on NIST SP 800-171 Rev. 2 and consist of 110 security practices designed to safeguard CUI across systems, users, and supporting processes.

At Level 2, organizations are expected to demonstrate that required security practices are implemented, documented, and operating effectively within their environment. This goes beyond having written policies alone. Organizations must be able to show that controls are actively in use, consistently followed, and supported by evidence that reflects day-to-day operations.

CMMC Level 2 does not introduce new or proprietary security controls beyond NIST SP 800-171. Instead, it establishes a formal framework for verifying compliance by requiring objective evidence that each requirement has been met. The emphasis is on consistency, accountability, and the ability to validate how CUI is protected throughout the organization.

Organizations that store, process, or transmit CUI as part of DoD contracts must meet CMMC Level 2 requirements to remain eligible for certain contract awards. While assessment methods may vary based on contract language, the underlying security requirements remain the same for all organizations operating at Level 2.

Who Must Meet CMMC Level 2 Requirements?

CMMC Level 2 requirements apply to organizations within the defense industrial base that store, process, or transmit Controlled Unclassified Information (CUI) as part of their work with the U.S. Department of Defense. This includes both prime contractors and subcontractors, regardless of company size.

An organization does not need to be a large defense contractor to fall under CMMC Level 2. Small businesses, niche manufacturers, engineering firms, professional services providers, and IT support organizations may all be required to meet Level 2 requirements if CUI is present in their environment. The determining factor is not revenue or headcount, but whether CUI is handled in support of a DoD contract.

CMMC Level 2 requirements also apply across the supply chain. When a prime contractor receives CUI and shares it with subcontractors or service providers, those downstream organizations are typically required to implement the same security controls. This flow-down requirement is intended to ensure consistent protection of sensitive information throughout the defense ecosystem.

The specific requirement to meet CMMC Level 2—and the method used to assess compliance—is defined by contract language and Department of Defense guidance. Some contracts may allow organizations to perform a self-assessment, while others require an independent third-party assessment. Regardless of assessment type, the underlying security requirements remain the same and must be fully implemented and supported by evidence.

Organizations that are uncertain whether they handle CUI should not assume they are exempt. Properly identifying CUI and understanding how it enters, moves through, and exits the environment is a critical first step in determining CMMC Level 2 applicability.

How CMMC Level 2 Maps to NIST SP 800-171

CMMC Level 2 requirements align directly with the security requirements defined in NIST Special Publication 800-171 Rev. 2. Each of the 110 CMMC Level 2 practices corresponds one-to-one with a specific NIST SP 800-171 requirement. There are no additional technical controls introduced at Level 2 beyond those already established by NIST.

The primary purpose of CMMC Level 2 is not to change what security controls are required, but to standardize how compliance with those controls is verified. Under CMMC, organizations must demonstrate that NIST SP 800-171 requirements are fully implemented and supported by objective evidence, rather than relying solely on written policies or self-attestations without validation.

This direct mapping allows organizations that have already implemented NIST SP 800-171 to use that work as the foundation for CMMC Level 2 compliance. However, organizations should not assume that partial implementation or informal practices are sufficient. CMMC assessments focus on whether each requirement is implemented consistently and operates as described within the organization’s documented processes.

CMMC Level 2 also places increased emphasis on documentation accuracy and environmental alignment. Policies, procedures, and system descriptions must reflect how controls are actually implemented in practice. Discrepancies between documentation and real-world operations are commonly identified during assessments and can result in compliance gaps, even when technical controls exist.

Understanding this relationship between CMMC Level 2 and NIST SP 800-171 is critical. Organizations that approach CMMC as a documentation-only exercise often struggle during assessment, while those that treat it as a verification of existing security practices are better positioned for successful outcomes.

The 14 CMMC Level 2 Control Families

CMMC Level 2 requirements are organized into 14 control families, mirroring the structure of NIST SP 800-171 Rev. 2. Each family groups related security practices together to address a specific area of information protection. Understanding these families helps organizations assess coverage, identify gaps, and ensure controls are implemented consistently across their environment.

Below is an overview of the 14 CMMC Level 2 control families and the types of security practices each one addresses.

Access Control (AC)
Defines how access to systems and CUI is authorized, limited, and enforced. This includes user permissions, least privilege, session control, and restrictions on remote access.

Awareness and Training (AT)
Ensures personnel are trained to understand security risks, recognize threats, and follow organizational security policies and procedures related to CUI protection.

