CMMC Level 2 Requirements: All 110 Security Controls Explained
Comprehensive guide to all 110 CMMC Level 2 security requirements mapped from NIST SP 800-171. Covers all 14 control families — Access Control through System Integrity — with assessor expectations, common failures, and implementation guidance.
Cabrillo Club
Editorial Team · February 24, 2026 · 11 min read

Key Takeaways
- CMMC Level 2 requires implementation of all 110 NIST SP 800-171 security requirements — no partial credit, no exceptions for small businesses
- The 14 control families span technical controls (encryption, access management, audit logging) and administrative controls (policies, training, incident response)
- Access Control (AC) and System & Communications Protection (SC) are the two largest domains with 22 and 16 requirements respectively
- Most assessment failures occur in three areas: incomplete System Security Plans, missing audit log configurations, and inadequate CUI boundary documentation
- Using a consolidated compliant platform to handle CUI reduces the number of individual systems that must satisfy all 110 controls
For CRM-specific compliance guidance, see our zero-trust CRM architecture.
CMMC Level 2 requirements are the compliance standard that most defense contractors must meet to continue handling Controlled Unclassified Information (CUI) on DoD contracts. Level 2 maps directly to all 110 security requirements in NIST SP 800-171 Rev 2, organized across 14 control families — from Access Control to System and Information Integrity.
This guide explains what each domain requires, what assessors actually look for, and how to implement controls efficiently using modern compliance tools.
How CMMC Level 2 Maps to NIST 800-171
CMMC 2.0 Level 2 is a one-to-one mapping to NIST SP 800-171 Rev 2. Every practice in Level 2 corresponds to a specific NIST requirement. The Cyber AB and NIST provide the authoritative control descriptions, but assessors evaluate your implementation — not just your policies.
The 110 requirements are organized into 14 families. Here's every domain, its requirement count, and what you need to know.
Access Control (AC) — 22 Requirements
Access Control is the largest domain and often the most complex to implement. It governs who can access CUI, from where, and under what conditions.
Core requirements include:
- AC.L2-3.1.1: Limit system access to authorized users, processes, and devices
- AC.L2-3.1.2: Limit access to the types of transactions and functions authorized users are permitted to execute
- AC.L2-3.1.3: Control the flow of CUI in accordance with approved authorizations
- AC.L2-3.1.5: Employ the principle of least privilege
- AC.L2-3.1.7: Prevent non-privileged users from executing privileged functions
- AC.L2-3.1.12: Monitor and control remote access sessions
- AC.L2-3.1.14: Route remote access via managed access control points
- AC.L2-3.1.18: Control connection of mobile devices
- AC.L2-3.1.22: Control CUI posted or processed on publicly accessible systems
What assessors look for: Evidence of role-based access control (RBAC) implementation, documented access authorization procedures, session timeout configurations, remote access policies with MFA, and CUI flow diagrams showing how data moves between systems. They'll verify that access reviews happen regularly — not just that a policy exists.
Implementation tip: Define your CUI boundary first. Every system inside the boundary needs full AC controls. Cabrillo Club's CUI-safe CRM enforces role-based access natively, reducing the number of custom AC implementations needed.
Awareness and Training (AT) — 3 Requirements
- AT.L2-3.2.1: Ensure personnel are aware of security risks associated with their activities
- AT.L2-3.2.2: Ensure personnel are trained to carry out their information security responsibilities
- AT.L2-3.2.3: Provide security awareness training on recognizing and reporting potential indicators of insider threat
What assessors look for: Training records with dates, completion tracking, role-specific training for system administrators, and evidence that training covers CUI handling procedures — not just generic cybersecurity awareness.
Audit and Accountability (AU) — 9 Requirements
Audit logging proves compliance and enables incident investigation. This domain requires comprehensive logging, protection of audit data, and regular review.
Core requirements include:
- AU.L2-3.3.1: Create and retain system audit logs and records
- AU.L2-3.3.2: Ensure actions of individual system users can be uniquely traced
- AU.L2-3.3.5: Correlate audit review, analysis, and reporting processes
- AU.L2-3.3.8: Protect audit information and audit logging tools from unauthorized access
- AU.L2-3.3.9: Limit management of audit logging functionality to a subset of privileged users
What assessors look for: Audit log configurations showing WHO did WHAT, WHEN, and WHERE. Logs must be retained for a defined period (typically 1+ year), protected from tampering, and actually reviewed — assessors may ask to see evidence of log review findings.
Common failure point: Many contractors enable logging but never review the logs. Automated SIEM tools address this, but assessors want to see evidence of human review or alert triage, not just tool deployment.
Configuration Management (CM) — 9 Requirements
Configuration management ensures systems are consistently configured and changes are tracked.
- CM.L2-3.4.1: Establish and maintain baseline configurations and inventories
- CM.L2-3.4.2: Establish and enforce security configuration settings
- CM.L2-3.4.5: Define, document, approve, and enforce physical and logical access restrictions associated with changes
- CM.L2-3.4.6: Employ the principle of least functionality (disable unnecessary services)
- CM.L2-3.4.8: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software
What assessors look for: Hardware and software inventories, documented baseline configurations (CIS Benchmarks or DISA STIGs), change management procedures with approval records, and evidence that systems match their documented baselines.
Identification and Authentication (IA) — 11 Requirements
IA controls verify that users and devices are who they claim to be before granting access.
Core requirements include:
- IA.L2-3.5.1: Identify system users, processes, and devices
- IA.L2-3.5.2: Authenticate the identity of users, processes, and devices
- IA.L2-3.5.3: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
- IA.L2-3.5.7: Enforce a minimum password complexity
- IA.L2-3.5.10: Store and transmit only cryptographically-protected passwords
What assessors look for: MFA deployed on all accounts with CUI access (not just admins), password policy enforcement in Active Directory or identity provider, unique account identification (no shared accounts), and certificate-based authentication where applicable.
Key requirement: MFA is non-negotiable for Level 2. Every user accessing CUI — whether locally or remotely — must use multifactor authentication. This is one of the most frequently cited deficiencies in NIST 800-171 self-assessments.
Incident Response (IR) — 3 Requirements
- IR.L2-3.6.1: Establish an operational incident-handling capability
- IR.L2-3.6.2: Track, document, and report incidents to designated officials and/or authorities
- IR.L2-3.6.3: Test the organizational incident response capability
What assessors look for: A documented incident response plan (IRP) that specifically addresses CUI incidents, evidence of tabletop exercises or actual incident handling, designated incident response team members, and DFARS 7012 reporting procedures (72-hour notification to DIBNet).
Maintenance (MA) — 6 Requirements
System maintenance controls ensure that maintenance activities don't introduce security risks.
- MA.L2-3.7.1: Perform maintenance on organizational systems
- MA.L2-3.7.2: Provide controls on tools, techniques, and personnel for system maintenance
- MA.L2-3.7.5: Require multifactor authentication to establish nonlocal maintenance sessions and terminate such sessions when complete
- MA.L2-3.7.6: Supervise maintenance activities of personnel without required access authorization
What assessors look for: Maintenance logs, procedures for remote maintenance sessions (with MFA), media sanitization before maintenance equipment leaves the facility, and escorting procedures for third-party maintenance personnel.
Media Protection (MP) — 9 Requirements
Media protection controls address how CUI is stored on and removed from physical and digital media.
- MP.L2-3.8.1: Protect (i.e., physically control and securely store) system media containing CUI
- MP.L2-3.8.3: Sanitize or destroy system media containing CUI before disposal or release
- MP.L2-3.8.5: Control access to media containing CUI and maintain accountability during transport
- MP.L2-3.8.9: Protect the confidentiality of backup CUI at storage locations
What assessors look for: Media sanitization procedures (NIST 800-88 compliant), encryption of portable storage devices, physical controls for media containing CUI (locked cabinets, access logs), and backup encryption verification.
Personnel Security (PS) — 2 Requirements
- PS.L2-3.9.1: Screen individuals prior to authorizing access to CUI systems
- PS.L2-3.9.2: Ensure CUI systems are protected during and after personnel actions (terminations, transfers)
What assessors look for: Background check records, access revocation procedures for terminated employees (same-day revocation is best practice), and access modification procedures for role changes.
Physical Protection (PE) — 6 Requirements
- PE.L2-3.10.1: Limit physical access to organizational systems, equipment, and operating environments
- PE.L2-3.10.3: Escort visitors and monitor visitor activity
- PE.L2-3.10.4: Maintain audit logs of physical access
- PE.L2-3.10.5: Control and manage physical access devices (keys, badges)
What assessors look for: Physical access controls (badge readers, visitor logs, locked server rooms), security camera coverage of CUI processing areas, and documented procedures for managing physical access credentials.
Risk Assessment (RA) — 3 Requirements
- RA.L2-3.11.1: Periodically assess the risk to organizational operations, assets, and individuals
- RA.L2-3.11.2: Scan for vulnerabilities in organizational systems periodically and when new vulnerabilities are identified
- RA.L2-3.11.3: Remediate vulnerabilities in accordance with risk assessments
What assessors look for: Documented risk assessments (at least annual), vulnerability scanning results with remediation timelines, and a risk register that tracks open findings through closure.
Security Assessment (CA) — 4 Requirements
- CA.L2-3.12.1: Periodically assess security controls to determine if they are effective
- CA.L2-3.12.2: Develop and implement plans of action (POA&Ms) to correct deficiencies
- CA.L2-3.12.3: Monitor security controls on an ongoing basis
- CA.L2-3.12.4: Develop, document, and periodically update system security plans (SSPs)
What assessors look for: Your SSP is the single most important document. Assessors use it as their roadmap. It must accurately describe your CUI environment, control implementations, and system interconnections. POA&Ms must track open items with realistic milestones — assessors accept POA&Ms for non-critical items, but not for fundamental controls like encryption or MFA.
System and Communications Protection (SC) — 16 Requirements
SC is the second-largest domain and covers how data is protected during transmission and at rest.
Core requirements include:
- SC.L2-3.13.1: Monitor, control, and protect communications at external and key internal boundaries
- SC.L2-3.13.4: Prevent unauthorized and unintended information transfer via shared system resources
- SC.L2-3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
- SC.L2-3.13.10: Establish and manage cryptographic keys for cryptography employed in organizational systems
- SC.L2-3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
- SC.L2-3.13.16: Protect the confidentiality of CUI at rest
What assessors look for: FIPS 140-2/140-3 validated encryption for CUI at rest and in transit, network segmentation between CUI and non-CUI environments, VPN configurations for remote access, and documented cryptographic key management procedures. This is where many tools fail — commercial-grade encryption doesn't satisfy the FIPS requirement.
Critical point: FIPS-validated encryption is mandatory, not optional. Standard TLS or AES implementations that aren't FIPS-validated do not satisfy SC requirements. Verify your tools' FIPS certification status before relying on them.
For contractors evaluating compliant tools, our secure operations guide covers platforms that meet SC requirements natively.
System and Information Integrity (SI) — 7 Requirements
- SI.L2-3.14.1: Identify, report, and correct system flaws in a timely manner
- SI.L2-3.14.2: Provide protection from malicious code at designated locations
- SI.L2-3.14.3: Monitor system security alerts and advisories and take action in response
- SI.L2-3.14.6: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
- SI.L2-3.14.7: Identify unauthorized use of organizational systems
What assessors look for: Patch management procedures with evidence of timely patching (30-day windows for critical vulnerabilities), endpoint protection deployment, intrusion detection/prevention systems, and evidence of security alert review and response.
Common Assessment Failures and How to Avoid Them
Based on early CMMC assessments and years of NIST 800-171 evaluations, these are the most frequent failures:
1. Incomplete or Inaccurate SSP
Your System Security Plan is your primary assessment artifact. If it doesn't accurately reflect your environment, assessors will flag discrepancies. Keep it updated with every infrastructure change.
2. Missing or Incomplete Audit Logs
Logging must be enabled on every system within the CUI boundary. Assessors will pull sample logs and verify they contain required data elements (user ID, timestamp, action, success/failure).
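The data-element check above is easy to automate before an assessor samples your logs. The following is an added example written for this article, not the article's own code or any vendor's tooling: it reads constructed JSON-lines audit records, flags any that lack the who/what/when/where/outcome elements assessors sample for AU.L2-3.3.1 and 3.3.2, flags shared accounts that defeat unique traceability, and checks whether retained records reach back the defined retention period. The field-name aliases and shared-account names are assumptions about the log source.

```python
"""Audit-record completeness check (constructed example, not the article's or any
vendor's code). Checks each JSON-lines record for the AU data elements an assessor
samples, flags shared accounts, and compares the oldest record with retention."""
import json
from datetime import datetime, timedelta, timezone

# Accepted field names per required element (an assumption about the log schema).
REQUIRED_ELEMENTS = {
    "user": ("user", "user_id", "subject"),
    "timestamp": ("timestamp", "ts", "@timestamp"),
    "action": ("action", "event"),
    "source": ("host", "source", "src_ip"),
    "outcome": ("outcome", "result", "status"),
}
SHARED_ACCOUNTS = {"admin", "administrator", "root", "shared"}  # assumed generic logins
# Assessment date for the sample run (the article's publication date).
ASSESSMENT_DATE = datetime(2026, 2, 24, tzinfo=timezone.utc)
# Constructed sample: complete, shared account, no outcome, no user, corrupt line.
SAMPLE_LOG = """\
{"timestamp": "2025-01-10T08:02:11Z", "user": "jdoe", "action": "file.read", "host": "cui-fs01", "outcome": "success"}
{"timestamp": "2025-06-02T14:20:05Z", "user": "admin", "action": "user.create", "host": "dc01", "outcome": "success"}
{"timestamp": "2026-02-20T17:45:33Z", "user": "msmith", "action": "login", "host": "vpn-gw"}
{"ts": "2026-02-21T09:01:00Z", "action": "file.delete", "host": "cui-fs01", "outcome": "failure"}
not json at all
"""


def first_value(record, names):
    # Return the first non-empty value among the accepted field names, else None.
    for name in names:
        if record.get(name) not in (None, ""):
            return record[name]
    return None


def missing_elements(record):
    """List the required AU elements absent or empty in one parsed record."""
    return [e for e, n in REQUIRED_ELEMENTS.items() if first_value(record, n) is None]


def review_audit_log(lines, retention_days=365, now=None):
    """Check sampled records and retention; findings are (line, issue) pairs."""
    now = now or datetime.now(timezone.utc)
    findings, oldest = [], None
    for lineno, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except ValueError:
            record = None
        if not isinstance(record, dict):
            findings.append((lineno, "unparseable record"))
            continue
        gaps = missing_elements(record)
        if gaps:
            findings.append((lineno, "missing " + ", ".join(gaps)))
        user = first_value(record, REQUIRED_ELEMENTS["user"])
        if user in SHARED_ACCOUNTS:
            findings.append((lineno, f"shared account '{user}' not uniquely traceable"))
        stamp = first_value(record, REQUIRED_ELEMENTS["timestamp"])
        if stamp:  # ISO 8601 assumed; "Z" is normalised for older Python versions
            seen = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
            oldest = seen if oldest is None or seen < oldest else oldest
    # Retention holds once records reach back the full period (meaningful only after the system has been live that long).
    covered = oldest is not None and now - oldest >= timedelta(days=retention_days)
    return {"findings": findings, "oldest_record": oldest, "retention_ok": covered}
```

Run it against an export from each system in the CUI boundary; every finding is a record an assessor could pull and fail on.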
3. No Evidence of CUI Boundary Definition
You must document exactly which systems, networks, and data flows handle CUI. A vague statement like "our network handles CUI" is insufficient. Assessors expect network diagrams, data flow diagrams, and system inventories.
4. MFA Not Fully Deployed
Partial MFA deployment fails. If any user can access CUI without MFA, the control is not met. This applies to service accounts, API connections, and automated processes — not just interactive logins.
5. POA&Ms Without Milestones
Plans of Action and Milestones must have specific remediation dates and responsible parties. Open-ended POA&Ms ("we plan to address this") are not acceptable.
Building Your CMMC Level 2 Compliance Roadmap
If you're starting your CMMC Level 2 journey, here's the sequence that works:
1. Define your CUI boundary — Identify every system, application, and data flow that touches CUI. Minimize this boundary aggressively.
2. Complete a gap assessment — Map your current state against all 110 requirements. Score each as Implemented, Partially Implemented, or Not Implemented.
3. Develop your SSP — Document your environment, control implementations, and interconnections. This is a living document.
4. Build your POA&M — For any gaps, create specific remediation plans with timelines and owners.
5. Implement controls — Start with the highest-risk gaps (encryption, MFA, access control) and work through systematically.
6. Conduct internal assessment — Use the NIST 800-171A assessment guide to verify your implementations.
7. Schedule C3PAO assessment — Select an accredited C3PAO from the Cyber AB Marketplace.
For cost planning, see our CMMC certification cost guide, and for a step-by-step certification walkthrough, see how to get CMMC certified.
How Cabrillo Club Simplifies Level 2 Compliance
Meeting all 110 controls across every tool in your CUI boundary is the core challenge. Each separate system — email, CRM, file storage, AI tools — must independently satisfy applicable controls, and each adds complexity to your SSP.
Cabrillo Club's approach consolidates CUI-handling workflows into a single compliant platform:
- Private AI infrastructure runs on-premises or in your sovereign cloud — no CUI leaves your boundary
- Built-in audit logging satisfies AU requirements across all platform functions
- FIPS-validated encryption at rest and in transit meets SC requirements
- Role-based access control with MFA satisfies AC and IA requirements natively
- CUI data flow documentation simplifies your SSP and CUI boundary definition
Instead of mapping 110 controls across 8–12 separate tools, you map them once for a unified platform. This approach aligns with DoD's intent: make compliance achievable for contractors of all sizes.
Learn more about our platform's compliance architecture in our CMMC compliance guide or explore winning federal contracts with compliant AI.
Frequently Asked Questions
What is the difference between CMMC Level 1 and Level 2?
Level 1 requires 17 basic safeguarding practices from FAR 52.204-21 and allows self-assessment. Level 2 requires all 110 NIST SP 800-171 Rev 2 security requirements and typically mandates third-party assessment by an accredited C3PAO. Level 2 is required for contractors handling CUI, while Level 1 covers only Federal Contract Information (FCI).
How many controls are in CMMC Level 2?
CMMC Level 2 contains 110 security requirements mapped directly from NIST SP 800-171 Rev 2, organized across 14 control families: Access Control (22), Awareness & Training (3), Audit & Accountability (9), Configuration Management (9), Identification & Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System & Communications Protection (16), and System & Information Integrity (7).
Can I use a POA&M to pass a CMMC Level 2 assessment?
POA&Ms are accepted for some non-critical controls, but assessors set strict conditions. You must demonstrate a specific remediation plan with milestones, responsible parties, and completion dates. Critical controls like encryption (FIPS-validated), MFA, and access control cannot be addressed through POA&Ms — they must be fully implemented at assessment time.
How often do I need to recertify for CMMC Level 2?
CMMC Level 2 certification is valid for three years. Between assessments, you must submit annual affirmations confirming continued compliance. If significant changes occur in your CUI environment (new systems, infrastructure changes), you may need to update your SSP and potentially undergo reassessment.
What happens if I fail a CMMC Level 2 assessment?
If you don't meet the certification threshold, the C3PAO will identify the specific controls that failed. You'll receive a detailed findings report and can remediate the issues before requesting reassessment. There's no penalty for failing beyond the cost of remediation and reassessment fees. However, you cannot bid on CMMC-requiring contracts until certified.
Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.