
CMMC Level 2: Meaning, requirements, process, and cost

Last updated on December 17, 2025 · 4 min. read

The Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) to strengthen how contractors protect sensitive government data. CMMC 2.0 includes three levels, each tied to the type of information you handle and the depth of cybersecurity required.

Level 2 applies to companies working with Controlled Unclassified Information (CUI) and builds directly on the NIST SP 800-171 standard.

In this blog, we’ll unpack what CMMC Level 2 means, what it requires, how the assessment works, and what it might cost your organization.

What is CMMC Level 2?

CMMC Level 2 represents the “Advanced” tier of the DoD’s CMMC program. It applies to contractors and subcontractors that create, store, process, or transmit CUI as part of fulfilling DoD contracts.

At this level, organizations are required to implement 110 cybersecurity practices that align directly with NIST SP 800-171, covering areas like access control, incident response, and system integrity.

Unlike Level 1, which relies on self-assessment, most Level 2 contractors must undergo a third-party audit by a Certified Third-Party Assessment Organization (C3PAO). Only a limited subset of contracts involving less sensitive CUI qualify for self-assessment.

In short, CMMC Level 2 serves as the benchmark for proving that a defense contractor can adequately safeguard sensitive government data throughout its lifecycle.

Who does CMMC Level 2 apply to?

CMMC Level 2 applies to organizations that handle CUI as part of federal contracts. These are typically businesses in the Defense Industrial Base (DIB) that work closely with the DoD or serve as subcontractors to larger defense primes.

Defense contractors:

Companies directly supplying goods or services to the DoD fall under CMMC Level 2. They often deal with sensitive project data, designs, and communications that must be protected from unauthorized access.

Subcontractors and service providers:

Even if you don’t work directly with the DoD, handling CUI on behalf of a prime contractor requires Level 2 compliance. This includes IT service providers, logistics partners, and engineering consultants within the defense supply chain.

Technology and manufacturing firms:

Vendors producing components, software, or systems that could integrate into defense equipment or infrastructure also need to meet Level 2 standards. These firms play a critical role in safeguarding the confidentiality and integrity of shared data.

What are the requirements for CMMC Level 2?

CMMC Level 2 requires organizations to implement the 110 security practices from NIST SP 800-171 to protect Controlled Unclassified Information (CUI). While the expectation is to meet all 110 practices, the DoD allows a limited number of low-risk gaps to be addressed through a Plan of Action and Milestones (POA&M). High-impact requirements must still be fully implemented before certification.

Level 2 goes beyond the basic safeguards of Level 1. It includes technical and procedural controls, detailed documentation, and an independent third-party assessment to verify that the organization can consistently protect CUI.

Key requirements for CMMC Level 2

1. Implementation of all 110 NIST SP 800-171 practices

Organizations must adopt and maintain all 110 practices across 14 control families, including Access Control, Incident Response, System Integrity, and Risk Assessment. These practices form the technical foundation for CUI protection.

2. Development of a System Security Plan (SSP)

A detailed SSP must describe how each control is implemented, which systems are in scope, and how CUI is safeguarded. The SSP serves as a central reference for assessors during evaluation.

3. Creation of a Plan of Action and Milestones (POA&M)

A POA&M documents any deficiencies or unimplemented controls and outlines how and when they will be remediated. Only limited, low-risk items may remain open during certification.

4. Documented policies and procedures

Organizations must maintain written, version-controlled policies covering key areas such as access control, configuration management, incident response, personnel security, and media protection. These documents show that security practices are institutionalized, not ad hoc.

5. Technical and operational controls

Implementation of key security mechanisms such as multi-factor authentication for privileged or remote access, encryption for data at rest and in transit, network segmentation, and regular monitoring is required. Organizations must maintain logging and auditing capabilities, review security events periodically, and carry out routine vulnerability management as part of their ongoing risk management activities.

6. Security awareness and role-based training

Employees must receive regular cybersecurity training, including awareness sessions and role-specific instruction for those handling CUI or managing critical systems.

7. DFARS 252.204-7019 reporting

Organizations must submit their NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS) as required by DFARS 252.204-7019. This score must be kept current and accurate.

8. DFARS 252.204-7020 assessment

Organizations must provide the DoD or a designated assessor access to systems, facilities, and personnel if a DoD assessment is required under DFARS 252.204-7020.

9. Assessment and affirmation obligations

Organizations with non-prioritized contracts must complete an annual self-assessment and submit an annual affirmation. Organizations handling prioritized CUI must complete an independent C3PAO assessment every three years.

How to get started with CMMC Level 2 certification

Getting started with CMMC Level 2 can seem complex, but breaking it into structured steps makes the process manageable.

1. Identify where CUI resides

Start by mapping all systems, tools, and processes that handle or store CUI. This helps you define the scope of your assessment and determine which systems must meet CMMC requirements.

2. Conduct a self-assessment

Review your current cybersecurity practices against the 110 practices in NIST SP 800-171. Identify existing gaps and document them in an SSP and a POA&M.

3. Define and implement remediation actions

Close the identified gaps by applying the required technical and procedural controls. This may involve configuring systems securely, updating policies, training employees, or improving monitoring.

4. Determine whether you need a C3PAO assessment

CMMC Level 2 has two assessment paths based on the type of contract and the sensitivity of the CUI involved.

• Prioritized CUI requires a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO).

• Non-prioritized CUI allows organizations to perform an annual self-assessment, with results submitted to SPRS as required by DFARS 252.204-7019.

Organizations should confirm their assessment path based on the contract language and DoD guidance.

