The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Find your Level 2 path →

CMMC Level 2 Requirements

By The Defense Compliance Report Editorial Team— an independent trade publication on CMMC 2.0 and DIB compliance

Last verified: June 12, 2026

CMMC Level 2 requirements are the 110 security requirements in NIST SP 800-171 Revision 2, applied to the controlled unclassified information (CUI) in a scope you define under 32 CFR Part 170 — and proven through either a self-assessment or an independent C3PAO assessment, depending on what your contract says. That last clause is where most of the money, and most of the confusion, lives. Some Level 2 contracts let you assess yourself and post the score. Others require a certified third-party assessor. A software platform, an RPO, or any single vendor cannot produce Level 2 status for you. You own it.

Here’s the part nobody puts in the headline: “requirements” isn’t one thing. It’s four things stacked on top of each other — the 110 controls, the assessment path, the CUI scope, and the contract obligations (your SPRS score, your annual affirmation, your unique identifiers). Miss any one of the four and you can do everything right and still lose the award.

The exceptions to keep straight: Level 1 covers federal contract information (FCI) only — 15 basic safeguards, self-assessed every year. Level 3is for the most sensitive CUI, adds 24 enhanced requirements from NIST SP 800-172, and is assessed by the government’s DIBCAC. If you handle CUI on a DoD contract, you’re almost certainly looking at Level 2.

Last reviewed June 2026

In short: CMMC Level 2 requirements are the 110 security requirements in NIST SP 800-171 Revision 2, applied to the CUI in a scope you define, and proven through either a self-assessment or a C3PAO assessment depending on what your contract requires. No single tool or vendor can produce Level 2 status for you.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

CMMC Level 2 in one screen

If you read nothing else, read this. Everything below is the detail behind it.

What you’re decidingThe short answer
Which standard?All 110 security requirements in NIST SP 800-171 Revision 2 — 14 families, 320 assessment objectives. Not Revision 3 (see below).
Who it's forCompanies that store, process, or transmit CUI on a DoD contract. (FCI-only → Level 1.)
How you prove itLevel 2 (Self) — you assess and post to SPRS — or Level 2 (C3PAO) — a certified third party assesses you. Your contract decides which.
Minimum to pass conditionallyAn assessment score of at least 88 out of 110 (the 0.8 threshold), with any remaining gaps on an allowed POA&M.
Minimum for final statusAll applicable requirements MET (a 110 score). If you first earned Conditional status, the POA&M must be closed within 180 days.
The cycleA full assessment every 3 years, plus an annual affirmation in SPRS.
DoD's published cost (to prove it)~$37,196 small-entity self / ~$104,670 small-entity C3PAO over three years — but that figure assumes you're already compliant and excludes implementation. Real first-cycle spend runs far higher.
The clock that mattersPhase 2 begins November 10, 2026, when DoD intends to make Level 2 (C3PAO) a condition of award for applicable contracts.
Your smart first moveConfirm your level and CUI scope before buying any tool. Scope drives everything downstream.

Sources: 32 CFR Part 170, NIST SP 800-171 Rev. 2, 32 CFR § 170.21, 32 CFR § 170.24. Cost figures from the CMMC Program rule’s Regulatory Impact Analysis (89 FR 83092).


What are the CMMC Level 2 requirements?

  1. 1. The 110 security requirements. These are identical to NIST SP 800-171 Rev. 2. The CMMC rule adopts them by reference at 32 CFR § 170.14. Precise wording: 110 security requirements, organized into 14 families and assessed against 320 objectives in the NIST SP 800-171A companion document.
  2. 2. The assessment path. Level 2 splits into two statuses: Level 2 (Self), where your organization conducts the assessment and posts the result to SPRS, and Level 2 (C3PAO), where a Certified Third-Party Assessment Organization does the work. Same 110 requirements. Different proof. Your solicitation tells you which. See our self-assessment vs. C3PAO guide for the full breakdown.
  3. 3. The scope.The requirements don’t apply to your whole company by default. They apply to your CMMC Assessment Scope as defined at 32 CFR § 170.19 — the assets that touch CUI, plus certain assets that protect them. Getting this boundary right is the single biggest lever on your cost and your timeline.
  4. 4. The contract obligations.Even with 110 controls met, you still owe the paperwork that makes you eligible: a current status in SPRS, an annual affirmation of continuous compliance signed by an authorized official, and your CMMC unique identifiers (CMMC UIDs) in your proposal. Skip these and you’re non-compliant on paper regardless of how good your security is.

