Explore the new CMMC 2.0 Level 2 requirements for defense contractors and learn how to meet them. Get expert tips to save time and money, a task checklist, and a timeline to stay on track.
What is CMMC 2.0 Level 2 compliance?
CMMC 2.0 Level 2 is a new set of rules from the Department of Defense (DoD) for contractors who handle Controlled Unclassified Information (CUI). Contractors must meet these rules to get certified and work on defense contracts that involve CUI.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 introduces major updates to the original CMMC 1.0 framework that the DoD introduced in 2020. CMMC 2.0 aims to simplify compliance, lower costs, and streamline assessments while maintaining strong security. The DoD reduced the compliance levels from five to three as part of the update.
Level 2 applies to organizations handling Controlled Unclassified Information (CUI), which the DoD considers sensitive but not classified. This includes data requiring protection from unauthorized access but not involving top-secret material.
To meet Level 2 requirements, contractors must comply with the 110 security practices in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). They must also prove their ability to protect CUI through CMMC 2.0 assessments. These steps help contractors meet DoD security standards, continue working with the DoD, and bid on contracts involving CUI.
Key Takeaways:
- CMMC 2.0 Level 2 applies to contracts involving Controlled Unclassified Information (CUI) and requires stricter security measures than Level 1, which focuses on Federal Contract Information (FCI), but fewer than Level 3, which covers highly critical projects.
- The effective dates for new Level 2 CMMC 2.0 contracts follow a phased timeline over three years: new contracts require self-assessments by 2025, third-party assessments by 2026, and full compliance for all new and existing contracts by 2027.
- To comply with CMMC 2.0 Level 2, contractors must determine the scope, create a system security plan (SSP), complete a self-assessment, fix gaps, and secure third-party certification when needed.
- Achieving CMMC 2.0 Level 2 compliance typically takes six months to one year and costs between $34,000 and $112,000, but specifics depend on your organization’s size and current security posture.
- You can reduce the time and cost of achieving CMMC 2.0 Level 2 compliance by limiting the scope of CUI and using compliance software to automate key tasks.
What is the effective date of CMMC 2.0 level 2?
CMMC 2.0 took effect on December 16, 2024, for all levels, including Level 2. The DoD will phase in requirements over three years. Full Level 2 compliance is required for new contracts by December 2026 and all contracts by December 2027, with some exceptions.
Here’s an overview of the CMMC rules that take effect during each of the four phases for Level 2 organizations. While these are general guidelines, the DoD may enforce CMMC requirements earlier. Contractors should review their contracts for specific compliance dates.
- Phase 1: Initial Implementation
  - Start date: December 16, 2024
  - Applicable for: New CMMC Level 2 contracts that are eligible to perform self-assessments to demonstrate compliance. This distinction applies to a small percentage of Level 2 organizations. For example, in the CMMC 2.0 final rule, the DoD estimates that 9,510 entities will need to perform Level 2 self-assessments over the next 10 years.
  - Requirements: Contractors must submit self-assessments to the Supplier Performance Risk System (SPRS) to be eligible for a contract. The DoD may also require self-assessments for existing contracts as a condition for extending or modifying the contract.
- Phase 2
  - Start date: Late 2025 (one year after Phase 1 began)
  - Applicable for: New CMMC Level 2 contracts that require an external assessment from a Certified Third-Party Assessment Organization (C3PAO) to demonstrate compliance. This group represents the vast majority of Level 2 contracts (about 182,105 entities over 10 years according to the formal CMMC 2.0 rule, or 20 times more than the number of organizations eligible for self-assessment).
  - Requirements for Level 2: Obtain a Level 2 Certification Assessment by a C3PAO for new contracts. The DoD may also require this assessment to extend an existing contract.
- Phase 3
  - Start date: Late 2026 (one year after Phase 2 begins)
  - Applicable for: New Level 2 contracts
  - Requirements for Level 2: Continue relevant assessments for new Level 2 contracts and possibly for existing contract extensions.
- Phase 4: Full Implementation
  - Start date: Late 2027 (one year after Phase 3 begins)
  - Applicable for: All Level 2 contracts, including new contracts and extensions of existing contracts
  - Requirements: Contractors must fully comply with CMMC 2.0 requirements to qualify for new contracts or extend existing ones.
CMMC Level 2 Implementation Timeline
Why is CMMC 2.0 Level 2 important?
CMMC 2.0 Level 2 is important because it protects Controlled Unclassified Information (CUI) from advanced cyberattacks. Defense contractors must now comply with new rules if they handle CUI.
The CMMC model ensures organizations meet security requirements and practice adequate cyber hygiene to safeguard sensitive unclassified information. According to the DoD, the model's purpose is to “increase the cybersecurity posture of the Defense Industrial Base (DIB) and better protect sensitive unclassified information. "
“The goal of creating the CMMC 2.0 Level 2 standard is to safeguard national security by protecting CUI,” says Elliott Harnagel, Product and Compliance Strategist at Strike Graph. “This information isn’t classified, but it still needs to be controlled. The CMMC safeguards are critical to maintaining the integrity of defense-related data and protecting it from malicious cyberattacks.”
Difference between CMMC 2.0 Level 2 and Level 1
The main difference between CMMC 2.0 Level 2 and Level 1 contractors is the data and security requirements. Level 2 contractors handle CUI, follow stricter cybersecurity rules, and often need third-party assessors. Level 1 handles less sensitive FCI data and can perform self-assessments.
Here's an overview of the differences between CMMC 2.0 Level 2 and Level 1:
- Eligibility and types of data
  - Level 1: Level 1 organizations handle Federal Contract Information (FCI). In the formal CMMC 2.0 rule, the DoD defines FCI as “information not intended for public release, provided by or generated for the government.” FCI includes data like contract details and technical specifications. It’s data that contractors need to execute their contracts, but it isn’t critical to national security.
  - Level 2: Level 2 organizations handle Controlled Unclassified Information (CUI). In the formal CMMC 2.0 rule, the DoD defines CUI as “sensitive information requiring safeguarding or dissemination controls under U.S. laws, regulations, or policies.” The DoD states that CUI could harm national interests if malicious attackers gain access to it.
- Cybersecurity requirements
  - Level 1: The cybersecurity requirements are the same as the 15 basic safeguarding practices outlined in the federal clause FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” These are the minimum cybersecurity requirements that contractors must implement to protect FCI.
  - Level 2: Level 2 requires compliance with all 110 security practices in National Institute of Standards and Technology Special Publication 800-171 revision 2 (NIST SP 800-171 r2). Although NIST SP 800-171 revision 3 (r3) reduces the number of requirements to 97 by consolidating and simplifying practices, the Department of Defense (DoD) requires organizations to comply with revision 2 to meet CMMC 2.0 Level 2 standards.
- Assessment types
  - Level 1: Organizations can meet requirements through a CMMC self-assessment performed annually.
  - Level 2: Most organizations require a third-party assessment by a Certified Third-Party Assessor Organization (C3PAO). Some contracts allow self-assessments if the organization meets specific conditions:
    - Self-assessments: To qualify, the organization must complete a Level 2 Conditional or Final Self-Assessment and submit an affirmation. Self-assessments must be completed every three years, with annual affirmations.
    - C3PAO assessments: Most Level 2 organizations will need to hire a C3PAO to conduct a formal assessment every three years.
- Option for conditional compliance
  - Level 1: Contractors seeking Level 1 compliance do not have the option for conditional compliance. They must fully implement all the required practices.
  - Level 2: Level 2 organizations can achieve conditional compliance if they meet at least 80% of the required 110 practices outlined in NIST SP 800-171 r2. Conditional compliance allows the organization to be treated as compliant temporarily. The contractor must develop a Plan of Action and Milestones (POA&M) and resolve the outstanding items within 180 days to maintain compliance.
CMMC 2.0 Level 2 self-assessment vs. third party
CMMC 2.0 Level 2 offers two types of assessments: third-party and self-assessments. Most contractors must hire a Certified Third-party Assessor (C3PAO) every three years. Some contractors handling less sensitive data qualify for self-assessments instead.
One major change in CMMC 2.0 is a self-assessment option for certain Level 2 organizations. Most Level 2 organizations will still require a C3PAO assessment every three years. The CMMC Accreditation Body (CMMC-AB) is responsible for certifying C3PAOs and maintaining a list of credible organizations authorized to conduct these assessments. The CMMC-AB, now officially called the Cyber AB (Accreditation Body), is the entity responsible for overseeing the CMMC model.
This rebranding led some experts to refer to assessors as Cyber AB certified assessors, even though the official term remains C3PAOs.
Organizations that work with less critical CUI may qualify for the new self-assessment process, reducing compliance costs and complexity.
Here's a broad overview of the difference between a Level 2 self-assessment vs. a third-party assessment:
Self-assessment:
- Eligibility: Limited to organizations handling non-critical CUI, as determined by the DoD
- Frequency: Conducted every three years by the organization seeking compliance
- Process: The organization uses DoD materials to evaluate its compliance with CMMC Level 2 requirements. It enters the results into the Supplier Performance Risk System (SPRS) to generate an SPRS score that evaluates how well the organization meets the required standards.
- Validity: CMMC status is valid for three years.
Third-party assessment:
- Eligibility: Required for most Level 2 organizations that handle sensitive CUI
- Frequency: Every three years by a C3PAO
- Process: An external review verifies the organization’s compliance with CMMC Level 2 requirements and enters the results into the SPRS.
- Validity: CMMC Status is valid for three years
Difference between CMMC 2.0 Level 2 and Level 3
Level 3 contractors handle more sensitive data and follow stricter rules than Level 2. They must implement the 110 Level 2 controls plus 24 enhanced ones. Also, Level 3 contractors can only receive assessments from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
"CMMC 2.0 Level 3 compliance applies to a small number of contracts tied to critical DoD missions, such as weapons development, intelligence, or secure communications," says Steven Bjarnason, CISSP, Technical Services Manager at 360 Advanced and a cybersecurity leader with over 30 years of experience. "These contracts often involve sensitive information like technical drawings, operational plans, maintenance manuals, or research and development data. Usually, they involve major companies like Boeing, Raytheon, and Lockheed Martin, but smaller contractors may also be affected. Overall, Level 3 contractors represent the smallest portion of the entire Defense Industrial Base (DIB).”
Here's an overview of the major differences between CMMC 2.0 Level 2 and Level 3 compliance:
- Eligibility and types of data
  - Level 2: Applies to contractors handling Controlled Unclassified Information (CUI) for non-critical programs.
  - Level 3: Targets contractors working on high-priority or high-risk DoD programs involving advanced persistent threats (APTs). It protects CUI with enhanced security requirements, including data associated with critical missions or high-value assets.
- Cybersecurity requirements
  - Level 2: Requires compliance with 110 security practices from NIST SP 800-171 Revision 2.
  - Level 3: Adds 24 enhanced controls from NIST SP 800-172, bringing the total to 134. These enhanced requirements include controls related to:
    - Penetration-resistant architecture
    - Damage-limiting operations
    - Designs focused on cybersecurity and survivability
    Organizations seeking Level 3 compliance must first reach Level 2 compliance.
- Assessment types
  - Level 2: Most contractors undergo third-party assessments by C3PAOs every three years. Some contractors handling non-critical CUI may qualify for self-assessments, which also occur every three years.
  - Level 3: Level 3 contractors must receive an assessment from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a DoD organization. The DIBCAC conducts these assessments every three years.
Comparison of CMMC 2.0 Levels 1, 2, and 3

| | Level 1 (“Foundational”) | Level 2 (“Advanced”) | Level 3 (“Expert”) |
|---|---|---|---|
| Data | Handles Federal Contract Information (FCI) | Handles Controlled Unclassified Information (CUI) | Handles more critical CUI |
| Cybersecurity requirements | Follows the 15 basic safeguarding practices outlined in FAR 52.204-21 that focus on basic cybersecurity measures | Follows the 110 security requirements outlined in NIST SP 800-171 r2 | 134 requirements (110 from NIST SP 800-171 r2 and 24 from NIST SP 800-172); security measures must mitigate advanced persistent threats (APTs) |
| Assessment | Annual self-assessment; annual self-attestation of compliance | Most Level 2 organizations require a triennial third-party assessment from a C3PAO; a small subset that handles less sensitive CUI is eligible for triennial self-assessments; annual self-attestation of compliance | Government personnel: DIBCAC assessment every three years; annual self-affirmation of compliance |
| Conditional certification | No conditional certification option | Yes, can achieve conditional certification if the organization meets 80% of the requirements | Yes, can achieve conditional certification if the organization meets 80% of the requirements |
Who needs CMMC 2.0 level 2 compliance?
Any company working on DoD contracts with Controlled Unclassified Information (CUI) must comply with CMMC Level 2 rules. The DoD decides which contracts involve CUI and requires those companies to follow these standards.
Unfortunately, it’s not always clear which organizations need CMMC 2.0 level 2 compliance. The distinction between Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) — which falls under CMMC 2.0 Level 1 — can often cause confusion. This uncertainty leaves some organizations unsure of their required compliance level, especially for Level 2.
Bjarnason acknowledges the complexity. “The CMMC model can be difficult to understand,” he says. “In particular, many organizations struggle to determine whether they deal with CUI, and, if so, where it’s located within their systems. Our advice is simple: Start with the contract. Go back to the source. It’s ultimately up to the DoD to decide the compliance level required and, within that level, the type of assessment that fits your situation.”
Typically, the DoD includes the relevant compliance level in the Defense Federal Acquisition Regulation Supplement (DFARS) 7012 section of the contract.
CMMC requirements also apply to subcontractors working with a prime contractor, even if the subcontractors don’t have a direct defense contract. “It’s not just big defense manufacturers —CMMC can apply to companies making generic parts, like bolts, which end up in defense systems,” Harnagel explains. “If your work touches controlled unclassified information (CUI), even indirectly, you’re pulled into the CMMC requirements.”
It’s important to understand that not all subcontractors working under a Level 2 prime contractor default to Level 2 compliance. Bjarnason explains that the compliance level depends on how CUI flows through the supply chain.
”If a subcontractor still handles CUI for their role in the contract, they’ll need to be Level 2 compliant,” he says. “By the time other subcontractors get to work, they might only be dealing with FCI, so they’ll just need to be Level 1. Again, it all depends on how CUI travels across the different contractors and whether it’s segmented so only some contractors handle or transmit it. It’s important that the prime contractor and the government make the distinction clear in the contracts between the prime and subs.”
CMMC 2.0 Level 2 Requirements
CMMC 2.0 Level 2 requirements follow the 110 controls in the federal standard, NIST SP 800-171. The document groups these controls into 14 security domains, such as access control, risk assessment, and configuration management. These controls keep CUI safe through its lifecycle.
“One of the most common questions about CMMC is how it differs from NIST SP 800-171,” says Harnagel. “The reality is that the DoD required organizations to follow NIST SP 800-171 before introducing CMMC. However, many organizations weren’t complying. CMMC was created as an enforcement mechanism to ensure contractors follow the NIST cybersecurity standards.”
Since the core requirements of CMMC Level 2 come directly from NIST SP 800-171, the security controls in both frameworks are identical. Specifically, CMMC Level 2 incorporates all 110 requirements from NIST SP 800-171 rev 2.
The CMMC model organizes its 14 domains to align with the “families” of NIST SP 800-171.
Below is an overview of these domains and their key security controls for Level 2 organizations:
- Access Control (AC)
- Restrict access to CUI to authorized users and devices
- Implement session locks and remote access protections
- Awareness Training (AT)
- Train employees on recognizing security risks and insider threats
- Provide role-specific cybersecurity training
- Audit and Accountability (AU)
- Maintain audit logs for security monitoring
- Ensure user accountability
- Alert if there’s an audit failure
- Use authoritative time sources for audit logs that generate time stamps for audit records
- Configuration Management (CM)
- Establish and enforce security configurations
- Track and approve system changes
- Limit systems to essential functions and restrict unauthorized software
- Configure organization systems to provide only essential capabilities
- Control and monitor user-installed software
- Identification and Authentication (IA)
- Use multifactor authentication (MFA)
- Prevent password reuse and disable identifiers after a period of inactivity
- Enforce a minimum password complexity and change of characters for new passwords
- Use cryptographic protections for authentication
- Incident Response (IR)
- Prepare for and handle cybersecurity incidents
- Test incident response capabilities regularly
- Track and report incidents to designated officials
- Maintenance (MA)
- Control maintenance tools and activities
- Sanitize equipment before off-site maintenance
- Authenticate remote maintenance sessions
- Media Protection (MP)
- Securely store and transport CUI media
- Mark media with required labels and limit access
- Encrypt data on removable storage devices
- Personnel Security (PS)
- Screen personnel accessing systems with CUI
- Protect CUI during personnel changes like transfers or terminations
- Physical Protection (PE)
- Limit physical access to systems
- Monitor facilities and safeguard CUI at alternate work locations
- Risk Assessment (RA)
- Conduct regular risk assessments
- Scan and remediate system vulnerabilities
- Security Assessment (CA)
- Periodically assess security controls
- Develop action plans to address vulnerabilities
- Maintain and update a system security plan
- System and Communications Protection (SC)
- Protect data in transit and at rest with encryption
- Use FIPS 140-2 (Federal Information Processing Standards) encryption standards
- Maintain cryptographic keys
- Prevent split tunneling and enforce secure network connections
- Deny network communications traffic by default
- Employ FIPS-validated cryptography to protect the confidentiality of CUI
- Control and monitor the use of mobile code and Voice over Internet Protocol (VoIP)
- Protect the confidentiality of CUI at rest
- System and Information Integrity (SI)
- Monitor system security alerts for unauthorized use
- Protect systems against malicious code
- Respond to security alerts and advisories
Download a full list of CMMC 2.0 Level 2 controls and evidence
Get this free downloadable spreadsheet of CMMC Level 2 controls and evidence. It more fully explains the controls and the necessary evidence to demonstrate them.
Download the CMMC 2.0 Level 2 Controls and Evidence Spreadsheet
Steps to get CMMC 2.0 level 2 compliance
To achieve CMMC 2.0 Level 2 compliance, review your DoD contract, identify where you handle CUI, and draft a system security plan. Then, perform a self-assessment to assess vulnerabilities. Finally, engage a C3PAO to conduct an external assessment and submit your results to the DoD.
Harnagel suggests organizations seeking Level 2 compliance follow these broad steps:
- Confirm applicability
“Before you do anything, confirm that CMMC applies to your contracts,” he explains. “Look for DFARS clauses in your contracts or your contractor’s contracts. If you're a subcontractor — or even a subcontractor's subcontractor — your compliance needs will flow downhill, meaning they will stem from the prime contractor’s DoD contract. You should be able to talk to the prime contractor, who’s directly working with the government, to verify your responsibilities.”
- Determine scope
The next step is to determine your scope, or what parts of your systems need the CMMC controls.
"Identify where your organization handles, stores, or transmits CUI,” Harnagel says. “For example, any technical information or schematics associated with defense-related work would count as CUI."
Harnagel emphasizes that limiting your scope to systems that handle CUI is critical. “You only need to apply the strict CMMC controls to parts of your company that deal with CUI — mapping out your data flows can help pinpoint which systems fall into scope. Trying to implement these controls on every system would be very expensive and cumbersome.”
He recommends carefully reviewing the DoD CMMC 2.0 Level 2 scoping guidelines.
- Develop a system security plan (SSP)
Once you understand your scope, create a plan for managing the required controls.
"Start working on your SSP,” Harnagel says. “The goal is to list out the CMMC requirements and document in your own words how you plan to meet them. It acts as a checklist for compliance."
A good starting point is Strike Graph’s downloadable list of CMMC 2.0 Level 2 controls and evidence spreadsheet, also mentioned above. Add a column to type in how you plan to meet each requirement.
- Conduct a self-assessment
Now, it’s time to evaluate your current compliance status through a self-assessment.
"Generate a Supplier Performance Risk System (SPRS) score by scoring your implementation against the requirements,” says Harnagel. “You assign point values to your implementation, and the government requires you to submit this score. The scoring process will highlight areas where you're not meeting criteria."
Harnagel recommends following the DoD's CMMC 2.0 Level 2 assessment guide to get started. He also says that it’s important to document the reasoning behind your scoring decisions for transparency in case of future audits.
- Draft a Plan of Action and Milestones (POAM) document
A self-assessment will identify areas of weakness, which you can address through a remediation plan.
"Develop POAMs for any areas where you're non-compliant,” explains Harnagel. “These remediation plans outline how you'll fix gaps. Prioritize the most critical vulnerabilities first, especially those impacting your SPRS score. Work on these until your SPRS score is strong."
- Engage a C3PAO
"Once your score is solid, hire a Certified Third-Party Assessor Organization (C3PAO) to perform the required external audit,” Harnagel says.
You can skip this step if your contract specifies that you handle non-critical CUI and only need a self-assessment. However, some organizations that don’t need an external audit may still engage a C3PAO for their first assessment to ensure they follow the process correctly. A C3PAO can also provide expert insights to refine your compliance practices for future assessments.
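Steps 4 and 5 above, together with the conditional compliance rule from the Level 1 vs. Level 2 comparison (at least 80% of the 110 practices, with POA&M items closed within 180 days), as a worked example. This is added code, not the article's or Strike Graph's, and it assumes the scoring rule of the DoD's NIST SP 800-171 Assessment Methodology: start from 110 and subtract each unimplemented requirement's point value of 5, 3 or 1 (the methodology's partial-credit cases for multifactor authentication and FIPS-validated cryptography are not modelled). The requirement identifiers, point values and implementation states are constructed placeholders; a real assessment uses the requirement-by-requirement values from the DoD assessment guide.

```python
"""SPRS score, conditional status and POA&M deadline (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110      # NIST SP 800-171 r2 practices required at Level 2
CONDITIONAL_THRESHOLD = 0.80  # conditional status needs at least 80% implemented
POAM_WINDOW_DAYS = 180        # open POA&M items must be closed within 180 days
POINT_VALUES = (5, 3, 1)      # assumption: DoD Assessment Methodology point values


@dataclass(frozen=True)
class Requirement:
    req_id: str        # placeholder identifier (real ones look like 3.1.1)
    weight: int        # points subtracted from 110 if the practice is not implemented
    implemented: bool

    def __post_init__(self):
        if self.weight not in POINT_VALUES:
            raise ValueError(f"{self.req_id}: point value must be one of {POINT_VALUES}")


def build_sample_inventory(gap_weights):
    """Constructed inventory of 110 placeholder requirements. The first
    len(gap_weights) are unimplemented with the given point values; the rest
    are implemented (weight 5, the most common value)."""
    if len(gap_weights) > TOTAL_REQUIREMENTS:
        raise ValueError("more gaps than requirements")
    reqs = []
    for i in range(TOTAL_REQUIREMENTS):
        req_id = f"REQ-{i + 1:03d}"
        if i < len(gap_weights):
            reqs.append(Requirement(req_id, gap_weights[i], implemented=False))
        else:
            reqs.append(Requirement(req_id, 5, implemented=True))
    return reqs


def sprs_score(reqs):
    """A complete implementation scores 110; each gap subtracts its point
    value, so a weak posture can score below zero."""
    return TOTAL_REQUIREMENTS - sum(r.weight for r in reqs if not r.implemented)


def implemented_fraction(reqs):
    return sum(1 for r in reqs if r.implemented) / len(reqs)


def compliance_status(reqs):
    """'final' when every practice is implemented, 'conditional' at 80% or
    better (with a POA&M for the remainder), otherwise 'not met'."""
    fraction = implemented_fraction(reqs)
    if fraction == 1.0:
        return "final"
    if fraction >= CONDITIONAL_THRESHOLD:
        return "conditional"
    return "not met"


def poam_items(reqs):
    """Open gaps ordered for remediation: highest point value first, because
    those gaps move the SPRS score the most, then by identifier."""
    gaps = [r for r in reqs if not r.implemented]
    ordered = sorted(gaps, key=lambda r: (-r.weight, r.req_id))
    return [(r.req_id, r.weight) for r in ordered]


def poam_deadline(assessment_date):
    """Date by which every POA&M item must be closed to keep conditional status."""
    return assessment_date + timedelta(days=POAM_WINDOW_DAYS)


def assessment_summary(reqs, assessment_date):
    """Everything an organization would record alongside its SPRS submission."""
    return {
        "sprs_score": sprs_score(reqs),
        "implemented": sum(1 for r in reqs if r.implemented),
        "status": compliance_status(reqs),
        "poam": poam_items(reqs),
        "poam_deadline": poam_deadline(assessment_date),
    }


if __name__ == "__main__":
    # Ten constructed gaps: four worth 5 points, three worth 3, three worth 1.
    sample = build_sample_inventory([5, 5, 5, 5, 3, 3, 3, 1, 1, 1])
    print(assessment_summary(sample, date(2025, 1, 15)))
```

The ordering in `poam_items` encodes the advice above to fix the gaps that affect the SPRS score first: a single 5-point gap costs as much as five 1-point gaps, so the POA&M queue is sorted by point value before identifier.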
CMMC 2.0 compliance task checklist
Stay organized with our downloadable CMMC 2.0 Level 2 compliance checklist. It covers all the essential tasks and helps you stay on track as you work toward achieving CMMC 2.0 Level 2 compliance. The download contains more detail than the version shown in this table.
Steps for CMMC 2.0 Level 2 compliance

| Step | Description | Key Details |
|---|---|---|
| 1. Confirm applicability | Verify whether CMMC applies to your contracts | Look for DFARS clauses in contracts; confirm subcontractor responsibilities with the prime contractor |
| 2. Determine scope | Identify the parts of your systems that need CMMC controls | Focus on systems handling, storing, or transmitting CUI; limit controls to relevant systems to save cost and effort |
| 3. Develop a System Security Plan (SSP) | Create a plan for managing required controls | Use SSP templates to document CMMC requirements and how you plan to meet them |
| 4. Conduct a self-assessment | Evaluate your current compliance status | Generate an SPRS score by assessing your implementation against requirements |
| 5. Draft a Plan of Action and Milestones (POAM) | Address weaknesses with remediation plans | Develop plans for non-compliant areas; prioritize critical vulnerabilities that impact your SPRS score |
| 6. Engage a C3PAO | Hire a Certified Third-Party Assessor Organization (C3PAO) for an external audit | Required if your contract involves critical CUI |
Download our CMMC 2.0 Level 2 compliance task checklist
How hard is CMMC 2.0 Level 2 compliance?
The difficulty of achieving CMMC 2.0 Level 2 compliance varies widely and depends on your starting point. Organizations that follow NIST SP 800-171 may find it straightforward. However, others may face a harder, longer process that requires extensive time, resources, and expert help.
The CMMC framework assumes contractors have already implemented the NIST SP 800-171 practices it builds upon. Complying with CMMC 2.0 will be a significant challenge for organizations that don't follow these practices. Even for organizations with strong security foundations, achieving the documentation required by CMMC 2.0 is often the most labor-intensive part of the process. Also, organizations that follow NIST SP 800-171 will find it easier to comply with related frameworks like FedRAMP (Federal Risk and Authorization Management Program), which regulates the security of federal data in the cloud. Since many organizations handle both CUI and federal data, many will need to comply with both frameworks.
Key factors influencing the difficulty of CMMC 2.0 compliance include:
- Cybersecurity maturity: The more mature your existing practices, the easier it will be to close gaps.
- CUI scope: A larger scope of Controlled Unclassified Information (CUI) increases complexity.
- Assessment type: Self-assessments are less demanding than external audits by a C3PAO.
Time needed to get CMMC 2.0 Level 2 compliance
The time it takes to achieve CMMC 2.0 Level 2 compliance depends on many variables, such as your organization and what security controls you’ve already implemented. Most companies will take three months to a year. To save time, engage with experts, limit your scope, and use compliance software.
Experts agree that there’s no universal timeline for achieving CMMC 2.0 compliance due to the many variables affecting the process's complexity and duration. For a rough guideline, Harnagel says that most organizations can expect the compliance process to fall within the three-month to one-year range.
“For smaller organizations with limited scope, it could take as little as three months,” he says. “However, for most companies, especially those with more complex systems, the process generally takes eight months to a year. Documentation is often the most time-consuming part. While many organizations already follow these requirements informally, they may not have properly documented their processes.”
To streamline the process and minimize delays, consider these expert tips:
- Limit your scope:
Bjarnason emphasizes that minimizing the scope is the best way to reduce the time and cost of achieving CMMC compliance. This means reducing the number of systems and processes subject to strict security controls. The smaller the scope, the fewer areas in your environment require these rigorous measures, which significantly cuts down on complexity and expenses.
“For Level 2, the location of your CUI defines the scope,” he explains. “Keeping CUI in a tightly controlled environment — accessible only through a single port or gateway —limits the extent of security controls you need. This approach minimizes costs by reducing the footprint of CUI and the associated compliance requirements. If CUI propagates beyond a controlled area, like onto personal devices, every location it touches requires the same stringent controls, which significantly increases costs."
He adds that while limiting your scope is effective, restricting it can disrupt how smoothly and efficiently your organization operates. "Reducing scope is key to controlling costs, but it’s a seesaw between security and convenience. Keeping CUI in a single, tightly controlled enclave minimizes the compliance footprint, but not every organization can function with that level of restriction. The challenge is finding the right balance on the seesaw — ensuring security without sacrificing the operational flexibility needed to get work done."
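Both the "Determine scope" step above and Bjarnason's enclave advice come down to one question: which systems does CUI actually reach? The following is an added example, not code from the article or from Strike Graph, that answers it by walking an inventory of data flows: a system is in scope if it is connected to a CUI store by a chain of flows marked as carrying CUI. The system names and flows are constructed for illustration. The two scenarios show a contained enclave where CUI leaves only through a single gateway, and the same environment after an engineer syncs drawings to a personal laptop, which pulls the laptop and everything it syncs to into scope.

```python
"""CUI scope mapping over data flows (added example; constructed inventory)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One data flow between two systems. carries_cui is True when CUI can
    travel over this path; a gateway that blocks CUI yields a False flow."""
    src: str
    dst: str
    carries_cui: bool


# Constructed inventory: a small CUI enclave. CUI lives on the file server and
# leaves the enclave only through the gateway to the prime contractor's portal
# (hypothetical name). The gateway does not pass CUI to corporate email.
ALL_SYSTEMS = {
    "cui-fileserver", "cad-workstation", "enclave-gateway",
    "prime-contractor-portal", "corporate-email", "hr-laptop", "marketing-site",
}
CUI_STORES = {"cui-fileserver"}
ENCLAVE_FLOWS = [
    Flow("cui-fileserver", "cad-workstation", carries_cui=True),
    Flow("cui-fileserver", "enclave-gateway", carries_cui=True),
    Flow("enclave-gateway", "prime-contractor-portal", carries_cui=True),
    Flow("enclave-gateway", "corporate-email", carries_cui=False),
    Flow("corporate-email", "hr-laptop", carries_cui=False),
    Flow("corporate-email", "marketing-site", carries_cui=False),
]
# The same environment after CUI propagates beyond the enclave: an engineer
# syncs drawings from the CAD workstation to a personal laptop and a home NAS.
SPRAWL_FLOWS = ENCLAVE_FLOWS + [
    Flow("cad-workstation", "personal-laptop", carries_cui=True),
    Flow("personal-laptop", "home-nas", carries_cui=True),
]


def in_scope(cui_stores, flows):
    """Return every system reachable from a CUI store over CUI-carrying flows.

    Flows are treated as undirected: a system that sends CUI to the store has
    handled CUI just as much as one that reads from it.
    """
    neighbours = {}
    for flow in flows:
        if flow.carries_cui:
            neighbours.setdefault(flow.src, set()).add(flow.dst)
            neighbours.setdefault(flow.dst, set()).add(flow.src)
    scope = set(cui_stores)
    queue = deque(cui_stores)
    while queue:
        system = queue.popleft()
        for nxt in neighbours.get(system, ()):
            if nxt not in scope:
                scope.add(nxt)
                queue.append(nxt)
    return scope


def scope_report(all_systems, cui_stores, flows):
    """Split the inventory into systems that need the full Level 2 control set
    and systems that stay out of scope. Endpoints that appear only in flows are
    included so that an unexpected system (a personal laptop) is not missed."""
    known = set(all_systems)
    for flow in flows:
        known.update((flow.src, flow.dst))
    scoped = in_scope(cui_stores, flows)
    return {
        "in_scope": sorted(scoped),
        "out_of_scope": sorted(known - scoped),
        # in scope but absent from the asset inventory: CUI has sprawled
        "unexpected": sorted(scoped - set(all_systems)),
    }


if __name__ == "__main__":
    for label, flows in (("enclave", ENCLAVE_FLOWS), ("sprawl", SPRAWL_FLOWS)):
        report = scope_report(ALL_SYSTEMS, CUI_STORES, flows)
        print(label, "in scope:", report["in_scope"])
        print(label, "unexpected endpoints:", report["unexpected"])
```

The `unexpected` list is the practical output: any system that CUI reaches but that is missing from the asset inventory is a place where the full control set is owed and probably not applied, which is exactly the cost growth the seesaw analogy above warns about.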
- Automate compliance processes
Outsourcing some of your compliance needs to automated software can significantly reduce manual effort and speed up the process. Automated tools can assist with generating necessary reports, tracking controls, and maintaining accurate records — all of which reduce human error and administrative bottlenecks.
For example, Michelle Strickler, Senior Cybersecurity Compliance Manager at Workstreet, says that some of Strike Graph’s tools can help speed up the process by automating tedious tasks. “Strike Graph’s platform streamlines compliance by offering customizable controls and evidence items. You can tailor compliance requirements to fit your organization’s needs, manage them efficiently down to the smallest detail, and directly populate your System Security Plan (SSP)—a key document outlining your security controls.”
- Establish clear ownership
“Designating a compliance lead or team to oversee the process is essential for accountability, especially for organizations that have to oversee CMMC compliance across multiple locations,” Strickler says.
Compliance software can also streamline this task. Strickler explains, “Our new enterprise content management feature is a game-changer for handling CMMC requirements across multiple locations. This tool allows you to distribute common controls to your subsidiaries, plants, or divisions, reducing duplicate efforts and simplifying the compliance process.”
Harnagel adds, “We enable you to delegate responsibilities for controls and evidence to specific owners. These individuals can update the required documentation, and our system sends them reminders when updates are due.”
Cost of CMMC 2.0 Level 2 compliance
The cost of CMMC 2.0 Level 2 compliance varies widely, with the DoD estimating $34,000 to $112,000. Costs depend on organizational size, scope, assessment type, and existing cybersecurity infrastructure. Experts caution that there are too many variables for a definitive range.
According to the official CMMC Program rule, the DoD averages the cost of a three-year assessment between $34,000 and $110,000, including expenses for implementing security controls, conducting assessments, and maintaining compliance. Actual costs depend on system complexity, current controls, and contractual requirements.
Harnagel agrees with these estimates but emphasizes the importance of individual factors, especially the need for a Certified Third-Party Assessor Organization (C3PAO). “A CMMC Level 2 external audit by a C3PAO costs about $30,000 on average. Since these audits occur every three years, that breaks down to roughly $10,000 per year,” he explains.
He also notes that estimates often exclude consultant fees and internal preparation costs. “These costs depend on the organization’s size and existing compliance posture. Expect to allocate additional resources if significant remediation is needed,” Harnagel adds.
Reducing the cost of CMMC compliance involves the same strategies experts recommend to streamline the process. “The single most effective way to reduce both cost and time is by limiting your scope,” emphasizes Bjarnason. Additionally, outsourcing compliance tasks to software can streamline tedious processes, speeding up the effort and cutting expenses.
Streamline your CMMC 2.0 Level 2 compliance with Strike Graph
Strike Graph’s compliance platform gives you the tools to navigate CMMC 2.0 requirements efficiently. The customizable system lets you select common controls, add your own, and manage documentation. It helps you build a compliance program tailored to your unique operations.
“Preparing for CMMC compliance can feel like a full-time job,” says Strickler. “Fortunately, Strike Graph makes it easier with a flexible NIST 800-171 framework that lets organizations tailor controls to meet Level 2 CMMC requirements.”
Strike Graph’s NIST 800-171 framework lets users select common controls or add custom ones. “Strike Graph’s platform offers pre-populated evidence items to meet typical CMMC requirements while giving you the flexibility to adjust them to your needs,” explains Strickler. “You can assign evidence collection to team members inside or outside your organization, and the compliance dashboard helps you track progress and catch anything that might get missed.”
Strike Graph’s Verify AI tool takes compliance a step further. “Validating evidence adds even more complexity that takes up valuable time and resources,” Strickler says. “Verify AI detects changes in evidence versions, checks content against descriptions, and alerts you to issues before they reach an assessor.”
The platform also simplifies organization. “Strike Graph organizes everything in one platform, so you don’t need to worry about maintaining scattered file folders across your network. Users can configure the platform to connect evidence to its original sources and automatically check for updates based on a schedule they set. This keeps your evidence current and makes compliance more efficient every year.”
To top it off, Strike Graph’s expert team supports customers throughout the compliance process. With their help, your organization can reduce errors and meet CMMC standards from start to finish so you can land any government contract. Connect with our compliance experts today to learn how you can achieve CMMC.
CMMC 2.0 Level 2 Compliance FAQs
Find answers to common questions about CMMC 2.0 Level 2 compliance. Learn about key topics like security requirements and assessments. Fill in gaps in your understanding to determine if you need to meet CMMC 2.0 requirements to comply with Department of Defense standards for protecting CUI.
Do CMMC 2.0 Level 2 requirements apply to subcontractors?
Subcontractors must meet CMMC 2.0 Level 2 requirements if they handle, send, or process Controlled Unclassified Information (CUI) for the prime contractor. They should check their contract to know what’s required.
What are the penalties for non-compliance with CMMC Level 2?
If an organization does not comply with CMMC Level 2, it will lose its defense contracts and cannot bid on new ones. It also damages the organization’s reputation. The Department of Defense may also withhold payments or impose fines if the organization doesn’t resolve the issue quickly.
What are the objectives of a CMMC Level 2 assessment?
The main objective of a CMMC Level 2 assessment is to judge how a defense contractor protects Controlled Unclassified Information (CUI). It ensures the contractor follows the rules to meet the DoD's Level 2 data security standards.
Which practices are specific to CMMC 2.0 Level 2?
CMMC Level 2 requires contractors to follow the 110 security practices from NIST SP 800-171 to protect CUI. These include controls for access, incident response, audit logs, and encryption. Contractors also must document compliance and may undergo external audits.
Who can conduct a CMMC 2.0 Level 2 assessment?
Some Level 2 organizations can perform a self-assessment to prove compliance. Most Level 2 organizations must hire a Certified Third-Party Assessment Organization (C3PAO) to conduct an audit. Level 2 contractors can check their contracts to determine the type of assessment they need.
What is the role of C3PAOs in the CMMC process?
C3PAOs conduct audits to see if Level 2 contractors meet CMMC standards. They review practices, test compliance, and certify organizations.
How can I determine if my company handles Controlled Unclassified Information (CUI)?
To determine if your company handles CUI, check your contract. The Department of Defense sets CUI requirements on a contract-by-contract basis. Look in the DFARS section of your defense contract. If you’re unsure, consult your contracting contact.
What are CMMC Level 2 requirements for email?
CMMC Level 2 requires contractors to protect emails with CUI. Contractors must encrypt emails and use multi-factor authentication. They also need a protection gateway.
What is the assessment scope for CMMC 2.0 Level 2?
The CMMC Level 2 scope includes systems, processes, and networks that handle, store, or transmit CUI.
How do NIST 800-171 and CMMC 2.0 Level 2 differ?
CMMC 2.0 Level 2 and NIST 800-171 have the same security controls. NIST 800-171 explains the requirements, while CMMC 2.0 acts as the enforcement mechanism the Department of Defense (DoD) created to ensure organizations follow and implement these controls.
How do DFARS and CMMC Level 2 overlap?
The DFARS clause in Department of Defense contracts will detail whether an organization needs to comply with CMMC Level 2 standards.
Can small businesses achieve a CMMC 2.0 Level 2 certification?
Small businesses can get CMMC Level 2 certification if they meet the required security controls and pass the assessment. Small businesses often outsource much of the work to consulting services to meet the standards.