Audit and Accountability (AU)
Covers logging, monitoring, and reviewing system activity to detect unauthorized actions and support accountability. This includes audit log generation, retention, and review.

Configuration Management (CM)
Focuses on establishing and maintaining secure system configurations. This includes baseline configurations, change control, and managing unauthorized system changes.

Identification and Authentication (IA)
Addresses how users and devices are uniquely identified and authenticated before accessing systems. This includes password management, multi-factor authentication where required, and credential protection.

Incident Response (IR)
Defines how security incidents are detected, reported, analyzed, and handled. This includes incident response planning, testing, and documentation of response activities.

Maintenance (MA)
Covers the secure performance of system maintenance, including controls over tools, personnel, and activities that could impact system security.

Media Protection (MP)
Addresses the protection of physical and digital media containing CUI. This includes storage, transport, sanitization, and disposal of media.

Personnel Security (PS)
Focuses on ensuring individuals with access to CUI are appropriately vetted and that access is removed when no longer authorized.

Physical Protection (PE)
Covers physical access controls to facilities, systems, and environments where CUI is processed or stored, including visitor controls and monitoring.

Risk Assessment (RA)
Addresses identifying, analyzing, and responding to risks to organizational operations and CUI, including vulnerability identification and risk mitigation planning.

Security Assessment (CA)
Defines requirements for assessing the effectiveness of security controls, maintaining assessment results, and tracking remediation actions.

System and Communications Protection (SC)
Focuses on protecting system boundaries and communications paths. This includes network segmentation, encryption, and protections for data in transit.

System and Information Integrity (SI)
Addresses detecting and correcting system flaws, protecting against malicious code, and monitoring system integrity to ensure ongoing protection of CUI.

Together, these control families form a comprehensive framework for protecting Controlled Unclassified Information. Compliance at CMMC Level 2 requires that applicable practices across all 14 families are implemented, documented, and supported by evidence that reflects how systems and processes operate in practice.

What “Meeting a CMMC Level 2 Requirement” Actually Means

Meeting a CMMC Level 2 requirement involves more than stating that a security control exists. Organizations must be able to demonstrate that each required practice is implemented, documented, and operating consistently within their environment. All three elements are evaluated during an assessment.

An implemented control means the technical or administrative safeguard is actually in place. For example, access restrictions must be enforced through system configuration, not merely described in a policy. A documented control means the organization has policies, procedures, or plans that accurately describe how the requirement is addressed. These documents must reflect real operational practices, not aspirational or generic statements.

Operating consistently means the control is being followed in day-to-day activities and produces observable evidence. Assessors evaluate whether controls are applied uniformly, whether exceptions are managed appropriately, and whether supporting records demonstrate ongoing use over time. Controls that exist but are applied inconsistently or only during preparation periods may be identified as gaps.

CMMC assessments rely on objective evidence to validate compliance. This evidence can include system configurations, screenshots, logs, tickets, records, diagrams, and other artifacts that demonstrate how a requirement is met. Policies alone are not sufficient without corroborating evidence that supports their implementation.

Organizations often underestimate the importance of alignment between documentation and actual practices. When documentation describes controls that are not implemented as written, or when technical implementations differ from documented processes, assessors may determine that requirements are not met. Successful organizations approach CMMC Level 2 as a verification of how security is truly managed, rather than a paperwork exercise.

Documentation Required to Support CMMC Level 2

Meeting CMMC Level 2 requirements requires more than implementing technical controls. Organizations must maintain documentation that clearly demonstrates how security practices are defined, applied, and sustained across their environment. Documentation serves as the foundation for explaining how requirements are met and for supporting the evidence presented during an assessment.

At a minimum, organizations are expected to maintain written policies that establish security expectations and procedures that describe how those expectations are carried out in practice. These documents must accurately reflect the organization’s systems, workflows, and responsibilities. Generic or mismatched documentation that does not align with actual operations can create gaps during assessment, even when technical controls are in place.

In addition to policies and procedures, organizations typically rely on supporting artifacts to demonstrate ongoing compliance. These may include system security plans, network and data flow diagrams, access reviews, incident response records, configuration baselines, vulnerability management records, and audit logs. Together, these materials provide assessors with a clear picture of how CUI is protected across people, processes, and technology.

Documentation must also remain current. Changes to systems, personnel, service providers, or workflows can impact how requirements are implemented and may require updates to policies, procedures, and supporting records. Maintaining alignment between documentation and the operational environment is critical for sustaining compliance over time.