What CMMC Level 2 is not

  • Not automatically a C3PAO assessment. During the current phase, many Level 2 contracts allow self-assessment.
  • Not based on NIST SP 800-171 Rev. 3. For CMMC, Rev. 2 is the controlling baseline until DoD amends the rule.
  • Not a software purchase. No platform, by itself, produces Level 2 status.
  • Not Level 3. Level 2 does not include the NIST SP 800-172 enhanced requirements.

Who actually needs CMMC Level 2?

The fastest way to answer “is this me?” is to find two clauses and read one field. In the solicitation, look for DFARS 252.204-7025. It contains a single blank the contracting officer fills in, and it can only say one of four things: Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). That field is the answer. Also see our full guide on who needs CMMC.

The fast decision tree

Your situationLikely pathWhat to verify
FCI only, no CUI in performanceLevel 1, not Level 2Confirm in writing that no CUI/CDI will be processed, stored, or transmitted.
CUI in performance; 7025 says Level 2 (Self)Level 2 (Self)The inserted level, plus your current SPRS and affirmation obligations.
CUI in performance; 7025 says Level 2 (C3PAO)Level 2 (C3PAO)Assessment scheduling, scope, CMMC UID, annual affirmation.
Sensitive/specified CUI; Level 3 namedLevel 3 (DIBCAC) after Final Level 2 (C3PAO)The DIBCAC requirement and the Level 2 prerequisite.
Sub receiving CUI or FCI from a primeFlowed-down status matching the informationThe required level, in writing, from your prime.
Sub not receiving FCI or CUI from the primeCMMC flow-down may not applyDoD has stated CMMC is not required to flow down to subs that do not receive FCI or CUI from the prime. Confirm with prime/contract documentation.

When the paperwork is ambiguous

If DFARS 252.204-7012 is in the contract but the work seems to involve no CUI, don’t guess. Ask your contracting officer or prime — in writing — four things: What CMMC status level is required? Is it Level 2 (Self) or Level 2 (C3PAO)? Which information systems will process, store, or transmit CUI? And what CMMC UID must be associated with this system? Written answers from an authorized source are the only protection against a later dispute. See our guide on CMMC flow-down requirements for the subcontractor specifics.


Is CMMC Level 2 the same as NIST SP 800-171?

If you’ve been complying with NIST SP 800-171 since 2017 under DFARS 252.204-7012, you already own the hard part of Level 2. What CMMC adds is verification and consequence.

NIST SP 800-171 Rev. 2CMMC Level 2
What it isA security-requirements publication for protecting CUI in nonfederal systemsA DoD assessment-and-status framework that uses NIST SP 800-171 Rev. 2 for Level 2
Requirement set14 families, 110 requirementsThe same 110 requirements
AssessmentNIST SP 800-171A provides the assessment proceduresLevel 2 (Self) or Level 2 (C3PAO)
Where results goSelf-reportedSPRS (self) or CMMC eMASS → SPRS (C3PAO)
Contract statusNot itself a “CMMC status”Produces Conditional or Final Level 2 status
AffirmationNot the same as the CMMC annual affirmationAnnual affirmation required to keep status

Why Revision 2 still controls — even though Revision 3 exists

NIST published Revision 3 in 2024. It is not the CMMC Level 2 standard. The CMMC rule at 32 CFR Part 170 incorporates Revision 2, and a C3PAO assesses you against Revision 2. The most common expensive error we see: a company “modernizes” to Rev. 3, then shows unmetrequirements under the Rev. 2 baseline the assessor actually uses. DoD has signaled it will move to Rev. 3 through future rulemaking — but “future” is the operative word. Build to Rev. 2 today. See our NIST 800-171 gap analysis guide for evidence-level detail.


