CMMC Level 2


CMMC consists of three (3) levels ranging from Foundational to Expert. These levels measure an organization’s degree of cyber maturity via an established set of processes, practices and focus areas.

Level 2 (Advanced) is for companies working with CUI. The requirements mirror NIST SP 800-171, and align with the 14 levels and 110 security controls developed to protect CUI.

CMMC Level 2 Requirements

Level 2 is primarily focusing on protecting, storing and transmitting Controlled Unclassified Information (CUI).

CMMC Level 2 Practices

Level 2 requires organizations to engage in a set of 110 practices from NIST 800-171.

medal icon

Based on Existing Regulations

Based on the 110 controls found in NIST 800-171.

consultant icon

Controlled Unclassified Information (CUI)

Required for any contractor that handles CUI, CTI, or ITAR.


Requires third-party audit by a C3PAO.