CMMC Level 2 Requirements: Complete Guide to All 110 Controls
For defense contractors and subcontractors handling Controlled Unclassified Information (CUI), CMMC Level 2 (Cybersecurity Maturity Model Certification) is the cybersecurity benchmark that matters most. Under CMMC 2.0, Level 2 aligns directly with the 110 security requirements in NIST SP 800-171 and is designed to protect sensitive defense information across the Defense Industrial Base (DIB).
Organizations pursuing applicable Department of War (DoW) contracts must implement these controls, document them thoroughly, and prove compliance through either self-assessment or third-party certification depending on contract and security requirements.
This guide breaks down what CMMC Level 2 includes, how the 110 controls are organized, and what businesses need to do to prepare.
What Is CMMC Level 2?
CMMC Level 2 focuses on protecting CUI and serves as the bridge between basic cyber hygiene and advanced security maturity. Unlike CMMC Level 1, which covers only Federal Contract Information (FCI), CMMC Level 2 requires organizations to implement all 110 NIST SP 800-171 controls across 14 security domains. These security controls are not optional checkboxes. They require documented policies, operational procedures, technical safeguards, and evidence that security controls are functioning as intended.
For many contractors, CMMC Level 2 is the most critical certification tier because it applies broadly to companies storing, processing, or transmitting CUI.
What Are the 14 Control Families in CMMC Level 2?
The 110 controls are divided into 14 domains, each covering a core cybersecurity discipline:
1. Access Control (AC) – 22 Controls
Ensures only authorized users, devices, and systems can access CUI.
Key examples:
- Least privilege access
- Role-based permissions
- Session lock
- Remote access restrictions
- Network segmentation
2. Awareness and Training (AT) – 3 Controls
Requires personnel to understand cybersecurity risks.
Key examples:
- Security awareness training
- Insider threat awareness
- Role-specific security education
3. Audit and Accountability (AU) – 9 Controls
Focuses on logging, monitoring, and traceability.
Key examples:
- Audit log generation
- Event monitoring
- Log review
- Time synchronization
4. Configuration Management (CM) – 9 Controls
Ensures systems are securely configured and controlled.
Key examples:
- Baseline configurations
- Change management
- Application whitelisting
- Least functionality
5. Identification and Authentication (IA) – 11 Controls
Verifies users and devices before access is granted.
Key examples:
- Multi-factor authentication
- Unique IDs
- Password complexity
- Device authentication
6. Incident Response (IR) – 3 Controls
Defines how organizations detect and respond to cybersecurity events.
Key examples:
- Incident response plans
- Reporting
- Testing
7. Maintenance (MA) – 6 Controls
Secures system maintenance activities.
Key examples:
- Controlled maintenance tools
- Remote maintenance approvals
- Sanitization after repairs
8. Media Protection (MP) – 9 Controls
Protects physical and digital media containing CUI.
Key examples:
- Media marking
- Secure disposal
- Encryption
- Physical transport controls
9. Personnel Security (PS) – 2 Controls
Addresses personnel screening and termination security.
Key examples:
- Background screening
- Access revocation upon termination
10. Physical Protection (PE) – 6 Controls
Protects facilities and physical access points.
Key examples:
- Visitor controls
- Facility monitoring
- Escort procedures
11. Risk Assessment (RA) – 3 Controls
Requires organizations to identify and assess threats.
Key examples:
- Vulnerability scanning
- Risk assessments
- Threat remediation
12. Security Assessment (CA) – 4 Controls
Ensures ongoing evaluation of security posture.
Key examples:
- Periodic assessments
- Plan of Action & Milestones (POA&M)
- SSP updates
13. System and Communications Protection (SC) – 16 Controls
Protects networks and communications channels.
Key examples:
- Boundary defense
- Encryption
- Session integrity
- Split tunneling restrictions
14. System and Information Integrity (SI) – 7 Controls
Maintains system resilience against threats.
Key examples:
- Malware protection
- Patch management
- Flaw remediation
- Monitoring
Beyond the 110 CMMC Controls: 320 Assessment Objectives
A common misconception is that implementing 110 security controls is enough. In reality, CMMC assessments evaluate roughly 320 assessment objectives tied to those controls. This means each control may require multiple pieces of evidence, such as policy documents, technical settings, screenshots, interviews, and operational procedures.
For example, enabling MFA is not enough. Assessors may also review:
- Which users are covered
- Whether privileged accounts are included
- How enforcement is configured
- Whether documentation aligns with implementation
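The gap between "MFA is enabled" and the evidence an assessor wants can be checked mechanically. The following is an added example, not code from this guide: it takes a constructed identity-provider export and a constructed statement of what the SSP claims, and reports the mismatches an assessor would flag against the objectives listed above (user coverage, privileged accounts, enforcement, documentation alignment). The account rows, the SSP claim dictionary, and the field names are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    """One row of a (constructed) identity-provider export."""
    user: str
    privileged: bool
    mfa_enrolled: bool   # the user has registered a second factor
    mfa_enforced: bool   # a sign-in policy actually requires it for this user

# Constructed sample export for illustration; not real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", privileged=True, mfa_enrolled=True, mfa_enforced=True),
    Account("bob", privileged=False, mfa_enrolled=True, mfa_enforced=True),
    Account("carol", privileged=True, mfa_enrolled=True, mfa_enforced=False),
    Account("dave", privileged=False, mfa_enrolled=False, mfa_enforced=False),
    Account("svc-backup", privileged=True, mfa_enrolled=False, mfa_enforced=False),
]

# Constructed summary of what the SSP claims for the MFA control.
SAMPLE_SSP_CLAIM = {"scope": "all_users", "privileged_included": True}

def mfa_evidence(accounts, ssp_claim):
    """Compare the live configuration against the SSP claim; list mismatches."""
    covered = [a.user for a in accounts if a.mfa_enrolled and a.mfa_enforced]
    uncovered = [a.user for a in accounts if a.user not in covered]
    privileged_uncovered = [a.user for a in accounts
                            if a.privileged and a.user not in covered]
    # Enrolment alone is not enforcement: a registered factor that no policy
    # requires at sign-in does not satisfy the "how enforcement is configured" objective.
    enrolled_not_enforced = [a.user for a in accounts
                             if a.mfa_enrolled and not a.mfa_enforced]
    findings = []
    if ssp_claim["scope"] == "all_users" and uncovered:
        findings.append(f"SSP claims all users are covered; not covered: {uncovered}")
    if ssp_claim["privileged_included"] and privileged_uncovered:
        findings.append(f"SSP claims privileged accounts are covered; not covered: {privileged_uncovered}")
    if enrolled_not_enforced:
        findings.append(f"Enrolled but no enforcing policy: {enrolled_not_enforced}")
    return {
        "covered": covered,
        "uncovered": uncovered,
        "privileged_uncovered": privileged_uncovered,
        "enrolled_not_enforced": enrolled_not_enforced,
        "findings": findings,
        "aligned": not findings,   # True only when implementation matches the SSP
    }

if __name__ == "__main__":
    for line in mfa_evidence(SAMPLE_ACCOUNTS, SAMPLE_SSP_CLAIM)["findings"]:
        print("FINDING:", line)
```

An empty findings list is the artefact worth keeping with the SSP; a non-empty one is either a remediation item or a correction to the SSP text, and both belong in the POA&M.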
The Key Documentation Required for CMMC Level 2
To succeed at CMMC Level 2, documentation is just as important as technical controls.
Essential documents include:
- System Security Plan (SSP)
- POA&M
- Asset inventory
- Network diagrams
- Incident Response Plan
- Access Control Policies
- Security Awareness Records
Without strong documentation, even technically secure organizations can fail an assessment.
How SPRS Scores Impact CMMC Level 2 Readiness
Defense contractors subject to DFARS 252.204-7012 are required to assess their implementation of NIST SP 800-171 and submit their score to the Supplier Performance Risk System (SPRS).
SPRS is the Department of War’s system for recording NIST SP 800-171 assessment scores and tracking contractor compliance with DFARS requirements. Because those assessments are based on the same 110 NIST SP 800-171 security controls that underpin CMMC Level 2, an SPRS score can provide valuable insight into an organization’s current cybersecurity posture.
SPRS assessments include:
- Documenting compliance with DFARS 252.204-7012 requirements
- Measuring implementation progress against NIST SP 800-171
- Identifying security gaps and remediation priorities
- Supporting preparation efforts for a future CMMC Level 2 assessment
- Demonstrating cybersecurity maturity to DoW stakeholders
While an SPRS score is not a measure of CMMC readiness on its own, it serves as an important benchmark for organizations working toward CMMC Level 2 certification.
Self-Assessment vs C3PAO Certification: What To Know
CMMC Level 2 has two pathways:
Self-Assessment:
For select contracts with lower national security sensitivity. Requires annual affirmation and SPRS score submission.
C3PAO CMMC Assessment:
For prioritized contracts involving sensitive CUI. Requires formal third-party assessment every three years plus annual affirmation.
Most defense contractors should prepare as though third-party assessment will eventually apply.
The Common Challenges Organizations Face With CMMC Level 2
Many companies underestimate:
- Scoping complexity
- Legacy systems
- Security configuration gaps across cloud, endpoint, and identity environments
- Vendor management
- Documentation maturity
- Resource constraints
The hardest security controls are often not technical. They are operational, procedural, and evidence-based.
Practical Steps to Prepare for a CMMC Level 2 Assessment
Step 1: Define Scope
Identify all people, processes, technology, and external providers that touch CUI.
Step 2: Conduct Gap Assessment
Map current controls to NIST SP 800-171.
Step 3: Prioritize High-Risk Gaps
MFA, logging, endpoint security, and boundary protection often come first.
Step 4: Build Documentation
Develop SSP and POA&M early.
Step 5: Perform Internal Mock Assessment
Test against third-party assessment objectives, not just control statements.
Get CMMC Assessment Ready Today
If your organization is preparing for CMMC Level 2, the stakes go far beyond passing an assessment. Defense contractors across the DIB are facing increasing pressure to demonstrate strong cybersecurity practices, protect sensitive government information, and maintain eligibility for future contract opportunities.
Organizations that fail to address compliance gaps risk more than operational headaches. They risk lost revenue opportunities, delayed contract awards, increased scrutiny, and weakened trust across the defense supply chain.
CloudFit and easyCMMC help simplify the path forward with a streamlined 30-day approach designed to help organizations strengthen security posture, improve compliance maturity, and prepare for the operational and evidence-based requirements of modern CMMC assessments before engaging third-party assessment organizations.