CMMC Level 2 Requirements Explained: All 14 Control Domains in Plain English
A practical walkthrough of every NIST 800-171 control domain — what each one means, what the assessor checks, and where small contractors typically fall short.
What CMMC Level 2 Actually Requires
CMMC Level 2 maps directly to NIST SP 800-171 Revision 2 — 110 security requirements organized into 14 control families. The certification verifies that your organization has implemented these controls to protect Controlled Unclassified Information (CUI) in your systems.
The key distinction most contractors miss: CMMC is not the same as NIST 800-171. NIST 800-171 defines the security requirements. CMMC adds a certification layer — third-party verification by a C3PAO (Certified Third-Party Assessment Organization), documented evidence, and structured assessment. Having implemented the controls is necessary but not sufficient. You also need to prove it.
The current enforceable standard is NIST 800-171 Revision 2 (published February 2020, updated January 2021). Revision 3 exists but is not yet authorized for CMMC scoring, SPRS reporting, or C3PAO assessments per DoD class deviation. Do not mix Rev 2 and Rev 3 requirements — doing so will produce inaccurate SPRS scores.
Access Control (AC) — 22 Controls, Up to 78 SPRS Points
Access Control is the largest domain and produces the most assessment gaps. It covers who can access your systems, how they authenticate, and what they can do once inside.
What the assessor checks: Least privilege enforcement (users only have access they need), session management (automatic lockouts), remote access controls (VPN with MFA), wireless access restrictions, mobile device policies, and CUI flow control (preventing unauthorized data movement between systems).
Where small contractors fail: The most common gap is incomplete MFA deployment. You have MFA for remote access but not for local privileged access. Or you have MFA for admins but not for all users who access CUI. The assessor checks every access path — not just the obvious ones.
Practical example: A 40-person manufacturer has MFA on their VPN but uses shared local admin accounts on shop floor computers that access technical drawings (CUI). The assessor tests local login and finds no MFA, no individual accountability. Three controls fail.
Awareness and Training (AT) — 3 Controls
This small domain covers whether your employees understand security responsibilities and receive role-specific training.
What the assessor checks: General security awareness training for all users, specialized training for roles with security responsibilities (IT admins, managers), and training records that prove completion.
Where small contractors fail: Training exists as a PowerPoint from 2022 that new hires watch on their first day. No annual refresher, no role-specific content, no quiz or acknowledgment record. The assessor asks an employee what to do if they suspect a security incident — they shrug.
What passes: Annual security awareness training with a signed acknowledgment, role-specific training for IT staff covering their responsibilities for CUI protection, and records showing who completed what and when.
Audit and Accountability (AU) — 9 Controls
Audit and Accountability requires that your systems generate logs of security-relevant events and that someone actually reviews them.
What the assessor checks: Audit event logging on all CUI systems, log content (what events are captured, with enough detail to reconstruct what happened), log protection (logs can’t be modified or deleted by users), log review process, time synchronization across systems, and correlation capability.
Where small contractors fail: Two common patterns. First: logging is enabled but nobody reviews the logs. Having audit logs that sit unread for months is a control failure — the requirement is not just to capture events but to review and act on them. Second: logs exist on individual machines but there is no centralized collection or correlation. The assessor asks to see how you would detect a compromised account across multiple systems.
Practical tip: If you don’t have a SIEM, you need a documented manual process: who reviews logs, how often, what they look for, and what they do when they find something.
Configuration Management (CM) — 9 Controls
Configuration Management covers maintaining documented system baselines, controlling changes, and restricting unnecessary software and services.
What the assessor checks: Documented baseline configurations for all CUI systems, change control process (who approves changes, how changes are tracked), least functionality (unnecessary services disabled, ports closed), software restriction policies, and physical/logical access restrictions on system configurations.
Where small contractors fail: The baseline document. Most small contractors do not have a written record of how each system is configured. When the assessor asks “show me your documented baseline for this server,” there’s nothing to show. Changes happen ad hoc — the IT admin updates a server, doesn’t document it, and the baseline (if it existed) is immediately stale.
The Remaining Domains
Identification and Authentication (IA, 11 controls): MFA for all access to CUI systems, password complexity and rotation policies, authenticator management (how passwords and keys are stored), and device identification. The MFA requirement is the single most impactful control for most small contractors.
Incident Response (IR, 3 controls): A documented, tested incident response plan that includes the 72-hour DoD reporting requirement (DFARS 252.204-7012). “Tested” means tabletop exercises or simulations with documented results — not just a plan document that sits on a shelf.
Maintenance (MA, 6 controls): Controlled maintenance procedures, remote maintenance session logging, and equipment sanitization before leaving the facility. Remote maintenance is the sticking point for most — every remote support session must be logged and monitored.
Media Protection (MP, 9 controls): Controlling access to media containing CUI (USB drives, hard drives, paper), marking CUI media, secure storage, controlled transport, and sanitization before disposal. The marking requirement catches many contractors — CUI on a USB drive must be labeled as such.
Personnel Security (PS, 2 controls): Screen individuals before granting CUI access and revoke access promptly on termination or transfer. Small domain but universally applicable.
Physical Protection (PE, 6 controls): Facility access controls, visitor management, monitoring physical access, and alternate work site security. If employees work from home with CUI, home office security is in scope.
Risk Assessment (RA, 3 controls): Periodic risk assessments of CUI systems and vulnerability scanning. Many small contractors have never conducted a formal risk assessment — this is a documentation-intensive control that requires structured methodology.
Security Assessment (CA, 4 controls): Periodic assessment of security controls, monitoring system connections, and maintaining a security plan. The SSP (System Security Plan) is the centerpiece of this domain.
System and Communications Protection (SC, 16 controls): Boundary protection (firewalls), FIPS-validated encryption for CUI in transit and at rest, session authenticity, and network segmentation. The FIPS encryption requirement specifically means FIPS 140-2 or 140-3 validated cryptographic modules — not just “we use AES-256.”
System and Information Integrity (SI, 7 controls): Flaw remediation (patching), malicious code protection (antivirus/EDR), system monitoring, and security alerting. Patching within a reasonable timeframe is the minimum — the assessor checks actual patch status on live systems.
How SPRS Scoring Works
Your SPRS (Supplier Performance Risk System) score starts at 110 — perfect compliance. Each unimplemented control deducts 1, 3, or 5 points based on security impact:
- 5-point controls: Significant exploitation risk or potential CUI exfiltration. These must be fully remediated before certification. No POA&Ms allowed.
- 3-point controls: Specific, confined security impact. Must also be fully remediated before certification.
- 1-point controls: Limited or indirect impact. Can be addressed via POA&M if your overall score is 88 or above.
The minimum score for conditional certification (with POA&Ms) is 88. All POA&M items must be closed within 180 days. There is no partial credit on any individual control — each one is either fully implemented or fully deducted.
The complete score range is -203 (nothing implemented) to +110 (fully compliant). All DoD contractors handling CUI must submit their SPRS score to the DISA SPRS portal.
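To make the scoring rules above concrete, here is an added Python model (not from this page or from any official DoD tool) that computes the score, applies the POA&M eligibility rules as stated above, and orders gaps by point impact; the control names and point weights in SAMPLE are constructed for illustration and are not the official DoD Assessment Methodology weighting.

```python
"""SPRS scoring model, constructed to follow the rules described on this page."""
from dataclasses import dataclass, replace

MAX_SCORE = 110        # score with every NIST 800-171 control implemented
CONDITIONAL_MIN = 88   # floor for conditional certification with POA&Ms
POAM_DEADLINE_DAYS = 180

@dataclass(frozen=True)
class Control:
    name: str
    points: int        # 1, 3 or 5; weights used below are constructed, not the official table
    implemented: bool

def sprs_score(controls):
    """110 minus the full weight of each unimplemented control (no partial credit)."""
    return MAX_SCORE - sum(c.points for c in controls if not c.implemented)

def assess(controls):
    """Return score, certification status, and which gaps may go on a POA&M."""
    score = sprs_score(controls)
    gaps = [c for c in controls if not c.implemented]
    must_fix = [c.name for c in gaps if c.points in (3, 5)]  # POA&M not allowed
    poam = [c.name for c in gaps if c.points == 1]           # POA&M allowed if score >= 88
    if not gaps:
        status = "certified"
    elif score >= CONDITIONAL_MIN and not must_fix:
        status = "conditional"  # POA&M items must close within POAM_DEADLINE_DAYS
    else:
        status = "not eligible"
    return {"score": score, "status": status, "must_fix": must_fix, "poam": poam}

def remediation_order(controls):
    """Gaps sorted highest weight first, the priority the page recommends."""
    gaps = [c for c in controls if not c.implemented]
    return [c.name for c in sorted(gaps, key=lambda c: -c.points)]

def remediate(controls, names):
    """New control list with the named gaps marked implemented."""
    return [replace(c, implemented=True) if c.name in names else c for c in controls]

# Constructed readiness snapshot for a small contractor (not real assessment data)
SAMPLE = [
    Control("MFA for all CUI system access", 5, False),
    Control("FIPS-validated encryption for CUI", 5, False),
    Control("Centralized audit log review", 3, False),
    Control("Documented baseline configurations", 3, True),
    Control("Password policy", 1, False),
    Control("Annual awareness training records", 1, False),
]
```

Running `assess(SAMPLE)` gives a score of 95, above the 88 floor, yet the status is "not eligible" because 5- and 3-point gaps remain open; after remediating those three, the score is 108 and the two 1-point gaps can sit on a POA&M.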
What to Do With Your Readiness Assessment
Your readiness quiz results are a starting point, not a certification outcome. Use them to:
- Prioritize by SPRS point impact. Fix 5-point controls first — they have the largest impact on your score and represent the most significant security risks.
- Address quick wins. Some controls (like updating a password policy) can be implemented in days. Others (like deploying FIPS-validated encryption across all CUI systems) take months.
- Budget with evidence. A readiness score helps justify compliance spending to leadership. “We need $150K for CMMC preparation” is vague. “We’re at SPRS 62, we need to reach 88, and our top gaps cost $85K to remediate” is actionable.
- Decide on scope. If your score is low across all domains, consider whether an enclave strategy (segregating CUI into a smaller network segment) could reduce the number of systems in scope and lower remediation costs.
- Set a timeline. At a Critical readiness tier, plan for 12–18 months. Developing tier, 6–12 months. Nearly Ready, 3–6 months. Phase 2 (mandatory C3PAO for most contracts) begins November 2026.
Remember: self-assessments typically overestimate readiness by 20–30%. If your estimated SPRS score is 95, a professional gap assessment may find you closer to 70. Plan accordingly.