CMMC consists of three (3) levels ranging from Foundational to Expert. These levels measure an organization’s degree of cyber maturity via an established set of processes, practices and focus areas.

Level 2 (Advanced) is for companies working with CUI. The requirements mirror NIST SP 800-171, and align with the 14 levels and 110 security controls developed to protect CUI.

CMMC Level 2 Requirements

Level 2 is primarily focusing on protecting, storing and transmitting Controlled Unclassified Information (CUI).  If your organization handles both – FCI and CUI – you will have to meet CMMC Level 2 requirements or higher.

This level aims at fleshing out the base security practices established in Level 1 and increasing the overall security of the organization. Level 2 is a considerable step up that impacts both timeline and cost.

Assessment requirements for Level 2 compliance differ based on whether the CUI data handled is considered critical or non-critical to national security. 

  • Defense Industrial Base organizations with prioritized acquisitions that handle data critical to national security must pass a higher level third-party assessment, conducted by an authorized CMMC Third Party Assessment Organizations (C3PAO), every 3 years.
  • For non-prioritized acquisitions handling non-critical data to national security, an annual self-assessment is required.

The Department of Defense has stated that roughly 80,000 in the DIB will need to achieve CMMC Level 2 via a C3PAO assessment. 

CMMC Level 2 Practices

Level 2 requires organizations to engage in a set of 110 practices from NIST 800-171.

medal icon

Based on Existing Regulations

Based on the 110 controls found in NIST 800-171.

consultant icon

Controlled Unclassified Information (CUI)

Required for any contractor that handles CUI, CTI, or ITAR.

Official Assessment

In most cases, requires a third-party assessment by an authorized C3PAO.