Thursday, June 12, 2025

CMMC Level 2 Compliance Guide

Master CMMC compliance with our essential guide tailored for defense contractors. Understand requirements and navigate the process effectively.

Defense contractors face an increasingly complex cybersecurity landscape where protecting Controlled Unclassified Information (CUI) is not just a regulatory requirement but a national security imperative. The Cybersecurity Maturity Model Certification (CMMC) Level 2 represents a significant step up from basic cyber hygiene, requiring organizations to implement 110 advanced security controls across 15 domains.



What is CMMC?


The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity framework developed by the U.S. Department of Defense (DoD) to strengthen the safeguarding of sensitive unclassified information across the defense industrial base. The CMMC framework has evolved out of previous compliance approaches and continues to evolve. It combines cybersecurity standards, references, and best practices into a comprehensive verification mechanism.



The CMMC framework includes security requirements from two documents:


  • NIST SP 800-171 Rev 2, which focuses on protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations.

  • NIST SP 800-172, which provides additional security requirements for the same purpose.


The CMMC framework organizes these security practices into different areas, which align with the categories in NIST SP 800-171 Rev 2. There are three levels in the CMMC: Level 1, Level 2, and Level 3.




CMMC 2.0 Model Overview



CMMC 2.0 equips the U.S. Department of Defense (DoD) with a robust framework to safeguard sensitive information within its supply chain from cyber threats. It aligns each of its Level 2 practices with the requirements of NIST SP 800-171, and incorporates an additional 24 controls from NIST SP 800-172 for Level 3 compliance.



CMMC 2.0 Framework Overview showing three security levels.



  • Level 1: Covers the basic safeguarding requirements for Federal Contract Information (FCI) as specified in Federal Acquisition Regulation (FAR) Clause 52.204-21. This level focuses on fundamental cybersecurity practices to protect FCI, consisting solely of basic safeguarding controls.

  • Level 2: Emphasizes the protection of Controlled Unclassified Information (CUI) by requiring adherence to the 110 security controls outlined in NIST SP 800-171 Rev 2.

  • Level 3: Details for Level 3 will be provided in the future and will include a specific subset of security requirements outlined in NIST SP 800-172.


CMMC Level 1 compliance focuses on basic cyber hygiene practices. As organizations aim for CMMC Level 2 compliance, they must implement more advanced security controls, maintain thorough documentation, and establish continuous monitoring processes to effectively protect sensitive information.


The CMMC program represents the DoD's response to increasing cyber threats targeting the defense industrial base, where adversaries often exploit vulnerabilities in contractor networks to access sensitive information. Unlike previous self-attestation models, CMMC requires third-party assessments for higher levels, ensuring independent verification of cybersecurity implementations.



Who Needs CMMC Level 2 Compliance?



The CMMC requirements cover every entity involved in the DoD supply chain that manages federal contract information (FCI), controlled unclassified information (CUI), or other sensitive data, no matter which organization holds the contract. This encompasses prime contractors, subcontractors across all tiers, and also suppliers, vendors, and consultants engaged in the defense industrial base.


All civilian organizations that conduct business with the government must comply with CMMC 2.0. This requirement applies to:


  • DoD prime contractors

  • DoD subcontractors

  • Suppliers at all tiers in the Defense Industrial Base (DIB)

  • DoD small business suppliers

  • Commercial suppliers that process, handle, or store CUI

  • Foreign suppliers

  • Team members of DoD contractors that handle CUI, such as IT managed service providers


CMMC level compliance is determined for contractors and subcontractors based on the types of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) they handle and exchange.



CMMC 2.0 Implementation and Timeline


Defense contractors must show that they follow the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0). They do this by completing self-assessments and having evaluations done by accredited CMMC Third Party Assessor Organizations (C3PAOs).



The CMMC 2.0 Program Rule (32 CFR Part 170) became effective on December 16, 2024, officially launching the CMMC program and marketplace. However, the actual inclusion of CMMC requirements in DoD contracts depends on the finalization of the complementary 48 CFR Defense Federal Acquisition Regulation Supplement (DFARS) rule.


Current status indicates that CMMC requirements are expected to begin appearing in new DoD contracts in mid-2025. The 48 CFR rule finalization is expected in Q2 or summer 2025. In anticipation of the final CMMC rule taking effect in 2025, some DoD contractors are already requiring their subcontractors to demonstrate compliance.



What CMMC Level Does Your Organization Need?


Determining the appropriate CMMC level requires a careful assessment of the types of information your organization handles and your contractual obligations with the DoD. The decision framework centers on two critical questions:


  1. whether your organization processes Federal Contract Information (FCI)

  2. whether it handles Controlled Unclassified Information (CUI)

If your organization only deals with FCI, CMMC Level 1 may be sufficient, requiring implementation of the 17 basic safeguarding practices outlined in FAR 52.204-21. However, any involvement with CUI automatically elevates the requirement to Level 2, which means compliance with all 110 advanced security controls.



💡 Our tip:


Organizations should carefully review both their current and upcoming contracts, especially looking for clauses referencing CUI protection or compliance with NIST SP 800-171, as these strongly indicate a requirement for CMMC Level 2 certification.




CMMC 2.0 Compliance Requirements



The CMMC levels and their associated sets of practices across various domains build cumulatively. This means that to achieve a specific CMMC level, an organization must also meet all the requirements of the preceding lower levels. If an organization falls short of its targeted level, it will be certified at the highest level for which it has successfully met all applicable practices.


