CMMC Level 2 Requirements 2026: The Complete Guide to All 110 Practices
If you're a defense contractor handling Controlled Unclassified Information (CUI), CMMC Level 2 certification is no longer optional — it's the price of admission. With the final rule now in effect and DoD contracts beginning to include CMMC requirements in 2025-2026, the clock is ticking.
This guide breaks down every CMMC Level 2 requirement across all 14 domains, explains what's actually changed under CMMC 2.0, and gives you a practical roadmap for getting compliant — whether you have 10 employees or 200.
What Is CMMC Level 2 and Who Needs It?
CMMC Level 2 — formally known as "Advanced" under the Cybersecurity Maturity Model Certification framework — requires organizations to implement all 110 security practices from NIST SP 800-171 Revision 2. These practices protect Controlled Unclassified Information (CUI) that flows through the Defense Industrial Base (DIB).
You need CMMC Level 2 if:
- Your contracts include DFARS 252.204-7012 (Safeguarding Covered Defense Information)
- You handle, process, store, or transmit CUI
- You're a subcontractor receiving CUI from a prime contractor
- Your contract's Section L or M references CMMC Level 2
You do NOT need Level 2 if:
- You only handle Federal Contract Information (FCI) — Level 1 (17 practices) is sufficient
- You have no DoD contracts involving CUI
CMMC 2.0 vs. the Original CMMC 1.0
The original CMMC framework had five levels and included practices beyond NIST 800-171. CMMC 2.0 simplified this dramatically:
| Feature | CMMC 1.0 | CMMC 2.0 (Current) |
|---|---|---|
| Levels | 5 | 3 |
| Level 2 practices | 72 (partial NIST) | 110 (full NIST 800-171) |
| Unique practices | Yes (delta practices) | No — aligned 1:1 with NIST |
| Self-assessment option | No | Yes, for select contracts |
| POA&Ms allowed | No | Yes, with conditions |
| Maturity processes | Required | Removed |
The key change: CMMC Level 2 now maps directly to NIST SP 800-171 Rev 2. If you've been working toward 800-171 compliance, you're already working toward CMMC Level 2. No extra "delta" practices to learn.
The 2026 Timeline: What's Happening When
The CMMC program is rolling out in phases under 48 CFR (the acquisition rule):
- Phase 1 (Now through mid-2026): CMMC Level 1 self-assessments required in applicable contracts. Level 2 self-assessments begin appearing.
- Phase 2 (Mid-2026 onward): Level 2 third-party assessments (C3PAO) required in applicable contracts.
- Phase 3 (2027): Level 2 required for option years on existing contracts.
- Phase 4 (2028): Full implementation across all applicable contracts.
The practical implication: If you're bidding on new DoD contracts in 2026 that involve CUI, you should expect a CMMC Level 2 requirement. Waiting until you see it in an RFP means you're already 6-12 months behind.
All 14 Domains and 110 Practices Explained
CMMC Level 2's 110 practices are organized into 14 domains (also called "families"). Each domain addresses a specific area of cybersecurity. Here's what each requires — and what it means in practice.
1. Access Control (AC) — 22 Practices
Access Control is the largest domain and the foundation of your security posture. It governs who can access what, when, and how.
Key requirements:
- AC.L2-3.1.1: Limit system access to authorized users, processes, and devices
- AC.L2-3.1.2: Limit access to the types of transactions and functions authorized users are permitted to execute
- AC.L2-3.1.3: Control the flow of CUI in accordance with approved authorizations
- AC.L2-3.1.5: Employ the principle of least privilege
- AC.L2-3.1.7: Prevent non-privileged users from executing privileged functions
- AC.L2-3.1.12–3.1.13: Monitor and control remote access sessions
- AC.L2-3.1.18–3.1.19: Control access to CUI on mobile devices; encrypt CUI on mobile devices
- AC.L2-3.1.22: Control CUI posted or processed on publicly accessible systems
Practical advice: Start with a complete user access inventory. Map every user to their role and the minimum access they need. Implement role-based access control (RBAC) and enforce multi-factor authentication (MFA) for all remote access. Most small companies fail here because of "convenience" access — the owner's account that's admin on everything.
2. Awareness and Training (AT) — 3 Practices
Key requirements:
- AT.L2-3.2.1: Ensure personnel are aware of security risks associated with their activities
- AT.L2-3.2.2: Ensure personnel are trained to carry out their information security responsibilities
- AT.L2-3.2.3: Provide security awareness training on recognizing and reporting potential insider threats
Practical advice: Annual security training done only to earn a checkmark isn't enough — it needs to be role-specific. Your IT admin needs different training than your project manager. Document everything: who was trained, when, on what. Run phishing simulations quarterly at minimum.
3. Audit and Accountability (AU) — 9 Practices
Key requirements:
- AU.L2-3.3.1: Create and retain system audit logs to enable monitoring, analysis, and investigation
- AU.L2-3.3.2: Ensure individual user actions can be uniquely traced
- AU.L2-3.3.5: Use automated mechanisms to integrate and correlate audit review, analysis, and reporting
- AU.L2-3.3.8–3.3.9: Protect audit information and logs from unauthorized access, modification, and deletion
Practical advice: You need centralized logging — not just "we have logs somewhere." Every system handling CUI should forward logs to a SIEM or central log collector. Retain logs for at least 90 days online, longer in archive. Make sure log timestamps are synchronized (NTP) across all systems.
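Two of the questions an assessor asks about the AU domain are whether every host feeding the collector is on a common clock and whether each logged action traces back to an individual account (AU.L2-3.3.2). The script below is an added example, not code from this guide or from Attestio: it runs over constructed collector lines (the hostnames, users, file names and the `recv host src message` line layout are all assumptions) and reports hosts whose source timestamps drift from the collector's receive time by more than a tolerance, plus events performed by shared or unidentifiable accounts.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: lines as a central collector might store them, prefixed
# with the collector's own receive time, then the source host and the timestamp
# the source stamped on the event. A host whose clock is not NTP-synchronized
# shows a large gap between the two timestamps. All names and values are made up.
SAMPLE_LOGS = """\
2026-03-02T14:05:02Z fileserver01 2026-03-02T14:05:01Z sshd[1021]: Accepted publickey for jdoe from 10.20.1.14
2026-03-02T14:05:04Z fileserver01 2026-03-02T14:05:03Z sudo: jdoe : COMMAND=/usr/bin/systemctl restart smbd
2026-03-02T14:05:05Z cuiapp01 2026-03-02T14:05:04Z app: user=jdoe action=open doc=CUI-2026-0117.pdf
2026-03-02T14:05:10Z cuiapp01 2026-03-02T14:05:09Z app: user=svc_backup action=read doc=CUI-2026-0117.pdf
2026-03-02T14:05:40Z jumphost01 2026-03-02T14:21:40Z sshd[887]: Accepted password for admin from 10.20.1.9
2026-03-02T14:05:13Z cuiapp01 2026-03-02T14:05:12Z app: user=shared_eng action=open doc=CUI-2026-0120.docx
"""

LINE_RE = re.compile(r"^(?P<recv>\S+) (?P<host>\S+) (?P<src>\S+) (?P<msg>.*)$")
# Patterns that pull the acting account out of the message body.
ACTOR_PATTERNS = (
    re.compile(r"\buser=(\S+)"),
    re.compile(r"Accepted \S+ for (\S+)"),
    re.compile(r"^sudo: (\S+) :"),
)
# Accounts that cannot be tied to one person (assumed organizational list).
SHARED_ACCOUNTS = {"admin", "root", "shared_eng"}
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance for source-vs-collector clock gap


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one collector line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return {"recv": parse_ts(m["recv"]), "host": m["host"],
                "src": parse_ts(m["src"]), "msg": m["msg"]}
    except ValueError:
        return None


def actor_of(msg):
    """Account named in the message, or None if the event names no actor."""
    for pat in ACTOR_PATTERNS:
        m = pat.search(msg)
        if m:
            return m.group(1)
    return None


def audit_review(text):
    """Worst clock skew per host, hosts outside tolerance, and events that are
    not attributable to an individual account."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    worst_skew = {}
    for e in events:
        skew = abs(e["recv"] - e["src"])
        worst_skew[e["host"]] = max(worst_skew.get(e["host"], timedelta(0)), skew)
    unsynced = sorted(h for h, s in worst_skew.items() if s > MAX_SKEW)
    untraceable = []
    for e in events:
        actor = actor_of(e["msg"])
        if actor is None or actor in SHARED_ACCOUNTS:
            untraceable.append((e["host"], actor, e["msg"]))
    return {
        "events": len(events),
        "worst_skew_seconds": {h: int(s.total_seconds()) for h, s in worst_skew.items()},
        "unsynced_hosts": unsynced,
        "untraceable": untraceable,
    }


if __name__ == "__main__":
    r = audit_review(SAMPLE_LOGS)
    print(f"{r['events']} events; hosts outside clock tolerance: {r['unsynced_hosts']}")
    for host, actor, msg in r["untraceable"]:
        print(f"  not individually attributable on {host} ({actor}): {msg}")
```

In the sample, `jumphost01` reports events 16 minutes ahead of the collector, which is the kind of drift that makes cross-host correlation unreliable, and the `admin` and `shared_eng` logins are the "convenience" accounts the AC section warns about, now visible as an accountability gap in the logs themselves.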
4. Configuration Management (CM) — 9 Practices
Key requirements:
- CM.L2-3.4.1: Establish and maintain baseline configurations and inventories of organizational systems
- CM.L2-3.4.2: Establish and enforce security configuration settings
- CM.L2-3.4.5: Define, document, approve, and enforce physical and logical access restrictions associated with changes
- CM.L2-3.4.6: Employ the principle of least functionality (disable unnecessary services/functions)
- CM.L2-3.4.8–3.4.9: Apply deny-by-exception (blacklisting) or allow-by-exception (whitelisting) policies for software
Practical advice: Create a hardware and software inventory — every device, every application. Use CIS Benchmarks or DISA STIGs as your baseline. Application whitelisting is ideal but hard to implement; at minimum, block known-bad software and restrict installation privileges.
5. Identification and Authentication (IA) — 11 Practices
Key requirements:
- IA.L2-3.5.1–3.5.2: Identify and authenticate users, processes, and devices
- IA.L2-3.5.3: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
- IA.L2-3.5.7: Enforce minimum password complexity and change of characters when new passwords are created
- IA.L2-3.5.10: Store and transmit only cryptographically protected passwords
Practical advice: MFA is non-negotiable. Period. For every account that touches CUI, enforce MFA. Use FIDO2/WebAuthn tokens where possible, authenticator apps as a minimum. SMS-based MFA is better than nothing but not ideal. Password policies should follow current NIST 800-63B guidance: longer passphrases, no forced periodic rotation, check against breached password lists.
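The NIST 800-63B approach described above replaces composition rules and forced rotation with a length floor, a breached-password check, and rejection of context-specific or trivially patterned values. The following is an added example of such a screening function, not code from this guide or from Attestio. The breached list is a constructed stand-in (a real deployment checks a full corpus), the 15-character minimum is an assumed organizational choice above 800-63B's 8-character floor, and the organization-specific words are made up.

```python
import hashlib
import unicodedata

# Constructed stand-in for a breached-password corpus. Real deployments check a
# full list; storing SHA-1 digests rather than plaintext mirrors how such data
# is commonly distributed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "Password1!", "Summer2025!", "letmein", "Welcome123")
}
MIN_LENGTH = 15   # assumed org policy; 800-63B's floor for user-chosen secrets is 8
MAX_LENGTH = 64   # 800-63B: accept at least 64 characters
# Context-specific words to reject (assumed organization name and program terms).
CONTEXT_WORDS = ("acme", "cmmc", "cui")
KEYBOARD_RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")


def is_repetitive_or_sequential(pw):
    """True for values such as 'aaaaaaaa', '12345678' or 'qwerty'."""
    low = pw.lower()
    if len(set(low)) <= 2:
        return True
    if any(low in run for run in KEYBOARD_RUNS):
        return True
    return any(low[i] == low[i + 1] == low[i + 2] == low[i + 3]
               for i in range(len(low) - 3))


def check_password(candidate, username):
    """Return (ok, reasons). No composition rules and no expiry: 800-63B drops both."""
    pw = unicodedata.normalize("NFKC", candidate)  # compare what the user typed consistently
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in breached-password list")
    low = pw.lower()
    if username and username.lower() in low:
        reasons.append("contains the username")
    if any(word in low for word in CONTEXT_WORDS):
        reasons.append("contains an organization-specific word")
    if is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Summer2025!", "jdoe-loves-acme-2026"):
        ok, why = check_password(pw, "jdoe")
        print(f"{pw!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

A long passphrase passes with no special-character requirement, while a short, previously breached value is rejected on two counts. Returning every failed reason rather than the first one lets the UI tell the user what to change.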
6. Incident Response (IR) — 3 Practices
Key requirements:
- IR.L2-3.6.1: Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery, and user response
- IR.L2-3.6.2: Track, document, and report incidents to designated officials and/or authorities
- IR.L2-3.6.3: Test the organizational incident response capability
Practical advice: Write an Incident Response Plan (IRP) — and actually test it. At least annually, run a tabletop exercise. Your plan must include the 72-hour reporting requirement to the DoD via the DIBNet portal for cyber incidents affecting CUI. Know who your incident response team is before an incident happens.
7. Maintenance (MA) — 6 Practices
Key requirements:
- MA.L2-3.7.1: Perform maintenance on organizational systems
- MA.L2-3.7.2: Provide controls on tools, techniques, mechanisms, and personnel used for system maintenance
- MA.L2-3.7.5: Require MFA to establish nonlocal maintenance sessions and terminate when complete
- MA.L2-3.7.6: Supervise maintenance activities of personnel without required access authorization
Practical advice: Document your maintenance procedures — patching schedules, who performs maintenance, how remote maintenance sessions are secured. If a vendor needs remote access to maintain a system, ensure they use MFA, you monitor the session, and access is terminated immediately after.
8. Media Protection (MP) — 9 Practices
Key requirements:
- MP.L2-3.8.1–3.8.2: Protect and control system media containing CUI, both paper and digital
- MP.L2-3.8.3: Sanitize or destroy media before disposal or release for reuse
- MP.L2-3.8.5: Control access to media containing CUI and maintain accountability during transport
- MP.L2-3.8.6: Implement cryptographic mechanisms to protect CUI during transport (unless protected by alternative physical safeguards)
Practical advice: Encrypt all portable media — USB drives, laptops, external hard drives. Better yet, prohibit USB drives entirely and use encrypted cloud storage. Have a documented media sanitization procedure (NIST 800-88 guidelines) and maintain destruction logs.
9. Personnel Security (PS) — 2 Practices
Key requirements:
- PS.L2-3.9.1: Screen individuals prior to authorizing access to systems containing CUI
- PS.L2-3.9.2: Ensure CUI is protected during and after personnel actions such as terminations and transfers
Practical advice: Background checks before CUI access — no exceptions. When someone leaves or transfers, revoke access immediately (within hours, not days). Have a documented offboarding checklist that includes retrieving devices, revoking accounts, and changing shared credentials they had access to.
10. Physical Protection (PE) — 6 Practices
Key requirements:
- PE.L2-3.10.1–3.10.2: Limit physical access to authorized individuals; protect and monitor the physical facility
- PE.L2-3.10.3–3.10.4: Escort visitors and maintain visitor logs
- PE.L2-3.10.5: Manage physical access devices (keys, badges, combinations)
- PE.L2-3.10.6: Enforce safeguarding measures for CUI at alternate work sites (home offices)
Practical advice: For companies with home-based workers (common in small DIB firms), PE.L2-3.10.6 requires that CUI is protected even at home. This means locked offices or rooms, encrypted devices, and policies about who can see screens. Document your physical security measures for every location where CUI is accessed.
11. Risk Assessment (RA) — 3 Practices
Key requirements:
- RA.L2-3.11.1: Periodically assess the risk to operations, assets, and individuals from system operations
- RA.L2-3.11.2: Scan for vulnerabilities periodically and when new vulnerabilities are identified
- RA.L2-3.11.3: Remediate vulnerabilities in accordance with risk assessments
Practical advice: Quarterly vulnerability scans at minimum. Use tools like Nessus, Qualys, or OpenVAS. But scanning without remediating is theater — track every vulnerability, prioritize by risk, and document remediation timelines. Annual risk assessments should be comprehensive and feed into your security planning.
12. Security Assessment (CA) — 4 Practices
Key requirements:
- CA.L2-3.12.1: Periodically assess security controls to determine effectiveness
- CA.L2-3.12.2: Develop and implement plans of action to correct deficiencies and reduce vulnerabilities
- CA.L2-3.12.3: Monitor security controls on an ongoing basis
- CA.L2-3.12.4: Develop, document, and periodically update system security plans (SSPs)
Practical advice: Your System Security Plan (SSP) is the single most important document for CMMC. It describes your system boundary, how you implement each of the 110 practices, and your current compliance status. Start here. Update it quarterly. Your Plan of Action and Milestones (POA&M) documents what's not yet compliant and your timeline to fix it — assessors will review both.
13. System and Communications Protection (SC) — 16 Practices
Key requirements:
- SC.L2-3.13.1: Monitor, control, and protect communications at external and key internal boundaries
- SC.L2-3.13.2: Employ architectural designs and techniques that promote effective information security
- SC.L2-3.13.5: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
- SC.L2-3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
- SC.L2-3.13.11: Employ FIPS-validated cryptography when used to protect CUI
- SC.L2-3.13.16: Protect the confidentiality of CUI at rest
Practical advice: FIPS-validated cryptography is a hard requirement — this means using encryption modules that have been FIPS 140-2 (or 140-3) validated. Windows BitLocker with the correct configuration qualifies. Network segmentation is critical: your CUI environment should be on its own VLAN, separated from guest networks, IoT devices, and general-purpose systems.
14. System and Information Integrity (SI) — 7 Practices
Key requirements:
- SI.L2-3.14.1: Identify, report, and correct system flaws in a timely manner
- SI.L2-3.14.2: Provide protection from malicious code at designated locations
- SI.L2-3.14.3: Monitor system security alerts and advisories and take action
- SI.L2-3.14.6–3.14.7: Monitor organizational systems and identify unauthorized use
Practical advice: Endpoint protection (antivirus/EDR) on every system — no exceptions. Subscribe to CISA alerts and US-CERT advisories for your technology stack. Patch critical vulnerabilities within 14 days, high within 30 days. Document your patching cadence and track it.
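The RA advice (track every vulnerability, prioritize by risk, document remediation timelines) and the SI advice (critical within 14 days, high within 30) come together in a remediation tracker. The script below is an added example, not code from this guide or from Attestio: it takes scanner findings, computes each one's due date from its severity, separates open-and-overdue from open-within-SLA and late-closed from on-time, and reports an SLA compliance rate. The 14- and 30-day windows are the ones stated above; the 90- and 180-day windows for medium and low are assumed organizational values, and the finding ids and hosts are constructed placeholders rather than real advisories.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows in days. Critical and high follow the guidance above;
# medium and low are assumed values an organization would set for itself.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str          # scanner or advisory id; placeholders here, not real ids
    host: str
    severity: str            # key into SLA_DAYS
    first_seen: date         # first scan that reported it
    fixed_on: Optional[date] = None  # verified-closed date, None while open

    @property
    def due(self):
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])


def classify(finding, today):
    """Bucket one finding relative to its SLA as of `today`."""
    if finding.fixed_on is None:
        return "open_overdue" if today > finding.due else "open_within_sla"
    return "closed_late" if finding.fixed_on > finding.due else "closed_on_time"


def remediation_report(findings, today):
    buckets = {"open_overdue": [], "open_within_sla": [],
               "closed_on_time": [], "closed_late": []}
    for f in findings:
        buckets[classify(f, today)].append(f)
    # Worst offenders first, which is the order a POA&M review should walk them.
    buckets["open_overdue"].sort(key=lambda f: today - f.due, reverse=True)
    closed = len(buckets["closed_on_time"]) + len(buckets["closed_late"])
    return {
        "buckets": buckets,
        "days_overdue": {f.finding_id: (today - f.due).days for f in buckets["open_overdue"]},
        "sla_compliance": (len(buckets["closed_on_time"]) / closed) if closed else None,
    }


def poam_lines(report):
    """One plain-text line per open finding, suitable for a POA&M appendix."""
    lines = []
    for f in report["buckets"]["open_overdue"]:
        lines.append(f"{f.finding_id} on {f.host}: {f.severity}, due {f.due}, "
                     f"{report['days_overdue'][f.finding_id]} days overdue")
    for f in report["buckets"]["open_within_sla"]:
        lines.append(f"{f.finding_id} on {f.host}: {f.severity}, due {f.due}, on track")
    return lines


# Constructed sample findings; ids are placeholders, not real vulnerability ids.
SAMPLE_FINDINGS = [
    Finding("VULN-EX-001", "cuiapp01", "critical", date(2026, 2, 10)),
    Finding("VULN-EX-002", "fileserver01", "high", date(2026, 2, 20)),
    Finding("VULN-EX-003", "jumphost01", "critical", date(2026, 1, 5), fixed_on=date(2026, 1, 30)),
    Finding("VULN-EX-004", "cuiapp01", "medium", date(2026, 1, 15), fixed_on=date(2026, 2, 1)),
    Finding("VULN-EX-005", "fileserver01", "high", date(2026, 1, 20)),
]

if __name__ == "__main__":
    report = remediation_report(SAMPLE_FINDINGS, date(2026, 3, 2))
    print(f"SLA compliance on closed findings: {report['sla_compliance']:.0%}")
    for line in poam_lines(report):
        print(" ", line)
```

The report answers the two questions an assessor will ask about RA.L2-3.11.3 and SI.L2-3.14.1: what is open past its window right now, and how often closures actually hit the window. A closed-late finding still counts against the compliance rate, so fixing things eventually does not hide a broken cadence.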
Common Mistakes Small Contractors Make
These are the patterns that trip up small defense contractors most often:
- Scoping too broadly. You don't need to make your entire network CMMC-compliant. Define your CUI boundary tightly — only the systems, people, and processes that handle CUI. Smaller scope = lower cost = faster compliance.
- Ignoring the SSP. Your System Security Plan isn't paperwork — it's the roadmap an assessor follows. If it's outdated, incomplete, or doesn't match reality, you will fail.
- Assuming cloud = compliant. Using Microsoft 365 GCC High or AWS GovCloud is a start, but the shared responsibility model means YOU are still responsible for configuration, access control, and monitoring. The cloud provider handles infrastructure; you handle everything else.
- Treating compliance as a project, not a program. CMMC isn't "get certified and forget." You need ongoing monitoring, annual assessments, and continuous improvement. Build it into operations from day one.
- Waiting for a contract requirement. The companies winning CMMC-required contracts in 2026 started preparing in 2024. If you start when you see it in an RFP, you're 6-12 months too late.
Self-Assessment vs. Third-Party Assessment
CMMC Level 2 has two assessment tracks:
- Self-assessment: Allowed for contracts that are NOT designated as requiring a higher level of protection. You conduct your own assessment, submit your SPRS score, and a senior official signs an affirmation. This carries legal liability under the False Claims Act.
- Third-party assessment (C3PAO): Required for contracts involving CUI that the DoD designates as critical. A CMMC Third-Party Assessment Organization conducts an independent evaluation.
Check your contracts carefully. If in doubt, prepare for the third-party assessment — a self-assessment that meets third-party standards has zero downside.
How to Start: A Practical Roadmap
Month 1-2: Foundation
- Define your CUI boundary (what systems, people, data)
- Complete a gap analysis against all 110 practices
- Calculate your initial SPRS score
- Draft or update your System Security Plan

Month 3-4: Critical Gaps
- Implement MFA everywhere
- Deploy endpoint protection on all systems
- Enable and centralize logging
- Encrypt CUI at rest and in transit

Month 5-6: Hardening
- Implement network segmentation
- Establish configuration baselines
- Write and test your Incident Response Plan
- Deploy vulnerability scanning

Month 7-9: Maturity
- Conduct security awareness training
- Perform internal security assessment
- Complete your POA&M for remaining gaps
- Begin evidence collection and documentation

Month 10-12: Assessment Ready
- Conduct a mock assessment
- Close POA&M items
- Finalize all documentation
- Schedule your C3PAO assessment (if required)
Take the Next Step
CMMC Level 2 is achievable for small businesses — but only if you start now and work systematically. The companies that succeed treat compliance as an operational advantage, not a burden.
Ready to find out where you stand?
📋 Take our free CMMC Self-Assessment Quiz — get your estimated SPRS score in 10 minutes.
📖 Download the free CMMC Survival Guide — the no-nonsense playbook for small defense contractors.
🛡️ Get the CMMC Starter Kit ($129) — SSP template, POA&M tracker, gap assessment, and all 110 controls mapped to plain-English actions.
Attestio helps small defense contractors achieve and maintain CMMC compliance without the six-figure consulting bills. Learn more at attestio.ai.