What are the 14 CMMC Level 2 control families?

Requirement counts are verified against NIST SP 800-171 Rev. 2 and NIST SP 800-171A, Chapter Three — not from a vendor summary. The “where readiness usually breaks” and “provider category” columns are The Defense Compliance Report’s editorial mapping of common implementation and evidence patterns — useful for planning, not regulatory requirements.

#Family (requirements)What it controls, in plain EnglishWhere readiness usually breaksProvider category that helps
1Access Control (22)Who can reach CUI, from where, with what privilegesShared accounts, unmanaged external connections, over-permissioned usersMSP/MSSP, identity/cloud implementer
2Awareness & Training (3)Whether people understand their CUI responsibilitiesGeneric training with no CUI-specific, role-based proofReadiness/RPO, GRC software
3Audit & Accountability (9)Recording, protecting, and reviewing security eventsLogs exist but nobody reviews or retains themMSSP/SOC, SIEM, MSP
4Configuration Management (9)Secure baselines and controlled changes"Current state" lives in people's heads; no change trailMSP, endpoint/config tooling
5Identification & Authentication (11)Unique identity and authentication for users/devicesMFA gaps, unmanaged service accounts, local admin sprawlMSP, identity implementer
6Incident Response (3)Detect, respond, report, learnA paper IR plan that's never been testedMSSP, vCISO, readiness
7Maintenance (6)Authorized, logged system maintenanceVendor remote access that's informal and undocumentedMSP/MSSP, readiness
8Media Protection (9)Protecting, transporting, sanitizing CUI mediaBackups, removable media, or paper CUI fall outside the enclaveMSP, enclave/cloud implementer
9Personnel Security (2)Access during hiring, transfer, terminationTerminated users still have accessReadiness, MSP/GRC
10Physical Protection (6)Controlling physical access to CUI systems/mediaFacilities undocumented in scopeReadiness, facilities/IT
11Risk Assessment (3)Finding and remediating vulnerabilitiesScans run, but remediation isn't tracked to closureMSSP, vuln management
12Security Assessment (4)The SSP, POA&M, and ongoing assessment disciplineAn incomplete or stale System Security PlanRPO/readiness, GRC software
13System & Communications Protection (16)Boundary protection, FIPS-validated encryption, segmentationCUI flows wider than the diagram; unsupported encryption claimsSecure enclave/cloud, MSP/MSSP
14System & Information Integrity (7)Flaw remediation, malware defense, monitoringA patch/vulnerability backlog with no managed closureMSSP, MSP, endpoint tooling

What evidence do you need for CMMC Level 2?

Evidence categoryExamples
Scope evidenceAsset inventory, CUI data-flow map, network diagram, CAGE/system mapping, scope narrative
Governance evidenceSystem Security Plan (SSP), policies and procedures, POA&M, risk assessment, continuous-monitoring plan
Technical evidenceConfiguration exports/screenshots, identity-provider and MFA policies, firewall rules, EDR status, vulnerability scans, encryption/FIPS evidence
Operational evidenceTickets, approvals, log reviews, incident-response test records, training records, maintenance and change-control records
Third-party evidenceExternal Service Provider (ESP) service description, Customer Responsibility Matrix (CRM), cloud-provider FedRAMP evidence where applicable
  • A subscription is not a met requirement.If a control depends on configuration, monitoring, review, or a defined process, your evidence has to show the process happened and is tied to the CUI scope — not just that you bought the product.
  • The six-year clock is real. Under 32 CFR § 170.17, hashed evidence artifacts must be kept for six years from your CMMC Status Date, hashed with a NIST-approved algorithm. Build your evidence to be archived, not assembled in a panic the week before the assessor arrives.

What’s actually in scope for CMMC Level 2?

