CMMC Level 2 Requirements and Checklist

May 21, 2024

Any organization seeking a contract from the United States Department of Defense that requires handling certain types of sensitive information will need Level 2 Cybersecurity Maturity Model Certification. Learn more about meeting the requirements for CMMC Level 2, making an assessment checklist and implementing a continuous monitoring platform to stay compliant with this model.

Find more information on CMMC Level 1 compliance here.

What is CMMC Level 2 Compliance?

A checklist of CMMC Level 2 requirements can help you prepare.

The first version of CMMC framed Level 2 as an intermediate transition level for organizations working towards compliance with Level 3. In CMMC 2.0, Level 2 corresponds to advanced security measures for handling several types of sensitive information:

  • Controlled Unclassified Information: CUI is a general term used to describe sensitive information that the federal government creates or possesses or that organizations create or possess on behalf of the government.
  • Covered Defense Information: The DoD uses this term and the acronym CDI to refer to CUI pertaining to defense.
  • Controlled Technical Information: CTI is information with military or space applications that is not classified but is subject to controls.
  • Export-Controlled Information: ECI relates to national security, foreign policy, anti-terrorism or non-proliferation.

Organizations that access, use or store any of these types of information on non-federal systems are subject to Level 2 requirements as a condition of contract award. This level of compliance is also applicable for any contracts that include the Defense Federal Acquisition Regulation Supplement or DFARS 252.204-7012 requirement for safeguarding covered defense information and cyber incident reporting.

How Does CMMC Level 2 Compare With Other Levels?

CMMC level 2 differs from other levels.

In CMMC 1.0, Level 2 was a transitional level that did not cover access to and use of controlled information. Contracts involving CUI required Level 3 certification, which covered 130 practices and three processes and required third-party assessments. In CMMC 2.0, Level 2 covers the advanced security controls for handling CUI.

In the second version of CMMC, Level 2 has 110 requirements that align with the National Institute of Standards and Technology Special Publication 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The main distinction between Level 2 and Level 3 in CMMC 2.0 is that Level 3 adds the enhanced security requirements from NIST SP 800-172, the supplement to SP 800-171.

How Many Controls Are in CMMC Level 2?

In CMMC 1.0, Level 2 included 72 practices and two maturity processes. An assessment was not required, as this transitional level prepared organizations for Level 3. In the second version of this model, Level 2 includes 14 domains that cover all 110 requirements and 320 assessment objectives from NIST SP 800-171. If your organization is seeking Level 2 certification, you can reference SP 800-171 to learn more about the controls in this level.

Every domain includes more than one practice, but a few domains account for the majority of them. Taken together, the following four domains account for 58 practices, which is more than half of the requirements for CMMC Level 2 certification under the second version of this model:

  • Access Control: 22 practices for providing access and securing public networks and mobile devices.
  • System and Communications Protection: 16 practices for protecting boundaries, security engineering, partitioning applications and segmenting networks.
  • Identification and Authentication: 11 practices for registering and deregistering users, authentication and password management.
  • Audit and Accountability: nine practices for logging events, reporting security events and collecting evidence.

The Configuration Management and Media Protection domains also include nine practices each. The stakeholders of your organization should review all of the requirements for this level of certification. An all-in-one information security platform can be helpful for implementing controls to prepare for an assessment. It’s also helpful for promoting continuous compliance with this model.

Can You Self-Certify for CMMC Level 2?

Organizations seeking contracts for non-prioritized acquisitions that are not critical to national security can self-certify for Level 2 compliance. At this level, your organization must conduct a self-assessment every three years and submit affirmations on an annual basis. An affirmation is an attestation made by a senior official. It states that an organization will continue to comply with the requirements of an assessment.

A Level 2 organization with a contract for priority acquisitions that are critical to national security must undergo triennial third-party assessments. They should also submit annual affirmations. The type of contract that your organization is seeking and the level of CUI, CDI or other controlled information that this work will involve can determine whether a contract falls under the category of priority or non-priority acquisitions.

What Should a Checklist for CMMC Level 2 Compliance Cover?

Your CMMC Level 2 compliance checklist should cover multiple aspects.

An organization pursuing Level 2 certification can make one or more compliance checklists in preparation for a triennial internal or third-party assessment. Here are a few things to consider before, during and after a Level 2 assessment.

Before an Assessment

Senior management should decide which version of this model to use, since the version determines the CMMC Level 2 requirements for controls and assessments. Under CMMC 2.0, self-assessments are sufficient for most contracts involving non-prioritized acquisitions. Contracts for prioritized acquisitions require an accredited CMMC Third-Party Assessment Organization, or C3PAO, to conduct triennial assessments.

During an Assessment

The CMMC Level 2 assessment phase typically starts with a review of the scope, schedule and process for determining compliance. Internal stakeholders or external assessors develop a plan for examining the security posture of an organization. Then they will examine documentation, interview stakeholders, conduct a security walkthrough and test systems.

After an Assessment

A review of findings concludes an assessment, and the internal or external assessors will prepare a Security Assessment Report. At this stage, a checklist could cover any necessary remediation measures. A Level 2 assessment concludes with either a final report and certification recommendation from a C3PAO or the registration of a self-assessment along with an affirmation.

How Can Compyl Support CMMC Level 2 Compliance?

A continuous compliance platform can strengthen the security posture of your organization in preparation for CMMC Level 2 assessments. Using Compyl to monitor internal systems makes it easier to maintain the practices mandated for DoD contracts that involve handling CUI. Request a demo to find out how Compyl can help your organization meet requirements for the most relevant version and level of CMMC.
