Find out why Strike Graph is the right choice for your organization. What can you expect?
Explore the new CMMC 2.0 Level 2 requirements for defense contractors and learn how to meet them. Get expert tips to save time and money, a task checklist, and a timeline to stay on track.
CMMC 2.0 Level 2 is a new set of rules from the Department of Defense (DoD) for contractors who handle Controlled Unclassified Information (CUI). Contractors must meet these rules to get certified and work on defense contracts that involve CUI.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 introduces major updates to the original CMMC 1.0 framework that the DoD introduced in 2020. CMMC 2.0 aims to simplify compliance, lower costs, and streamline assessments while maintaining strong security. The DoD reduced the compliance levels from five to three as part of the update.
Level 2 applies to organizations handling Controlled Unclassified Information (CUI), which the DoD considers sensitive but not classified. This includes data requiring protection from unauthorized access but not involving top-secret material.
To meet Level 2 requirements, contractors must comply with the 110 security practices in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). They must also prove their ability to protect CUI through CMMC 2.0 assessments. These steps help contractors meet DoD security standards, continue working with the DoD, and bid on contracts involving CUI.
Key Takeaways:
CMMC 2.0 took effect on December 16, 2024, for all levels, including Level 2. The DoD will phase in requirements over three years. Full Level 2 compliance is required for new contracts by December 2026 and all contracts by December 2027, with some exceptions.
Here’s an overview of the CMMC rules that take effect during each of the four phases for Level 2 organizations. While these are general guidelines, the DoD may enforce CMMC requirements earlier. Contractors should review their contracts for specific compliance dates.
CMMC 2.0 Level 2 is important because it protects Controlled Unclassified Information (CUI) from advanced cyberattacks. Defense contractors must now comply with new rules if they handle CUI.
The CMMC model ensures organizations meet security requirements and practice adequate cyber hygiene to safeguard sensitive unclassified information. According to the DoD, the model's purpose is to “increase the cybersecurity posture of the Defense Industrial Base (DIB) and better protect sensitive unclassified information.”
“The goal of creating the CMMC 2.0 Level 2 standard is to safeguard national security by protecting CUI,” says Elliott Harnagel, Product and Compliance Strategist at Strike Graph. “This information isn’t classified, but it still needs to be controlled. The CMMC safeguards are critical to maintaining the integrity of defense-related data and protecting it from malicious cyberattacks.”
The main difference between CMMC 2.0 Level 2 and Level 1 contractors is the data and security requirements. Level 2 contractors handle CUI, follow stricter cybersecurity rules, and often need third-party assessors. Level 1 handles less sensitive FCI data and can perform self-assessments.
Here's an overview of the differences between CMMC 2.0 Level 2 and Level 1:
CMMC 2.0 Level 2 offers two types of assessments: third-party assessments and self-assessments. Most contractors must hire a Certified Third-Party Assessor Organization (C3PAO) every three years. Some contractors handling less sensitive data qualify for self-assessments instead.
One major change in CMMC 2.0 is a self-assessment option for certain Level 2 organizations. Most Level 2 organizations will still require a C3PAO assessment every three years. The CMMC Accreditation Body (CMMC-AB) is responsible for certifying C3PAOs and maintaining a list of credible organizations authorized to conduct these assessments. The CMMC-AB, now officially called the Cyber AB (Accreditation Body), is the entity responsible for overseeing the CMMC model.
This rebranding led some experts to refer to assessors as Cyber AB certified assessors, even though the official term remains C3PAOs.
Organizations that work with less critical CUI may qualify for the new self-assessment process, reducing compliance costs and complexity.
Here's a broad overview of the difference between a Level 2 self-assessment vs. a third-party assessment:
Self-assessment:
Third-party assessment:
Level 3 contractors handle more sensitive data and follow stricter rules than Level 2 contractors. They must implement the 110 Level 2 controls plus 24 enhanced ones. Also, Level 3 contractors can only receive assessments from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
"CMMC 2.0 Level 3 compliance applies to a small number of contracts tied to critical DoD missions, such as weapons development, intelligence, or secure communications," says Steven Bjarnason, a cybersecurity leader with over 30 years of experience and CISSP, Technical Services Manager at 360 Advanced. "These contracts often involve sensitive information like technical drawings, operational plans, maintenance manuals, or research and development data. Usually, they involve major companies like Boeing, Raytheon, and Lockheed Martin, but smaller contractors may also be affected. Overall, Level 3 contractors represent the smallest portion of the entire Defense Industrial Base (DIB).”
