CMMC Level 2: Requirements, controls, and certification process

Written by
Vanta
Reviewed by
Tim Blair
Sr. Manager, GTM GRC SMEs

Cybersecurity Maturity Model Certification (CMMC) is a multi-tiered framework designed to enhance the security posture of organizations within the Defense Industrial Base (DIB). It’s split into three maturity levels of increasing complexity, with Level 1 focusing on basic cybersecurity and hygiene practices and Level 3 representing the most advanced measures.

While less complex than Level 3, Level 2 is a comprehensive certification program that encompasses a wide range of security requirements. Due to the number and complexity of these requirements, achieving CMMC Level 2 certification can be challenging without proper guidance.

This guide will discuss everything you should know to prepare for obtaining a CMMC Level 2 certificate, from defining in-scope assets to meeting the requirements and overcoming implementation challenges your organization might face.

Who needs CMMC Level 2 certification?

CMMC Level 2 certification is intended for Department of Defense (DoD) contractors and their subcontractors that collect, process, and share Federal Contract Information (FCI) and, more importantly, Controlled Unclassified Information (CUI).

FCI is information generated for or provided by the Government as part of a contract to provide a service or deliver a product. This can include information not intended for public release, such as:

  • Payment information
  • Employee data
  • Technical diagrams

CUI is unclassified information whose dissemination is controlled by laws, regulations, or government-wide policies. CUI includes:

  • Personally Identifiable Information (PII)
  • Law Enforcement Sensitive (LES)
  • For Official Use Only (FOUO)

Depending on the criticality of CUI and your organization’s role in the supply chain, Level 2 CMMC certification might not be enough, and you may need Level 3.

In contrast, organizations that only handle FCI might not need to achieve Level 2 certification immediately unless they intend to pursue contracts that require it in the future. Until then, a CMMC Level 1 certificate should be sufficient.

The DoD intends to include certification requirements in future contracts and solicitations through Requests for Proposal (RFPs), making it easier to determine whether your organization needs CMMC Level 2.


CMMC Level 2 scope

Determining your scope is an essential first step toward achieving compliance. CMMC Level 2 categorizes in-scope assets into five groups:

Controlled Unclassified Information Assets: assets that store, transmit, or process CUI. Examples:
  • Communication devices
  • Laptops and workstations
  • Emails
  • Contracts

Security Protection Assets: assets that provide security functions or capabilities to the organization’s Assessment Scope. Examples:
  • Firewalls
  • Intrusion detection systems
  • Encryption tools
  • Access management programs

Contractor Risk Managed Assets: assets that can store, transmit, or process CUI but don’t, because security policies, procedures, and practices prevent it. Examples:
  • Shared workstations
  • Backup servers
  • Email servers
  • General purpose printers

Specialized Assets: assets that can store, transmit, or process CUI but cannot be fully secured. Examples:
  • Internet of Things (IoT) devices
  • Industrial Internet of Things (IIoT) devices
  • Test equipment

Out-of-Scope Assets: assets that don’t store, transmit, or process CUI and don’t provide security for CUI assets. Examples:
  • Public email systems
  • Non-secure networks
  • Public-facing websites
  • Personal devices

Accurately scoping assets for the Level 2 assessment is imperative to ensure all in-scope assets are accounted for and reduce the risk of setbacks during certification.

While scoping assets, you can use two separation techniques to help distinguish those that process, store, or transmit CUI from those that don't:

  1. Physical separation: There is no wired or wireless connection between the assets, and all data transfers must be done manually with tools such as USB drives.
  2. Logical separation: Data transfer between physically connected assets is blocked by non-physical methods, such as software or network tools.
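As an added illustration of logical separation (this is not code from the original article or from Vanta), the following nftables ruleset enforces a default-deny boundary on a Linux gateway that sits between a CUI enclave and the rest of a physically connected network. The interface names (cui0, corp0), subnets, and the permitted management host are constructed placeholders, not values from the article.

```nftables
# Added example (not from the article): logical separation of a CUI enclave
# on a Linux gateway using nftables. Interface names, subnets and the
# management host below are constructed placeholders.
#
# Assumed topology:
#   cui0  = interface facing the CUI enclave (10.10.0.0/24)
#   corp0 = interface facing the general corporate network (10.20.0.0/16)

table inet cui_enclave {
    # Hosts outside the enclave that may initiate connections into it
    # (for example a patch or log-collection server). Keeping this list
    # short and explicit is the separation control itself.
    set mgmt_hosts {
        type ipv4_addr
        elements = { 10.20.1.10 }
    }

    chain forward {
        # Default deny: any forwarded traffic not explicitly allowed is dropped.
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were explicitly permitted below.
        ct state established,related accept

        # Traffic that stays inside the enclave is not affected by this boundary.
        iifname "cui0" oifname "cui0" accept

        # Only the named management hosts may open connections into the
        # enclave, and only to SSH and syslog-over-TLS.
        iifname "corp0" oifname "cui0" ip saddr @mgmt_hosts tcp dport { 22, 6514 } ct state new accept

        # Enclave hosts may initiate nothing towards the corporate network,
        # so CUI cannot leave through this path. Log the attempt so it lands
        # in the audit trail instead of being silently discarded.
        iifname "cui0" oifname "corp0" log prefix "cui-enclave-egress-denied " counter drop

        # Everything else that reaches the boundary is logged and dropped.
        log prefix "cui-enclave-denied " counter drop
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`. Because the table is of family inet and the allow rule matches only `ip saddr`, IPv6 traffic from the corporate side never matches an accept rule and falls through to the logged default drop. The two `log` statements give you the evidence an assessor will look for under Audit and Accountability: a record of blocked transfers across the boundary, not just a rule that claims to block them. Physically separated assets need none of this; the ruleset only matters where the enclave and the rest of the network share a wire.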


CMMC Level 2 controls

CMMC Level 2 encompasses 110 practices across all 14 CMMC control areas based on NIST SP 800-171 R2. These areas are:

  1. Access Control (AC)
  2. Awareness and Training (AT)
  3. Audit & Accountability (AU)
  4. Configuration Management (CM)
  5. Identification and Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Assessment (RA)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)

Some of the specific requirements within these control areas include:

Access Control:
  • Limiting system access
  • Controlling the flow of CUI
  • Employing the principle of least privilege

Audit and Accountability:
  • Creating system audit logs and records
  • Ensuring that the actions of unique users can be traced back to them
  • Alerting in the event of an audit logging failure

Incident Response:
  • Creating an incident response plan
  • Tracking and reporting incidents to relevant authorities
  • Testing the incident response plan regularly

Media Protection:
  • Protecting physical and digital system media that contain CUI
  • Destroying or sanitizing media containing CUI before disposal or reuse
  • Marking media with CUI markings and distribution limitations

Risk Assessment:
  • Performing periodic risk assessments for all assets
  • Scanning for vulnerabilities at set intervals and when new ones are identified
  • Remediating vulnerabilities according to assessment results

Although the high number and diversity of requirements enable a strong security posture for organizations, implementing them fully is also the main challenge of CMMC Level 2 compliance.


CMMC Level 2 requirements

Depending on the sensitivity of the CUI your organization handles and the provisions of your contract, you’ll need to pass one of two types of assessments against the CMMC Level 2 requirements:

  1. Self-assessment
  2. Assessment by a certified third-party assessor organization (C3PAO)

Although a self-assessment might be more straightforward, a C3PAO assessment offers an objective review of how well your organization has implemented the required practices, providing additional assurance and confidence in your security posture. 

As with Level 1, self-assessment results for Level 2 are entered into the Supplier Performance Risk System (SPRS), while C3PAO assessment results are submitted through the CMMC Enterprise Mission Assurance Support Service (eMASS) by the C3PAO.

Regardless of the assessment type, the preferred methodology is based on NIST Special Publication (SP) 800-171A Section 2.1 and involves three groups of activities:

  1. Examination
  2. Interviews
  3. Testing

Depending on the degree of implementation and applicability of assessed assets, practices can result in one of three findings: MET, NOT MET, or N/A.

If your organization meets at least 80 percent of the requirements but still has security gaps, you can obtain a Conditional Certificate by submitting a Plan of Action and Milestones (POA&M) along with the assessment results. The POA&M needs to include the following details:

  1. Identified gaps and associated risks
  2. Remediation plans
  3. Responsible parties
  4. Timelines and milestones
  5. Required resources

After submitting the POA&M, you’ll have 180 days to remediate the remaining gaps. Successfully addressing the gaps and submitting proof makes your organization eligible for the Final Certificate.

CMMC Level 2 compliance process breakdown

A structured approach is essential when pursuing CMMC Level 2 compliance. You can ensure the certification process runs more smoothly and efficiently by breaking it down into the following five steps:

  1. Scope the audit: Determine which assets are considered in scope for CMMC Level 2. This will allow you to allocate resources more efficiently, focusing only on the assets relevant to certification audits.
  2. Identify compliance gaps: Perform a gap analysis to identify technical gaps and administrative processes that need to be addressed. Without the gap analysis, it’s difficult to evaluate the level of effort needed to balance technical and administrative gaps, possibly leading to inefficient resource distribution.
  3. Develop a gap remediation plan: After identifying security gaps, prepare a remediation plan. The plan needs to include the specific actions, resources, responsibilities, and timelines needed for remediation workflows. Prioritize the most critical gaps first, especially if they are related to handling CUI.
  4. Undergo the chosen assessment type: Once you’ve addressed all identified gaps, choose an assessment type depending on the kind of information you handle and the contract requirements. When the assessment is completed, the results need to be submitted to the SPRS or eMASS, depending on the type of assessment performed.
  5. Maintain your certificate: Achieving CMMC certification is not the final step of the process. The CMMC Level 2 certificate lasts for three years, but you must submit annual reaffirmations confirming your organization still meets the requirements. 

“Once a business meets Level 2 requirements, it’s important to implement a robust continuous monitoring program for high-risk controls. This helps to ensure the business can maintain Level 2 compliance.”

Tim Blair


Common CMMC Level 2 certification challenges

The program’s comprehensive nature presents the most significant challenge for CMMC Level 2 certification. The extensive workflows required during the compliance process may put considerable pressure on security and compliance teams, as well as other departments, which can strain resources, reduce productivity, and lead to delays.

Small and medium businesses (SMBs) may find certification particularly challenging because they often lack the necessary headcount and in-house expertise. Common bottlenecks include the gap analysis and the System Security Plan (SSP); a risk-based strategy for assessing controls can ease both and helps organizations establish a strong foundation for their CMMC efforts.

Another notable issue is manual workflows. By manually tracking and documenting compliance efforts, generating reports, and monitoring security controls across siloed technologies, you may increase the odds of human error and inefficiencies, slowing down compliance efforts.

However, most of the challenges of CMMC compliance can be reduced by leveraging automated compliance solutions. These programs allow you to automate the most repetitive workflows, centralize documentation, and monitor CMMC practices in real time, improving efficiency and conserving resources over the long term.

Streamline CMMC compliance with Vanta

Vanta is a trust management platform that accelerates the path to CMMC compliance by providing clear guidance, automation, and resources during every step of the process.

The platform’s dedicated CMMC solution comes with multiple features that automate up to 50 percent of related workflows, including: 

  • Out-of-the-box support for all CMMC certification levels
  • Automated evidence collection supported by 375+ integrations
  • Automated gap assessments
  • Centralized real-time tracking and monitoring of CMMC practices
  • Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172

When you're ready for assessment, you can find a reputable C3PAO through Vanta’s partner network. Partnering with the right organization ensures support throughout the compliance and assessment process, helping you secure your Level 2 certificate and build a foundation for Level 3.

See first-hand how Vanta can make your CMMC compliance efforts more efficient by scheduling a custom demo.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney. 
