CMMC Level 2: The Complete Guide for Defense Contractors

Everything you need to understand about CMMC Level 2 certification — the 110 security practices, all 14 domains, realistic cost and timeline expectations, and a step-by-step preparation framework.

CMMC Level 2 is the certification tier that most defense contractors will need. It applies to any organization that processes, stores, or transmits Controlled Unclassified Information on behalf of the Department of Defense. With 110 security practices across 14 domains, Level 2 is a substantial undertaking — but it is also a clearly defined one. This guide breaks down exactly what Level 2 requires, what it costs, how long it takes, and how to prepare systematically.

What Is CMMC Level 2?

CMMC Level 2, designated "Advanced" under the CMMC 2.0 framework, requires full implementation of all 110 security requirements defined in NIST Special Publication 800-171 Revision 2. These requirements establish the baseline cybersecurity posture that the Department of Defense considers necessary for organizations handling CUI.

Unlike Level 1, which covers only Federal Contract Information and allows annual self-assessment against 17 basic practices, Level 2 addresses the more sensitive category of Controlled Unclassified Information. CUI includes technical drawings, specifications, test data, performance information, and other information that, while not classified, requires protection from unauthorized disclosure.

The assessment model for Level 2 depends on the criticality of the CUI involved. Some contracts allow self-assessment with a senior official's affirmation. Others — specifically those involving CUI critical to national security — require a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). The specific requirement will be stated in the contract solicitation. Regardless of the assessment method, all 110 controls must be fully implemented.

CMMC Level 2 certification is valid for three years, after which a reassessment is required. During the certification period, organizations must submit annual affirmations confirming continued compliance and maintain all controls continuously.

CMMC Level 1 vs Level 2: Key Differences

Understanding the differences between Level 1 and Level 2 is critical for determining which certification your organization needs and for scoping your preparation effort appropriately.

Number of practices: Level 1 requires 17 basic cybersecurity practices derived from FAR 52.204-21. Level 2 requires all 110 security requirements from NIST SP 800-171 Rev 2. The jump from 17 to 110 practices represents a significant increase in technical complexity, documentation requirements, and operational overhead.

Assessment method: Level 1 uses annual self-assessment exclusively. Level 2 uses either self-assessment or third-party C3PAO assessment, depending on the contract. Third-party assessments are substantially more rigorous, involving multi-day on-site evaluations with evidence review, personnel interviews, and technical validation.

Information type: Level 1 applies to organizations handling only Federal Contract Information (FCI) — information provided by or generated for the government under contract that is not public. Level 2 applies to organizations handling Controlled Unclassified Information (CUI), which requires specific safeguarding controls under executive order and applicable CUI registries.

Cost range: Level 1 compliance can typically be achieved for $5,000 to $15,000 in consulting and tooling costs, as the controls are basic and most organizations already have many in place. Level 2 compliance ranges from $25,000 to $100,000 or more, depending on organization size, current posture, and whether managed services or new tooling is required.

Documentation depth: Level 1 requires basic policy documentation and evidence of control implementation. Level 2 requires a comprehensive System Security Plan, Plan of Action and Milestones, network diagrams, data flow diagrams, detailed policies for each domain, and evidence artifacts for every control. The documentation package for a Level 2 assessment can span hundreds of pages.

The 14 CMMC Domains

CMMC Level 2 organizes its 110 practices across 14 security domains. Each domain addresses a specific area of cybersecurity, and together they form a comprehensive security program. Here is what each domain covers and why it matters for your assessment.

Access Control (AC)

Access Control is the largest domain with 22 requirements. It governs who can access your systems, what they can do, and how those permissions are managed. Key requirements include limiting system access to authorized users, controlling the flow of CUI within your network and to external systems, enforcing separation of duties, using the principle of least privilege, and controlling remote access sessions. This domain also requires encrypting CUI on mobile devices and controlling access through wireless networks. For most organizations, Access Control drives the most remediation work because it touches user management, network architecture, and data flow simultaneously.

Awareness and Training (AT)

This domain requires that your workforce understands their security responsibilities. It includes security awareness training for all users, role-based training for personnel with significant security responsibilities, and training on recognizing and reporting insider threats. Training must be documented, and records must show that personnel complete required training before accessing CUI systems.

Audit and Accountability (AU)

Audit and Accountability requires creating, protecting, and retaining system audit logs. You must log user actions, system events, and security-relevant activities at sufficient detail for after-the-fact investigation. Logs must be protected from unauthorized modification, reviewed regularly, and retained according to defined policies. This domain also requires alerting on audit processing failures and correlating audit records across systems for analysis.

Configuration Management (CM)

Configuration Management establishes requirements for maintaining secure baseline configurations of your systems. It includes documenting and controlling changes to hardware, software, and firmware, restricting nonessential programs and functions, applying the principle of least functionality, and controlling and monitoring user-installed software. Baseline configurations must be maintained, and deviations must be documented and approved.

Identification and Authentication (IA)

This domain governs how users and devices prove their identity before gaining access. Requirements include uniquely identifying all users and devices, authenticating identities before granting access, using multi-factor authentication for network and remote access, employing replay-resistant authentication mechanisms, and managing passwords according to complexity and rotation policies. Multi-factor authentication for all privileged and remote access is one of the most commonly failed requirements in this domain.

Incident Response (IR)

Incident Response requires establishing, maintaining, and testing an incident response capability. You must have a documented incident response plan, train personnel on their roles during an incident, test the plan at defined intervals, track and report incidents, and preserve evidence for analysis. For defense contractors, this domain also intersects with the DFARS 252.204-7012 requirement to report cyber incidents to the DoD within 72 hours.

Maintenance (MA)

The Maintenance domain addresses how you maintain your information systems securely. Requirements include performing maintenance according to documented procedures, using approved and controlled maintenance tools, sanitizing equipment before off-site maintenance, and verifying that maintenance personnel are authorized. Remote maintenance activities require additional controls including session logging and access termination when complete.

Media Protection (MP)

Media Protection governs how you handle physical and digital media containing CUI. This includes protecting, controlling, and labeling media, limiting access to CUI media to authorized personnel, sanitizing media before disposal or reuse, and controlling the transport of media outside controlled areas. Encryption requirements apply to digital media containing CUI that leaves the physical boundary of your facility.

Personnel Security (PS)

Personnel Security requires screening individuals before granting access to systems containing CUI and managing access throughout the employment lifecycle. This includes background screening commensurate with the risk of the position, protecting CUI during personnel transitions such as termination or transfer, and ensuring that access is revoked promptly when an individual's authorization changes.

Physical Protection (PE)

Physical Protection establishes requirements for controlling physical access to your facilities, equipment, and operating environments. Key requirements include limiting physical access to authorized individuals, protecting and monitoring the physical facility, escorting visitors, maintaining audit logs of physical access, and managing physical access devices such as keys, badges, and combinations.

Risk Assessment (RA)

The Risk Assessment domain requires periodically assessing the risk to organizational operations, assets, and individuals from the operation of your information systems. This includes conducting vulnerability scanning at defined intervals, remediating identified vulnerabilities based on risk prioritization, and sharing threat intelligence with designated personnel. Risk assessments should inform your security priorities and resource allocation.

Security Assessment (CA)

Security Assessment requires periodically evaluating whether your security controls are implemented correctly, operating as intended, and producing the desired outcome. This includes developing and implementing plans of action to correct deficiencies, monitoring security controls on an ongoing basis, and conducting system-level assessments as part of authorization decisions. This domain essentially requires you to audit your own compliance program continuously.

System and Communications Protection (SC)

This domain addresses protecting the confidentiality and integrity of CUI as it is transmitted and processed. Requirements include monitoring and controlling communications at system boundaries, employing architectural designs and software engineering techniques that promote effective security, separating user functionality from system management functionality, and implementing cryptographic mechanisms to protect CUI during transmission. FIPS 140-2 validated encryption is required for CUI in transit.

System and Information Integrity (SI)

System and Information Integrity requires identifying, reporting, and correcting information system flaws in a timely manner. This includes implementing malicious code protection, monitoring system security alerts and advisories, updating protection mechanisms when new releases are available, performing periodic and real-time scans of the information system, and monitoring inbound and outbound communications for attacks or indicators of compromise.

How to Prepare for CMMC Level 2

Preparation for CMMC Level 2 is a structured, multi-phase effort. The following eight steps represent the approach that consistently produces successful assessment outcomes.

Step 1: Scope Your CUI Environment

Before you implement a single control, you need to define exactly where CUI exists in your environment. Map every system, application, network segment, and storage location where CUI enters, is processed, is stored, or exits your organization. The goal is to establish the smallest defensible CUI boundary, because every system inside that boundary must implement all 110 controls. Effective scoping can reduce your compliance surface by 30 to 50 percent compared to treating your entire network as in-scope. This step often involves network segmentation to isolate CUI processing from general business systems.

Step 2: Conduct a Gap Assessment

With your CUI boundary defined, evaluate each of the 110 NIST SP 800-171 requirements against your current environment. For each requirement, document whether the control is fully implemented, partially implemented, or not implemented. Partial implementations should include detailed notes on what is present and what is missing. The gap assessment is your baseline — it tells you exactly how far you are from compliance and informs every subsequent decision about priorities, timeline, and budget.

Step 3: Build Your System Security Plan (SSP)

Your System Security Plan is the foundational document for your CMMC compliance program. It describes your system boundary, your environment architecture, and how each of the 110 controls is implemented. Assessors use the SSP as their primary reference during the evaluation. Start building your SSP early and update it as you implement controls. A mature SSP for a Level 2 assessment typically runs 200 to 400 pages and includes network diagrams, data flow diagrams, system inventories, and detailed control implementation descriptions.

Step 4: Develop Your Plan of Action and Milestones (POA&M)

The POA&M documents every gap identified in your assessment along with the specific remediation actions, responsible parties, and target completion dates. Under CMMC 2.0, limited POA&Ms are allowed for Level 2 assessments — meaning you can have some open items at assessment time — but only for non-critical controls, and all POA&M items must be closed within 180 days. Structure your POA&M so that each item traces to a specific NIST 800-171 requirement and includes measurable completion criteria.
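To make the Step 2 gap register and the Step 4 POA&M rules concrete, here is an added example (not code from the original guide): a small Python checker that summarizes implementation status per domain and flags POA&M items that do not trace to a valid NIST SP 800-171 requirement ID, lack an owner or measurable criteria, or target closure after the 180-day window (assumed here to be counted from the assessment date). All register rows and POA&M items are constructed sample data.

```python
"""Gap-assessment register and POA&M checker for CMMC Level 2 preparation.

Added example, not code from the original guide. Each requirement is recorded
as implemented, partial or not_implemented; every open gap needs a POA&M item
with a valid requirement ID, an owner, measurable criteria and a target date
within 180 days (assumed to run from the assessment date). Sample data only.
"""
from collections import Counter
from datetime import date, timedelta
import re

# NIST SP 800-171 Rev 2 family number -> CMMC domain abbreviation.
DOMAINS = {1: "AC", 2: "AT", 3: "AU", 4: "CM", 5: "IA", 6: "IR", 7: "MA",
           8: "MP", 9: "PS", 10: "PE", 11: "RA", 12: "CA", 13: "SC", 14: "SI"}
STATUSES = {"implemented", "partial", "not_implemented"}
POAM_MAX_DAYS = 180                                  # CMMC 2.0 closure window
REQ_ID = re.compile(r"^3\.(\d{1,2})\.(\d{1,2})$")    # e.g. 3.5.3


def domain_of(req_id):
    """Domain abbreviation for a requirement ID, or None if it is malformed."""
    m = REQ_ID.match(req_id)
    return DOMAINS.get(int(m.group(1))) if m else None


def gap_summary(register):
    """Per-domain Counter of requirement statuses; rejects malformed rows."""
    summary = {}
    for row in register:
        dom = domain_of(row["id"])
        if dom is None or row["status"] not in STATUSES:
            raise ValueError(f"bad register row: {row}")
        summary.setdefault(dom, Counter())[row["status"]] += 1
    return summary


def validate_poam(register, poam, assessment_date):
    """Return a list of problem strings; an empty list means the POA&M is consistent."""
    deadline = assessment_date + timedelta(days=POAM_MAX_DAYS)
    gaps = {r["id"] for r in register if r["status"] != "implemented"}
    covered, problems = set(), []
    for item in poam:
        rid = item["id"]
        if domain_of(rid) is None:
            problems.append(f"{rid}: not a valid NIST SP 800-171 requirement ID")
            continue
        if rid not in gaps:
            problems.append(f"{rid}: does not trace to an open gap in the register")
        covered.add(rid)
        if not item.get("owner"):
            problems.append(f"{rid}: no responsible party assigned")
        if not item.get("criteria", "").strip():
            problems.append(f"{rid}: missing measurable completion criteria")
        if item["target"] > deadline:
            problems.append(f"{rid}: target {item['target']} is past the "
                            f"{POAM_MAX_DAYS}-day deadline {deadline}")
    for rid in sorted(gaps - covered):
        problems.append(f"{rid}: open gap has no POA&M item")
    return problems


# Constructed sample data: a four-row register and three POA&M items.
SAMPLE_REGISTER = [
    {"id": "3.1.1", "status": "implemented"},        # AC: limit system access
    {"id": "3.1.12", "status": "partial"},           # AC: monitor remote access
    {"id": "3.5.3", "status": "not_implemented"},    # IA: multi-factor authentication
    {"id": "3.13.8", "status": "implemented"},       # SC: encrypt CUI in transit
]
ASSESSMENT_DATE = date(2025, 1, 15)                  # closure deadline: 2025-07-14
SAMPLE_POAM = [
    {"id": "3.1.12", "owner": "IT lead", "target": date(2025, 4, 1),
     "criteria": "All remote sessions logged to the SIEM and reviewed weekly"},
    {"id": "3.5.3", "owner": "IT lead", "target": date(2025, 9, 1),
     "criteria": ""},                                # no criteria, late target
    {"id": "3.15.1", "owner": "IT lead", "target": date(2025, 4, 1),
     "criteria": "n/a"},                             # family 15 does not exist
]

if __name__ == "__main__":
    for dom, counts in sorted(gap_summary(SAMPLE_REGISTER).items()):
        print(dom, dict(counts))
    for problem in validate_poam(SAMPLE_REGISTER, SAMPLE_POAM, ASSESSMENT_DATE):
        print("POA&M issue:", problem)
```

Which controls are "critical" and therefore ineligible for a POA&M is a contract and DoD scoring question the script does not decide; it only enforces traceability, ownership, criteria and the closure window.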

Step 5: Implement Technical Controls

This is the remediation phase where you deploy the technical solutions needed to close your gaps. Common implementations include deploying or upgrading endpoint detection and response (EDR) solutions, implementing FIPS 140-2 validated encryption for data at rest and in transit, configuring multi-factor authentication across all CUI-touching systems, establishing centralized log collection and SIEM capabilities, deploying vulnerability scanning tools, configuring network segmentation and boundary protections, and hardening system configurations against CIS benchmarks. Prioritize controls that address the highest risk gaps first, and document each implementation for your SSP evidence package.

Step 6: Train Your Team

CMMC is not just a technical exercise. Multiple domains require that your personnel understand their security responsibilities, can recognize threats, and follow documented procedures. Conduct security awareness training for all employees with access to CUI systems. Provide role-based training for IT staff, security personnel, and system administrators. Document all training with attendance records and completion certificates. During your assessment, assessors will interview personnel to verify that training has been effective — your team needs to be able to articulate security procedures, not just check a box.

Step 7: Conduct a Pre-Audit and Mock Assessment

Before scheduling your C3PAO assessment, conduct a thorough pre-audit that simulates the actual evaluation process. This includes reviewing all documentation for completeness and accuracy, validating that technical controls are implemented and producing evidence as expected, interviewing key personnel to ensure they can explain and demonstrate controls, and identifying any remaining gaps that could result in findings. A well-executed mock assessment reveals issues you can fix before they become assessment findings. This step alone can mean the difference between passing and failing your C3PAO evaluation.

Step 8: Select and Schedule Your C3PAO

If your contract requires a third-party assessment, research and select your C3PAO well in advance. C3PAO capacity is limited, and wait times for assessment scheduling can extend to several months. The Cyber AB (formerly the CMMC Accreditation Body) maintains a marketplace of authorized C3PAOs. When selecting your assessor, consider their experience with organizations similar to yours, their availability, and their communication style. Schedule your assessment only after your pre-audit confirms you are ready — a premature assessment wastes money and delays your certification.

Common Mistakes That Derail CMMC Preparation

After guiding multiple organizations through the CMMC preparation process, we consistently see the same mistakes causing delays, budget overruns, and assessment failures. Avoiding these pitfalls can save you months of rework.

Underestimating the scope of CUI. Many organizations assume CUI is limited to a few specific files or systems. In practice, CUI often flows through email, collaboration platforms, file shares, backup systems, and employee devices in ways that are not immediately obvious. A thorough CUI scoping exercise is essential before any control implementation begins. Discovering new CUI repositories mid-assessment is one of the most disruptive scenarios you can face.

Neglecting documentation. Organizations that focus exclusively on technical controls and leave documentation for later almost always run into trouble. Assessors evaluate your documentation as heavily as your technical implementation. An undocumented control is, from an assessment perspective, an unimplemented control. Build your SSP, policies, and procedures in parallel with your technical remediation — not after.

Attempting DIY without qualified guidance. The NIST 800-171 requirements are publicly available, and many IT professionals are capable of implementing individual controls. But the compliance architecture — proper scoping, documentation structure, evidence methodology, and assessment preparation — requires specialized expertise. Organizations that self-prepare without experienced guidance commonly make scoping errors, produce inadequate documentation, or implement controls that satisfy the letter of a requirement but miss the intent assessors are looking for.

Ignoring supply chain requirements. Your CMMC compliance extends to your subcontractors and service providers who handle CUI on your behalf. If you flow CUI to subcontractors, they must also be compliant. If you use cloud services for CUI processing, those services must meet FedRAMP Moderate or equivalent requirements. Failing to account for supply chain dependencies can create compliance gaps that you discover too late to remediate before your assessment.

Not budgeting for ongoing compliance. CMMC certification is not a one-time project. It requires continuous monitoring, regular control reviews, documentation updates, annual affirmations, and reassessment every three years. Organizations that budget only for initial certification and neglect ongoing compliance costs find themselves scrambling when reassessment approaches with a degraded security posture.

Costs and Timeline

One of the most common questions from defense contractors considering CMMC Level 2 is how much it costs and how long it takes. The honest answer is that both depend heavily on your starting point, but here are realistic ranges based on typical engagements.

Cost Breakdown

Consulting and gap analysis: $15,000 to $60,000. This covers the initial CUI scoping, control-by-control gap assessment, SSP development, POA&M creation, and pre-audit services. The range depends on the size of your environment and the depth of support you need. Organizations with mature IT environments and existing documentation land toward the lower end. Those starting from scratch or with complex multi-site environments trend higher.

Technical remediation and tooling: $5,000 to $30,000+. This covers the cost of deploying or upgrading the technical solutions needed to close your gaps. Common costs include SIEM or log management platforms, EDR solutions, MFA deployment, encryption tools, and vulnerability scanning software. If you already have enterprise-grade security tooling, this cost may be minimal. If you are running a basic antivirus and consumer-grade firewall, expect to invest more significantly.

C3PAO assessment fee: $20,000 to $50,000+. This is the cost of the third-party assessment itself. Pricing varies by C3PAO and by the size and complexity of the organization being assessed. Multi-site assessments, large user populations, and complex system architectures increase the assessment cost.

Ongoing annual costs: $10,000 to $30,000. Maintaining compliance requires continuous monitoring tools, periodic control reviews, documentation updates, and annual affirmation preparation. Budget for ongoing compliance as an annual operating cost, not a one-time project cost.

The primary cost drivers are the size of your CUI environment (more systems means more controls to implement and document), the maturity of your current security posture (larger gaps mean more remediation), and whether you use managed services or implement controls with internal staff.

Timeline

A realistic timeline for CMMC Level 2 preparation breaks down as follows:

  • CUI scoping and gap analysis: 4 to 6 weeks
  • Remediation planning and prioritization: 2 to 4 weeks
  • Technical control implementation: 3 to 6 months
  • Documentation development (parallel with implementation): 3 to 6 months
  • Employee training: 2 to 4 weeks
  • Pre-audit and mock assessment: 2 to 4 weeks
  • C3PAO scheduling and assessment: 4 to 8 weeks

Total timeline: 6 to 12 months for most small to mid-size defense contractors. Organizations with an existing NIST 800-171 compliance program and mature documentation may compress this to 3 to 6 months. Those starting from scratch should plan for 9 to 12 months or longer.

Pro Tip

Do not wait until a contract requires CMMC certification to start your preparation. The 6 to 12 month timeline does not include the time to find and engage a consultant or the increasing wait times for C3PAO assessment slots. Organizations that begin preparation proactively are positioned to respond immediately when CMMC requirements appear in contract solicitations.

Consultant vs DIY: When You Need Help

Some organizations consider preparing for CMMC Level 2 internally. This can work if you have qualified security professionals on staff with specific NIST 800-171 and CMMC experience, if your environment is relatively simple with a well-defined CUI boundary, and if you have the bandwidth to dedicate significant staff time over 6 to 12 months without impacting other business operations.

For most small and mid-size defense contractors, working with a qualified CMMC consultant is the more efficient path. A consultant brings specialized assessment preparation experience, established documentation templates and methodologies, knowledge of how C3PAO assessors evaluate organizations, and the ability to identify and address issues before they become assessment findings.

The cost of a consultant is substantial, but the cost of failing an assessment — including the assessment fee, the remediation time, the reassessment fee, and the potential loss of contract eligibility — is typically far higher. If you are evaluating consultants, our guide on how to choose a CMMC compliance consultant covers the specific criteria and questions to use in your evaluation.

Frequently Asked Questions

How much does CMMC Level 2 certification cost?

Total costs for CMMC Level 2 certification typically range from $25,000 to $100,000 or more, depending on your organization's size and current security posture. This includes consulting and gap analysis ($15,000–$60,000), technical remediation and tooling ($5,000–$30,000+), and the C3PAO assessment fee ($20,000–$50,000+). Smaller organizations with relatively mature security practices land toward the lower end, while larger or less-prepared organizations trend higher.

How long does CMMC Level 2 preparation take?

Most organizations should plan for 6 to 12 months from the start of their preparation to completing their C3PAO assessment. Organizations with an existing NIST 800-171 compliance program may be ready in 3 to 6 months. Those starting from scratch or with significant gaps should plan for 9 to 12 months or longer. The timeline includes gap analysis (4–6 weeks), remediation (3–9 months), pre-audit (2–4 weeks), and C3PAO scheduling and assessment (4–8 weeks).

Do I need a third-party C3PAO assessment, or can I self-assess?

It depends on the contract. CMMC 2.0 allows self-assessment for some Level 2 contracts where the CUI involved is not considered critical to national security. However, contracts involving critical CUI require a third-party C3PAO assessment. The specific requirement will be stated in the contract solicitation. Even for self-assessment contracts, the same 110 NIST SP 800-171 controls must be fully implemented and documented.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is information created or possessed by the government, or created or possessed by a contractor on behalf of the government, that requires safeguarding controls. Common CUI categories in defense contracting include technical drawings, specifications, engineering data, test results, contract performance data, and export-controlled information. If your contract includes a DFARS 252.204-7012 clause, you almost certainly handle CUI. Your contracting officer can confirm the specific CUI categories applicable to your contract.

What happens if my organization fails the C3PAO assessment?

If your organization does not achieve a passing score on your C3PAO assessment, you will receive a report detailing the specific findings and deficiencies. You can then remediate the identified issues and schedule a reassessment. However, there is a cost — both the financial cost of a second assessment and the time cost of remediation and rescheduling. More critically, you cannot bid on or receive contracts requiring that CMMC level until you achieve certification. This is why thorough pre-audit preparation is essential.

Do I need to maintain compliance after certification?

Yes. CMMC Level 2 certification is valid for three years, after which you must be reassessed. During that three-year period, you are expected to maintain all 110 controls continuously. You must also submit an annual affirmation confirming your continued compliance. Any significant changes to your environment — new systems, network changes, acquisitions — may affect your compliance posture and should be evaluated against your SSP. Organizations that let their security practices drift between assessments often face significant remediation work before reassessment.
