
CMMC Level 2 Requirements, Explained Clearly

If you sell into the defense supply chain, you have probably already felt the pressure shift from “we should tighten security” to “we need proof.” CMMC Level 2 is where that pressure becomes measurable. It is not a checklist you skim the week before an audit. It is a set of security practices you operate every day, with evidence to back it up.


This article explains the CMMC Level 2 requirements in plain language for small and mid-sized organizations that need to protect Controlled Unclassified Information (CUI) and keep contract eligibility intact.

What CMMC Level 2 actually requires


CMMC Level 2 aligns to [NIST SP 800-171](https://www.marioncs.com/post/essential-steps-to-start-nist-800-171-compliance) Rev. 2 and is designed to ensure you can protect CUI in non-federal systems. In practical terms, Level 2 expects you to implement and sustain 110 security requirements across 14 control families.


Two realities matter for planning:


First, CMMC Level 2 is about operational discipline, not just tooling. A stack of security products will not pass an assessment if your processes are inconsistent or undocumented.


Second, “implemented” is not the same as “installed.” Assessors look for repeatable behavior: policies, configurations, tickets, logs, training records, access reviews, and proof that issues get found and fixed.

Self-assessment vs. third-party assessment (it depends)


Not every contract will require the same path. Some Level 2 environments are expected to be assessed by a Certified Third-Party Assessment Organization (C3PAO), while other scenarios may allow annual self-assessment with senior official affirmation. Which one applies depends on contract requirements and how CUI is handled.


Even when self-assessment is permitted, the standard of evidence does not get easier. The fastest way to fail a self-assessment is to treat it as “attestation only” without building an audit-ready trail.

The 14 control families, translated into operational terms


Below is how the 14 families show up in day-to-day IT and security operations. You do not need to memorize the family names to succeed, but you do need to run the behaviors consistently.

Access Control


You must control who can access CUI, systems, and services, and ensure access is limited to what people need. That usually means unique accounts, least privilege, strong authentication, session timeouts, and tight control of remote access.


Assessors commonly look for evidence like access reviews, group memberships, MFA enforcement, and proof that terminated users are removed quickly.

Awareness and Training


People are part of the control set. Level 2 expects security awareness training and role-based training where applicable. The goal is not a once-a-year video - it is a workforce that understands phishing, data handling, and escalation paths.


Training rosters, completion records, and policies that define frequency and scope tend to matter as much as the training content itself.

Audit and Accountability


You need logs that answer who did what, when, and where, and you need to protect those logs from tampering. This includes enabling audit logging on key systems, centralizing logs where appropriate, reviewing them, and retaining them.


A common trade-off is balancing log volume and cost versus visibility. For CUI environments, you do not want “everything logged forever,” but you do need enough coverage and retention to investigate incidents and demonstrate oversight.

Configuration Management


This is where many small organizations struggle because it demands consistency. You must establish baselines, control changes, and reduce configuration drift across endpoints, servers, and network devices.


Assessors may ask how you approve changes, how you track them, and how you ensure secure configurations are maintained after updates, new deployments, or emergency fixes.

Identification and Authentication


This family focuses on verifying identity before granting access. Expect requirements around unique IDs, password policies, MFA for remote access, and controls around credential management.


One practical point: shared accounts are hard to defend in a CMMC Level 2 assessment. If you have them for legacy reasons, you will need a deliberate plan to eliminate or tightly control them.

Incident Response


You need a plan, and you need to prove you can execute it. Incident response under Level 2 typically includes documented procedures, defined roles, reporting, testing or tabletop exercises, and after-action improvements.


Assessors often ask for incident tickets, timelines, communications templates, and evidence that lessons learned turn into configuration changes or new safeguards.

Maintenance


Maintenance controls cover how systems are serviced - especially remotely - and how you prevent maintenance activity from becoming an access backdoor. That includes approvals, monitoring, and limiting tools and accounts used for maintenance.

Media Protection


CUI cannot leak through removable media, mishandled drives, or untracked storage. Requirements generally involve controlling USB and removable media use, sanitization, labeling, and secure disposal.


If your CUI environment includes laptops, this tends to intersect with encryption, device control policies, and documented handling procedures.

Personnel Security


You must screen and manage personnel with access to systems and CUI, and ensure access is removed when roles change. This is where HR and IT need a reliable offboarding workflow.


Evidence often includes background check policy, onboarding approvals, and offboarding records tied to account disablement.
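A reconciliation check of the kind that produces this offboarding evidence (HR terminations tied to account disablement), written here as an added example and not code from the article or from Computer Solutions. The HR records and directory export are constructed sample data, and the one-day disablement window is a hypothetical policy value.

```python
from datetime import date

# Constructed sample HR offboarding records: username -> termination date.
HR_TERMINATIONS = {
    "jsmith": date(2025, 3, 3),
    "aroberts": date(2025, 3, 10),
    "dlee": date(2025, 3, 14),
    "pgarcia": date(2025, 2, 28),
}

# Constructed sample directory export: username -> enabled flag and the date
# the account was disabled (None while it is still enabled).
DIRECTORY_ACCOUNTS = {
    "jsmith": {"enabled": False, "disabled_on": date(2025, 3, 3)},
    "aroberts": {"enabled": True, "disabled_on": None},
    "dlee": {"enabled": False, "disabled_on": date(2025, 3, 20)},
    "mchen": {"enabled": True, "disabled_on": None},
}

# Hypothetical policy value: terminated users must be disabled within one day.
MAX_DAYS_TO_DISABLE = 1
# Date the report is run for (fixed so the sample output is reproducible).
REPORT_DATE = date(2025, 3, 21)


def reconcile(terminations, accounts, max_days=MAX_DAYS_TO_DISABLE, today=None):
    """Return one (user, status, lag_days) tuple per HR termination record.

    status is 'ok' (disabled within policy), 'late' (disabled outside the
    window), 'still_enabled' (active after termination) or
    'absent_from_export' (no directory record; separate deletion evidence needed).
    """
    today = today or date.today()
    findings = []
    for user, term_date in sorted(terminations.items()):
        acct = accounts.get(user)
        if acct is None:
            findings.append((user, "absent_from_export", None))
        elif acct["enabled"]:
            findings.append((user, "still_enabled", (today - term_date).days))
        else:
            lag = (acct["disabled_on"] - term_date).days
            findings.append((user, "ok" if lag <= max_days else "late", lag))
    return findings


def open_items(findings):
    """Findings an assessor would want explained: anything that is not 'ok'."""
    return [f for f in findings if f[1] != "ok"]


if __name__ == "__main__":
    for user, status, lag in reconcile(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, today=REPORT_DATE):
        print(f"{user:10} {status:20} {'' if lag is None else lag}")
```

Run against your real HR and directory exports on a schedule, the full output is the access-removal record, and the open items are the list you should be able to explain with tickets.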

Physical Protection


Level 2 includes physical access controls for facilities and equipment. Depending on your footprint, this can include locks, access badges, visitor logs, and escort procedures.

The nuance here is scope. If only certain rooms contain CUI systems, your controls can be designed accordingly - but you need to be clear and consistent.

Risk Assessment


You are expected to assess risk and vulnerabilities and respond appropriately. Vulnerability scanning, patch status reporting, and risk registers often fall here.

Many organizations do scans but fail to show prioritization and closure. CMMC cares about the full loop: find issues, rank them, fix them, verify remediation.

Security Assessment


This family is about measuring your own controls. You need periodic assessments and plans of action where gaps exist. The Plan of Action and Milestones (POA&M) concept often enters the conversation here, but it is not a free pass. You cannot rely on POA&Ms to excuse missing core protections.

System and Communications Protection


This covers boundary protection, segmentation where appropriate, secure protocols, encryption, and controlling data flows. For many SMBs, this is where network design decisions start to matter more.


If your CUI is mixed into a flat network with broad access, you may face a bigger lift. Separating CUI systems or using a controlled enclave can reduce scope, but it must be managed carefully so you do not create shadow IT or new administration gaps.

System and Information Integrity


This is your prevention and detection layer: patching, malware protection, alerting, and timely remediation. It also includes identifying security flaws and applying updates.

Assessors tend to look for proof of patch cadence, endpoint protection coverage, alert handling, and records showing that critical vulnerabilities are addressed within defined timeframes.

What assessors usually mean by “evidence”


A Level 2 assessment is not won by saying “we do that.” You need to demonstrate it. Evidence typically comes in three forms: written policy and procedure, system configurations and screenshots or exports, and operational records like tickets and reports.

If you want a practical test, pick any requirement and ask, “Could we show this happened last month?” If the answer is unclear, you are not assessment-ready yet.

Common evidence gaps that slow teams down


Organizations often have good intentions but weak proof. The most frequent gaps include inconsistent offboarding, patching that happens but is not reported cleanly, missing access reviews, incomplete asset inventories, and log retention that is either nonexistent or unmanaged.


None of these are exotic security problems. They are operational consistency problems, and they are fixable once ownership is clear.

Preparing for CMMC Level 2 without disrupting operations


You can meet Level 2 and still keep the help desk from being overwhelmed, but you need to treat readiness as a program. Most teams get better results when they focus on scope, visibility, and repeatability.


Start by defining the boundary of where CUI lives, moves, and is processed. If you cannot draw that boundary, you cannot control it. Next, establish an asset inventory you trust - endpoints, servers, cloud services, and network equipment - and tie ownership to each category.


From there, prioritize controls that reduce risk quickly and generate clean evidence. Identity, patching, logging, and incident response are often high-leverage because they improve security while also creating documentation trails.


Finally, decide how you will sustain the controls. Level 2 is not a “project that ends.” If your internal team is small, a managed services model can help maintain continuous monitoring, patch compliance, and rapid response while you keep ownership of policy decisions and business workflows.


If you want outside support that blends operations and compliance, Computer Solutions (marioncs.com) typically starts with a score-based CyberScore assessment and a practical remediation plan that ties directly to NIST 800-171 and CMMC expectations.

The biggest mindset shift: CMMC is a performance standard


CMMC Level 2 rewards organizations that can show steady, accountable execution. That means you are not just buying security controls - you are building a system where controls are monitored, exceptions are handled, and leadership can see progress.


If you take one step this week, make it this: pick the part of your environment that touches CUI and begin collecting evidence like you already have an assessor scheduled. The discipline you build there tends to spread - and that is what Level 2 is really measuring.



© 2026 Computer Solutions. All rights reserved.
