CMMC Level 2 is where most small defense contractors are heading — and it's significantly more demanding than Level 1. If your contracts involve Controlled Unclassified Information (CUI), Level 2 applies to you. That means all 110 controls from NIST SP 800-171, a third-party assessment by a C3PAO, and a documented compliance program that a trained assessor will scrutinize.
This guide breaks down exactly what Level 2 requires — translated out of regulation-speak and into what you actually need to do as a small contractor.
The Basics: What Makes Level 2 Different from Level 1
CMMC Level 1 covers 15 basic safeguarding practices for Federal Contract Information (FCI). Think: use antivirus, limit access, require passwords. You can self-assess Level 1 — no third party required.
Level 2 is a different animal. It requires:
- All 110 NIST SP 800-171 controls across 14 security domains
- A third-party assessment by a C3PAO (a certified organization authorized by the Cyber AB)
- A complete System Security Plan (SSP) describing how you meet every control
- Plans of Action & Milestones (POA&M) for any controls not yet fully met
- Triennial reassessment plus annual affirmation that your posture hasn't degraded
The 14 Control Families: What Each One Actually Means
NIST 800-171's 110 controls are organized into 14 families. Here's what each family requires in practical terms — not just the regulatory definition.
3.1 · Access Control (22 controls)
The largest family. Requires you to limit system access to authorized users, control what those users can do, enforce least privilege, and control remote access. In practice: user account management, role-based permissions, MFA for remote access, and documented access control policies. This is often where small contractors have the most gaps.
3.2 · Awareness & Training (3 controls)
Requires security awareness training for all users who access CUI, plus role-based training for people with elevated privileges. You need documented training records showing who was trained and when. This is one of the more achievable families — platforms like KnowBe4 or custom training sessions satisfy the requirement.
3.3 · Audit & Accountability (9 controls)
Requires logging of user activity, system events, and security-relevant actions — and protecting those logs from tampering. Most small contractors lack sufficient logging. Microsoft 365 audit logging covers some of this; a SIEM or log management solution covers the rest. Your logs need to be retained and reviewable.
3.4 · Configuration Management (9 controls)
Requires establishing baseline configurations for your systems, controlling changes to those configurations, and maintaining an inventory of authorized software. In practice: documented system baselines, a change management process, and software whitelisting or application control. This is one of the more process-heavy families.
3.5 · Identification & Authentication (11 controls)
Requires verifying the identity of users, processes, and devices before granting access — including multi-factor authentication for privileged and remote access. MFA is explicitly required. Password complexity, account lockout, and authenticator management are also covered. Microsoft 365 with Entra ID satisfies most of this family if configured correctly.
3.6 · Incident Response (3 controls)
Requires a documented incident response capability: a plan for what to do when a security incident occurs, a process to report incidents to the DoD (DIBNET/US-CERT), and post-incident analysis. Small contractors often have informal incident response — Level 2 requires it to be written down and tested.
3.7 · Maintenance (6 controls)
Requires controlling and documenting maintenance on systems that process CUI — including remote maintenance. If a vendor or IT provider does remote work on your systems, you need documented procedures, session monitoring, and MFA for remote maintenance access. This catches small contractors who outsource IT without tracking what the MSP actually does.
3.8 · Media Protection (9 controls)
Requires protecting physical and digital media that contains CUI — including marking, storage, transport, and sanitization when disposing of media. USB drives, laptops, backup drives, and printed documents containing CUI all fall under this family. Requires documented media handling procedures.
3.9 · Personnel Security (2 controls)
Requires screening individuals with access to CUI before granting access, and terminating access promptly when employment ends. Background checks (or equivalent screening) are required. Exit procedures ensuring access is revoked must be documented. Only 2 controls — achievable but often overlooked.
3.10 · Physical Protection (6 controls)
Requires controlling physical access to systems that process CUI — locked server rooms, visitor escorts, monitoring of physical access, and protection of equipment. Many small contractors have adequate physical security but haven't documented it. Visitor logs, badge systems, and locked equipment rooms satisfy most of these controls.
3.11 · Risk Assessment (3 controls)
Requires periodically assessing risk to your CUI environment — identifying threats, vulnerabilities, and the likelihood and impact of security incidents. A formal risk assessment process, documented risk register, and periodic vulnerability scanning satisfy this family. Your SPRS score calculation is essentially a risk assessment output.
3.12 · Security Assessment (4 controls)
Requires periodically assessing the effectiveness of your security controls, developing and implementing plans to correct deficiencies, and monitoring security on an ongoing basis. Your POA&M is the primary artifact here. Annual self-assessments and the CMMC assessment itself satisfy these controls.
3.13 · System & Communications Protection (16 controls)
Requires protecting information at rest and in transit through encryption, network segmentation, and communications monitoring. Encryption for CUI (both storage and transmission), network boundary protection, and controls on mobile code and remote access sessions are all covered. This family often requires technology investment for small contractors.
3.14 · System & Information Integrity (7 controls)
Requires protecting against malicious code, monitoring systems for security alerts, and patching promptly. Antivirus/EDR, patch management, system alerts, and spam protection all fall here. Many small contractors are strong in this family because it maps closely to standard IT hygiene practices.
The Documentation Requirement: Why It's Harder Than the Controls
Here's something most CMMC guides don't say plainly: for many small contractors, meeting the controls isn't the problem — documenting that you meet them is.
A C3PAO assessor doesn't take your word for anything. They read your SSP, interview your staff, and test your systems. If your MFA is deployed but your SSP doesn't describe it, the assessor marks that control as not evidenced. If your patch management works but there's no policy document, same result.
You can have excellent security and fail a CMMC assessment because you couldn't prove it on paper. Documentation is not optional — it is the assessment.
This is why writing a complete SSP is the single most important compliance activity for a small contractor. Everything else flows from it.
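As an added illustration (example code written for this guide, not CMMC Map's or any assessor's tooling), the following Python model encodes the assessor logic described above: a control counts as "Met" only when it is implemented, described in the SSP, and backed by an artefact; everything else becomes a POA&M row. The per-family control counts are the ones listed in this guide; the sample inventory and the `Control` fields are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Control counts per family exactly as the guide lists them (3.1 .. 3.14).
# Used to confirm an inventory covers all 110 controls before assessment.
FAMILY_SIZES = {"3.1": 22, "3.2": 3, "3.3": 9, "3.4": 9, "3.5": 11, "3.6": 3,
                "3.7": 6, "3.8": 9, "3.9": 2, "3.10": 6, "3.11": 3, "3.12": 4,
                "3.13": 16, "3.14": 7}

@dataclass
class Control:
    cid: str                 # NIST SP 800-171 requirement id, e.g. "3.5.3"
    implemented: bool        # the safeguard is technically in place
    in_ssp: bool             # the SSP describes how the requirement is met
    evidence: tuple = ()     # artefacts an assessor can inspect (policy, export, log)

def family_of(cid: str) -> str:
    """'3.5.3' -> '3.5'."""
    return ".".join(cid.split(".")[:2])

def assess(ctrl: Control) -> tuple[str, str]:
    """Return (status, finding). Implementation alone does not make a control
    'Met': an undocumented control is marked as not evidenced, as the guide says."""
    if not ctrl.implemented:
        return "Not Met", "control not implemented"
    if not ctrl.in_ssp:
        return "Not Met", "implemented but not described in SSP (not evidenced)"
    if not ctrl.evidence:
        return "Not Met", "described in SSP but no supporting artefact"
    return "Met", ""

def build_poam(controls: list[Control]) -> list[tuple[str, str]]:
    """POA&M rows (control id, finding) for every control that is not Met."""
    return [(c.cid, assess(c)[1]) for c in controls if assess(c)[0] != "Met"]

def inventory_gaps(controls: list[Control]) -> dict[str, int]:
    """Families where the inventory lists fewer controls than the family has."""
    seen = Counter(family_of(c.cid) for c in controls)
    return {fam: size - seen[fam] for fam, size in FAMILY_SIZES.items()
            if seen[fam] != size}

# Constructed sample inventory: MFA deployed but only one of two controls written up,
# and a malware-protection control documented but not actually in place.
SAMPLE = [
    Control("3.5.3", implemented=True, in_ssp=True, evidence=("Entra ID CA policy export",)),
    Control("3.5.1", implemented=True, in_ssp=False),
    Control("3.14.1", implemented=False, in_ssp=True),
]

if __name__ == "__main__":
    for row in build_poam(SAMPLE):
        print("POA&M:", *row)
    print("families still incomplete:", inventory_gaps(SAMPLE))
```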
Start your CMMC Level 2 gap assessment today
CMMC Map walks you through all 110 controls, generates your SSP and POA&M, and tracks your progress to assessment readiness.