The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for ensuring that contractors protect Controlled Unclassified Information (CUI). If your organization handles CUI as part of a DoD contract, CMMC Level 2 certification is on your horizon.
CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2. If you have been working toward NIST 800-171 compliance, you are already on the right path. Here is what you need to know to prepare.
Who needs CMMC Level 2
CMMC Level 2 applies to any organization that processes, stores, or transmits CUI on behalf of the Department of Defense. This includes prime contractors, subcontractors, and any organization in the defense supply chain that handles CUI. If your contract includes DFARS clause 252.204-7012, you are likely in scope.
Some contracts will require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). Others will allow self-assessment. The determination depends on the sensitivity of the CUI and the specific contract requirements.
Understanding the NIST 800-171 mapping
CMMC Level 2 is essentially NIST 800-171 Rev 2 with a formal assessment mechanism. The 110 requirements are organized into 14 control families.
- Access Control (AC). 22 requirements covering user access, session management, and least privilege.
- Audit and Accountability (AU). 9 requirements for logging, monitoring, and audit trail protection.
- Awareness and Training (AT). 3 requirements for security awareness and role-based training.
- Configuration Management (CM). 9 requirements for system baselines, change control, and least functionality.
- Identification and Authentication (IA). 11 requirements for multi-factor authentication, password policies, and identity management.
- Incident Response (IR). 3 requirements for incident handling, reporting, and testing.
- Maintenance (MA). 6 requirements for system maintenance controls.
- Media Protection (MP). 9 requirements for media handling, sanitization, and transport.
- Personnel Security (PS). 2 requirements for personnel screening and access management.
- Physical Protection (PE). 6 requirements for physical access controls and monitoring.
- Risk Assessment (RA). 3 requirements for vulnerability scanning and risk management.
- Security Assessment (CA). 4 requirements for internal assessments and plans of action.
- System and Communications Protection (SC). 16 requirements for encryption, boundary protection, and data handling.
- System and Information Integrity (SI). 7 requirements for flaw remediation, monitoring, and malicious code protection.
Scoping: defining your CUI boundaries
Scoping is the most critical step in CMMC preparation, and the one that organizations most often get wrong. You need to identify exactly where CUI lives in your environment: where it is stored, processed, and transmitted, and who has access to it.
The goal is to minimize the scope of your assessment. Every system, application, and network segment that touches CUI is in scope. Isolating CUI into a defined enclave reduces the number of systems you need to harden and the evidence you need to produce.
- Map CUI data flows from receipt through processing to storage and disposal.
- Identify all systems, services, and personnel that touch CUI.
- Segment your network so CUI systems are isolated from general corporate IT.
- Document your scope boundary clearly. Assessors will examine this first.
Evidence collection
CMMC assessments are evidence-based. For each of the 110 requirements, you need to demonstrate implementation through documentation, configuration screenshots, policy documents, and system artifacts.
Start collecting evidence early. Common evidence types include:
- System Security Plan (SSP) documenting how each requirement is implemented.
- Policy and procedure documents for each control family.
- Configuration screenshots showing hardened settings.
- Audit logs demonstrating monitoring and review activities.
- Training records showing security awareness completion.
- Incident response plans and test results.
- Vulnerability scan reports and remediation records.
Common gaps
After working with dozens of organizations preparing for CMMC assessments, these are the gaps that appear most frequently.
- Multi-factor authentication. MFA must be enforced for all remote access and all privileged accounts. Many organizations still have exceptions or legacy systems that do not support MFA.
- Audit log review. It is not enough to collect logs. You must regularly review them for anomalies and document that review process.
- FIPS-validated encryption. CUI must be encrypted in transit and at rest using FIPS 140-2 validated cryptographic modules. Standard TLS is not sufficient unless the implementation uses FIPS-validated libraries.
- Incident response testing. Many organizations have an incident response plan but have never tested it. Assessors will ask for evidence of tabletop exercises or simulated incidents.
- Plan of Action and Milestones (POA&M). Any requirement that is not fully implemented must be documented in a POA&M with specific milestones, responsible parties, and completion dates.
Assessment preparation tips
- Start with a gap assessment. Score yourself against all 110 requirements using the DoD assessment methodology. Be honest. An accurate baseline is more valuable than an optimistic one.
- Build your SSP early. The System Security Plan is the backbone of your assessment. Assessors use it as a roadmap. A well-written SSP accelerates the assessment process significantly.
- Organize evidence by control family. Create a folder structure that maps to the 14 control families. For each requirement, include the policy, the procedure, and the evidence of implementation.
- Conduct a mock assessment. Walk through the assessment process internally before engaging a C3PAO. Identify questions you cannot answer and evidence you cannot produce.
- Engage your C3PAO early. Build a relationship before the formal assessment. Many C3PAOs offer readiness reviews that help you identify gaps without starting the formal assessment clock.
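The gap-assessment scoring in the tips above and the POA&M completeness point in the common gaps list, as an added Python example that is not part of the original article: it scores a constructed subset of requirements with the DoD NIST SP 800-171 Assessment Methodology rule (start at 110, subtract each open requirement's 1/3/5 weight, with partial credit only for 3.5.3 MFA and 3.13.11 FIPS encryption), then flags open items whose POA&M entry is missing milestones, an owner, or a date. The weights table is an assumed sample and the `Requirement` records are constructed; take the weights for all 110 requirements from the methodology's Annex A.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Requirement weights (ASSUMED sample for a few IDs; authoritative 1/3/5 values for all 110 are in Annex A).
WEIGHTS = {"3.1.1": 5, "3.1.2": 5, "3.3.3": 1, "3.5.3": 5, "3.13.11": 5, "3.14.1": 5}
# Partial implementation earns -3 instead of -5 only for MFA and FIPS encryption.
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}

@dataclass
class Requirement:
    rid: str
    status: str                      # "implemented", "partial" or "not_implemented"
    poam_milestones: List[str] = field(default_factory=list)
    poam_owner: str = ""
    poam_due: Optional[date] = None

def score(reqs: List[Requirement]) -> int:
    """Self-assessment score: 110 minus the weight of every open requirement;
    'partial' counts as not implemented except for the two partial-credit IDs (-3)."""
    total = 110
    for r in reqs:
        if r.status == "implemented":
            continue
        w = WEIGHTS[r.rid]
        if r.status == "partial" and r.rid in PARTIAL_CREDIT:
            w = 3
        total -= w
    return total

def poam_gaps(reqs: List[Requirement]) -> List[str]:
    """IDs of open requirements whose POA&M entry lacks milestones, an owner or a completion date."""
    return [r.rid for r in reqs
            if r.status != "implemented"
            and not (r.poam_milestones and r.poam_owner and r.poam_due)]

# Constructed sample: only six requirements are tracked; the rest are assumed implemented.
SAMPLE = [
    Requirement("3.1.1", "implemented"),
    Requirement("3.1.2", "implemented"),
    Requirement("3.3.3", "not_implemented", ["Define log review cadence"], "SOC lead", date(2025, 3, 31)),
    Requirement("3.5.3", "partial", ["Extend MFA to all users"], "IT manager", date(2025, 6, 30)),
    Requirement("3.13.11", "partial"),            # encryption in place but not FIPS-validated, no POA&M yet
    Requirement("3.14.1", "not_implemented"),     # no POA&M entry at all
]

if __name__ == "__main__":
    print("score:", score(SAMPLE))            # 98
    print("POA&M gaps:", poam_gaps(SAMPLE))   # ['3.13.11', '3.14.1']
```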
Getting started
CMMC Level 2 readiness is not a weekend project. Most organizations need 6 to 18 months of preparation depending on their starting maturity level. The key is to start now, scope tightly, and build evidence collection into your daily operations rather than treating it as a separate project.
If you are handling CUI and have not yet begun your CMMC preparation, the clock is already running. The sooner you scope your environment and assess your gaps, the more time you have to remediate before assessments become contractually required.