Loading...
Comprehensive guide to all 110 CMMC Level 2 security requirements mapped from NIST SP 800-171. Covers all 14 control families — Access Control through System Integrity — with assessor expectations, common failures, and implementation guidance.
Cabrillo Club
Editorial Team · February 24, 2026 · 11 min read
CMMC Level 2 requirements are the compliance standard that most defense contractors must meet to continue handling Controlled Unclassified Information (CUI) on DoD contracts. Level 2 maps directly to all 110 security requirements in NIST SP 800-171 Rev 2, organized across 14 control families — from Access Control to System and Information Integrity.
This guide explains what each domain requires, what assessors actually look for, and how to implement controls efficiently using modern compliance tools.
CMMC 2.0 Level 2 is a one-to-one mapping to NIST SP 800-171 Rev 2. Every practice in Level 2 corresponds to a specific NIST requirement. The Cyber AB and NIST provide the authoritative control descriptions, but assessors evaluate your implementation — not just your policies.
The 110 requirements are organized into 14 families. Here's every domain, its requirement count, and what you need to know.
Access Control is the largest domain and often the most complex to implement. It governs who can access CUI, from where, and under what conditions.
Core requirements include:
What assessors look for: Evidence of role-based access control (RBAC) implementation, documented access authorization procedures, session timeout configurations, remote access policies with MFA, and CUI flow diagrams showing how data moves between systems. They'll verify that access reviews happen regularly — not just that a policy exists.
Implementation tip: Define your CUI boundary first. Every system inside the boundary needs full AC controls. Cabrillo Club's CUI-safe CRM enforces role-based access natively, reducing the number of custom AC implementations needed.
What assessors look for: Training records with dates, completion tracking, role-specific training for system administrators, and evidence that training covers CUI handling procedures — not just generic cybersecurity awareness.
Audit logging proves compliance and enables incident investigation. This domain requires comprehensive logging, protection of audit data, and regular review.
Core requirements include:
What assessors look for: Audit log configurations showing WHO did WHAT, WHEN, and WHERE. Logs must be retained for a defined period (typically 1+ year), protected from tampering, and actually reviewed — assessors may ask to see evidence of log review findings.
Common failure point: Many contractors enable logging but never review the logs. Automated SIEM tools address this, but assessors want to see evidence of human review or alert triage, not just tool deployment.
Configuration management ensures systems are consistently configured and changes are tracked.
What assessors look for: Hardware and software inventories, documented baseline configurations (CIS Benchmarks or DISA STIGs), change management procedures with approval records, and evidence that systems match their documented baselines.
IA controls verify that users and devices are who they claim to be before granting access.
Core requirements include:
What assessors look for: MFA deployed on all accounts with CUI access (not just admins), password policy enforcement in Active Directory or identity provider, unique account identification (no shared accounts), and certificate-based authentication where applicable.
Key requirement: MFA is non-negotiable for Level 2. Every user accessing CUI — whether locally or remotely — must use multifactor authentication. This is one of the most frequently cited deficiencies in NIST 800-171 self-assessments.
What assessors look for: A documented incident response plan (IRP) that specifically addresses CUI incidents, evidence of tabletop exercises or actual incident handling, designated incident response team members, and DFARS 7012 reporting procedures (72-hour notification to DIBNet).
System maintenance controls ensure that maintenance activities don't introduce security risks.
What assessors look for: Maintenance logs, procedures for remote maintenance sessions (with MFA), media sanitization before maintenance equipment leaves the facility, and escorting procedures for third-party maintenance personnel.
Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.
Check Your CMMC ReadinessMedia protection controls address how CUI is stored on and removed from physical and digital media.
What assessors look for: Media sanitization procedures (NIST 800-88 compliant), encryption of portable storage devices, physical controls for media containing CUI (locked cabinets, access logs), and backup encryption verification.
What assessors look for: Background check records, access revocation procedures for terminated employees (same-day revocation is best practice), and access modification procedures for role changes.
What assessors look for: Physical access controls (badge readers, visitor logs, locked server rooms), security camera coverage of CUI processing areas, and documented procedures for managing physical access credentials.
What assessors look for: Documented risk assessments (at least annual), vulnerability scanning results with remediation timelines, and a risk register that tracks open findings through closure.
What assessors look for: Your SSP is the single most important document. Assessors use it as their roadmap. It must accurately describe your CUI environment, control implementations, and system interconnections. POA&Ms must track open items with realistic milestones — assessors accept POA&Ms for non-critical items, but not for fundamental controls like encryption or MFA.
SC is the second-largest domain and covers how data is protected during transmission and at rest.
