CMMC Level 2 Compliance Requirements Explained: Every Practice You Need to Meet

What CMMC Level 2 Actually Requires

If your organization handles Controlled Unclassified Information (CUI) under a Department of Defense contract, CMMC Level 2 compliance is not optional—it is a prerequisite for contract award and retention. Level 2 is the tier that applies to the vast majority of defense contractors in the supply chain, and it carries real weight: 110 security practices drawn directly from NIST SP 800-171, organized across 14 control domains, verified through a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO).

This post breaks down every domain and the core practices you must implement. Think of it as your working reference before you engage an assessor or begin closing gaps in your System Security Plan.

The 14 Domains of CMMC Level 2

CMMC Level 2 maps directly to NIST SP 800-171 Rev 2, which organizes its 110 security requirements into 14 families. Each domain addresses a distinct security function. Weakness in any one of them can result in a failed assessment, delayed contracts, or Plan of Action and Milestones (POA&M) items that must be closed before final certification is granted.

1. Access Control (AC) — 22 Practices

Access Control is the largest domain and governs who can reach your systems and CUI. Requirements include limiting system access to authorized users, controlling remote access sessions, enforcing the principle of least privilege, and separating duties to reduce insider risk. You must also manage and audit privileged accounts separately from standard user accounts. Mobile device access and wireless connectivity require documented policies and technical controls.

2. Awareness and Training (AT) — 3 Practices

Your workforce must understand their security responsibilities. This domain requires that all personnel handling CUI receive role-based security awareness training, that training is documented, and that employees recognize and report potential threats. Insider threats are explicitly called out as a training topic.

3. Audit and Accountability (AU) — 9 Practices

You must create, protect, and retain audit logs sufficient to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity. This includes defining what events to log, reviewing logs regularly, and protecting audit records from unauthorized access or deletion. Log integrity is not negotiable under a C3PAO assessment.

4. Configuration Management (CM) — 9 Practices

Baseline configurations must be established and maintained for all systems that process, store, or transmit CUI. This domain requires documenting approved configurations, controlling configuration changes through a formal change management process, and restricting the use of unauthorized software through application whitelisting or equivalent controls. User-installed software without approval is a common finding in assessments.

5. Identification and Authentication (IA) — 11 Practices

Every user and device accessing CUI must be uniquely identified and authenticated. Multi-factor authentication (MFA) is required for local and network access to privileged accounts and for network access to non-privileged accounts, which in practice means every remote login and every administrative login, with no exceptions. Password complexity, reuse limits, protection of stored and transmitted passwords, and temporary credentials that must be changed at first use also fall under this domain. This is one of the most scrutinized areas in C3PAO assessments.

6. Incident Response (IR) — 3 Practices

You need a documented and tested incident response capability. This means having an incident response plan covering preparation, detection, analysis, containment, recovery, and user response; the ability to track and document incidents; and a process for reporting incidents to designated officials and authorities, including the DoD (DFARS 252.204-7012 requires reporting cyber incidents affecting covered defense information to DoD within 72 hours of discovery). Simply having a plan on paper is insufficient: the practice explicitly requires testing the capability, and assessors will look for evidence of tabletop exercises or real incident documentation. Our post on how to prepare for your CMMC audit covers how to demonstrate IR readiness effectively.

7. Maintenance (MA) — 6 Practices

System maintenance, whether performed on-site or remotely, must be controlled and logged, and the tools, techniques, and personnel used for it must be controlled. Nonlocal maintenance sessions over external network connections require MFA to establish and must be terminated when the work is complete. Maintenance activities performed by personnel who lack the required access authorization must be supervised. Equipment being sent off-site for maintenance must be sanitized of CUI before departure, and diagnostic media brought in from outside must be checked for malicious code before use.

8. Media Protection (MP) — 9 Practices

All media containing CUI, whether hard drives, USB drives, paper records, or backup tapes, must be identified, marked, controlled, and sanitized before disposal or reuse. Portable media in particular is a high-risk vector: the use of portable storage devices with no identifiable owner must be prohibited, and CUI stored on digital media must be encrypted during transport outside controlled areas. Access to CUI on media must be limited to authorized users, with accountability maintained while media is in transit. Sanitization and destruction must follow NIST SP 800-88 methods such as purging or physical destruction.

