CMMC Level 2 Requirements
A complete breakdown of the 110 NIST SP 800-171 security controls required for CMMC Level 2 certification, organized by the 14 control families.
What is CMMC Level 2?
CMMC Level 2 (Advanced) is designed for organizations that handle Controlled Unclassified Information (CUI) under DoD contracts. It requires full implementation of all 110 security requirements defined in NIST Special Publication 800-171 Revision 2.
Level 2 is the most common certification level for defense contractors. It has two assessment paths:
Self-Assessment
For contracts involving non-critical CUI. Annual self-assessment submitted to SPRS with senior official affirmation.
C3PAO Assessment
For contracts involving critical CUI programs. Independent third-party assessment every three years by an authorized C3PAO.
NIST SP 800-171 Control Families
The 110 controls are organized into 14 families. Each family addresses a specific area of cybersecurity:
| Family | Domain | Controls | Focus Area |
|---|---|---|---|
| AC | Access Control | 22 | Who can access systems and data |
| AT | Awareness & Training | 3 | Security training for personnel |
| AU | Audit & Accountability | 9 | Logging and monitoring activities |
| CM | Configuration Management | 9 | Secure system configurations |
| IA | Identification & Authentication | 11 | User identity verification |
| IR | Incident Response | 3 | Handling security incidents |
| MA | Maintenance | 6 | System maintenance practices |
| MP | Media Protection | 9 | Protecting digital and physical media |
| PE | Physical Protection | 6 | Physical access to facilities |
| PS | Personnel Security | 2 | Personnel screening and termination |
| RA | Risk Assessment | 3 | Identifying and managing risks |
| CA | Security Assessment | 4 | Evaluating control effectiveness |
| SC | System & Communications Protection | 16 | Network and data transmission security |
| SI | System & Information Integrity | 7 | Detecting and correcting flaws |
SPRS Scoring
Each of the 110 controls carries a point value. A perfect SPRS (Supplier Performance Risk System) score is 110. Organizations must submit their self-assessment score to SPRS before contract award. Each unmet control reduces the score by its weighted impact.
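The scoring described above, worked through in code. This is an added example, not part of the original page or any DoD or NIST tool. It follows the DoD Assessment Methodology scheme in which every control is weighted 5, 3 or 1, the score starts at 110 and each unmet control subtracts its weight (so the lowest possible score is -203), and the two controls 3.5.3 (MFA) and 3.13.11 (FIPS cryptography) permit a reduced deduction of 3 when partially met. The `SAMPLE_WEIGHTS` table is a small illustrative subset chosen here, not the full 110-entry list; unlisted controls default to weight 1 in this example, and every weight should be confirmed against Annex A of the methodology before use.

```python
"""Added example: SPRS self-assessment score calculator (not the page's own code).

Assumptions, all labelled: weights follow the 5/3/1 scheme of the DoD
Assessment Methodology; SAMPLE_WEIGHTS is an illustrative subset, and any
control not listed is assumed to weigh 1 for this demonstration.
"""
from enum import Enum
from typing import Dict, List, Tuple

PERFECT_SCORE = 110   # every control implemented
MIN_SCORE = -203      # 110 minus the sum of all weights (313)


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                  # only valid for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"


# Illustrative subset of control weights (verify against Annex A).
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,     # limit system access to authorized users
    "3.1.2": 5,     # limit access to authorized transaction types
    "3.1.20": 1,    # control connections to external systems
    "3.1.22": 1,    # control CUI posted on public systems
    "3.5.3": 5,     # multifactor authentication
    "3.13.11": 5,   # FIPS-validated cryptography
}

# Controls that permit a reduced deduction when partially met.
PARTIAL_CREDIT: Dict[str, int] = {
    "3.5.3": 3,     # MFA for remote/privileged but not general users
    "3.13.11": 3,   # encryption in place but not FIPS-validated
}


def sprs_score(
    assessment: Dict[str, Status],
    weights: Dict[str, int] = SAMPLE_WEIGHTS,
) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, deductions) for a control-id -> Status mapping.

    Implemented controls cost nothing; unmet controls subtract their
    weight; PARTIAL is accepted only for the two partial-credit controls.
    """
    score = PERFECT_SCORE
    deductions: List[Tuple[str, int]] = []
    for control, status in assessment.items():
        if status is Status.IMPLEMENTED:
            continue
        if status is Status.PARTIAL:
            if control not in PARTIAL_CREDIT:
                raise ValueError(f"{control} does not allow partial credit")
            deduction = PARTIAL_CREDIT[control]
        else:
            deduction = weights.get(control, 1)  # assumption: unlisted -> 1
        score -= deduction
        deductions.append((control, deduction))
    # The methodology's floor: no score can fall below -203.
    return max(score, MIN_SCORE), deductions


if __name__ == "__main__":
    # Constructed sample assessment, not a real organization's data.
    sample = {
        "3.1.1": Status.IMPLEMENTED,
        "3.5.3": Status.PARTIAL,          # MFA only on remote/privileged
        "3.13.11": Status.NOT_IMPLEMENTED,
        "3.1.20": Status.NOT_IMPLEMENTED,
    }
    total, items = sprs_score(sample)
    print(f"SPRS score: {total}")
    for control, points in items:
        print(f"  -{points}  {control}")
```

Because a single weight-5 control costs as much as five weight-1 controls, the calculator makes visible which open POA&M items move the submitted score the most.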
Highest-Impact Control Families
Access Control (22 Controls)
The largest family covers system access policies, remote access, information flow enforcement, separation of duties, least privilege, and session management. Key requirements include:
- Limit system access to authorized users and authorized transaction types
- Enforce approved authorizations for controlling information flow
- Implement multi-factor authentication (MFA) for network and remote access
- Control remote access sessions and encrypt all remote connections
- Limit unsuccessful logon attempts and provide privacy/security notices
System & Communications Protection (16 Controls)
Covers network segmentation, encryption, boundary protection, and communications security:
- Monitor and protect communications at system boundaries
- Implement FIPS-validated cryptography for CUI protection
- Deny network traffic by default (allow by exception)
- Protect confidentiality of CUI at rest and in transit
- Establish and manage cryptographic keys
Identification & Authentication (11 Controls)
Ensures that all users and devices are properly identified before access is granted:
- Uniquely identify all system users, processes, and devices
- Use multi-factor authentication for local and remote access
- Enforce minimum password complexity and change requirements
- Store and transmit only cryptographically protected passwords
- Authenticate devices before establishing connections
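The Access Control item "limit unsuccessful logon attempts" and the Identification & Authentication items on password complexity and cryptographically protected passwords, shown together in one added example that is not code from the page or any product. It stores only a salted PBKDF2-HMAC-SHA256 digest, compares in constant time, and locks an account after a configurable number of failures. The iteration count, the attempt limit, the lockout duration and the complexity rule are values chosen for this example; the page sets none of them. One caveat for assessors: using an approved algorithm is not the same as FIPS validation, which applies to the cryptographic module (here, the OpenSSL build behind `hashlib`) and has to be shown as evidence separately.

```python
"""Added example: local password storage, verification and lockout.

Not the page's own code. Parameters below (PBKDF2_ITERATIONS,
MAX_FAILED_ATTEMPTS, LOCKOUT_SECONDS, MIN_LENGTH) are assumptions chosen
for the demonstration, not values stated by NIST SP 800-171 or the page.
"""
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # assumption: work factor for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5       # assumption: failures before lockout
LOCKOUT_SECONDS = 900         # assumption: 15-minute lockout
MIN_LENGTH = 14               # assumption: minimum password length


def check_complexity(password: str) -> List[str]:
    """Return a list of policy violations; empty means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than 3 of: lower, upper, digit, symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a digest with a fresh 16-byte salt unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class LocalAccount:
    """Only the salt and digest are stored, never the password itself."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0
        self.locked_until = 0.0   # epoch seconds; 0 means not locked


def authenticate(account: LocalAccount, password: str,
                 now: Optional[float] = None) -> str:
    """Return 'ok', 'denied' or 'locked'; enforces the failed-attempt limit."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"           # reject without touching the counter
    _, candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.digest):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0
        return "locked"
    return "denied"


if __name__ == "__main__":
    # Constructed demo credential, not real data.
    acct = LocalAccount("alice", "Correct-Horse-Battery-9")
    print(check_complexity("Correct-Horse-Battery-9"))   # []
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(authenticate(acct, "wrong guess", now=1000.0))
    print(authenticate(acct, "Correct-Horse-Battery-9", now=1001.0))  # locked
    print(authenticate(acct, "Correct-Horse-Battery-9", now=2000.0))  # ok
```

The lockout path returns before the digest is computed, so a locked account costs the server no KDF work; the audit event for each outcome (the AU family) would be emitted at the three `return` points.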
Required Documentation for Level 2
CMMC Level 2 assessment requires extensive documentation to demonstrate control implementation:
System Security Plan (SSP)
Comprehensive document describing your system boundary, architecture, and how each of the 110 controls is implemented.
Plan of Action & Milestones
Tracks any unmet requirements with remediation plans, timelines, and responsible parties. Must be closed within 180 days.
Network Diagram
Visual representation of your CUI boundary, data flows, security controls placement, and interconnections.
Policies & Procedures
Written security policies covering each control family, with corresponding procedures for implementation and enforcement.