What Is CMMC 2.0 Level 2?
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the DoD's framework for verifying that defense contractors adequately protect Controlled Unclassified Information (CUI). Level 2 — the tier most defense prime subcontractors face — maps precisely to all 110 security requirements in NIST Special Publication 800-171 Rev 2.
As of December 2024, CMMC 2.0 is codified in 32 CFR Part 170 and is being phased into defense contracts. By 2026, the majority of contracts involving CUI will require demonstrated CMMC Level 2 compliance. Contractors that fail to certify will be unable to bid on covered contracts.
Key deadline: CMMC 2.0 requirements are being progressively inserted into DoD contracts through 2025–2026. Check your contracts and RFPs for DFARS 252.204-7012 and 252.204-7021 clauses to determine your current obligation.
The 14 NIST 800-171 Control Domains
CMMC Level 2 organizes the 110 requirements into 14 control families. Here's the complete domain breakdown with control counts and where most SMBs struggle:
| # | Domain | Controls | Common Gap |
|---|---|---|---|
| 1 | Access Control (AC) | 22 | Least privilege enforcement, remote access logging |
| 2 | Awareness & Training (AT) | 3 | Documented training records |
| 3 | Audit & Accountability (AU) | 9 | Centralized log collection, retention policies |
| 4 | Configuration Management (CM) | 9 | Baseline configurations, change control process |
| 5 | Identification & Authentication (IA) | 11 | MFA on all systems, password complexity enforcement |
| 6 | Incident Response (IR) | 3 | Documented IR plan, 72-hour reporting capability |
| 7 | Maintenance (MA) | 6 | Controlled remote maintenance, sanitized equipment |
| 8 | Media Protection (MP) | 9 | CUI labeling, secure disposal processes |
| 9 | Personnel Security (PS) | 2 | Termination checklists, access review cadence |
| 10 | Physical Protection (PE) | 6 | Visitor logs, physical access controls for CUI areas |
| 11 | Risk Assessment (RA) | 3 | Formal risk assessment documentation |
| 12 | Security Assessment (CA) | 4 | Internal audit process, POA&M management |
| 13 | System & Comm. Protection (SC) | 16 | Network segmentation, CUI boundary definition |
| 14 | System & Info. Integrity (SI) | 7 | Patch management cadence, malware protection |
The Top 5 Gaps That Fail Defense SMBs
Based on assessments of hundreds of defense contractors, these five gaps are the most common reasons SMBs fail their initial CMMC readiness review:
1. No Defined CUI Boundary
Before you can protect CUI, you need to know exactly where it lives — which systems, drives, email accounts, and shared folders contain controlled data. Most SMBs haven't formally defined this boundary. Without it, you can't scope your SSP, and your assessor can't evaluate compliance. Start here: identify every system that touches CUI and draw a formal system boundary.
2. Missing Multi-Factor Authentication
NIST 800-171 requirement 3.5.3 requires MFA for all privileged users and for all remote access. Many SMBs have MFA on email but not on VPNs, servers, or admin accounts. Every remote access pathway to CUI systems needs MFA — no exceptions.
3. No Centralized Logging
Audit & Accountability (AU) controls require that you collect, protect, and retain audit logs from all systems in your CUI environment. Point solutions that only log locally (Windows Event Viewer on each host, individual firewall logs) don't satisfy this. You need a SIEM or centralized log aggregator with at least 90-day retention (3 years recommended).
4. Undocumented or Missing SSP
A System Security Plan is not optional. It's required by DFARS 252.204-7012 and is the primary artifact your C3PAO will review. Many SMBs have implemented controls but never documented them. An undocumented control is a failed control in an assessment. Your SSP needs to describe exactly how you satisfy each of the 110 requirements, or document them as POA&M items with remediation timelines.
5. Inadequate Incident Response Plan
DFARS requires you to report cyber incidents to DoD within 72 hours. Most defense SMBs don't have a documented IR plan, don't have an incident tracking system, and have never run a tabletop exercise. The IR controls are only 3 requirements, but they're frequently cited in assessments.
Realistic Timeline & Cost Estimates
These estimates are based on publicly available C3PAO assessment data and industry benchmarks. Actual costs vary significantly based on organization size, existing maturity, and infrastructure complexity.
[ESTIMATE — AI-generated based on industry data] These figures represent broad ranges. Seek independent quotes from qualified RPOs and C3PAOs before budgeting. Costs can vary 3–5x based on scope.
- Gap assessment (RPO engagement): $8K–$25K, 2–4 weeks
- Remediation (technical + documentation): $20K–$100K, 3–12 months
- Third-party C3PAO assessment: $50K–$250K, 4–8 weeks
- Ongoing compliance maintenance: $15K–$40K/year
- Total from scratch to certified: $75K–$350K over 6–18 months
Smaller organizations (<25 employees, narrow CUI scope) often achieve compliance at the low end of these ranges. Complex organizations with multiple facilities, large CUI environments, or legacy infrastructure typically land at the high end or beyond.
The 2026 CMMC Level 2 Compliance Checklist
Use this checklist to track your readiness across the five most critical preparation phases:
Phase 1: Scoping (Weeks 1–4)
- ☐ Identify all CUI across your organization (email, drives, cloud storage, physical media)
- ☐ Define your system boundary — every system that processes, stores, or transmits CUI
- ☐ Identify all personnel with access to CUI
- ☐ Map external service providers in your CUI environment (cloud, IT MSPs)
Phase 2: Gap Assessment (Weeks 4–8)
- ☐ Complete a self-assessment against all 110 NIST 800-171 requirements
- ☐ Score each control: Met / Partially Met / Not Met / N/A
- ☐ Calculate your SPRS (Supplier Performance Risk System) score
- ☐ Prioritize gaps by risk level and remediation complexity
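The scoring and prioritization steps of Phase 2, as an added Python example (not DefenseBizStack's assessment tool or code from this article): it applies the NIST SP 800-171 DoD Assessment Methodology arithmetic behind the SPRS score, starting at 110 and subtracting each unimplemented requirement's weight, with the reduced 3-point deduction the methodology allows for partially implemented 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). The control weights and assessment findings in the block are constructed sample values, not the official weight table.

```python
"""SPRS score from a NIST SP 800-171 self-assessment (DoD Assessment Methodology).

Scoring rules: start at 110 and subtract each unimplemented requirement's
weight (1, 3 or 5 points). Two requirements allow a reduced 3-point deduction
when partially implemented: 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto).
N/A requirements count as met, provided the SSP justifies the N/A.
"""
from typing import Dict, List, Tuple

PERFECT_SCORE = 110
MET, PARTIAL, NOT_MET, NA = "met", "partial", "not_met", "na"
# Only these two requirements get partial credit under the methodology.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Illustrative weights for a handful of requirements (constructed sample values;
# take the real weights from the DoD Assessment Methodology table).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.5": 3, "3.3.1": 5, "3.5.3": 5,
    "3.6.3": 1, "3.12.1": 5, "3.13.11": 5,
}


def sprs_score(weights: Dict[str, int], findings: Dict[str, str]) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, deductions); deductions lists (control_id, points lost)."""
    score = PERFECT_SCORE
    deductions: List[Tuple[str, int]] = []
    for control_id, status in findings.items():
        if status in (MET, NA):
            continue  # no deduction for implemented or justified-N/A controls
        if status == PARTIAL:
            if control_id not in PARTIAL_DEDUCTION:
                raise ValueError(f"{control_id}: no partial credit; score as not_met")
            points = PARTIAL_DEDUCTION[control_id]
        elif status == NOT_MET:
            points = weights[control_id]
        else:
            raise ValueError(f"{control_id}: unknown status {status!r}")
        score -= points
        deductions.append((control_id, points))
    return score, deductions


def prioritize(deductions: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Order POA&M candidates by points lost, highest first (ties by control id)."""
    return sorted(deductions, key=lambda d: (-d[1], d[0]))


# Constructed self-assessment results for the sample controls.
SAMPLE_FINDINGS = {
    "3.1.1": MET, "3.1.5": NOT_MET, "3.3.1": NOT_MET, "3.5.3": PARTIAL,
    "3.6.3": NOT_MET, "3.12.1": NA, "3.13.11": PARTIAL,
}

if __name__ == "__main__":
    score, lost = sprs_score(SAMPLE_WEIGHTS, SAMPLE_FINDINGS)
    print(f"SPRS score: {score}")
    for cid, pts in prioritize(lost):
        print(f"  POA&M candidate: {cid} (-{pts})")
```

Swap in the official weights and your own Met / Partially Met / Not Met / N/A results to get the number you would submit to SPRS.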
Phase 3: Remediation (Months 2–12)
- ☐ Implement MFA on all remote access and privileged accounts
- ☐ Deploy centralized logging and SIEM
- ☐ Implement network segmentation around CUI systems
- ☐ Deploy endpoint detection and response (EDR)
- ☐ Establish patch management cadence (critical patches within 72 hours)
- ☐ Conduct annual security awareness training with documented records
Phase 4: Documentation (Months 3–12, parallel with remediation)
- ☐ Write your System Security Plan (SSP) — describe implementation of all 110 controls
- ☐ Create Plans of Action & Milestones (POA&M) for any remaining gaps
- ☐ Document your incident response plan
- ☐ Establish configuration baselines and change management procedures
- ☐ Create and conduct tabletop IR exercise
Phase 5: Assessment Preparation (Months 10–14)
- ☐ Engage a Registered Practitioner Organization (RPO) for pre-assessment review
- ☐ Resolve all high-priority POA&M items before C3PAO engagement
- ☐ Select a Certified Third-Party Assessment Organization (C3PAO)
- ☐ Submit SPRS score to DoD DIBNET portal
- ☐ Complete C3PAO assessment and receive CMMC Level 2 certification
Start With a Free Readiness Assessment
Before engaging an RPO or C3PAO, get a baseline understanding of your current posture. DefenseBizStack's free CMMC 2.0 Level 2 Readiness Assessment evaluates your organization across all 14 NIST domains, scores each control family, and generates a prioritized gap report with specific NIST 800-171 control IDs and remediation guidance.
The assessment takes 15–25 minutes and requires no login. It's built for defense SMBs doing the actual work of compliance — not for consultants billing by the hour.
⚠ AI Disclaimer: This article contains AI-generated analysis and estimates. CMMC compliance requirements, cost estimates, and timelines are subject to change. Consult qualified CMMC RPOs and C3PAOs for authoritative guidance specific to your contract requirements. See our full AI disclaimer.