PlainAudit

CMMC Level 2 Requirements: The 110 Controls Your DoD Contract Depends On

Most defense contractors learn the count first: CMMC Level 2 requires 110 security controls from NIST SP 800-171 Rev 2. What that count obscures is the distribution. Roughly 22 of those controls live in Access Control alone, another 16 in System and Communications Protection, and the gap-assessment data shows small manufacturers typically fail 40–70 of the 110 on first review. The checklist that matters is not the count — it is the per-domain density and which controls deduct 5 SPRS points instead of 1.

This guide walks the 110 controls by family, calls out the 5-point deduction items inside each, and points to where defense contractors most often fail when they self-assess. Use it as a structural map for your CMMC gap analysis, not a yes/no checklist.

Educational starting point

This guide is an educational reference, not legal, audit, or compliance advice. Self-assessment is not a substitute for a formal CMMC readiness assessment by a C3PAO or RPO. Your SPRS score must be calculated and submitted by your organization; this guide does not submit SPRS scores.

Before the Checklist: Confirm Level 2 Actually Applies

Level 2 applies to organizations that handle Controlled Unclassified Information (CUI). If your contracts are FCI-only, you need 17 controls under Level 1, not 110. Misclassifying CUI as FCI is the most expensive scoping error in CMMC — an entire 93 controls’ worth. If you have not made this determination yet, see our walkthrough on CUI vs FCI and which CMMC level applies before working through the 110.

The 110 controls are organized into 14 families, each with a two-letter abbreviation. Per 32 CFR Part 170 (the CMMC Final Rule), Level 2 maps directly to NIST 800-171 Rev 2 — not Rev 3. DoD has not authorized Rev 3 for CMMC scoring, SPRS reporting, or C3PAO assessments, so any checklist tooling you use must target Rev 2 exclusively.

The 14 Control Families: A CMMC Level 2 Requirements Checklist

AC — Access Control (~22 requirements)

The largest family and the one that produces the most assessment failures. Covers least privilege, session lock, remote access, multifactor authentication for privileged accounts, separation of duties, and CUI flow control.

  • 5-point deductions inside AC, per the DoD NIST SP 800-171 Assessment Methodology: AC.L2-3.1.1 (limit system access to authorized users and devices), AC.L2-3.1.2 (limit access to the transactions and functions users are authorized to execute), AC.L2-3.1.12 (monitor and control remote access sessions), AC.L2-3.1.13 (cryptographic mechanisms for remote access), AC.L2-3.1.16 (authorize wireless access before connection), AC.L2-3.1.17 (cryptographic protection for wireless), AC.L2-3.1.18 (control mobile device connection). AC.L2-3.1.14 (route remote access through managed access control points), AC.L2-3.1.20 (verify and control connections to external systems) and AC.L2-3.1.22 (control CUI on publicly accessible systems) are 1-point items, but 3.1.20 and 3.1.22 can never be placed on a POA&M under 32 CFR 170.21, so treat them as must-fix regardless of their weight.
  • Where teams fail: separation of duties on a small team, unmanaged remote-access paths through consumer-grade VPNs, and CUI ending up in shared cloud storage that was never inside the boundary.

AT — Awareness and Training (~3 requirements)

Security awareness for all users, role-based training for personnel with security responsibilities, and insider-threat indicator training. Small family but easy to fail on evidence: training records must show recent completion, not a one-time onboarding video from three years ago.

AU — Audit and Accountability (~9 requirements)

Logging, log review, log protection, audit reduction tooling, time synchronization, and protected audit records. Includes AU.L2-3.3.1 (create and retain audit logs sufficient to reconstruct events) and AU.L2-3.3.5 (correlate audit record review, analysis, and reporting across components), both 5-point items if missing. AU.L2-3.3.6 (audit reduction and report generation) is only a 1-point item, but without it the correlation evidence that 3.3.5 demands is hard to produce.

  • Where teams fail: logging is enabled but nobody reviews the logs. The Test assessment method will catch this when the assessor asks the IT lead to walk through how they detected the last anomalous event.

CM — Configuration Management (~9 requirements)

Baseline configurations, change control, security impact analysis for changes, least functionality, software allowlisting, and inventory of software (including unauthorized software detection). CM.L2-3.4.1 (establish and maintain baselines) and CM.L2-3.4.2 (enforce security configuration settings) are the foundation, and both are 5-point items; without them most other CM controls cannot be evidenced.

IA — Identification and Authentication (~11 requirements)

MFA, password complexity, replay-resistant authentication, identifier management, and authenticator management. IA.L2-3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts (local non-privileged logins are the one gap the text allows). It trips most teams because consumer apps and legacy systems often lack support. The methodology scores it at 5 points, reduced to 3 when MFA covers remote and privileged access but not the general user population, and applying compensating controls without documenting them in the SSP is a common evidence gap.

IR — Incident Response (~3 requirements)

IR plan, incident detection and reporting, and IR plan testing. Small family, but DFARS 252.204-7012 layers on a requirement that lives outside the 110: cyber incidents affecting CUI must be reported to DoD within 72 hours of discovery, and affected system images and logs preserved for at least 90 days. Do not let your IR plan stop at the CMMC text.

MA — Maintenance (~6 requirements)

Controlled maintenance, maintenance personnel authorization, equipment sanitization before off-site service, and remote maintenance approval and monitoring. Maintenance is where third-party access to CUI most often goes undocumented.

MP — Media Protection (~9 requirements)

Media access, marking (CUI labels), storage, transport, sanitization, and use of removable media on external systems. Covers physical media (USB, hard drives, paper printouts) as well as digital media. MP.L2-3.8.7 (control use of removable media) is a 5-point item and the source of many assessment-day surprises.

PE — Physical Protection (~6 requirements)

Facility access, visitor escort and monitoring, audit logs of physical access, and alternate work site protections. Remote-work policies need explicit treatment here: staff handling CUI from home offices fall under PE.L2-3.10.6 (alternate work sites), so the home office is part of the assessed control surface.

PS — Personnel Security (~2 requirements)

Screening individuals before granting access to systems containing CUI, and protecting CUI during and after personnel actions (termination, transfer). Small family, but the termination-revocation control (PS.L2-3.9.2) is a 5-point item if access is not removed promptly.

RA — Risk Assessment (~3 requirements)

Periodic risk assessments, vulnerability scanning, and remediation of vulnerabilities. RA.L2-3.11.2 (vulnerability scanning) is concrete and testable — assessors will ask for recent scan reports.

CA — Security Assessment (~4 requirements)

System security plan, security assessments, plan of action and milestones, and continuous monitoring. CA.L2-3.12.4 requires a current SSP, the single artifact assessors examine first. The methodology does not assign it a point value because an assessment cannot be conducted without one. No SSP, no Level 2.

SC — System and Communications Protection (~16 requirements)

Boundary protection, FIPS-validated cryptography, denial-of-service protection, network architecture, transmission confidentiality and integrity, mobile code, VoIP, and CUI at rest. SC.L2-3.13.11 (employ FIPS-validated cryptography to protect CUI) is one of the highest-impact 5-point items. Strong but non-FIPS-validated encryption does not meet the control; the methodology deducts 3 points in that case rather than 5, and it is the only control above 1 point that 32 CFR 170.21 allows on a POA&M at that reduced value.

  • Where teams fail: using TLS without verifying that the cryptographic module (the OpenSSL build, the OS crypto provider, the VPN appliance firmware) holds a FIPS 140-2 or 140-3 validation certificate, or storing CUI in cloud services that do not meet the DFARS 7012 requirement for FedRAMP Moderate or equivalent. Microsoft GCC High is the usual answer for CUI workloads and is required where export-controlled CUI is involved.

SI — System and Information Integrity (~7 requirements)

Flaw remediation, malicious code protection, system monitoring, and security alerts. SI.L2-3.14.1 (identify, report, and correct system flaws) is testable through patch management evidence — assessors check whether known vulnerabilities have been patched within the organization’s stated remediation window.

SPRS Point Values: Why Some Controls Cost More

Each unmet control deducts 1, 3, or 5 points from a starting score of 110, per the DoD assessment methodology. The point assignment reflects security impact:

  • 5 points: significant exploitation risk or direct CUI exfiltration risk. Examples: no encryption of CUI in transit or at rest (SC.L2-3.13.11), no boundary protection at the CUI enclave perimeter (SC.L2-3.13.1), no audit logging at all (AU.L2-3.3.1).
  • 3 points: specific, confined security impact. Examples: least privilege not enforced (AC.L2-3.1.5), no periodic risk assessment (RA.L2-3.11.1), no personnel screening before CUI access (PS.L2-3.9.1).
  • 1 point: limited or indirect impact. Examples: no insider-threat indicator training (AT.L2-3.2.3), no audit reduction tooling (AU.L2-3.3.6), no session lock (AC.L2-3.1.10).

The math matters because, under 32 CFR 170.21, a POA&M at certification is only allowed if your overall SPRS score is at least 88, and only for 1-point controls, with two carve-outs: SC.L2-3.13.11 may be POA&M'd when it scores 3 (encryption present but not FIPS-validated), and five 1-point controls may never be POA&M'd at all (AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5). Any other missing 5-point or 3-point control must be remediated before certification. For the full point-value mechanics, see how SPRS scoring works.

The 88-Point Threshold

A score below 88 means no conditional certification; full remediation is required before reassessment. At 88 or above, only POA&M-eligible controls can carry forward, and all POA&M items must close within 180 days or the conditional certification status expires. Build your remediation sequence around the 5-point items first, then the controls that cannot be POA&M'd, then everything else.
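The scoring and POA&M rules above are mechanical enough to automate, and doing so makes the remediation sequence fall out of the data. The following is an added example, not PlainAudit's assessment tool or any DoD-published code. The point weights in WEIGHTS are a partial transcription from the DoD NIST SP 800-171 Assessment Methodology and should be checked against its Annex A before being relied on; every control not listed there is assumed to be a 1-point item purely for illustration. The control identifiers are generated from the Rev 2 family counts given in this guide, and the sample assessment is constructed for the example.

```python
"""
Estimate an SPRS score for a NIST SP 800-171 Rev 2 self-assessment and split
the gaps into "must remediate before certification" vs "may go on a POA&M".
Added illustration, not PlainAudit's tooling. WEIGHTS is a partial transcription
of the DoD Assessment Methodology (verify against Annex A); controls absent from
it default to 1 point, which is an assumption for illustration only.
"""
from typing import Dict, Iterator, List, Tuple

MAX_SCORE = 110
POAM_THRESHOLD = 88  # 0.8 * 110, per 32 CFR 170.21(a)(2)(i)

# Rev 2 family -> (identifier prefix, number of requirements); yields the 110 ids.
FAMILIES = {
    "AC": ("3.1", 22), "AT": ("3.2", 3), "AU": ("3.3", 9), "CM": ("3.4", 9),
    "IA": ("3.5", 11), "IR": ("3.6", 3), "MA": ("3.7", 6), "MP": ("3.8", 9),
    "PS": ("3.9", 2), "PE": ("3.10", 6), "RA": ("3.11", 3), "CA": ("3.12", 4),
    "SC": ("3.13", 16), "SI": ("3.14", 7),
}
# Partial weight table: control -> full deduction when not implemented (verify!).
WEIGHTS = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.5": 3, "AC.L2-3.1.12": 5,
    "AC.L2-3.1.13": 5, "AC.L2-3.1.16": 5, "AC.L2-3.1.17": 5, "AC.L2-3.1.18": 5,
    "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1, "AT.L2-3.2.3": 1, "AU.L2-3.3.1": 5,
    "AU.L2-3.3.5": 5, "AU.L2-3.3.6": 1, "CM.L2-3.4.1": 5, "CM.L2-3.4.2": 5,
    "IA.L2-3.5.3": 5, "MP.L2-3.8.7": 5, "PS.L2-3.9.2": 5, "RA.L2-3.11.1": 3,
    "RA.L2-3.11.2": 5, "SC.L2-3.13.1": 5, "SC.L2-3.13.11": 5, "SI.L2-3.14.1": 5,
    "PE.L2-3.10.3": 1, "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1,
}
# The only two controls the methodology scores with partial credit.
PARTIAL_CREDIT = {"IA.L2-3.5.3": 3, "SC.L2-3.13.11": 3}
# 1-point controls that may never be placed on a POA&M (32 CFR 170.21(a)(2)(iii)).
NEVER_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3",
              "PE.L2-3.10.4", "PE.L2-3.10.5"}
SSP_CONTROL = "CA.L2-3.12.4"  # no SSP -> no scoreable assessment
STATUSES = ("implemented", "partial", "not_implemented", "na")


def all_controls() -> Iterator[str]:
    """Enumerate the 110 Level 2 control identifiers in CMMC notation."""
    for family, (prefix, count) in FAMILIES.items():
        for n in range(1, count + 1):
            yield f"{family}.L2-{prefix}.{n}"


def deduction(control: str, status: str) -> int:
    """Points lost for one control; 'na' must be justified in the SSP to count as 0."""
    if status not in STATUSES:
        raise ValueError(f"{control}: unknown status {status!r}")
    if status in ("implemented", "na"):
        return 0
    if status == "partial" and control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[control]
    return WEIGHTS.get(control, 1)  # every other partial counts as not implemented


def sprs_score(assessment: Dict[str, str]) -> int:
    """110 minus all deductions; refuses to score without an SSP, as an assessor would."""
    missing = set(all_controls()) - set(assessment)
    if missing:
        raise ValueError(f"{len(missing)} controls have no recorded status")
    if assessment[SSP_CONTROL] != "implemented":
        raise ValueError("CA.L2-3.12.4: no current SSP, assessment cannot be scored")
    return MAX_SCORE - sum(deduction(c, s) for c, s in assessment.items())


def poam_allowed(control: str, status: str) -> bool:
    """May this deficient control sit on a POA&M at certification (32 CFR 170.21)?"""
    points = deduction(control, status)
    if control in NEVER_POAM:
        return False
    if control == "SC.L2-3.13.11" and points == 3:
        return True  # the single above-1-point exception in the rule
    return points == 1


def remediation_plan(assessment: Dict[str, str]) -> dict:
    """Score the assessment and split gaps by whether they block conditional status."""
    score = sprs_score(assessment)
    gaps: List[Tuple[str, str, int]] = [
        (c, s, deduction(c, s)) for c, s in assessment.items() if deduction(c, s)]
    must_fix = sorted((g for g in gaps if not poam_allowed(g[0], g[1])),
                      key=lambda g: (-g[2], g[0]))
    poam = sorted((g for g in gaps if poam_allowed(g[0], g[1])),
                  key=lambda g: (-g[2], g[0]))
    if not gaps:
        outcome = "final"
    elif score >= POAM_THRESHOLD and not must_fix:
        outcome = "conditional"
    else:
        outcome = "not_eligible"
    return {"score": score, "outcome": outcome,
            "must_remediate": [(c, d) for c, _, d in must_fix],
            "poam_candidates": [(c, d) for c, _, d in poam]}


# Constructed sample: a small shop with everything implemented except these gaps.
SAMPLE = {c: "implemented" for c in all_controls()}
SAMPLE.update({
    "SC.L2-3.13.11": "partial",         # AES in use, but the module is not FIPS-validated
    "IA.L2-3.5.3": "partial",           # MFA on VPN and admin accounts only
    "AC.L2-3.1.20": "not_implemented",  # external connections never inventoried
    "AU.L2-3.3.6": "not_implemented",   # no audit reduction / reporting
    "AT.L2-3.2.3": "not_implemented",   # no insider-threat training
    "AC.L2-3.1.16": "na",               # no wireless in the CUI enclave, documented in SSP
})

if __name__ == "__main__":
    plan = remediation_plan(SAMPLE)
    print(f"estimated SPRS score: {plan['score']}  outcome: {plan['outcome']}")
    print("must remediate first:", plan["must_remediate"])
    print("POA&M candidates:    ", plan["poam_candidates"])
```

On the constructed sample the score comes out at 101, comfortably above 88, yet the shop is still not eligible for conditional certification: the partial MFA rollout costs 3 points and has no POA&M exception, and 3.1.20 is a 1-point control the rule bars from a POA&M. Both must close before the assessment, while the non-FIPS encryption, the missing training and the missing audit tooling can ride the 180-day POA&M. That ordering is the output a gap analysis should produce, and it is not visible from the headline score alone.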

Common Self-Assessment Errors on the 110

Self-assessors consistently overrate compliance. The pattern across professional gap assessments: organizations self-score in the 100s, then a consultant finds 40–70 deficiencies. The errors cluster in three places:

  1. Policy counted as control implementation. A written incident response plan is not the same as a tested IR plan. Assessors use three methods — Examine, Interview, and Test — and Test catches policy-only compliance. Each control should be evaluated against all three methods.
  2. Tools counted without configuration. Buying a SIEM does not satisfy AU controls; configuring it to correlate events and alert on relevant patterns does. The assessor will check actual log content, not the vendor brochure.
  3. Drift since the last review. Controls that were implemented 18 months ago may have decayed. Patching cadence slipped, MFA exceptions accumulated, the CUI boundary changed. Periodic re-assessment is the only defense.

Where to Go After the Checklist

The 110 controls are the framework, not the work. Working through them produces an SSP, a POA&M, an evidence package, and a target SPRS score. The sequence that produces a passing assessment looks like:

  1. Confirm CUI vs FCI scope and define the CUI boundary.
  2. Walk the 110 controls family by family and record implementation status (Implemented, Partially Implemented, Not Implemented, N/A).
  3. For each Implemented claim, identify the supporting evidence artifact — if no artifact exists, the control is not implemented in practice.
  4. Calculate the estimated SPRS score and prioritize gaps by point value.
  5. Build a 12–18 month remediation roadmap before engaging a C3PAO.

Our CMMC readiness assessment walks through this domain by domain with evidence-focused questions. The output is a per-family gap report and an estimated SPRS score — the same artifact a paid gap assessment produces, at no cost.