Here's an overview of the major differences between CMMC 2.0 Level 2 and Level 3 compliance:
Organizations seeking Level 3 compliance must first reach Level 2 compliance.
| | Level 1 (“Foundational”) | Level 2 (“Advanced”) | Level 3 (“Expert”) |
|---|---|---|---|
| Data | Handles Federal Contract Information (FCI) | Handles Controlled Unclassified Information (CUI) | Handles more critical CUI |
| Cybersecurity requirements | Follows 15 basic safeguarding practices outlined in FAR 52.204-21 that focus on basic cybersecurity measures | Follows the 110 security requirements outlined in NIST SP 800-171 r2 | 134 requirements (110 from NIST SP 800-171 r2 and 24 from NIST SP 800-172) |
| Assessment | Annual self-assessment; annual self-attestation of compliance | Most Level 2 organizations require a triennial third-party assessment from a C3PAO | Government personnel; DIBCAC assessment every three years |
| Conditional certification | No conditional certification option | Yes; can achieve conditional certification if the organization meets 80% of the requirements | Yes; can achieve conditional certification if the organization meets 80% of the requirements |
Any company working on DoD contracts with Controlled Unclassified Information (CUI) must comply with CMMC Level 2 rules. The DoD decides which contracts involve CUI and requires those companies to follow these standards.
Unfortunately, it’s not always clear which organizations need CMMC 2.0 Level 2 compliance. The distinction between Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) — which falls under CMMC 2.0 Level 1 — can often cause confusion. This uncertainty leaves some organizations unsure of their required compliance level, especially for Level 2.
Bjarnason acknowledges the complexity. “The CMMC model can be difficult to understand,” he says. “In particular, many organizations struggle to determine whether they deal with CUI, and, if so, where it’s located within their systems. Our advice is simple: Start with the contract. Go back to the source. It’s ultimately up to the DoD to decide the compliance level required and, within that level, the type of assessment that fits your situation.”
Typically, the DoD includes the relevant compliance level in the Defense Federal Acquisition Regulation Supplement (DFARS) 7012 section of the contract.
CMMC requirements also apply to subcontractors working with a prime contractor, even if the subcontractors don’t have a direct defense contract. “It’s not just big defense manufacturers — CMMC can apply to companies making generic parts, like bolts, which end up in defense systems,” Harnagel explains. “If your work touches controlled unclassified information (CUI), even indirectly, you’re pulled into the CMMC requirements.”
It’s important to understand that not all subcontractors working under a Level 2 prime contractor default to Level 2 compliance. Bjarnason explains that the compliance level depends on how CUI flows through the supply chain.
“If a subcontractor still handles CUI for their role in the contract, they’ll need to be Level 2 compliant,” he says. “By the time other subcontractors get to work, they might only be dealing with FCI, so they’ll just need to be Level 1. Again, it all depends on how CUI travels across the different contractors and whether it’s segmented so only some contractors handle or transmit it. It’s important that the prime contractor and the government make the distinction clear in the contracts between the prime and subs.”
CMMC 2.0 Level 2 requirements follow the 110 controls in the federal standard, NIST SP 800-171. The document groups these controls into 14 security domains, such as access control, risk assessment, and configuration management. These controls keep CUI safe through its lifecycle.
“One of the most common questions about CMMC is how it differs from NIST SP 800-171,” says Harnagel. “The reality is that the DoD required organizations to follow NIST SP 800-171 before introducing CMMC. However, many organizations weren’t complying. CMMC was created as an enforcement mechanism to ensure contractors follow the NIST cybersecurity standards.”
Since the core requirements of CMMC Level 2 come directly from NIST SP 800-171, the security controls in both frameworks are identical. Specifically, CMMC Level 2 incorporates all 110 requirements from NIST SP 800-171 rev 2.
The CMMC model organizes its 14 domains to align with the “families” of NIST SP 800-171.
Below is an overview of these domains and their key security controls for Level 2 organizations:
Get this free downloadable spreadsheet of CMMC Level 2 controls and evidence. It more fully explains the controls and the necessary evidence to demonstrate them.