Asset categoryWhat it meansHow it’s treated
CUI AssetsAssets that process, store, or transmit CUIAssessed against all applicable Level 2 requirements
Security Protection AssetsAssets that provide security functions to the CUI scope (e.g., a SIEM, a firewall manager)Assessed against the relevant requirements for the protections they provide
Contractor Risk Managed AssetsAssets that could but aren't intended to handle CUI, kept out by policy and practiceDocumented in the SSP; may receive limited checks
Specialized AssetsIoT/OT, government-furnished equipment, test gear, restricted systems that can handle CUI but can't be fully securedDocumented and reviewed through the SSP; not assessed against the other CMMC requirements
Out-of-Scope AssetsAssets that can't handle CUI and don't protect CUI assets; physically or logically separatedNo assessment — but you must be ready to justify why they're out

How do MSPs, MSSPs, cloud providers, and ESPs affect Level 2?

The one hard truth this entire industry would rather you not lead with:

No tool, template, managed service provider, consultant, or C3PAO can make you “CMMC Level 2 compliant” on its own. Level 2 is an assessed implementation state for a defined CUI scope, backed by evidence, an SPRS score, and an annual affirmation. Under 32 CFR § 170.8(b)(17), a firm — and its people — that served as your consultant to prepare you for any CMMC assessment is prohibited from participating in your Level 2 certification assessment for three years. Anyone promising to “get you certified” as a single package is either misreading the rule or hoping you are.

The good news: that truth makes your path simpler. Your job is two clean, separable steps. Step one:get genuinely ready — scope, implement, document, and gather evidence. Step two: when your scope and evidence are defensible, engage an independent assessor only if your contract requires Level 2 (C3PAO). See our RPO vs. C3PAO guide for who helps with which step.

CSP vs. non-CSP ESP — what to verify

Provider typeWhat to verify
CSP processing/storing/transmitting CUIFedRAMP Moderate authorization or equivalency where required, the service boundary, the Customer Responsibility Matrix, the exact services in use
Non-CSP ESP processing/storing/transmitting CUIThose services are inside your assessment scope and assessed as part of your assessment
ESP handling security-protection data onlyTreated as Security Protection Asset services where applicable
Provider touching neither CUI nor security dataMay not meet the CMMC ESP definition — document the reasoning

Buying GCC High, a secure enclave, AWS GovCloud, or a GRC platform may reduce scope, provide evidence, or support controls— but you still own the scope, the SSP, the responsibility matrix, the SPRS posting, the affirmation, and the required status. The technology is a means. It is never the certification.


How is CMMC Level 2 scored, and what can’t a POA&M cover?

Conditional vs. Final — the four statuses

StatusWhat it means
Final Level 2 (Self)Passing self-assessment status, posted in SPRS with affirmation
Conditional Level 2 (Self)Self-assessed status with an allowed POA&M; close within 180 days
Final Level 2 (C3PAO)Passing status after a C3PAO assessment
Conditional Level 2 (C3PAO)C3PAO-assessed status with an allowed POA&M; C3PAO closeout within 180 days

What a Level 2 POA&M can — and can’t — cover

Per 32 CFR § 170.21, you can earn Conditional Level 2 with a POA&M only if all three of these are true:

  1. 1. You clear the bar.Your assessment score divided by 110 is ≥ 0.8 — that’s the 88-point minimum.
  2. 2. Only light items defer. No requirement worth more than 1 pointmay sit on the POA&M — with one narrow exception: SC.L2-3.13.11 (CUI Encryption) may go on a POA&M if encryption is in use but not yet FIPS-validated. Every other 3- and 5-point requirement must be met at the assessment.
  3. 3. Six specific 1-point requirements can never defer.Even though they’re worth only 1 point each, these are excluded by name and must be met:
    • AC.L2-3.1.20 — External Connections
    • AC.L2-3.1.22 — Control Public Information
    • CA.L2-3.12.4 — System Security Plan
    • PE.L2-3.10.3 — Escort Visitors
    • PE.L2-3.10.4 — Physical Access Logs
    • PE.L2-3.10.5 — Manage Physical Access

What SPRS and affirmation entries does Level 2 require?

SPRS is the DoD’s authoritative database for supplier risk and assessment data, and it’s where contracting officers look at your CMMC status during source selection. A current status and a current affirmation are conditions of award. See our SPRS score guide for details.