Core requirements include:
What assessors look for: FIPS 140-2/140-3 validated encryption for CUI at rest and in transit, network segmentation between CUI and non-CUI environments, VPN configurations for remote access, and documented cryptographic key management procedures. This is where many tools fail — commercial-grade encryption doesn't satisfy the FIPS requirement.
Critical point: FIPS-validated encryption is mandatory, not optional. Standard TLS or AES implementations that aren't FIPS-validated do not satisfy SC requirements. Verify your tools' FIPS certification status before relying on them.
For contractors evaluating compliant tools, our secure operations guide covers platforms that meet SC requirements natively.
What assessors look for: Patch management procedures with evidence of timely patching (30-day windows for critical vulnerabilities), endpoint protection deployment, intrusion detection/prevention systems, and evidence of security alert review and response.
Based on early CMMC assessments and years of NIST 800-171 evaluations, these are the most frequent failures:
Your System Security Plan is your primary assessment artifact. If it doesn't accurately reflect your environment, assessors will flag discrepancies. Keep it updated with every infrastructure change.
Logging must be enabled on every system within the CUI boundary. Assessors will pull sample logs and verify they contain required data elements (user ID, timestamp, action, success/failure).
You must document exactly which systems, networks, and data flows handle CUI. A vague statement like "our network handles CUI" is insufficient. Assessors expect network diagrams, data flow diagrams, and system inventories.
Partial MFA deployment fails. If any user can access CUI without MFA, the control is not met. This applies to service accounts, API connections, and automated processes — not just interactive logins.
Plans of Action and Milestones must have specific remediation dates and responsible parties. Open-ended POA&Ms ("we plan to address this") are not acceptable.
If you're starting your CMMC Level 2 journey, here's the sequence that works:
For cost planning, see our CMMC certification cost guide, and for a step-by-step certification walkthrough, see how to get CMMC certified.
Meeting all 110 controls across every tool in your CUI boundary is the core challenge. Each separate system — email, CRM, file storage, AI tools — must independently satisfy applicable controls, and each adds complexity to your SSP.
Cabrillo Club's approach consolidates CUI-handling workflows into a single compliant platform:
Instead of mapping 110 controls across 8–12 separate tools, you map them once for a unified platform. This approach aligns with DoD's intent: make compliance achievable for contractors of all sizes.
Learn more about our platform's compliance architecture in our CMMC compliance guide or explore winning federal contracts with compliant AI.
Level 1 requires 17 basic safeguarding practices from FAR 52.204-21 and allows self-assessment. Level 2 requires all 110 NIST SP 800-171 Rev 2 security requirements and typically mandates third-party assessment by an accredited C3PAO. Level 2 is required for contractors handling CUI, while Level 1 covers only Federal Contract Information (FCI).
CMMC Level 2 contains 110 security requirements mapped directly from NIST SP 800-171 Rev 2, organized across 14 control families: Access Control (22), Awareness & Training (3), Audit & Accountability (9), Configuration Management (9), Identification & Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System & Communications Protection (16), and System & Information Integrity (7).
POA&Ms are accepted for some non-critical controls, but assessors set strict conditions. You must demonstrate a specific remediation plan with milestones, responsible parties, and completion dates. Critical controls like encryption (FIPS-validated), MFA, and access control cannot be addressed through POA&Ms — they must be fully implemented at assessment time.
CMMC Level 2 certification is valid for three years. Between assessments, you must submit annual affirmations confirming continued compliance. If significant changes occur in your CUI environment (new systems, infrastructure changes), you may need to update your SSP and potentially undergo reassessment.
If you don't meet the certification threshold, the C3PAO will identify the specific controls that failed. You'll receive a detailed findings report and can remediate the issues before requesting reassessment. There's no penalty for failing beyond the cost of remediation and reassessment fees. However, you cannot bid on CMMC-requiring contracts until certified.
Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.
Check Your CMMC Readiness
Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.
Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.
Check Your CMMC Readiness
Your complete CMMC assessment readiness checklist — from SSP and POA&M preparation to evidence collection, mock assessments, C3PAO selection, and day-of management. Includes a 90-day preparation timeline and evidence requirements for all 14 NIST 800-171 control families.
Complete breakdown of CMMC certification costs for 2026 — from Level 1 self-assessment ($5K–$20K) to Level 2 C3PAO assessment ($50K–$200K+). Covers assessment fees, technology remediation, consulting, and ongoing compliance costs by organization size.
The definitive CMMC CRM compliance checklist — 25 requirements organized by NIST 800-171 control family. Includes CRM platform scorecard comparing Salesforce Gov, Microsoft Dynamics GovCloud, HubSpot, and Cabrillo Club across all control families.