

CMMC Level 2 Requirements: What Small Defense Contractors Actually Need

CMMC Level 2 requires the 110 security requirements of NIST SP 800-171, a System Security Plan, and a triennial assessment (self-assessment or C3PAO certification assessment, depending on the contract) with an annual affirmation in between. Here is what Hampton Roads defense contractors need to know.

By Wakeem Williams
Photo: Vanessa Garcia / Pexels

CMMC Level 2 requires implementation of all 110 security requirements in NIST SP 800-171 Rev 2, a documented System Security Plan (SSP), and an assessment every three years: either a self-assessment or a certification assessment by a Certified Third-Party Assessment Organization (C3PAO), depending on the contract. In either case a senior official must affirm continued compliance annually. Which assessment path applies turns on whether the DoD has designated the acquisition as involving prioritized or critical CUI programs.

That is the answer most contractors are actually looking for. The rest of this article is the specifics.

If your company works defense contracts in Hampton Roads — whether that is shipbuilding support, base operations, engineering services, defense manufacturing, or IT work for a federal agency — and those contracts involve Controlled Unclassified Information, you are looking at Level 2. The full CMMC overview for Hampton Roads contractors covers the three-level structure. This article goes deep on what Level 2 actually requires.

What is CMMC Level 2?

CMMC Level 2 is the middle tier of the Cybersecurity Maturity Model Certification program. It exists specifically to protect Controlled Unclassified Information — the technical data, specifications, research, and sensitive government information that moves through contractor environments but does not rise to the level of classified material.

The DoD built Level 2 around NIST SP 800-171 Rev 2, which is a well-established federal standard. If you were already working toward NIST 800-171 compliance under DFARS 252.204-7012, CMMC Level 2 is the formalized, assessed version of that work. The controls are not new. The requirement to prove them — either through self-assessment with an affirmation or through a C3PAO audit — is what CMMC added.

The legal basis for CMMC flows from 32 CFR Part 170, published as the CMMC Program rule (finalized October 2024). DFARS 252.204-7021, once included in your contract, is the clause that makes CMMC Level 2 a hard requirement rather than a best-effort standard.

For more on what CUI is and why it drives these requirements, read the CUI explainer.

What are the CMMC Level 2 requirements?

The 110 requirements in CMMC Level 2 come directly from NIST SP 800-171 Rev 2, organized across 14 control families. Here is what each family covers:

Access Control (AC) — who can get into your systems, on what terms, and with what restrictions. Covers user account management, least privilege, remote access controls, and limiting system access to authorized functions. This is often where small contractors have the most obvious gaps: shared accounts, no session timeouts, admin access handed out without review.

Awareness and Training (AT) — security awareness for all users, role-based training for people with elevated responsibilities. Not a checkbox exercise; the requirement is that people actually understand the threats relevant to their work.

Audit and Accountability (AU) — logging user activity, system events, and security-relevant actions; retaining those logs long enough to be useful in an incident investigation; protecting logs from tampering.

Configuration Management (CM) — documented baselines for your systems, controls on what software can be installed, restrictions on the use of unauthorized components. A lot of small businesses run whatever software users want on whatever hardware they have. That ends here.

Identification and Authentication (IA) — unique identifiers for all users and devices, and multi-factor authentication for local and network access to privileged accounts and for network access to all other accounts (requirement 3.5.3). Remote access over a VPN is the obvious case, but "network access" also covers logging in across the office LAN, so MFA cannot be limited to the VPN. This one is hard to misread: MFA is not optional.

Incident Response (IR) — a documented incident response plan, defined roles for handling incidents, and a process for reporting covered cyber incidents to the DoD within 72 hours under DFARS 252.204-7012. Contractors who discover a breach and handle it quietly have a separate compliance problem.

Maintenance (MA) — controls over who does maintenance on your systems and how. Nonlocal (remote) maintenance sessions over external connections must use multi-factor authentication and be terminated when the work is done, and maintenance personnel who lack the required access authorization must be supervised. Third-party vendors with admin access to systems that touch CUI fall into this family.

Media Protection (MP) — controls over portable media (USB drives, external hard drives, optical disks), including restrictions on use, sanitization before disposal, and physical protection of media containing CUI.

Personnel Security (PS) — screening individuals before they get access to systems containing CUI; rules for what happens when someone leaves the organization.

Physical Protection (PE) — access controls for the physical spaces where CUI systems live. For small businesses operating out of a shared office or home network, this one requires some honest evaluation.

Risk Assessment (RA) — periodic assessments of the risk to your organization from threats to CUI, including vulnerability scanning. You are required to know what your risk posture looks like, not just implement controls and hope.

Security Assessment (CA) — periodic assessment of your own security controls, a system security plan that reflects your actual environment, and a plan of action and milestones for anything that is not yet in place. This is the family that produces the SSP and POA&M.

System and Communications Protection (SC) — network segmentation, encryption of CUI in transit using FIPS-validated cryptography, and architectural controls that limit what can flow between systems and to external parties. Flat networks where every device can talk to every other device are a scoping problem as much as a control problem: if nothing separates the CUI systems from the rest, every device on the network is in scope and has to meet all 110 requirements.

System and Information Integrity (SI) — malware protection, patching and update management, security alerts and monitoring, protection against malicious code. Antivirus alone is not the standard; the requirement is active protection with current signatures, prompt patching, and monitoring for anomalous activity.

How many controls are in CMMC Level 2?

110, all of them from NIST SP 800-171 Rev 2.

This is worth being specific about because CMMC Level 1 has 15 requirements, the basic safeguarding requirements of FAR 52.204-21, which most small businesses can implement without a major program. Level 2 is 110. That is not just more controls; it is a qualitatively different undertaking that requires documented processes, active monitoring, and evidence of implementation.

The requirements are not all equally difficult. Some are configuration settings you can implement in an afternoon. Others — like building a comprehensive incident response capability, implementing network segmentation, or establishing a formal risk assessment process — require time, expertise, and often infrastructure investment.

No honest advisor will tell you 110 requirements are quick or cheap. What they can tell you is that the path is well-documented and that many small contractors successfully complete it with the right support.

Does CMMC Level 2 require a third-party C3PAO assessment or self-assessment?

It depends on the contract, and this is one of the most commonly misunderstood aspects of the CMMC program.

Self-assessment applies to contracts where the CUI is not designated as part of a prioritized or critical acquisition program. The contractor assesses its environment against all 110 requirements, records the result in the Supplier Performance Risk System (SPRS), has a senior official affirm it, and repeats the assessment every three years with an affirmation every year in between. This is still a real assessment with real consequences (a false affirmation is potential False Claims Act exposure), but it does not require a third party to come in and verify your controls. Note that the DoD Assessment Methodology score required by DFARS 252.204-7019 and 252.204-7020 is a separate SPRS entry and is still required alongside the CMMC result.

C3PAO third-party assessment applies when the DoD has designated the acquisition as involving prioritized CUI. A Certified Third-Party Assessment Organization, accredited through the Cyber AB, conducts a certification assessment every three years, and the contractor affirms annually in between. The C3PAO uploads the result to the DoD's CMMC Enterprise Mission Assurance Support Service (eMASS), which records the certification status (Final, or Conditional while a permitted POA&M is open) and passes it to SPRS.

Your contracting officer or prime contractor should be able to tell you which path applies to your specific contracts. If they cannot or will not, that ambiguity is itself worth resolving before you invest in a compliance program built on the wrong assumption.

One practical note: even for contracts that currently allow self-assessment, building your program to C3PAO standards is worth considering. The DoD has signaled that more contracts will require third-party assessment over time, and a program that can withstand external scrutiny gives you more competitive flexibility.

What’s the difference between CMMC Level 1 and Level 2?

The short version: Level 1 covers basic cyber hygiene for companies handling Federal Contract Information (FCI). Level 2 covers the full NIST SP 800-171 security posture for companies handling CUI.

The substantive differences:

                    Level 1                   Level 2
Applies to          FCI                       CUI
Requirements        15 (FAR 52.204-21)        110 (NIST SP 800-171 Rev 2)
Assessment          Annual self-assessment    Triennial self-assessment OR triennial C3PAO assessment
Affirmation         Annual                    Annual
SSP required        No                        Yes
POA&M allowed       No                        Yes, for limited items
SPRS submission     Yes                       Yes

The SSP requirement at Level 2 is significant. A System Security Plan is a formal document that describes your system boundary, the CUI in scope, the people and roles involved, and how each of the 110 requirements is addressed. Writing an honest SSP is how most organizations discover that their actual controls do not match what they thought they had.

The POA&M (Plan of Action and Milestones) allows a contractor to document open findings with a remediation plan and still receive a Conditional Level 2 status. The CMMC Program rule limits this: the assessment score must be at least 88 of 110, the higher-weighted requirements cannot be left open (with a narrow exception for 3.13.11 when encryption is in place but not FIPS-validated), and every POA&M item must be closed and verified within 180 days or the conditional status lapses. Within those limits, a POA&M is not a disqualifier; it is evidence of a mature process for tracking and closing gaps.

How long does CMMC Level 2 take and what does it cost?

Timeline and cost vary more than almost any vendor will admit upfront. The honest range:

Timeline: 6 to 12 months for organizations with reasonably mature IT practices, existing documentation, and no major infrastructure gaps. 12 to 24 months for organizations starting from scratch — no SSP, significant control gaps, aging hardware, no monitoring in place.

The phases that consume the most time are usually gap assessment (finding out where you actually are), SSP development (documenting it), and remediation (fixing the gaps). Organizations often underestimate the remediation phase, especially when it involves network changes, identity infrastructure, or replacing end-of-life systems.

Cost: Highly variable based on your size, starting point, and whether you pursue self-assessment or C3PAO assessment. Expect to spend on gap assessment, SSP writing, tools (logging, endpoint protection, MFA, patching), remediation labor, and — if required — C3PAO assessment fees. Third-party assessments alone can run from $30,000 into six figures depending on the size and complexity of your environment.

What tends to be underestimated: the ongoing operational cost. CMMC Level 2 is not a one-time project. It requires annual re-affirmation, continuous monitoring, and a security program that holds up over time. That is a different operating model than most small contractors have run before.

How do you prepare for CMMC Level 2?

Start with an honest assessment of where you are. Not where you think you are — where you actually are.

That means a formal gap assessment against NIST SP 800-171 that produces a score under the DoD Assessment Methodology, the same score DFARS 252.204-7019 requires you to post in SPRS. (The score is not a grade you shoot for; it is a diagnostic. A score of -203, the theoretical minimum, means every control is missing. A score of 110 means every control is fully implemented. Most organizations fall somewhere in between.) Read the cybersecurity fundamentals guide for the baseline controls that should already be in place before you start a formal CMMC program.

From the gap assessment, you build the SSP. The SSP is not just a compliance document — it forces you to define your system boundary with precision. What systems process CUI? Which personnel access those systems? What does your network look like? Where does CUI enter, live, and exit your environment? Answering those questions honestly is harder than it sounds.

Then you remediate. Prioritize using the DoD Assessment Methodology, which weights each requirement at 1, 3, or 5 points according to how much its absence exposes CUI. Five-point gaps should be addressed before lower-weight ones, and not only for the score: the CMMC Program rule does not let the higher-weighted requirements sit on a POA&M at assessment time. If you have a finite budget and timeline, knowing which controls move the needle most is the kind of guidance worth getting from someone who has done this before.
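The scoring and weighting described above, worked through as an added example rather than code from the article or from Helix Stax: a Python script that computes the DoD Assessment Methodology score for a constructed gap-assessment result and orders the open requirements by the points each one recovers. The requirement ids are NIST SP 800-171 Rev 2 numbers; the weight table is a small subset of the 110, and its values and the partial-credit rules for 3.5.3 and 3.13.11 are as recalled from the methodology's Annex A and should be confirmed against the published table before being used for a real submission. The status sheet is made up.

```python
"""Added example (not from the article): compute a NIST SP 800-171 DoD
Assessment Methodology score, as posted to SPRS, and order gaps by weight.

Assumptions: the WEIGHTS table is a constructed subset of the 110
requirements with values recalled from Annex A of the methodology (confirm
against the published table); requirements absent from the status dict are
treated as implemented.
"""
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110             # every requirement implemented
SSP_REQUIREMENT = "3.12.4"  # no SSP: the methodology produces no score at all

# id -> (short name, points deducted when not implemented,
#        reduced deduction when partially implemented, or None)
# Only 3.5.3 (MFA) and 3.13.11 (FIPS crypto) get partial credit; partial
# implementation of anything else is scored as not implemented.
# 3.12.4 is not scored (0); its absence blocks the assessment instead.
WEIGHTS: Dict[str, Tuple[str, int, Optional[int]]] = {
    "3.1.1":   ("Limit system access to authorized users", 5, None),
    "3.1.2":   ("Limit access to authorized transactions/functions", 5, None),
    "3.1.3":   ("Control the flow of CUI", 1, None),
    "3.1.5":   ("Least privilege", 3, None),
    "3.3.1":   ("Create and retain audit logs", 5, None),
    "3.5.3":   ("Multifactor authentication", 5, 3),
    "3.8.3":   ("Sanitize media before disposal or reuse", 5, None),
    "3.12.4":  ("System security plan", 0, None),
    "3.13.11": ("FIPS-validated cryptography for CUI", 5, 3),
    "3.14.1":  ("Identify and correct flaws in a timely manner", 5, None),
    "3.14.2":  ("Protection from malicious code", 5, None),
}

Status = str  # "implemented" | "partial" | "not_implemented"


def deduction(req_id: str, status: Status) -> int:
    """Points deducted for one requirement given its implementation status."""
    if status == "implemented":
        return 0
    _name, full, partial = WEIGHTS[req_id]
    if status == "partial" and partial is not None:
        return partial
    if status in ("partial", "not_implemented"):
        return full
    raise ValueError(f"unknown status {status!r} for {req_id}")


def ssp_missing(statuses: Dict[str, Status]) -> bool:
    return statuses.get(SSP_REQUIREMENT, "implemented") != "implemented"


def sprs_score(statuses: Dict[str, Status]) -> Optional[int]:
    """Methodology score, or None when there is no SSP (nothing to assess)."""
    if ssp_missing(statuses):
        return None
    return MAX_SCORE - sum(deduction(r, s) for r, s in statuses.items())


def prioritize_gaps(statuses: Dict[str, Status]) -> List[Tuple[str, int, str]]:
    """Open requirements ordered by points recovered when closed, largest
    first, ties broken by id. A missing SSP goes to the top regardless of
    points because no assessment can happen without it."""
    gaps = [(r, deduction(r, s), WEIGHTS[r][0]) for r, s in statuses.items()
            if deduction(r, s) > 0]
    gaps.sort(key=lambda g: (-g[1], g[0]))
    if ssp_missing(statuses):
        gaps.insert(0, (SSP_REQUIREMENT, 0,
                        WEIGHTS[SSP_REQUIREMENT][0] + " (blocks assessment)"))
    return gaps


# Constructed status sheet for a hypothetical small contractor after a gap
# assessment; everything not listed is assumed implemented.
EXAMPLE_STATUSES: Dict[str, Status] = {
    "3.5.3":   "partial",          # MFA on VPN and admins only: 3-point deduction
    "3.13.11": "partial",          # TLS everywhere, but not FIPS-validated modules
    "3.3.1":   "not_implemented",  # no central logging
    "3.1.5":   "not_implemented",  # every user is a local admin
    "3.1.3":   "partial",          # partial on a 1-point item still costs the point
}

if __name__ == "__main__":
    print("score:", sprs_score(EXAMPLE_STATUSES))  # 110 - (3+3+5+3+1) = 95
    for req_id, points, name in prioritize_gaps(EXAMPLE_STATUSES):
        print(f"{req_id:8} -{points}  {name}")
    print("no SSP:", sprs_score({**EXAMPLE_STATUSES, "3.12.4": "not_implemented"}))
```

The two edge cases worth noticing are the ones assessors apply literally: a "partial" on any requirement other than 3.5.3 and 3.13.11 is scored as a full miss, and a missing SSP is not a low score but no score, which is why it sorts ahead of every five-point gap.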

If your contract path leads to a C3PAO assessment, the C3PAO will evaluate your SSP, interview your people, and test your controls. Preparation for that process looks a lot like preparation for an audit: your documentation should match your actual practice, your people should be able to speak to their roles in the security program, and your evidence should be organized and accessible.

The work is real. But for Hampton Roads contractors competing for DoD work, the alternative — remaining out of compliance as CMMC clauses appear in contracts — is a competitive disadvantage that only grows over time.

Helix Stax works with small Hampton Roads defense contractors on cybersecurity compliance — NIST 800-171 gap assessments, SSP development, and practical CMMC readiness planning. If you are not sure where to start, the free Helix Score gives you a directional read in about three minutes. If you want a full gap picture before committing to a compliance program, book the free 60-minute assessment — you walk out with a clearer view of where you stand before any prime asks for proof.

No pressure. Just a starting point — before your prime asks for proof or the contract clause becomes a deadline.