CMMC Level 2 Certification: Complete Guide for DoD Contractors
Why CMMC Now Determines DoD Contract Eligibility
The Cybersecurity Maturity Model Certification (CMMC) program is the U.S. Department of Defense's mechanism to verify that defense contractors and subcontractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The final rule was published in October 2024 and CMMC requirements began appearing in DoD contracts in 2025. Within the program's phased rollout, a CMMC certification at the level specified in the contract becomes a contract-award prerequisite.
The shift is consequential. Under the prior model (DFARS 252.204-7012 with self-attestation against NIST SP 800-171), contractors could claim compliance based on internal review. Under CMMC, Level 2 and Level 3 certifications require independent assessment rather than internal review: at Level 2 by a CMMC Third-Party Assessment Organization (C3PAO), at Level 3 by the government. Self-attestation is acceptable only at Level 1. For the roughly 80,000 contractors in the Defense Industrial Base (DIB) that handle CUI, this is a structural change in how compliance must be operated and proven.
This guide focuses on Level 2, the most consequential tier for the typical DIB contractor.
The Three CMMC Levels
| Level | Controls | Information protected | Assessment |
|---|---|---|---|
| Level 1 | 17 practices | FCI only | Annual self-assessment |
| Level 2 | 110 practices (full NIST 800-171) | CUI | Triennial C3PAO assessment + annual affirmation |
| Level 3 | 110 + 24 additional from NIST 800-172 | CUI at higher risk | Government-led assessment |
The overwhelming majority of contractors handling CUI fall into Level 2. Level 1 applies only when the contract scope is limited strictly to Federal Contract Information (a much narrower category that excludes CUI). Level 3 applies to a small number of high-value DoD programs and is operated as a government-led process distinct from the C3PAO ecosystem.
What "Controlled Unclassified Information" Actually Means
CMMC Level 2 is triggered when a contract involves CUI. The CUI category is defined by 32 CFR Part 2002 and the NARA CUI Registry. Common CUI categories that appear in DoD contracts:
Controlled Technical Information (CTI)
Controlled Defense Information (CDI)
Privacy information for service members and federal civilians
Procurement-sensitive information
Critical infrastructure information
Naval Nuclear Propulsion Information (NNPI)
Export-controlled information
If a contract requires the contractor to receive, generate, or store CUI of any of these categories, Level 2 typically applies. The contracting officer specifies the level in the contract or solicitation; contractors should not assume.
The 14 Domains of NIST SP 800-171
CMMC Level 2 implements all 110 security requirements of NIST SP 800-171 organized into 14 control families (also called domains):
| Domain | Code | Practices |
|---|---|---|
| Access Control | AC | 22 |
| Awareness and Training | AT | 3 |
| Audit and Accountability | AU | 9 |
| Configuration Management | CM | 9 |
| Identification and Authentication | IA | 11 |
| Incident Response | IR | 3 |
| Maintenance | MA | 6 |
| Media Protection | MP | 9 |
| Personnel Security | PS | 2 |
| Physical Protection | PE | 6 |
| Risk Assessment | RA | 3 |
| Security Assessment | CA | 4 |
| System and Communications Protection | SC | 16 |
| System and Information Integrity | SI | 7 |
Each requirement is articulated as a specific operating capability the contractor must demonstrate. The 110 count is fixed; CMMC does not add or remove practices relative to NIST 800-171. What CMMC adds is the assessment rigor, the certification artifact, and the contract-award gate.
How the C3PAO Assessment Works
A CMMC Level 2 assessment is conducted by a CMMC Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB. The assessment is not a paperwork review; it is a fact-based determination of whether each of the 110 practices is implemented and operating effectively.
The assessment lifecycle:
1. Scoping: define the CUI environment boundary, including assets, networks, personnel, and facilities. Out-of-scope systems are excluded from assessment but must be demonstrably isolated.
2. Pre-assessment: many contractors engage the C3PAO for a readiness review before the formal assessment. Findings here can be remediated without affecting the certification record.
3. Formal assessment: typically 1-3 weeks on-site or remote, depending on scope. Includes interviews with personnel, document review, configuration inspection, and live testing of controls.
4. Findings disposition: each of the 110 practices is scored MET (1 point) or NOT MET (0 points), with partial credit possible on some practices. The total possible score is 110.
5. POA&M for limited gaps: at certification, up to a limited number of practices may remain open under a Plan of Action and Milestones (POA&M) with a 180-day remediation window. A subset of practices is not POA&M-eligible and must be MET for certification.
6. Certification: a CMMC Level 2 certificate is issued, valid for three years with annual self-affirmation.
The triennial cadence means that a Level 2 certification is not a one-time exercise. The contractor must operate the controls continuously and pass re-assessment every three years to remain certified.
What POA&M-Ineligible Practices Look Like
Most of the 110 practices can be open under a POA&M at certification time, with remediation required within 180 days. A specific subset cannot. These are the foundational controls that the program treats as non-negotiable, including:
Multi-factor authentication for privileged accounts and remote access
Encryption of CUI at rest and in transit using FIPS-validated mechanisms
Boundary protection between the CUI enclave and the wider network
Audit logging for security-relevant events
Identification of users, processes, and devices
If any of these are NOT MET at assessment, certification is not issued; remediation must occur and a re-assessment must be scheduled. The lesson: foundational controls should be in place well before the formal assessment.
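The disposition rule from steps 4 and 5 of the lifecycle, combined with the POA&M-ineligible gate described in this section, is small enough to write down as code. The following is an added worked example, not part of the original guide and not CISGuard code. It generates the 110 NIST SP 800-171 Rev 2 practice identifiers from the domain table above (family numbers 3.1 through 3.14, in that order), and makes two labelled assumptions: the set of POA&M-ineligible practices is an illustrative stand-in for the categories listed above, and the minimum score needed to certify with open POA&M items is a caller-supplied parameter, because the page does not state it.

```python
"""Findings disposition for a CMMC Level 2 assessment (added worked example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

# NIST SP 800-171 Rev 2 control families in the order of the domain table
# above: (domain code, Rev 2 family number, practice count). The generated
# identifiers are the real Rev 2 practice ids, 3.1.1 through 3.14.7.
FAMILIES = [
    ("AC", 1, 22), ("AT", 2, 3), ("AU", 3, 9), ("CM", 4, 9), ("IA", 5, 11),
    ("IR", 6, 3), ("MA", 7, 6), ("MP", 8, 9), ("PS", 9, 2), ("PE", 10, 6),
    ("RA", 11, 3), ("CA", 12, 4), ("SC", 13, 16), ("SI", 14, 7),
]
ALL_PRACTICES = [f"3.{fam}.{n}" for _, fam, count in FAMILIES
                 for n in range(1, count + 1)]
POAM_WINDOW_DAYS = 180

# ASSUMPTION: the program, not this page, defines which practices are
# POA&M-ineligible. These five stand in for the categories the page lists.
POAM_INELIGIBLE = {
    "3.5.3": "multi-factor authentication",
    "3.13.11": "FIPS-validated cryptography protecting CUI",
    "3.13.1": "boundary protection",
    "3.3.1": "audit logging of security-relevant events",
    "3.5.1": "identification of users, processes and devices",
}


class Status(Enum):
    MET = 1      # one point per practice
    NOT_MET = 0  # zero points


@dataclass
class Disposition:
    score: int
    certifiable: bool
    blocking: List[str]       # NOT MET and cannot be deferred to a POA&M
    poam: List[str]           # NOT MET but may be remediated under a POA&M
    poam_due: Optional[str]   # ISO date by which open POA&M items must close


def disposition(results: Dict[str, Status], assessed_on: str,
                min_score: int) -> Disposition:
    """Score an assessment and decide whether a certificate can issue.

    min_score is the lowest total that still certifies with open POA&M
    items; the page does not state it, so the caller supplies it (assumption).
    """
    missing = set(ALL_PRACTICES) - set(results)
    extra = set(results) - set(ALL_PRACTICES)
    if missing or extra:
        raise ValueError(f"one result per practice required; "
                         f"missing={sorted(missing)} extra={sorted(extra)}")
    score = sum(s.value for s in results.values())
    not_met = [p for p in ALL_PRACTICES if results[p] is Status.NOT_MET]
    blocking = [p for p in not_met if p in POAM_INELIGIBLE]
    poam = [p for p in not_met if p not in POAM_INELIGIBLE]
    # Any blocking gap stops certification regardless of the total score.
    certifiable = not blocking and score >= min_score
    due = None
    if certifiable and poam:
        due = (date.fromisoformat(assessed_on)
               + timedelta(days=POAM_WINDOW_DAYS)).isoformat()
    return Disposition(score, certifiable, blocking, poam, due)


def results_with_gaps(*not_met: str) -> Dict[str, Status]:
    """Constructed sample results: every practice MET except those named."""
    return {p: (Status.NOT_MET if p in not_met else Status.MET)
            for p in ALL_PRACTICES}


if __name__ == "__main__":
    for gaps in [(), ("3.2.1", "3.6.3"), ("3.5.3",)]:
        d = disposition(results_with_gaps(*gaps), "2025-06-02", min_score=100)
        print(gaps, d.score, d.certifiable, d.blocking, d.poam, d.poam_due)
```

The three sample runs show the three outcomes the text describes: a clean result certifies with no POA&M, two open training and incident-response practices certify with a POA&M due 180 days after the assessment date, and a single NOT MET on the MFA practice blocks certification even though the score is 109 of 110.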
Common Level 2 Deficiencies
Across early CMMC assessments, recurring findings cluster around the same gaps:
Incomplete CUI boundary definition. The contractor cannot produce a definitive list of systems, personnel, and facilities that handle CUI. The assessment is impossible to conduct against an undefined scope.
Missing or weak multi-factor authentication. MFA exists for some users or some systems but not consistently across all access paths to CUI. Privileged remote access without MFA is the most common variant.
Encryption gaps. Data at rest is encrypted with platform-default mechanisms that may not be FIPS-validated. Data in transit between internal systems lacks consistent encryption. Backup data is unencrypted.
Audit logging gaps. Logs are generated but retention is shorter than the practice requires (90 days for the Audit Generation practice). Audit log review processes are documented but not consistently executed.
Configuration management drift. Baselines are defined but drift detection is not in place. Changes occur outside the change management process.
Vulnerability management lag. Vulnerability scans run but remediation does not consistently meet the documented timelines. POA&Ms accumulate without progress.
Incident response readiness. Incident response plans exist but have not been exercised. Personnel cannot reliably execute the procedures during a tabletop test.
Media protection. Procedures exist for media handling but practices in operation do not align: USB drives are used without authorization tracking, end-of-life media is not consistently sanitized.
Most of these gaps are operational discipline issues, not architectural ones. They are correctable, but not in the final weeks before assessment.
Building a Sustainable CMMC Operating Model
CMMC certification is a triennial event; CMMC compliance is a daily operating posture. The contractors that pass without drama are those that built operating practices aligned to the 110 controls before the assessment.
The patterns that work:
Define the CUI boundary in code. Tag every asset with CUI classification at provisioning. Use the tags to scope configuration enforcement, monitoring, and access control. Boundary disputes during assessment evaporate when the tagging is authoritative.
Automate configuration management. Use configuration-as-code tooling (Group Policy, DSC, Ansible, Terraform) to define and apply baselines. Use continuous compliance scanning to detect drift. The Configuration Management domain (CM) becomes operationally tractable.
Centralize audit log collection. Forward logs from every in-scope system to a central SIEM with FIPS-validated transport and retention aligned to the practice (90 days minimum, often longer per contractor policy). Audit and Accountability (AU) findings drop sharply.
Treat MFA as universal, not selective. Implement MFA for every user authentication against any in-scope system. Exceptions become explicit POA&M items, not silent gaps.
Rehearse incident response. Run tabletop exercises at least annually and document the outcomes. Update the IR plan based on lessons learned. The Incident Response (IR) domain evidence then records rehearsed practice rather than fiction.
Document, but minimize. Each practice requires documentary evidence of the operating procedure. Documentation should be specific enough to satisfy the assessor and minimal enough to remain accurate. Sprawling documentation that nobody maintains is worse than concise documentation that everyone follows.
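The first four patterns above (tag-defined boundary, baseline drift detection, central log retention, universal MFA) can be exercised by one continuous check over the asset inventory. The following is an added example written for this guide, not CISGuard code and not something the page's author supplied. The inventory, the baseline values and the asset attributes (`mfa_all_users`, `disk_encryption`, `log_forwarding`, `settings`) are constructed for the example; the 90-day retention floor is the figure the page cites for the AU domain.

```python
"""Continuous posture check over a CUI-tagged asset inventory (added example)."""
from typing import List

# Baseline every in-scope asset must match. Constructed for this example; in
# practice it comes from configuration-as-code (Group Policy, DSC, Ansible).
BASELINE = {"password_min_length": 14, "screen_lock_minutes": 15, "smbv1_enabled": False}
MIN_LOG_RETENTION_DAYS = 90  # retention figure the page cites for the AU domain

# Constructed inventory. The `cui` tag applied at provisioning is the
# authoritative scope marker; everything else on the record is observed state.
INVENTORY = [
    {"name": "file-01", "tags": {"cui": "yes", "owner": "it-ops"},
     "mfa_all_users": True, "disk_encryption": "fips-validated",
     "log_forwarding": {"siem": True, "retention_days": 365},
     "settings": {"password_min_length": 14, "screen_lock_minutes": 15, "smbv1_enabled": False}},
    {"name": "eng-ws-07", "tags": {"cui": "yes", "owner": "eng"},
     "mfa_all_users": False, "disk_encryption": "platform-default",
     "log_forwarding": {"siem": True, "retention_days": 30},
     "settings": {"password_min_length": 8, "screen_lock_minutes": 15, "smbv1_enabled": True}},
    {"name": "marketing-web", "tags": {"cui": "no", "owner": "mktg"},
     "mfa_all_users": False, "disk_encryption": "none",
     "log_forwarding": {"siem": False, "retention_days": 0},
     "settings": {"password_min_length": 8, "screen_lock_minutes": 0, "smbv1_enabled": True}},
]


def in_scope(inventory: List[dict]) -> List[dict]:
    """The CUI boundary is exactly the set of assets tagged cui=yes."""
    return [a for a in inventory if a["tags"].get("cui") == "yes"]


def check_asset(asset: dict) -> List[dict]:
    """Return POA&M-style items (finding, domain, severity, owner) for one asset."""
    items: List[dict] = []

    def finding(domain: str, text: str, severity: str) -> None:
        items.append({"asset": asset["name"], "domain": domain, "finding": text,
                      "severity": severity, "owner": asset["tags"].get("owner", "unassigned")})

    # MFA is universal: any in-scope asset without it is a finding, never a silent gap.
    if not asset["mfa_all_users"]:
        finding("IA", "MFA not enforced for every user authentication", "high")
    # CUI at rest must use a FIPS-validated mechanism, not a platform default.
    if asset["disk_encryption"] != "fips-validated":
        finding("SC", f"CUI at rest protected by '{asset['disk_encryption']}' mechanism, "
                      f"not FIPS-validated", "high")
    # Logs must reach the central SIEM and be retained at least 90 days.
    lf = asset["log_forwarding"]
    if not lf["siem"]:
        finding("AU", "audit logs not forwarded to the central SIEM", "medium")
    elif lf["retention_days"] < MIN_LOG_RETENTION_DAYS:
        finding("AU", f"log retention {lf['retention_days']} days, "
                      f"below {MIN_LOG_RETENTION_DAYS}", "medium")
    # Drift detection: every baseline key must match the observed setting.
    for key, expected in BASELINE.items():
        actual = asset["settings"].get(key)
        if actual != expected:
            finding("CM", f"drift: {key}={actual!r}, baseline {expected!r}", "medium")
    return items


def poam_report(inventory: List[dict]) -> List[dict]:
    """Scope by tag first, then check; out-of-scope assets produce no items."""
    return [item for asset in in_scope(inventory) for item in check_asset(asset)]


if __name__ == "__main__":
    for item in poam_report(INVENTORY):
        print(f"{item['asset']:12} {item['domain']} {item['severity']:6} "
              f"{item['owner']:7} {item['finding']}")
```

Scoping happens before checking, so the untagged marketing host never appears in the report even though it would fail every check; that is the point of making the tag authoritative. The workstation produces five items across IA, SC, AU and CM, each with an owner taken from its tags, which is the shape a POA&M entry needs.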
How CIS Benchmark Scanning Supports CMMC Level 2
A substantial portion of the 110 CMMC Level 2 practices map to configuration settings that CIS benchmark scanning evaluates automatically. The strongest coverage is in:
Access Control (AC): account management, account types, least privilege, session controls, system use notification — all evaluated by CIS Windows, Linux, and cloud benchmarks
Audit and Accountability (AU): audit policy configuration, audit log content, audit log protection — covered by AU subcategory configuration in benchmarks
Configuration Management (CM): baseline configuration, configuration settings, least functionality — the central use case for benchmark scanning
Identification and Authentication (IA): password complexity, replay-resistant authentication, identifier management — fully covered by benchmark scanning
System and Communications Protection (SC): cryptographic settings, network boundary protection, cryptographic protection of CUI — extensively covered
System and Information Integrity (SI): monitoring, malware protection, security alerts — partial coverage through scanner integration
For a typical CMMC Level 2 boundary, continuous CIS benchmark scanning produces evidence for 40-60 of the 110 practices automatically. The remaining practices are organizational, governance, or specialized requirements that require human process documentation.
How CISGuard Supports CMMC Level 2 Programs
CISGuard is built for the continuous monitoring discipline CMMC requires:
22 CIS benchmarks across Windows, Linux, Azure, AWS, M365, Kubernetes, Docker — the platforms most CUI environments actually operate
NIST SP 800-171 mapping built into every scan, with per-practice evaluation status across the 14 domains
Drift detection with timestamped regressions, satisfying CM and SI domain expectations
Air-gapped deployment for CUI environments that cannot accept SaaS dependencies — a common architectural requirement for DoD contractors
Per-asset tagging for CUI boundary management — tag assets with their CUI classification and scope all scanning and reporting accordingly
Immutable audit trail of every scan, drift event, and exception, with cryptographic integrity protection
POA&M-formatted reporting with finding, severity, owner, target date, and compensating control tracked per item
U.S.-person operations by platform design — administrative access is held within the customer environment
A CISGuard deployment inside a CUI enclave produces the bulk of the technical evidence in the CM, AC, AU, IA and SC domains that C3PAOs evaluate, in the format CMMC assessments require.
CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.