9. Personnel Security (PS) — 2 Practices

Screen individuals prior to authorizing access to systems containing CUI, and ensure that CUI and system access are properly terminated when an employee departs. While this is the smallest domain by practice count, gaps here—particularly around offboarding—create serious exposure.

10. Physical Protection (PE) — 6 Practices

Physical access to systems, equipment, and operating environments containing CUI must be limited to authorized individuals. This includes controlling physical access devices such as keys and badges, maintaining physical access audit logs, and escorting and monitoring visitors. Physical security overlaps with operational security in ways that many organizations underestimate. See our detailed guidance on meeting CMMC 2.0 physical security requirements.

11. Risk Assessment (RA) — 3 Practices

You must periodically assess the risk to organizational operations and assets from CUI exposure. This includes scanning for vulnerabilities, remediating findings in a timely manner, and updating risk assessments when significant changes occur. Vulnerability scanning results must be documented and tied to remediation timelines. Our Federal risk assessment services are specifically structured to satisfy this domain.

12. Security Assessment (CA) — 4 Practices

Periodically assess your security controls to determine effectiveness, develop and manage a Plan of Action and Milestones (POA&M) for deficiencies, monitor your controls on an ongoing basis to confirm they remain effective, and establish a System Security Plan (SSP) documenting your environment and controls. The SSP is the foundational document for every C3PAO assessment: it must be current, accurate, and complete. Learn more about SSPs and POA&Ms as critical components of a strong security program.

13. System and Communications Protection (SC) — 16 Practices

This domain governs how CUI is protected in transit and at rest across your network architecture. Requirements include boundary protection at external and key internal boundaries, separating publicly accessible system components onto their own subnetwork, denying network traffic by default and permitting it by exception, using FIPS-validated cryptography to protect the confidentiality of CUI, managing cryptographic keys, and controlling mobile code, VoIP, and collaborative computing devices. Architectural decisions made here have cascading effects on your overall compliance posture.

14. System and Information Integrity (SI) — 7 Practices

Identify, report, and correct information and system flaws in a timely manner. Deploy malicious code protection on all endpoints and at network entry/exit points, keep those protections updated, and monitor your systems to detect attacks and unauthorized activity. Endpoint security is a core pillar of this domain and must be demonstrable through technical evidence, not just policy documents.

Third-Party Assessment: What It Means for Your Organization

Unlike CMMC Level 1, which allows an annual self-assessment, Level 2 compliance for organizations handling CUI in prioritized acquisitions requires a triennial assessment by an accredited C3PAO. The assessor will review your SSP, interview personnel, test technical controls, and examine evidence across all 14 domains. Conditional certification may be granted when a limited number of practices are deficient with an approved POA&M, but that POA&M must be closed out within 180 days, and certain practices cannot be placed on a POA&M at all; deficiencies in those, including core access control, authentication, and incident response practices, will block certification entirely.

Organizations that attempt to prepare without structured support frequently discover that their documentation does not match their technical implementation. That gap is the most common reason assessments fail. Our CMMC, CUI and DFARS compliance services are designed specifically to close that gap before an assessor sets foot in your environment.

Building Your Compliance Program Before the Assessment

A successful Level 2 assessment is the result of a deliberate compliance program—not a sprint in the weeks before your C3PAO visit. The practices across all 14 domains must be embedded in your daily operations, documented in your SSP, and supported by evidence that survives scrutiny. Organizations that treat CMMC as a checkbox exercise consistently underperform those that build compliance into their operational culture.

If you are still mapping your environment or trying to understand where your gaps are, our NIST SP 800-171 assessment template is a useful starting point. For contractors who need structured expert support throughout the process, our Compliance Program Development service provides the roadmap, documentation, and advisory support to carry you through certification.

Take the Next Step Toward CMMC Level 2 Certification

CMMC Level 2 compliance is achievable, but it requires honest gap analysis, disciplined remediation, and documentation that accurately reflects your environment. At Cleared Systems, we have guided defense contractors across the full spectrum of readiness—from initial scoping through final C3PAO assessment. If you are ready to move forward, request a quote today and let our team build a clear path to certification for your organization.