Clause / provisionWhat it does for you
DFARS 252.204-7012Requires adequate security on covered systems and rapid (72-hour) cyber-incident reporting; the long-standing basis for NIST SP 800-171
DFARS 252.204-7019Notice that you must have a current NIST SP 800-171 assessment and SPRS score when applicable
DFARS 252.204-7020Defines the Basic/Medium/High DoD assessments and the SPRS scoring and flow-down obligations
DFARS 252.204-7021The contract clause: maintain your CMMC status, process FCI/CUI only on systems that hold it, affirm annually, flow down to applicable subs
DFARS 252.204-7025The solicitation provision: names the required level before award and requires your CMMC UIDs in the proposal

The pairing to memorize: see 7025 in a solicitation, expect 7021 in the contract.One tells you what you’ll need to win; the other holds you to it through performance.


How much does CMMC Level 2 cost, and how long does it take?

Level / path (3-year cost to prove compliance)Small entityOther-than-small entity
Level 1 self-assessment~$6,000~$6,000
Level 2 self-assessment + affirmations~$37,196~$48,827
Level 2 C3PAO assessment + affirmations~$104,670~$117,768
Level 3Level 2 + new-requirement engineering costsHigher

Source: CMMC Program rule regulatory analysis, 89 FR 83092. DoD’s estimates cover assessment and affirmation, not implementation. DoD’s estimates also do not reflect actual C3PAO market prices. Inside the $104,670: ~$76,743 assessment, ~$20,699 planning/prep, ~$2,851 reporting, ~$4,377 three years of affirmations.

What drives your cost

Cost driverWhy it matters
CUI spreadMore workflows, users, and systems touching CUI = a bigger assessment scope
Starting maturityExisting MFA, logging, vuln management, and policies cut remediation sharply
Evidence maturityMany companies have controls but can't prove them — that's still rework
Cloud/ESP architectureMSPs, MSSPs, CSPs, and collaboration tools add responsibility-matrix and scope questions
Assessment pathLevel 2 (C3PAO) adds scheduling and formal evidence pressure
Facilities & specialized assetsMultiple sites, OT, test gear, and GFE complicate scope
Internal laborOwner, IT, HR, facilities, security, and contracts all feed evidence

The clock is real — and it’s not a sales line

PhaseBeginsWhat changes
Phase 1Nov. 10, 2025Level 1 (Self) or Level 2 (Self) as a condition of award; Level 2 (C3PAO) at DoD discretion
Phase 2Nov. 10, 2026DoD intends to make Level 2 (C3PAO) a condition of award for applicable contracts (it may defer to an option period)
Phase 3Nov. 10, 2027Broader Level 2 (C3PAO); Level 3 (DIBCAC) introduced at DoD discretion
Phase 4Nov. 10, 2028Full implementation, including option periods

Source: 32 CFR § 170.3. DoD estimates 80,000+ organizations will ultimately need Level 2. Industry tallies of the Cyber AB Marketplace in early-to-mid 2026 counted roughly 80 to 105 authorized C3PAOs, and Cyber AB Town Hall reporting has put the number of organizations with Level 2 certifications on the order of 1% of the affected population. *(C3PAO count and certification totals are date-sensitive — confirm live numbers at the Cyber AB Marketplace.)* See our C3PAO wait-time guide for current backlog data.


What should you do first if you just found CUI or got a Level 2 flow-down?

Your first 10 days

  1. 1. Pull the solicitation, contract, or flow-down.
  2. 2. Search it for DFARS 252.204-7025, 7021, 7012, 7019, and 7020.
  3. 3. Identify whether the inserted status is Level 2 (Self) or Level 2 (C3PAO).
  4. 4. Confirm whether you receive, generate, process, store, or transmit CUI.
  5. 5. Map where CUI lives today — apps, email, file shares, endpoints, cloud.
  6. 6. List CUI users, systems, cloud/MSP/MSSP involvement, and physical locations.
  7. 7. Check your current SSP, POA&M, SPRS score, and affirmation status.
  8. 8. Decide which gap is biggest: readiness, managed IT/security, enclave/cloud, evidence software, legal, or assessment.
  9. 9. Don't sign an assessment contract before your scope and evidence are defensible.
  10. 10. Put any ambiguity to your prime or contracting officer in writing.

