CMMC Level 2 Requirements: The Complete 2026 Guide
CMMC Level 2 (Advanced) is the certification level required for defense contractors who handle Controlled Unclassified Information (CUI). It maps directly to the 110 security controls in NIST SP 800-171 Rev 2 and requires either a self-assessment or a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO), depending on the sensitivity of the CUI involved.
With the final rule published in October 2024 and enforcement beginning in November 2026, every contractor in the Defense Industrial Base (DIB) that handles CUI needs to achieve Level 2 certification — or risk losing contracts.
CMMC Level 2 requires implementation of all 110 controls from NIST 800-171, organized into 14 families:
| Family | Abbr. | Controls | Focus Area |
|---|---|---|---|
| Access Control | AC | 22 | Who can access what systems and data |
| Awareness & Training | AT | 3 | Security training for personnel |
| Audit & Accountability | AU | 9 | Logging, monitoring, and audit trails |
| Configuration Management | CM | 9 | Baseline configs and change control |
| Identification & Authentication | IA | 11 | User identity verification and MFA |
| Incident Response | IR | 3 | Detecting and responding to incidents |
| Maintenance | MA | 6 | System maintenance procedures |
| Media Protection | MP | 9 | Protecting CUI on storage media |
| Personnel Security | PS | 2 | Screening and termination procedures |
| Physical Protection | PE | 6 | Physical access controls |
| Risk Assessment | RA | 3 | Identifying and managing risk |
| Security Assessment | CA | 4 | Evaluating control effectiveness |
| System & Communications Protection | SC | 16 | Network security and encryption |
| System & Information Integrity | SI | 7 | Patching, monitoring, and alerting |
Not all Level 2 certifications require a third-party assessment:
**Self-Assessment (Level 2, Self):** For contracts involving CUI that is not critical to national security. Your organization conducts its own assessment, calculates your SPRS score, and submits it to the Supplier Performance Risk System (SPRS).
**C3PAO Assessment (Level 2, Certification):** For contracts involving CUI that IS critical to national security. A Certified Third-Party Assessment Organization conducts an on-site assessment. This is the more rigorous path and is expected for most major defense contracts.
Your contracting officer will specify which level is required in the solicitation (DFARS clause 252.204-7021).
**Scope your CUI environment.** Before anything else, you need to know where CUI lives in your organization. This includes:
- Systems that store, process, or transmit CUI
- Network segments that carry CUI traffic
- Physical locations where CUI is accessed
- Personnel with CUI access
**Implement and document each control.** Work through each control family systematically. For each control, you need:
- An **implementation statement** describing how you meet the requirement
- **Evidence** proving the control is in place (screenshots, policies, configs)
- A **responsible party** assigned to maintain the control
**Write the System Security Plan (SSP).** The SSP is the single most important document in your assessment. It describes:
- Your system boundary and architecture
- How each of the 110 controls is implemented
- Roles and responsibilities
- Network diagrams and data flow
**Document remaining gaps in a POA&M.** For any controls not fully implemented, you need a Plan of Action & Milestones (POA&M) documenting:
- The specific weakness or gap
- Planned remediation actions
- Responsible parties and target completion dates
- Resources required
**Calculate your SPRS score.** Your SPRS score starts at 110 (perfect) and subtracts points for each control that is not fully implemented. The scoring is weighted: some controls are worth 5 points, others 3 or 1. A score of 110 means full implementation. The minimum acceptable score varies by contract, but anything below 70 signals significant gaps.
**Submit or schedule.** For self-assessments, submit your score to SPRS. For C3PAO assessments, schedule your assessment through the Cyber AB marketplace.
**Key dates:**
| Date | Milestone |
|---|---|
| Oct 2024 | Final CMMC rule published (32 CFR Part 170) |
| Q1 2025 | C3PAO assessments begin |
| Nov 2026 | CMMC requirements appear in new contracts |
| 2027-2028 | Phase-in for option periods on existing contracts |
**The critical date is November 2026.** After that, new DoD contracts will include CMMC requirements. If you don't have your certification (or a valid self-assessment score), you won't be eligible to bid.
**Common mistakes to avoid:**
- **Underscoping your CUI boundary.** If you miss systems that handle CUI, your assessment is invalid. Be thorough in mapping data flows.
- **Writing generic implementation statements.** "We have a firewall" doesn't satisfy SC.3.13.1. Assessors want specifics: product names, configuration details, who manages it.
- **Ignoring the POA&M.** Having gaps is acceptable — ignoring them is not. A well-documented POA&M with realistic timelines shows maturity.
- **Waiting until the deadline.** Getting 110 controls implemented, documented, and evidenced takes 6-12 months for most organizations. Start now.
- **Treating it as an IT-only project.** CMMC touches HR (personnel security), facilities (physical protection), training, legal, and leadership. It's an organizational effort.
Our interactive compliance platform was built specifically for this process:
- **20 guided questionnaires** walk you through each control family with specific questions about your implementation
- **Real-time SPRS score tracking** shows your score as you implement controls
- **CUI and Network Boundary Builders** help you define your assessment scope
- **110-control tracker** lets you manage implementation status and evidence
- **30+ audit-ready templates** give you SSP, POA&M, and policy documents formatted for C3PAO review
Built by a CISSP/CCP who led a CMMC Level 2 certification in the aerospace sector — so every question, template, and workflow reflects what assessors actually look for.
*Ready to start your CMMC Level 2 journey? See our plans and pricing or try a free sample.*