The short answer

CMMC Level 2 requires you to meet all 110 controls of NIST Special Publication 800-171 Revision 2. The controls are organized into 14 families covering everything from who can log in to your systems to how you respond when something goes wrong. Most defense contractors handling Controlled Unclassified Information (CUI) need Level 2. If your contract includes a CMMC clause and you touch CUI, this is your bar.

Who needs CMMC Level 2

You need Level 2 if your prime or government contract requires it. Two indicators that almost always mean Level 2:

  • Your contract includes the CMMC clause (DFARS 252.204-7021) specifying Level 2, or DFARS 252.204-7012 with a CUI handling requirement.
  • You receive, store, process, or transmit Controlled Unclassified Information at any point during contract performance.

Level 1 is the lower bar (the 15 basic safeguarding requirements of FAR 52.204-21, counted as 17 practices in earlier CMMC model documents, and self assessed annually) and applies when you only handle Federal Contract Information (FCI), not CUI.

The 14 control families

NIST SP 800-171 Rev 2 organizes the 110 controls into 14 families. Each family covers one specific risk area. Here is what each one is really asking you to do.

Family (code), number of requirements: what it covers

Access Control (AC), 22: Who can use your systems and what they can do: least privilege, separation of duties, session controls, and control over remote, wireless, mobile and external system access. The largest family by requirement count.
Awareness and Training (AT), 3: Your people are trained on security risks, insider threat indicators, and their role in protecting CUI.
Audit and Accountability (AU), 9: You log security relevant events, retain and protect the logs, review them, and can tie actions to specific users.
Configuration Management (CM), 9: Your systems have a known, documented baseline. Changes are tracked and approved, and unnecessary software, ports and services are removed.
Identification and Authentication (IA), 11: You know who is on your systems. MFA is required for local and network access to privileged accounts and for network access to non-privileged accounts (3.5.3), and passwords and other authenticators are managed.
Incident Response (IR), 3: You can detect an incident, contain it, recover from it, and report it, and you test that capability.
Maintenance (MA), 6: Maintenance on your systems happens in a controlled way that does not leak CUI, including sanitizing equipment sent off site and supervising maintenance personnel.
Media Protection (MP), 9: Removable media, paper documents, and old hardware that touched CUI are marked, controlled, encrypted in transport, and sanitized or destroyed properly.
Personnel Security (PS), 2: People are screened before they get access to CUI, and access is removed when they leave or transfer.
Physical Protection (PE), 6: Your facility, server room, and devices are physically protected from unauthorized access; visitors are escorted and physical access is logged.
Risk Assessment (RA), 3: You periodically assess risk, scan your systems for vulnerabilities, and remediate what you find.
Security Assessment (CA), 4: You assess your own controls, write and maintain the SSP, maintain a POA&M, and monitor controls on an ongoing basis.
System and Communications Protection (SC), 16: Boundary protection at the perimeter and between segments, FIPS validated cryptography for CUI in transit, separation of public facing systems, and isolation of CUI from where it does not belong.
System and Information Integrity (SI), 7: You patch promptly, run malicious code protection, act on vendor security advisories, and monitor the system for attacks and indicators of compromise.

What "meeting" a control actually means

The DoD does not grade on intent. Under the DoD Assessment Methodology that feeds SPRS, each requirement is scored as implemented or not implemented; a CMMC assessment records each one as MET, NOT MET, or NOT APPLICABLE (with written justification). "Partially met" is not a status that earns credit, apart from the two exceptions described in the next section. To call a requirement met you generally need three things in place:

  1. A documented policy or procedure describing how you do it.
  2. An actual implementation visible in the system (configuration, tooling, process).
  3. Evidence a C3PAO can review, such as screenshots, configuration exports, training records, or log samples.

If you have one of these but not the others, the requirement is not met, and its full point value is deducted from your SPRS score.

Partial credit and the SPRS deduction

Scoring starts at 110. Each requirement carries a weight of 1, 3, or 5 points that is subtracted when it is not implemented, so the lowest possible score is -203. The DoD methodology has one special rule worth knowing: two requirements earn partial credit. 3.5.3 (multi factor authentication) deducts 3 points instead of 5 if MFA is in place for remote and privileged users but not yet for all users, and 3.13.11 (FIPS validated cryptography) deducts 3 instead of 5 if CUI is encrypted but the module is not FIPS validated. Every other requirement is all or nothing. Under the CMMC rule a Level 2 certification can be conditional on a POA&M only if your score is at least 88 (80 percent of 110) and every deferred item is a 1 point requirement, with 3.13.11 at partial credit as the one higher weight exception and a handful of 1 point requirements (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) that can never be deferred; the POA&M must be closed out within 180 days.
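How the arithmetic plays out, as an added example that is not part of this page or of any DoD tool: a small Python scorer that applies the DoD Assessment Methodology (start at 110, subtract 1, 3 or 5 points per unimplemented requirement, partial credit only for 3.5.3 and 3.13.11) and then checks whether the result would still qualify for a conditional certification with a POA&M. The weight table is a constructed subset for illustration, so the score it produces assumes every requirement not listed is implemented; the full table is Annex A of the methodology. The POA&M test encodes the conditions of the CMMC Program rule (32 CFR 170.21) as summarized in this section: score of at least 88, only 1 point requirements deferred, 3.13.11 at partial credit as the sole exception, and five 1 point requirements that can never be deferred. Verify that list against the current rule text before relying on it.

```python
"""SPRS score calculator for a NIST SP 800-171 Rev 2 assessment.

Added example; not part of the original page or of any DoD tool. Encodes the
DoD Assessment Methodology arithmetic plus the CMMC POA&M eligibility test.
The weight table is a constructed subset; Annex A of the methodology has all 110.
"""
from enum import Enum

MAX_SCORE = 110
POAM_THRESHOLD = 88  # 80 percent of 110, rounded up

# Requirements that earn partial credit: 3 points off instead of 5.
#   3.5.3   MFA in place for remote and privileged users, not yet for all users
#   3.13.11 CUI encrypted, but with a module that is not FIPS 140 validated
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# 1-point requirements the CMMC rule never allows on a POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not implemented"
    NOT_APPLICABLE = "not applicable"   # requires written justification
    PARTIAL = "partial"                 # only earns credit for 3.5.3 / 3.13.11


def deduction(req_id: str, weight: int, status: Status) -> int:
    """Points lost for one requirement."""
    if status in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
        return 0
    if status is Status.PARTIAL and req_id in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[req_id]
    # Everywhere else "partial" is just "not implemented": full weight lost.
    return weight


def sprs_score(weights: dict[str, int], statuses: dict[str, Status]) -> int:
    """110 minus all deductions. A requirement with no recorded status is an
    error: unassessed is not the same as implemented."""
    missing = sorted(set(weights) - set(statuses))
    if missing:
        raise ValueError(f"no status recorded for {missing}")
    return MAX_SCORE - sum(deduction(r, w, statuses[r]) for r, w in weights.items())


def open_items(statuses: dict[str, Status]) -> list[str]:
    """Requirements that would have to go on a POA&M."""
    return sorted(r for r, s in statuses.items()
                  if s in (Status.NOT_IMPLEMENTED, Status.PARTIAL))


def poam_permitted(weights: dict[str, int], statuses: dict[str, Status]) -> bool:
    """Conditional certification test: score >= 88, every open item is a
    1-point requirement (3.13.11 may stay open at partial credit), and none
    of the open items is on the never-POA&M list."""
    if sprs_score(weights, statuses) < POAM_THRESHOLD:
        return False
    for r in open_items(statuses):
        if r in NEVER_ON_POAM:
            return False
        if r == "3.13.11" and statuses[r] is Status.PARTIAL:
            continue
        if weights[r] > 1:
            return False
    return True


# Constructed sample: a subset of Annex A weights (requirements not listed
# are treated as implemented).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.22": 1, "3.3.1": 5, "3.5.3": 5,
    "3.8.4": 1, "3.10.3": 1, "3.13.11": 5, "3.14.1": 5,
}

# Scenario 1 (constructed): typical first pass. MFA and encryption half done,
# audit logging missing, and a "partial" on 3.1.2 that earns no credit.
FIRST_PASS = {r: Status.IMPLEMENTED for r in SAMPLE_WEIGHTS}
FIRST_PASS.update({
    "3.1.2": Status.PARTIAL,            # -5, no partial credit here
    "3.1.22": Status.NOT_IMPLEMENTED,   # -1
    "3.3.1": Status.NOT_IMPLEMENTED,    # -5
    "3.5.3": Status.PARTIAL,            # -3
    "3.13.11": Status.PARTIAL,          # -3
})

# Scenario 2 (constructed): after remediation only FIPS validation and media
# marking remain open.
AFTER_REMEDIATION = {r: Status.IMPLEMENTED for r in SAMPLE_WEIGHTS}
AFTER_REMEDIATION.update({
    "3.8.4": Status.NOT_IMPLEMENTED,    # -1, 1-point item, POA&M allowed
    "3.13.11": Status.PARTIAL,          # -3, the one higher-weight exception
})

if __name__ == "__main__":
    for name, st in (("first pass", FIRST_PASS), ("after remediation", AFTER_REMEDIATION)):
        print(f"{name}: score {sprs_score(SAMPLE_WEIGHTS, st)}, open {open_items(st)}, "
              f"POA&M permitted: {poam_permitted(SAMPLE_WEIGHTS, st)}")
```

The first scenario scores 93, which clears the 88 threshold, yet it is not POA&M eligible because 5 point requirements are open and 3.1.22 is on the never-defer list; the second scores 106 and qualifies. The point worth internalizing is the first case: a score above 88 is necessary but not sufficient.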

Scoping: what's in scope?

The scope of your CMMC assessment is "every system that processes, stores, or transmits CUI, plus everything that supports those systems." The art is in narrowing it.

  • In scope: CUI assets (CUI workstations, file shares, email, and the network segment they live on) and security protection assets (the identity provider, MDM, SIEM, EDR and backup systems that protect them), plus the people with access to any of it. Both categories are assessed against the requirements.
  • Often in scope: contractor risk managed assets, meaning systems that could handle CUI but are kept from doing so by policy, and specialized assets such as OT, IoT and test equipment. These must be inventoried and documented in the SSP, and the assessor checks that the policy keeping CUI off them actually holds.
  • Out of scope: systems that demonstrably never see CUI and are physically or logically separated from CUI assets, such as public marketing infrastructure.

Narrowing scope is the single biggest cost lever. A 30 employee shop with 6 people in a CUI enclave will pay a much smaller C3PAO fee than a 30 employee shop where CUI is on every laptop.

Common gaps that fail assessments

  • MFA missing or partial. 3.5.3 is among the most commonly failed requirements. It requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts; MFA on the VPN alone does not satisfy it.
  • FIPS validated encryption missing. Using TLS is not enough. The cryptographic module itself must hold a CMVP certificate and be running in its FIPS approved mode (for example Windows with the "Use FIPS compliant algorithms" security policy enabled, or OpenSSL 3 with the FIPS provider loaded), and you need to be able to show that for every place CUI is encrypted in transit or at rest.
  • No documented incident response process. Many small contractors have a vague plan in someone's head. Write it down.
  • No CUI marking discipline. CUI must be identifiable. Unmarked CUI is a finding.
  • Logs that no one reads. Generating logs is not the same as reviewing them.
  • Stale baselines. If your CM baseline says you run Windows 10 and you actually run Windows 11, that is a finding.

How long it takes to meet all 110

For a small contractor starting from a typical office IT setup, expect 3 to 9 months of focused work to close real gaps and produce a defensible SSP. Compliance software shortens the documentation half significantly, but the remediation half (actually buying and configuring the tools) is real engineering time you cannot shortcut.

Frequently asked questions

How many controls are in CMMC Level 2?

110. They come from NIST Special Publication 800-171 Revision 2 and are organized into 14 families. CMMC Level 2 requires all 110 to be met (or formally accepted as not applicable with written justification) for full compliance.

Do I need every one of the 110 controls?

Yes, unless a control genuinely does not apply to your environment. For example, if you operate no wireless networks, wireless related controls can be marked Not Applicable with written justification. A C3PAO assessor will review that justification. Marking applicable controls as not applicable to inflate a score is a finding.

What are the 14 NIST 800-171 control families?

Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI).

Is CMMC Level 2 the same as NIST 800-171?

CMMC Level 2 uses the same 110 requirements as NIST SP 800-171 Rev 2, with nothing added. The difference is in how conformance is verified. NIST 800-171 under DFARS 252.204-7012 has historically been self attested, with a self assessment score posted to SPRS. The CMMC rule defines two Level 2 variants: a Level 2 self assessment (with an annual affirmation by a senior company official) for some contracts, and Level 2 certification, where a Certified Third Party Assessment Organization (C3PAO) performs the assessment and the certificate is valid for three years. DoD has said that most contracts involving CUI will require the C3PAO version.

What is the difference between CMMC Level 2 and Level 3?

Level 2 covers all 110 requirements of NIST 800-171. Level 3 adds 24 selected requirements from NIST SP 800-172, designed to defend against advanced persistent threats, and is assessed by the DoD's own assessors (DCMA DIBCAC) rather than a C3PAO; a Level 2 C3PAO certification is a prerequisite. It applies only to contractors handling CUI for the most sensitive programs. The overwhelming majority of contractors with a CMMC requirement need Level 2, not Level 3.

Get started

Ready to build your System Security Plan?

Verdiex walks you through the questionnaire, generates your SSP, calculates your SPRS score, and tracks your POA&M. Get on the early access list and we will notify you when it opens.

Verdiex prepares you for assessment. A C3PAO performs the assessment and issues certification.