Don’t do this first

  • Don’t assume every Level 2 contract means a C3PAO right now — many allow self-assessment in this phase.
  • Don’t assume self-assessment is enough when the solicitation says Level 2 (C3PAO).
  • Don’t assume GCC High is mandatory for every CUI environment.
  • Don’t upload CUI into a random tool while you’re trying to “solve” CMMC.
  • Don’t hire a C3PAO expecting it to both remediate and assess the same engagement — the independence rules don’t allow it.

What changes for subcontractors?

What the subcontractor handlesMinimum CMMC status for the sub
FCI only (no CUI)Level 1 (Self) — regardless of the prime's level
CUILevel 2 (Self) minimum (assessment type tracks the prime contract's requirement)
CUI, where the prime contract requires Level 2 (C3PAO)Level 2 (C3PAO) minimum
CUI, where the prime contract has a Level 3 requirementLevel 2 (C3PAO) minimum unless DoD gives specific guidance

Ask your prime, in writing

  • What CMMC status are you flowing down?
  • Is it Level 2 (Self) or Level 2 (C3PAO)?
  • What CUI will we receive, generate, process, store, or transmit?
  • Which systems or workflows are expected to handle CUI?
  • Is the requirement a condition of award, of performance, or of an option exercise?
  • What CAGE/CMMC UID information must we provide?
  • Is there a prime-hosted environment option that would change our scope?

When walking away is a rational business decision

If the revenue is small, the CUI scope is broad, the timeline is short, and the flow-down requires Level 2 (C3PAO), a small subcontractor is allowed to ask whether the work justifies the investment. Sometimes the right answer is to restructure the data handling so you’re out of scope, or to pass on that particular subcontract. See our guide to CMMC providers for small businesses for this math.


Which CMMC provider category do you actually need for Level 2?

This provider-category table is editorial guidance from The Defense Compliance Report, not a CMMC rule. CMMC does not require you to hire any specific provider category; the right category depends on your scope, evidence gaps, contract status, and assessment readiness.

Your situationFirst category to considerWhat to verify before hiring
"We don't know our scope."Readiness/RPO/vCISO or a CUI-scoping specialistCUI-mapping process, SSP experience, fluency with 32 CFR § 170.19
"Our IT is unmanaged."CMMC-focused MSP/MSSPCan they operate controls, collect evidence, and supply a Customer Responsibility Matrix?
"CUI is everywhere."Secure enclave/cloud implementerDoes the architecture truly reduce scope? FedRAMP/CSP/CRM treatment?
"We have controls but no evidence."GRC/evidence software + readiness supportNIST 800-171 mapping, evidence export, SSP/POA&M workflow
"Contract says Level 2 (C3PAO) and we're ready."An authorized C3PAOCurrent Cyber AB Marketplace status, independence/COI screening, schedule, appeals process, no guarantee language
"The clause is ambiguous."Contracts counsel + a CMMC advisorWritten CO/prime clarification before spending

For more, see our CMMC provider categories guide, best CMMC consultants, and how to find an authorized C3PAO.

A verifiable caution worth your two minutes

In January 2025, the DoD Inspector General reported that DoD had not effectively implemented the process for authorizing third-party organizations to perform CMMC 2.0 Level 2 assessments, and issued recommendations to strengthen quality assurance and oversight (DODIG-2025-056). The practical lesson: confirm a C3PAO’s currentstatus directly on the Cyber AB Marketplace, and keep readiness and assessment roles cleanly separated. When you’re at that stage, our guide to the best C3PAOs for CMMC Level 2 walks through what to check.