Download the CMMC 2.0 Level 2 Controls and Evidence Spreadsheet
To achieve CMMC 2.0 Level 2 compliance, review your DoD contract, identify where you handle CUI, and draft a system security plan. Then, perform a self-assessment to assess vulnerabilities. Finally, engage a C3PAO to conduct an external assessment and submit your results to the DoD.
Harnagel suggests organizations seeking Level 2 compliance follow these broad steps:
You can skip this step if your contract specifies that you handle non-critical CUI and only need a self-assessment. However, some organizations that don’t need an external audit may still engage a C3PAO for their first assessment to ensure they follow the process correctly. A C3PAO can also provide expert insights to refine your compliance practices for future assessments.
Stay organized with our downloadable CMMC 2.0 Level 2 compliance checklist. It covers all the essential tasks and helps you stay on track as you work toward achieving CMMC 2.0 Level 2 compliance. The download contains more detail than the version shown in this table.
| Step | Description | Key Details |
|---|---|---|
| 1. Confirm applicability | Verify if CMMC applies to your contracts | |
| 2. Determine scope | Identify parts of your systems needing CMMC controls | |
| 3. Develop a System Security Plan (SSP) | Create a plan for managing required controls | |
| 4. Conduct a self-assessment | Evaluate your current compliance status | |
| 5. Draft a Plan of Action and Milestones (POAM) | Address weaknesses with remediation plans | |
| 6. Engage a C3PAO | Hire a Certified Third-Party Assessor Organization (C3PAO) for an external audit | |
Download our CMMC 2.0 Level 2 compliance task checklist
The difficulty of achieving CMMC 2.0 Level 2 compliance varies widely and depends on your starting point. Organizations that follow NIST SP 800-171 may find it straightforward. However, others may face a harder, longer process that requires extensive time, resources, and expert help.
The CMMC framework assumes contractors have already implemented the NIST SP 800-171 practices it builds upon. Complying with CMMC 2.0 will be a significant challenge for organizations that don't follow these practices. Even for organizations with strong security foundations, achieving the documentation required by CMMC 2.0 is often the most labor-intensive part of the process. Also, organizations that follow NIST SP 800-171 will find it easier to comply with related frameworks like FedRAMP (Federal Risk and Authorization Management Program), which regulates the security of federal data in the cloud. Since many organizations handle both CUI and federal data, many will need to comply with both frameworks.
Key factors influencing the difficulty of CMMC 2.0 compliance include:
The time it takes to achieve CMMC 2.0 Level 2 compliance depends on many variables, such as your organization and what security controls you’ve already implemented. Most companies will take three months to a year. To save time, engage with experts, limit your scope, and use compliance software.
Experts agree that there’s no universal timeline for achieving CMMC 2.0 compliance due to the many variables affecting the process's complexity and duration. For a rough guideline, Harnagel says that most organizations can expect the compliance process to fall within the three-month to one-year range.
“For smaller organizations with limited scope, it could take as little as three months,” he says. “However, for most companies, especially those with more complex systems, the process generally takes eight months to a year. Documentation is often the most time-consuming part. While many organizations already follow these requirements informally, they may not have properly documented their processes.”
To streamline the process and minimize delays, consider these expert tips:
The cost of CMMC 2.0 Level 2 compliance varies widely, with the DoD estimating $34,000 to $112,000. Costs depend on organizational size, scope, assessment type, and existing cybersecurity infrastructure. Experts caution that there are too many variables for a definitive range.
According to the official CMMC Program rule, the DoD averages the cost of a three-year assessment between $34,000 and $110,000, including expenses for implementing security controls, conducting assessments, and maintaining compliance. Actual costs depend on system complexity, current controls, and contractual requirements.
Harnagel agrees with these estimates but emphasizes the importance of individual factors, especially the need for a Certified Third-Party Assessor Organization (C3PAO). “A CMMC Level 2 external audit by a C3PAO costs about $30,000 on average. Since these audits occur every three years, that breaks down to roughly $10,000 per year,” he explains.
He also notes that estimates often exclude consultant fees and internal preparation costs. “These costs depend on the organization’s size and existing compliance posture. Expect to allocate additional resources if significant remediation is needed,” Harnagel adds.
