Compliance · Intermediate · 40 min read

CMMC 2.0 Level 2 Readiness

110 practices with evidence collection templates, CUI handling procedures, and contractor-specific implementation guides.

SBK Security Team
Defense Practice
Updated December 2024

Introduction

CMMC 2.0 is the Department of Defense's framework for ensuring contractors adequately protect Controlled Unclassified Information (CUI).

Detail Level

Level 2 certification will be required for most defense contractors handling CUI. This guide walks through all 110 practices and provides practical implementation guidance.

CMMC 2.0 Structure

CMMC 2.0 simplified the model to three levels, each with clear requirements and assessment mechanisms.

Assessment Requirements

Level 2 has two assessment tracks: a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), which most contracts involving CUI will require, and a self-assessment permitted only where the contract specifies it. Either result is valid for three years and must be backed by an annual affirmation from a senior company official.

Level 1: Foundational

17 basic safeguarding practices (the FAR 52.204-21 requirements) for protecting Federal Contract Information. Annual self-assessment with affirmation. Applies to contracts that involve FCI but no CUI.

Level 2: Advanced

110 practices aligned with NIST SP 800-171. Third-party assessment required. Required for CUI handling.

Level 3: Expert

The 110 Level 2 practices plus a subset of the NIST SP 800-172 enhanced requirements. Assessed by the government (DCMA DIBCAC) rather than a C3PAO. Required only for the highest-priority programs.

Scoping Your CUI Environment

Proper scoping dramatically reduces compliance burden. Smaller scope means fewer systems to protect and assess.

1

Identify CUI Sources

Review contracts for DFARS 252.204-7012 and for CUI markings on government-furnished or delivered data. Not all government data is CUI: only information that falls into a category in the NARA CUI Registry qualifies. Markings are the usual signal, but an unmarked deliverable can still be CUI, so confirm ambiguous cases with the contracting officer rather than relying on markings alone.

2

Map Data Flows

Document where CUI enters, is processed, is stored, and exits your organization. Include all systems, applications, and storage locations.

3

Define Boundaries

Create clear boundaries around CUI-handling systems. Consider enclave strategies to minimize scope by isolating CUI into dedicated environments.

4

Document Scope

Create a formal scope document for assessor review. Include network diagrams, data flow diagrams, and asset inventories.

Practice Families Overview

The 110 Level 2 practices are organized into 14 families aligned with NIST SP 800-171. Each family addresses a specific security domain.

💡

Implementation Tip

Don't tackle all 14 families simultaneously. Start with Access Control, Identification & Authentication, and Media Protection—these impact scope and enable other controls.

AC: Access Control (22)
AT: Awareness & Training (3)
AU: Audit & Accountability (9)
CM: Configuration Management (9)
IA: Identification & Authentication (11)
IR: Incident Response (3)
MA: Maintenance (6)
MP: Media Protection (9)
PE: Physical Protection (6)
PS: Personnel Security (2)
RA: Risk Assessment (3)
CA: Security Assessment (4)
SC: System & Communications Protection (16)
SI: System & Information Integrity (7)

Critical Practices

These practices frequently cause assessment failures. Pay special attention to implementation and evidence.

System Security Plan

The System Security Plan is your primary compliance artifact. It documents how you implement each of the 110 practices.

1

Use DoD Template

Start from the NIST SP 800-171 System Security Plan template and organize each practice write-up around the NIST SP 800-171A assessment objectives, because those objectives are what the CMMC Level 2 Assessment Guide scores against. Assessors expect that familiar structure.

2

Be Specific

Describe exactly how you implement each practice in your environment. Generic statements like "we use MFA" are insufficient—specify what systems, which users, and what methods.

3

Link to Evidence

Reference specific evidence artifacts for each practice. This makes assessment walkthroughs efficient and demonstrates thoroughness.

4

Track POA&Ms

Document a Plan of Action & Milestones for any practice that is not fully implemented. Under the final CMMC rule a Level 2 assessment can close with a conditional status only if the score is at least 88 of 110, no open POA&M item carries a point value above 1 in the DoD Assessment Methodology (with one narrow exception for CUI encryption), and every item is closed within 180 days. Anything outside those limits is a failed assessment, not partial credit.
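As an added example, not code from this guide or from DoD, the following Python script checks an SSP manifest the way an assessor would before a walkthrough: every implemented practice must link to evidence that actually exists on disk, every POA&M item must carry a milestone within 180 days and be worth no more than 1 point, and every one of the 14 families must be fully documented before the score means anything. The manifest schema, the practice entries, the evidence file names and the point values are constructed sample input; real point values come from the DoD Assessment Methodology and practice identifiers from the CMMC Level 2 Assessment Guide.

```python
"""SSP evidence-coverage and POA&M eligibility check for CMMC Level 2.

Added example, not the guide's own tooling. The manifest format, entries,
file names and point values below are constructed sample input.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from datetime import date, timedelta

# Level 2 practice counts per family (NIST SP 800-171 Rev 2), 110 in total.
FAMILY_COUNTS = {
    "AC": 22, "AT": 3, "AU": 9, "CM": 9, "IA": 11, "IR": 3, "MA": 6,
    "MP": 9, "PE": 6, "PS": 2, "RA": 3, "CA": 4, "SC": 16, "SI": 7,
}
TOTAL_PRACTICES = sum(FAMILY_COUNTS.values())
MIN_CONDITIONAL_SCORE = 88   # 80 % of 110: floor for conditional status with a POA&M
POAM_CLOSEOUT_DAYS = 180     # open POA&M items must close within 180 days


@dataclass
class Practice:
    pid: str                                    # CMMC identifier, e.g. "AC.L2-3.1.1"
    status: str                                 # "implemented", "poam" or "not_met"
    points: int                                 # 1, 3 or 5 per the DoD Assessment Methodology
    evidence: list[str] = field(default_factory=list)  # paths relative to the evidence root
    poam_due: date | None = None                # milestone date for POA&M items


def check_manifest(practices, evidence_root, assessed_on=None, exists=os.path.isfile):
    """Return score, conditional-status eligibility and the findings an assessor would raise."""
    assessed_on = assessed_on or date.today()
    closeout = assessed_on + timedelta(days=POAM_CLOSEOUT_DAYS)
    findings, seen, blocked, score = [], set(), False, TOTAL_PRACTICES

    for p in practices:
        if p.pid in seen:
            findings.append(f"{p.pid}: duplicate entry")
            continue
        seen.add(p.pid)
        if p.status == "implemented":
            # A control you cannot evidence does not exist for assessment purposes.
            if not p.evidence:
                findings.append(f"{p.pid}: implemented but no evidence linked")
                blocked = True
            for rel in p.evidence:
                if not exists(os.path.join(evidence_root, rel)):
                    findings.append(f"{p.pid}: evidence file missing: {rel}")
                    blocked = True
        elif p.status == "poam":
            score -= p.points
            # Items worth more than 1 point may not sit on a POA&M (the rule's narrow
            # CUI-encryption exception is ignored here).
            if p.points > 1:
                findings.append(f"{p.pid}: {p.points}-point item cannot be placed on a POA&M")
                blocked = True
            if p.poam_due is None:
                findings.append(f"{p.pid}: POA&M item has no milestone date")
                blocked = True
            elif p.poam_due > closeout:
                findings.append(f"{p.pid}: POA&M due {p.poam_due} is after the closeout date {closeout}")
                blocked = True
        elif p.status == "not_met":
            score -= p.points
            findings.append(f"{p.pid}: not met and not on a POA&M")
            blocked = True
        else:
            findings.append(f"{p.pid}: unknown status {p.status!r}")
            blocked = True

    # Coverage: the SSP must account for every one of the 110 practices.
    counted = {fam: 0 for fam in FAMILY_COUNTS}
    for pid in seen:
        fam = pid.split(".", 1)[0]
        if fam in counted:
            counted[fam] += 1
        else:
            findings.append(f"{pid}: unknown family {fam!r}")
            blocked = True
    missing = {f: FAMILY_COUNTS[f] - n for f, n in counted.items() if n < FAMILY_COUNTS[f]}
    return {
        "score": score,
        "findings": findings,
        "missing_by_family": missing,
        "conditional_eligible": not blocked and not missing and score >= MIN_CONDITIONAL_SCORE,
    }


def run_sample():
    """Constructed manifest with one deliberate defect of each kind."""
    root = tempfile.mkdtemp(prefix="cmmc-evidence-")
    os.makedirs(os.path.join(root, "ac"))
    with open(os.path.join(root, "ac", "3.1.1-ad-group-export.csv"), "w") as fh:
        fh.write("group,member\nCUI-Engineering,jdoe\n")   # constructed evidence artifact
    manifest = [
        Practice("AC.L2-3.1.1", "implemented", 5, ["ac/3.1.1-ad-group-export.csv"]),
        Practice("AC.L2-3.1.2", "implemented", 5, ["ac/3.1.2-rbac-matrix.xlsx"]),  # never collected
        Practice("IA.L2-3.5.3", "poam", 5, poam_due=date(2025, 4, 15)),             # MFA cannot be deferred
        Practice("AC.L2-3.1.22", "poam", 1, poam_due=date(2026, 2, 1)),             # milestone too far out
        Practice("AU.L2-3.3.1", "implemented", 5),                                  # nothing linked
    ]
    return check_manifest(manifest, root, assessed_on=date(2025, 1, 15))


if __name__ == "__main__":
    result = run_sample()
    print(f"score {result['score']}/{TOTAL_PRACTICES}; conditional eligible: {result['conditional_eligible']}")
    for finding in result["findings"]:
        print(" -", finding)
    print("undocumented practices per family:", result["missing_by_family"])
```

The `exists` parameter lets the same check run against a real evidence share or, in a unit test, against a stub; swap `os.path.isfile` for a function that queries your GRC tool's artifact store if evidence lives there rather than on disk.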

Assessment Preparation

Prepare thoroughly before engaging a C3PAO. Assessment readiness directly impacts assessment duration and success.

⚠️

Common Failure Point

Many organizations fail their first assessment due to inadequate evidence, not inadequate controls. If you can't prove a control exists, it doesn't exist for assessment purposes.

Next Steps

CMMC compliance requires sustained effort. Start your journey now to be ready when requirements take effect.

1

Gap Assessment

Evaluate your current state against all 110 practices. Use our gap assessment template to identify remediation priorities.

2

Scope Definition

Define your CUI boundary. Consider enclave strategies to minimize scope and reduce compliance burden.

3

SSP Development

Begin documenting your System Security Plan. This is a living document that evolves as you implement controls.

Get Expert Help

Defense compliance has unique requirements. Our team has helped contractors from startups to primes achieve CMMC certification. Schedule a consultation to discuss your assessment timeline.
Tags: cmmc, dod, cui, nist-800-171, defense