The mistakes that make CMMC Level 2 harder than it needs to be

MistakeWhy it hurtsBetter move
Buying tools before scoping CUIExpands cost without proving the boundaryDefine CUI workflows and asset categories first
Treating all Level 2 as C3PAOOverstates many current self-assessment casesRead the inserted status in 7025/flow-down
Treating self-assessment as casualLevel 2 (Self) still means all 110 requirements plus SPRS and affirmationUse NIST 800-171A-grade evidence discipline
Ignoring ESPs/MSPsThird parties may be in scope or require a CRM/FedRAMP evidenceDocument ESP/CSP treatment in the SSP and CRM
Running on a stale SSPCA.L2-3.12.4 can't be deferred to a POA&MFix the SSP before planning the assessment
Blurring assessor and implementerThe 3-year COI rule can disqualify the assessmentKeep readiness/remediation and assessment separate
Treating DoD's estimate as a full budgetDoD's number excludes implementation and real C3PAO pricesBudget implementation, readiness, software, labor, and assessment separately

What we actually verified for this guide

Source we checkedWhat it supports here
Federal Register — 32 CFR Part 170 (Oct. 15, 2024)Effective date (Dec. 16, 2024), program structure, Level 2 framework, cost estimates
Federal Register — DFARS rule (Sept. 10, 2025)DFARS effective date (Nov. 10, 2025), flow-down statement
eCFR — 32 CFR Part 170 (§§ 170.3, 170.8, 170.14, 170.16, 170.17, 170.19, 170.20, 170.21, 170.23, 170.24)Level 2 model, self/C3PAO assessment, scoping, POA&M, scoring, conflicts of interest, subcontractor minimums, phases
NIST SP 800-171 Rev. 2 and NIST SP 800-171AThe 14 families, 110 requirements, 320 assessment objectives, SSP/POA&M concepts
Acquisition.gov — DFARS 252.204-7012/7019/7020/7021 and eCFR 7025Status, award eligibility, CMMC UID, flow-down, affirmation
Cyber AB Code of Professional Conduct and 32 CFR § 170.8(b)(17)Assessment process, conflict-of-interest, the 3-year consultant/assessor separation
DoD CIO — CMMCCurrent implementation and affirmation guidance
SPRSThe authoritative system for CMMC/NIST assessment results
DoD OIG — DODIG-2025-056Caution on the C3PAO authorization process; verify assessor status

What we did not independently verify(and you should confirm before relying on it): the real-world market cost ranges above (third-party industry figures, not our own quote dataset), the live Cyber AB Marketplace C3PAO count and certification totals (date-sensitive — check the Marketplace and the latest Cyber AB Town Hall), and current state grant or tax-credit programs.

Read more about how we work in our editorial standards and methodology, and report anything that needs fixing through our corrections policy.


Which provider category fits your situation

  • C3PAO (Certified Third-Party Assessment Organization) — the only category that can perform a Level 2 (C3PAO) certification assessment when your contract requires one.
  • RPO/RP (Registered Provider Organization / Registered Practitioner)— readiness help to scope CUI, build your SSP and POA&M, and prepare evidence before you assess.
  • MSSP (Managed Security Service Provider) — operates the IT and security controls behind the 110 requirements day to day.
  • GRC platform— organizes requirements, evidence, and SSP/POA&M work, though it cannot by itself produce Level 2 status.
  • CUI enclave — isolates CUI workflows to reduce the scope the 110 requirements apply to.
  • You don't need a C3PAO yet if your contract allows Level 2 (Self), or you are still scoping, remediating, or finalizing evidence.