5. Maintain compliance continuously

CMMC certification is valid for three years with annual self-assessments. You’re expected to maintain the same level of cybersecurity throughout that period through regular reviews, updates to the SSP, and consistent control monitoring.

What is the cost of CMMC Level 2 compliance?

Preparing for CMMC Level 2 involves both direct and indirect costs. The total budget depends on the size of your organization, the complexity of your systems, and the scope of your assessment.

According to current industry estimates, the required third-party assessment by a C3PAO can cost anywhere between $100,000 and $120,000.

However, certification fees are just one part of the total cost. Organizations should plan for:

1. Implementation and remediation: Upgrading systems, deploying encryption, setting up MFA, and addressing gaps identified in readiness assessments.

2. Automation tools: Software for evidence collection, policy management, and continuous monitoring can increase upfront costs but reduce manual work and long-term audit effort.

3. Hidden costs: These often include staff training, consultant fees, data migration, and internal resource time.

4. Ongoing maintenance: CMMC Level 2 certifications are valid for three years. During this period, organizations must perform an annual self-assessment, keep the SSP and POA&M updated, and periodically review key security controls. The goal is to ensure practices remain aligned with NIST SP 800-171 expectations throughout the contract cycle.

How long does CMMC Level 2 certification take?

The CMMC Level 2 certification process can take anywhere from 7 to 16 months, depending on your organization’s current cybersecurity maturity and resource availability.

The timeline typically includes:

  • 3–6 months for readiness assessments and gap remediation
  • 2–4 months for control implementation and documentation
  • 1–2 months for the third-party audit and remediation follow-ups

Once achieved, the certification is valid for three years, during which time organizations are expected to maintain practices and be audit-ready.

What are the common challenges in achieving CMMC Level 2?

Achieving Level 2 certification is a significant undertaking, especially for small and mid-sized defense contractors. Some common challenges include:

1. Defining scope correctly: Misidentifying systems or data that handle CUI can lead to unnecessary work or missed coverage during assessment.

2. Managing documentation: Even organizations with strong technical controls often struggle to maintain complete and up-to-date documentation such as the SSP, POA&M, and training records.

3. Allocating sufficient resources: Many teams underestimate the time, personnel, and budget needed to implement and sustain 110 security practices. This often delays audits or creates compliance fatigue.

How does CMMC Level 2 differ from the other levels?

Understanding how Level 2 compares to the other CMMC levels helps determine where your organization fits within the defense supply chain. Here’s how CMMC Level 2 differs from the other two levels:

Level 1 vs Level 2

Level 1 applies to contractors handling only Federal Contract Information (FCI) and requires an annual self-assessment. Level 2, on the other hand, applies to those handling CUI and involves implementing all 110 practices from NIST SP 800-171, verified through a third-party audit.

Level 2 vs Level 3

Level 3 is intended for organizations managing critical national security programs. It adds enhanced controls from NIST SP 800-172, focuses on protection from advanced persistent threats, and involves a DoD-led assessment.

How Scrut can simplify CMMC Level 2 compliance

CMMC Level 2 compliance involves aligning with NIST SP 800-171, managing evidence for 110 practices, and maintaining readiness for periodic assessments, all of which can be complex and time-intensive without automation.

Scrut helps simplify this process by automatically mapping your existing controls and security data to CMMC Level 2 requirements. The platform provides real-time visibility into compliance status, generates documentation and required policies, and centralizes evidence for internal reviews and third-party audits.

Teams can also use Scrut to identify and remediate gaps, assign ownership, and maintain continuous compliance through automated monitoring and alerts. Whether you’re preparing for your first audit or maintaining certification, Scrut ensures you stay audit-ready year-round.

FAQs

Is CMMC only for DoD contractors?

Yes. The Cybersecurity Maturity Model Certification applies to all contractors and subcontractors within the Defense Industrial Base that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under Department of Defense contracts.

Do CMMC Level 2 requirements apply to subcontractors?

Yes. If subcontractors handle CUI, they must meet Level 2 requirements. Prime contractors are responsible for ensuring that all subcontractors in their supply chain have the appropriate certification level before any CUI is shared.

What are the penalties for non-compliance with CMMC Level 2?

Non-compliance can make you ineligible for DoD contracts that require CMMC Level 2. Only certain low-risk items are allowed on a POA&M, and those must be remediated within the DoD’s permitted timeframe before certification can be granted. High-impact requirements must be fully implemented; otherwise the organization cannot be certified.

If I only handle FCI, do I still need to meet CMMC Level 2?

No. Organizations that handle only FCI need to comply with CMMC Level 1, which includes 17 basic security practices derived from FAR 52.204-21. CMMC Level 2 applies only to organizations that handle CUI.

Who can conduct a CMMC Level 2 assessment?

Level 2 assessments are performed by accredited Certified Third-Party Assessment Organizations (C3PAOs) listed on the Cyber AB Marketplace. However, non-prioritized contracts that involve less sensitive CUI may allow for annual self-assessments.

How do NIST SP 800-171 and CMMC Level 2 differ?

CMMC Level 2 is directly based on the 110 requirements of NIST SP 800-171, but it adds a formal certification process. While NIST SP 800-171 compliance can be self-attested, CMMC Level 2 requires documented evidence and, in many cases, independent third-party verification.

Can I automate CMMC Level 2 compliance?

Yes. Automation platforms like Scrut can simplify the process by mapping existing controls to CMMC Level 2 requirements, collecting audit evidence through integrations, and maintaining continuous compliance monitoring. This reduces manual effort and ensures readiness for third-party assessments.