While the specific documents and artifacts required will vary based on an organization’s size, complexity, and architecture, the underlying expectation remains consistent: documentation must clearly and accurately demonstrate how each applicable CMMC Level 2 requirement is implemented and supported by evidence.

Common Misunderstandings About CMMC Level 2 Requirements

There is widespread confusion around CMMC Level 2 requirements, often driven by outdated guidance, marketing claims, or assumptions carried over from earlier versions of the program. Understanding what CMMC Level 2 does—and does not—require can help organizations avoid unnecessary effort and focus on what actually matters for compliance.

One common misunderstanding is that CMMC Level 2 introduces new security controls beyond NIST SP 800-171. In reality, Level 2 requirements map directly to the 110 NIST SP 800-171 Rev. 2 requirements. CMMC does not add new technical controls; it formalizes how compliance with existing requirements is assessed and verified.

Another misconception is that CMMC compliance can be achieved through documentation alone. While documentation is essential, assessors evaluate whether controls are implemented and operating in practice. Policies and procedures that are not supported by evidence or real-world implementation do not satisfy Level 2 requirements.

Some organizations believe that small businesses or subcontractors are exempt from CMMC Level 2. Company size does not determine applicability. If an organization stores, processes, or transmits Controlled Unclassified Information in support of a DoD contract, Level 2 requirements may apply regardless of headcount or revenue.

There is also confusion around tools and technology. CMMC Level 2 does not mandate specific security products, platforms, or vendors. Organizations are expected to implement controls appropriate to their environment and risk profile, not purchase predefined toolsets to “check a box.”

Finally, many organizations underestimate the importance of alignment between documentation and operations. Even well-designed security controls can fail an assessment if documentation does not accurately reflect how those controls are implemented. Successful compliance efforts focus on consistency between people, processes, technology, and evidence.

How to Validate You Meet CMMC Level 2 Requirements

Validating compliance with CMMC Level 2 requirements involves confirming that required security practices are fully implemented, documented, and operating as intended. Organizations should approach validation as an internal readiness activity rather than waiting until an assessment to identify gaps.

A common first step is conducting a structured review of applicable NIST SP 800-171 requirements to determine whether controls are implemented consistently across the environment. This includes reviewing technical configurations, verifying documented procedures, and confirming that responsibilities are clearly assigned and understood by personnel.

Organizations should also evaluate the quality and completeness of their supporting documentation. Policies, procedures, and plans should accurately describe how controls are implemented in practice, and supporting records should demonstrate that those controls are operating over time. Inconsistent, outdated, or incomplete documentation is a frequent source of compliance gaps.

Internal reviews, tabletop exercises, and evidence collection activities can help organizations identify weaknesses before an assessment occurs. These activities provide an opportunity to address deficiencies, update documentation, and strengthen processes in a controlled manner rather than under assessment pressure.

For organizations preparing for a formal CMMC assessment, readiness validation is critical. Understanding where gaps exist—and addressing them before engaging assessors—reduces risk, shortens remediation timelines, and increases confidence going into the assessment process.

How CMMC Level 2 Requirements Fit Into the Certification Process

CMMC Level 2 requirements form the foundation of the certification process. Certification is not a separate set of controls or activities; it is the formal validation that an organization has implemented and can demonstrate compliance with the required NIST SP 800-171 practices.

The certification process typically begins after an organization has implemented applicable controls and validated readiness. During assessment, each requirement is evaluated to determine whether it is implemented, documented, and operating as intended. Assessors review objective evidence, interview personnel, and examine system configurations to confirm compliance.

Documentation plays a central role throughout the certification process. Policies, procedures, plans, and supporting artifacts are used to explain how controls are implemented and to support the evidence presented during assessment. Gaps between documentation and actual operations are commonly identified during this phase and may require remediation before certification can be achieved.

CMMC Level 2 certification is contract-driven. The specific assessment method, assessment scope, and certification requirements are defined by Department of Defense contract language. While assessment approaches may vary, the underlying requirements remain consistent across organizations operating at Level 2.

Understanding how CMMC Level 2 requirements fit into the broader certification process helps organizations prepare effectively, reduce assessment risk, and avoid unnecessary delays. Organizations that treat certification as a validation of existing security practices, rather than a last-minute compliance exercise, are better positioned for successful outcomes.

For an overview of required CMMC Level 2 documentation, see our CMMC Level 2 documentation guide.

For a step-by-step explanation of assessments and certification, see our CMMC Level 2 certification process overview.