Reducing the cost of CMMC compliance involves the same strategies experts recommend to streamline the process. "The single most effective way to reduce both cost and time is by limiting your scope," emphasizes Bjarnason. Additionally, outsourcing compliance tasks to software can streamline tedious processes, speeding up the effort and cutting expenses.
Strike Graph’s compliance platform gives you the tools to navigate CMMC 2.0 requirements efficiently. The customizable system lets you select common controls, add your own, and manage documentation. It helps you build a compliance program tailored to your unique operations.
“Preparing for CMMC compliance can feel like a full-time job,” says Strickler. “Fortunately, Strike Graph makes it easier with a flexible NIST 800-171 framework that lets organizations tailor controls to meet Level 2 CMMC requirements.”
Strike Graph’s NIST 800-171 framework lets users select common controls or add custom ones. “Strike Graph’s platform offers pre-populated evidence items to meet typical CMMC requirements while giving you the flexibility to adjust them to your needs,” explains Strickler. “You can assign evidence collection to team members inside or outside your organization, and the compliance dashboard helps you track progress and catch anything that might get missed.”
Strike Graph’s Verify AI tool takes compliance a step further. “Validating evidence adds even more complexity that takes up valuable time and resources,” Strickler says. “Verify AI detects changes in evidence versions, checks content against descriptions, and alerts you to issues before they reach an assessor.”
The platform also simplifies organization. “Strike Graph organizes everything in one platform, so you don’t need to worry about maintaining scattered file folders across your network. Users can configure the platform to connect evidence to its original sources and automatically check for updates based on a schedule they set. This keeps your evidence current and makes compliance more efficient every year.”
To top it off, Strike Graph’s expert team supports customers throughout the compliance process. With their help, your organization can reduce errors and meet CMMC standards from start to finish so you can land any government contract. Connect with our compliance experts today to learn how you can achieve CMMC.
Find answers to common questions about CMMC 2.0 Level 2 compliance. Learn about key topics like security requirements and assessments. Fill in gaps in your understanding to determine if you need to meet CMMC 2.0 requirements to comply with Department of Defense standards for protecting CUI.
Subcontractors must meet CMMC 2.0 Level 2 requirements if they handle, send, or process Controlled Unclassified Information (CUI) for the prime contractor. They should check their contract to know what’s required.
If an organization does not comply with CMMC Level 2, it will lose its defense contracts and cannot bid on new ones. Noncompliance also damages the organization’s reputation. The Department of Defense may also withhold payments or impose fines if the organization doesn’t resolve the issue quickly.
The main objective of a CMMC Level 2 assessment is to judge how a defense contractor protects Controlled Unclassified Information (CUI). It ensures the contractor follows the rules to meet the DoD's Level 2 data security standards.
CMMC Level 2 requires contractors to follow the 110 security practices from NIST SP 800-171 to protect CUI. These include controls for access, incident response, audit logs, and encryption. Contractors also must document compliance and may undergo external audits.
Some Level 2 organizations can perform a self-assessment to prove compliance. Most Level 2 organizations must hire a Certified Third-Party Assessor Organization (C3PAO) to conduct an audit. Level 2 contractors can check their contracts to determine the type of assessment they need.
C3PAOs conduct audits to see if Level 2 contractors meet CMMC standards. They review practices, test compliance, and certify organizations.
To determine if your company handles CUI, check your contract. The Department of Defense sets CUI requirements on a contract-by-contract basis. Look in the DFARS section of your defense contract. If you’re unsure, consult your contracting contact.
CMMC Level 2 requires contractors to protect emails with CUI. Contractors must encrypt emails and use multi-factor authentication. They also need a protection gateway.
The CMMC Level 2 scope includes systems, processes, and networks that handle, store, or transmit CUI.
CMMC 2.0 Level 2 and NIST 800-171 have the same security controls. NIST 800-171 explains the requirements, while CMMC 2.0 acts as the enforcement mechanism the Department of Defense (DoD) created to ensure organizations follow and implement these controls.
The DFARS clause in Department of Defense contracts will detail whether an organization needs to comply with CMMC Level 2 standards.
Small businesses can get CMMC Level 2 certification if they meet the required security controls and pass the assessment. Small businesses often outsource much of the work to consulting services to meet the standards.
© 2025 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service • EU AI Act