CMMC Level 2 requirements: FAQ

Are CMMC Level 2 requirements 110 controls?
In everyday language, yes — Level 2 is often described as 110 controls. The precise wording is 110 security requirements from NIST SP 800-171 Revision 2, organized into 14 families and 320 assessment objectives. The CMMC rule adopts that requirement set for Level 2 at 32 CFR § 170.14.
Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?
CMMC Level 2 currently uses Revision 2, because that is the version incorporated into 32 CFR Part 170. Do not treat Revision 3 as the controlling CMMC Level 2 standard unless and until DoD amends the rule.
Do all Level 2 contractors need a C3PAO?
No. Level 2 can be Level 2 (Self) or Level 2 (C3PAO). The solicitation provision (DFARS 252.204-7025) names which one applies. In the current phase, many Level 2 contracts allow self-assessment; from November 10, 2026, DoD intends to make third-party assessment the condition of award for applicable contracts.
Can you pass CMMC Level 2 with a POA&M?
You can earn Conditional Level 2 only if your score is at least 88 of 110, no deferred item is worth more than 1 point (except the narrow CUI-encryption exception), and none of the six named requirements in 32 CFR § 170.21 are on the POA&M. You must close the POA&M within 180 days to reach Final status, or the Conditional status expires.
What's the minimum SPRS score for CMMC Level 2?
88 out of 110 for Conditional status; all applicable requirements MET (a 110 score) for Final status. Scores range from -203 to +110. Most requirements are all-or-nothing, with limited partial credit (for example, multifactor authentication), and a Not-Applicable requirement counts as MET.
Is GCC High required for CMMC Level 2?
Not categorically. Level 2 requires meeting the 110 requirements within your defined CUI scope, and any cloud service handling CUI must meet the applicable FedRAMP requirement. GCC High is one architecture choice that can help — it is not the rule itself.
Does a GRC tool make us CMMC Level 2 compliant?
No. A GRC platform can organize requirements, evidence, and SSP/POA&M work, but Level 2 status depends on implemented requirements, defined scope, the assessment path, your score and status, and your annual affirmation.
What is a CMMC UID?
A CMMC UID (unique identifier) is the identifier SPRS assigns to a CMMC assessment/status for a given information system. DFARS 252.204-7025 requires offerors to provide the CMMC UID for each contractor information system that will process, store, or transmit FCI or CUI during performance.
Can a DCMA DIBCAC High Assessment count for CMMC Level 2?
Yes, in a specific case. Under 32 CFR § 170.20, an organization that earned a perfect score with no open POA&M on a DCMA DIBCAC High Assessment conducted before the CMMC Program rule's effective date can be granted Final Level 2 (C3PAO) status for three years from the date of that original assessment, if the scope aligns and the required affirmation is in SPRS. Eligible assessments include those conducted under Joint Surveillance per DCMA Manual 2302-01.
What is the first thing to do for CMMC Level 2?
Confirm whether you process, store, or transmit CUI; find your required status in the solicitation/contract/flow-down; define a preliminary CUI scope; then assess your SSP, SPRS score, evidence, and POA&M before choosing a provider category.
Do subcontractors need CMMC Level 2?
Under 32 CFR § 170.23, a sub handling only FCI needs Level 1; a sub handling CUI needs Level 2 (Self) at minimum; and a CUI-handling sub under a Level 2 (C3PAO) prime contract needs Level 2 (C3PAO). DoD has stated CMMC is not required to flow down to subs that do not receive FCI or CUI from the prime — so confirm what data you'll actually touch, in writing.
When does CMMC Level 2 become mandatory?
It's phasing in now. Phase 1 began November 10, 2025; in Phase 2, beginning November 10, 2026, DoD intends to make Level 2 (C3PAO) a condition of award for applicable contracts. The CMMC Program rule (32 CFR Part 170) took effect December 16, 2024, and the DFARS rule took effect November 10, 2025.

The bottom line

CMMC Level 2 is not a mystery, and it’s not a tool you can buy your way out of. It’s 110 NIST SP 800-171 Rev. 2 requirements, a self-or-C3PAO assessment path your contract chooses for you, a CUI scope you define, and a set of SPRS and affirmation obligations that make it count. Get those four things straight — in that order — and you’ve already done what most companies get wrong.

If we removed every link on this page, the fastest, cheapest, safest move would still be the same: confirm your level and scope before you spend, and get the right help in the right order.


Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. We are not affiliated with the U.S. Department of Defense, DCMA DIBCAC, the Cyber AB, SPRS, NIST, or any U.S. government agency. This article is editorial analysis for Defense Industrial Base decision-makers; it is not legal, contractual, or compliance advice.

Last verified: June 12, 2026. All regulatory claims should be re-verified against the current eCFR, Acquisition.gov, and the Cyber AB Marketplace before you rely on them.

Your situation changes the answer

Find My CMMC Path

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →