CMMC Level 2
CMMC Level 2 is the middle tier and the most common target for defense contractors. It requires implementing all 110 security requirements from NIST SP 800-171, covering areas like access control, incident response, system protection, and audit logging.
Level 2 applies to contractors who handle Controlled Unclassified Information (CUI). Depending on the contract, you may need either a self-assessment or a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). The third-party assessment path is more rigorous and results in a formal certification valid for three years.
Why It Matters
Level 2 is where most defense contractors will land. Achieving certification requires significant investment in security controls, documentation, and organizational change — starting early gives you the best chance of passing your assessment on the first attempt.