CMMC 2.0 Level 2: The Complete Compliance Guide for Defense Contractors
Jeff Sowell · 2026-04-12 · Compliance
CMMC 2.0 Level 2 compliance guide for defense contractors handling CUI. Covers the 14 NIST 800-171 domains, assessment preparation, and common mistakes to avoid.
What Is CMMC 2.0 and Why It Exists
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for ensuring that defense contractors protect sensitive information. CMMC 2.0 replaced the original five-level model with a simplified three-level structure, aligning more closely with existing NIST standards and reducing the compliance burden on smaller contractors.
The driver behind CMMC is straightforward: defense contractors handle Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that adversaries actively target. Self-attestation under DFARS 252.204-7012 was not working — contractors claimed compliance without actually implementing the required controls. CMMC adds third-party verification to ensure contractors are doing what they say they are doing.
If you are new to compliance frameworks in general, our guide on what GRC is and why it matters provides foundational context for how frameworks like CMMC fit into a broader governance strategy.
Why Level 2 Matters
CMMC 2.0 has three levels:
- Level 1 (Foundational): 17 practices based on FAR 52.204-21. Covers FCI. Self-assessment is sufficient.
- Level 2 (Advanced): 110 practices based on NIST SP 800-171 Rev 2. Covers CUI. Requires third-party assessment by a C3PAO for most contracts.
- Level 3 (Expert): Based on a subset of NIST SP 800-172. Covers the most sensitive programs. Requires government-led assessment.
Level 2 is where the majority of defense contractors land. If your contract involves CUI — and most contracts involving technical data, engineering drawings, controlled technical specifications, or operational security information do — you need Level 2.
The critical distinction is that Level 2 requires a third-party assessment from a CMMC Third-Party Assessment Organization (C3PAO), not just a self-attestation. This means your controls must actually be implemented, documented, and demonstrable — not just described in a policy.
The 14 Domains of NIST 800-171
CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171, organized across 14 domains. Understanding these domains is essential for scoping your compliance effort.
Access Control (AC) — 22 Requirements
The largest domain. Covers account management, access enforcement, remote access, wireless access, and the principle of least privilege. Most organizations underestimate the scope here — it includes not just user accounts but also system accounts, service accounts, and automated processes.
Awareness and Training (AT) — 3 Requirements
Security awareness training for all users and specialized training for roles with security responsibilities. Training must be documented and refreshed periodically.
Audit and Accountability (AU) — 9 Requirements
System audit logging, log protection, log review, and correlation. You must create, protect, and review audit records — and be able to trace actions back to individual users.
Configuration Management (CM)