The 14 Core Security Domains of CMMC 2.0 encompass the essential security practices and processes that organizations must follow when managing Controlled Unclassified Information (CUI). These domains form the critical foundation upon which the different levels of CMMC certification are established, ensuring comprehensive protection of sensitive data.


CMMC requirements at Level 2 include 110 controls grouped under 15 domains, each addressing specific aspects of cybersecurity and information protection.



The requirements align directly with NIST SP 800-171 Rev 2, ensuring consistency with established federal cybersecurity standards.



💡 Good to know:


The framework requires organizations to implement both technical and administrative controls, spanning areas from access management and audit logging to physical security and incident response.



1. Access Control (AC)


Access Control is about ensuring only the right people and processes can interact with your sensitive data. It also monitors and logs all access to CUI, ensuring that only authenticated and authorized individuals, processes, and other entities have access.


2. Audit and Accountability (AU)


These controls are designed to ensure every action is traceable and every user is accountable. The Audit and Accountability domain requires organizations to create comprehensive logging systems that track user activities and system events across all CUI-handling systems.


Example: The Parakeet platform automates the heavy lifting by continuously collecting, correlating, and analyzing audit logs from across your environment to detect unauthorized activity in real time.


3. Awareness and Training (AT)


Your team is your first line of defense! That's why security awareness and training requirements under CMMC Level 2 mandate that all personnel understand their cybersecurity responsibilities and can recognize potential threats.




Example: Parakeet helps you ensure every employee, from managers to system administrators, understands the security risks tied to their role. By integrating with your existing HR and training platforms, we automate the assignment and tracking of security awareness education.



4. Configuration Management (CM)


These controls are about establishing and maintaining secure baseline configurations for all your systems (hardware, software, and firmware) to prevent unauthorized changes that could introduce vulnerabilities.



5. Identification and Authentication (IA)


The Identification and Authentication domain encompasses 11 controls focused on verifying user and device identities before granting system access.





Example: Parakeet Risk platform supports multi-factor authentication requirements, automating the enforcement of password policies and managing the entire identity lifecycle.



6. Incident Response (IR)


A swift, coordinated response is critical when a security incident occurs! Organizations need a clear incident response plan to quickly handle any situation that could lead to a data breach. This set of controls helps them detect, analyze, and respond to security incidents effectively.



7. Maintenance (MA)


Improper system maintenance can inadvertently expose CUI. Maintenance addresses the ongoing support and upkeep of organizational information systems, ensuring that maintenance activities do not introduce security vulnerabilities.



8. Media Protection (MP)


These controls address the handling, marking, and disposal of physical and digital media containing CUI.



9. Personnel Security (PS)


These controls ensure that individuals with access to CUI meet appropriate trustworthiness standards.



10. Physical Protection (PP)


These requirements address the physical security of facilities, systems, and equipment that process, store, or transmit CUI.


11. Recovery (RE)


These controls ensure that organizations can restore CUI and associated systems following disruptions or security incidents.



12. Risk Management (RM)


These controls require organizations to conduct periodic assessments of cybersecurity risks and implement appropriate mitigation measures.



13. Security Assessment (SA)


These controls require organizations to periodically evaluate the effectiveness of their security controls and implement corrective actions.




Example: You can easily address security incidents, report them to your team or the relevant authorities, and consistently evaluate your incident response plan.



14. System and Communications Protection (SC)


These controls address network security, encryption, and secure communications requirements.



15. System and Information Integrity (SI)


System and Information Integrity controls ensure that organizational systems and the information they process maintain accuracy, completeness, and protection from unauthorized modification.




Achieve Advanced Cybersecurity with Parakeet Risk Platform!



The Parakeet Risk platform transforms the traditionally complex CMMC compliance process into streamlined, automated workflows that guide organizations through each of the 15 required domains. Our platform's AI-native design enables proactive risk management and continuous compliance monitoring, essential capabilities for maintaining CMMC Level 2 certification.


Parakeet Risk streamlines your path to CMMC Level 2 compliance through intelligent automation, continuous monitoring, and integrated risk management capabilities.




Getting Ready for CMMC Level 2: A Checklist



Preparing for CMMC Level 2 compliance requires a structured approach to strengthening your organization's cybersecurity framework. Use this checklist for your annual self-assessment:



  1. Understand CMMC Level 2 Requirements: Familiarize yourself with all 110 requirements across 14 domains.

  2. Conduct a Gap Analysis: Identify areas where your current cybersecurity practices fall short of CMMC Level 2 requirements.

  3. Develop a Remediation Plan: Create a detailed plan to address all identified gaps and implement necessary security controls.

  4. Allocate Resources: Secure the necessary budget, personnel, and tools to support your compliance efforts.

  5. Train Your Staff: Educate employees on CMMC requirements and essential cybersecurity best practices.

  6. Implement Policies and Procedures: Establish and document robust policies and procedures to support your compliance initiatives.

  7. Regularly Review and Update: Continuously review and update your cybersecurity practices to ensure ongoing compliance.

  8. Engage with Experts: Work with CMMC consultants or C3PAOs (CMMC Third-Party Assessment Organizations) for expert guidance and assessment support.

  9. Perform a Self-Assessment: Conduct an internal assessment to gauge your readiness before the official CMMC assessment.

  10. Schedule Your CMMC Assessment: Arrange your official CMMC assessment with an accredited C3PAO to verify your compliance.



FAQ

What is the purpose of the CMMC program?

What does a CMMC assessment involve?

How does CMMC certification impact contractors?
