CMMC Level 2 Requirements: Complete Guide to the 110 Controls Your Defense Business Must Implement
Posted: March 6, 2026 to Compliance.
What CMMC Level 2 Requires and Why It Matters
CMMC Level 2 (Advanced) is the certification level required for defense contractors and subcontractors that handle Controlled Unclassified Information (CUI). With the CMMC final rule now in effect, contractors that cannot demonstrate Level 2 compliance will be ineligible for DoD contracts involving CUI — a category that covers the vast majority of defense work involving technical data, engineering drawings, test results, and operational information.
CMMC Level 2 maps directly to the 110 security controls defined in NIST SP 800-171 Revision 2. Unlike Level 1 (which allows self-assessment for 15 basic practices), Level 2 requires either self-assessment or third-party assessment by a Certified Third-Party Assessment Organization (C3PAO), depending on the sensitivity of the CUI involved. Most contracts involving CUI will require C3PAO assessment.
This guide covers what the 110 controls require, how to prioritize implementation, common gaps that cause assessment failures, and how to prepare your organization for CMMC certification.
The 14 CMMC Level 2 Control Families
1. Access Control (AC) — 22 Controls
The largest control family governs who can access CUI and how. Requirements include:
- Limiting system access to authorized users, processes, and devices
- Controlling the flow of CUI between systems and networks
- Separating duties to reduce risk of insider threats
- Using the principle of least privilege for all access
- Controlling remote access sessions with encryption and multi-factor authentication
- Controlling access via mobile devices and portable storage
Common failures: Excessive administrator privileges, lack of MFA on remote access, no documented access control policy, and CUI accessible from systems that do not meet security requirements.
2. Awareness and Training (AT) — 3 Controls
All users must understand their security responsibilities. Requirements include security awareness training for all users, role-based training for personnel with security responsibilities, and training on recognizing and reporting insider threats.
3. Audit and Accountability (AU) — 9 Controls
You must create, protect, and review audit logs of system activity. Requirements include logging all access to CUI, protecting logs from unauthorized modification or deletion, reviewing logs regularly, alerting on audit failures, and correlating audit information across systems. Most organizations need a SIEM solution to meet these requirements effectively.
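To make the AU practices above concrete, here is an added example (not part of the original guide, and not a product of any vendor named on this page) that runs a review over a handful of constructed JSON audit events. The host names, user names, paths and event names are hypothetical. It flags every access under a CUI path, detects audit-logging failure events, notices a host that goes silent after such a failure, and correlates per user across systems so that CUI access on one host combined with a non-MFA login on another surfaces as a finding. Malformed lines are counted rather than dropped, since a reviewer should know when the log itself is damaged.

```python
"""Review constructed audit log lines for CUI access, audit failures and cross-system correlation."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (hypothetical hosts, users and paths; not real log data).
SAMPLE_LOG_LINES = [
    '{"ts":"2026-03-01T08:00:00Z","host":"fs01","user":"jdoe","event":"file_read","path":"/cui/drawings/part-17.pdf","mfa":true}',
    '{"ts":"2026-03-01T08:00:30Z","host":"vpn01","user":"jdoe","event":"login","mfa":false}',
    '{"ts":"2026-03-01T08:01:00Z","host":"fs01","event":"audit_service_stopped"}',
    '{"ts":"2026-03-01T08:02:00Z","host":"fs02","user":"asmith","event":"file_delete","path":"/cui/test-results/q1.xlsx","mfa":true}',
    '{"ts":"2026-03-01T08:05:00Z","host":"fs02","user":"asmith","event":"file_read","path":"/public/handbook.pdf","mfa":true}',
    "this line is not valid json",
]

CUI_PATH_PREFIX = "/cui/"  # assumption: CUI lives under a dedicated path
AUDIT_FAILURE_EVENTS = {"audit_service_stopped", "audit_log_full", "audit_write_error"}


def parse_events(lines):
    """Parse JSON log lines; count (rather than silently drop) malformed ones."""
    events, malformed = [], 0
    for line in lines:
        try:
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        except (json.JSONDecodeError, KeyError, ValueError, TypeError):
            malformed += 1
            continue
        events.append(event)
    return events, malformed


def review_audit_log(lines):
    """Return a summary a log reviewer would act on: CUI access, audit failures, correlated findings."""
    events, malformed = parse_events(lines)
    cui_access = [e for e in events if e.get("path", "").startswith(CUI_PATH_PREFIX)]
    audit_failures = [e for e in events if e.get("event") in AUDIT_FAILURE_EVENTS]

    # A host that records nothing after an audit failure is a silent coverage gap,
    # which is what alerting on audit-process failure is meant to catch.
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    silent_hosts = sorted({f["host"] for f in audit_failures if last_seen[f["host"]] <= f["ts"]})

    # Correlate across systems by user: CUI access on one host plus a login
    # without MFA on another host is worth a reviewer's attention.
    by_user = defaultdict(list)
    for e in events:
        if "user" in e:
            by_user[e["user"]].append(e)
    findings = []
    for user, user_events in by_user.items():
        touched_cui = any(e.get("path", "").startswith(CUI_PATH_PREFIX) for e in user_events)
        non_mfa_logins = [e for e in user_events if e.get("event") == "login" and not e.get("mfa", False)]
        if touched_cui and non_mfa_logins:
            findings.append({"user": user, "hosts": sorted({e["host"] for e in user_events})})

    return {
        "events": len(events),
        "malformed": malformed,
        "cui_access": len(cui_access),
        "audit_failures": len(audit_failures),
        "silent_hosts": silent_hosts,
        "correlated_findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(review_audit_log(SAMPLE_LOG_LINES), indent=2))
```

The same structure (parse, classify, correlate, report) is what a SIEM rule set does at scale; the point of the script is to show what "reviewing logs regularly" and "correlating audit information across systems" produce as evidence: a dated summary with specific findings, not just the existence of a log file.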
4. Configuration Management (CM) — 9 Controls
Systems must be configured securely and changes must be controlled. Requirements include baseline configurations for all systems, change management processes, restricting unnecessary software, and applying least-functionality principles (disabling unused services and ports).
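As an added example of the baseline and least-functionality checks this family calls for (example code written for this guide, not from any named vendor), the script below compares a constructed observation of a single host against a constructed baseline. The host name, port list, service names and package names are hypothetical; the listening-port parser expects the column layout of Linux `ss -tln` output, which is an assumption about the tool being used. Each difference from the baseline becomes a named finding, so the output doubles as evidence of the control operating.

```python
"""Least-functionality check: report drift between an observed host and its approved baseline."""

# Constructed baseline for a CUI workstation (hypothetical values).
BASELINE = {
    "listening_ports": {22, 443},
    "allowed_services": {"sshd", "auditd", "chronyd"},
    "required_services": {"auditd"},
    "allowed_packages": {"openssh-server", "auditd", "chrony", "openssl"},
    "required_packages": {"auditd"},
}

# Constructed `ss -tln` output for the hypothetical host; 5900 is not in the baseline.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:443               *:*
LISTEN 0      5      127.0.0.1:5900      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

OBSERVED = {
    "host": "ws-cui-07",
    "ss_output": SS_OUTPUT,
    "running_services": {"sshd", "chronyd", "vncserver"},  # auditd is not running
    "installed_packages": {"openssh-server", "chrony", "openssl", "tigervnc-server", "telnet"},
}


def parse_listening_ports(ss_text):
    """Extract TCP listening ports from `ss -tln` style output (header line skipped)."""
    ports = set()
    for line in ss_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local_address = parts[3]          # e.g. 0.0.0.0:22, *:443, [::]:22
        ports.add(int(local_address.rsplit(":", 1)[1]))
    return ports


def check_baseline(observed, baseline):
    """Return (compliant, findings); findings are (kind, item) pairs sorted for stable reporting."""
    findings = []
    ports = parse_listening_ports(observed["ss_output"])
    for port in sorted(ports - baseline["listening_ports"]):
        findings.append(("unexpected_port", str(port)))
    for svc in sorted(observed["running_services"] - baseline["allowed_services"]):
        findings.append(("unexpected_service", svc))
    for svc in sorted(baseline["required_services"] - observed["running_services"]):
        findings.append(("missing_required_service", svc))
    for pkg in sorted(observed["installed_packages"] - baseline["allowed_packages"]):
        findings.append(("unapproved_package", pkg))
    for pkg in sorted(baseline["required_packages"] - observed["installed_packages"]):
        findings.append(("missing_required_package", pkg))
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    compliant, findings = check_baseline(OBSERVED, BASELINE)
    print(f"{OBSERVED['host']}: {'compliant' if compliant else 'DRIFT'}")
    for kind, item in findings:
        print(f"  {kind}: {item}")
```

Running the check on a schedule and keeping the dated output is the kind of operational evidence an assessor asks for: it shows the baseline exists, that it is compared against reality, and that drift (an extra listening service, a missing audit daemon, an unapproved package) is detected rather than assumed absent.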
5. Identification and Authentication (IA) — 11 Controls
Users and devices must be uniquely identified and authenticated. Multi-factor authentication is required for network access to privileged and non-privileged accounts. Password complexity, replay-resistant authentication, and device identification are all required.
6. Incident Response (IR) — 3 Controls
You must have an incident response capability including a documented plan, the ability to detect and report incidents, and testing of your incident response procedures. Incidents involving CUI must be reported to the DoD within 72 hours.
7. Maintenance (MA) — 6 Controls
Systems must be maintained properly with controls on maintenance tools, remote maintenance sessions, and personnel performing maintenance on systems containing CUI.
8. Media Protection (MP) — 9 Controls
Media containing CUI (hard drives, USB drives, paper documents) must be protected, marked, sanitized before disposal, and controlled during transport. This includes controlling the use of removable media and encrypting CUI on portable storage.
9. Personnel Security (PS) — 2 Controls
Screen personnel before granting access to CUI and protect CUI during and after personnel actions (terminations, transfers).
10. Physical Protection (PE) — 6 Controls
Physical access to systems, equipment, and facilities must be controlled. Visitor access must be monitored and logged. Physical access logs must be maintained.
11. Risk Assessment (RA) — 3 Controls
Conduct periodic risk assessments, scan for vulnerabilities regularly, and remediate vulnerabilities in accordance with risk assessments.
12. Security Assessment (CA) — 4 Controls
Periodically assess your security controls to determine their effectiveness, develop and implement remediation plans, monitor controls on an ongoing basis, and implement system-level security plans.
13. System and Communications Protection (SC) — 16 Controls
Protect communications at external and internal boundaries, implement architectural designs with security zones, use encryption to protect CUI in transit, control collaborative computing devices, and protect the confidentiality of CUI at rest.
14. System and Information Integrity (SI) — 7 Controls
Identify and fix system flaws in a timely manner, protect against malicious code, monitor system security alerts, and update malicious code protection mechanisms.
Prioritizing CMMC Level 2 Implementation
Implementing all 110 controls simultaneously is impractical. Prioritize based on risk and assessment impact:
Highest priority (address first):
- Multi-factor authentication on all accounts accessing CUI
- Encryption of CUI at rest and in transit
- FIPS-validated encryption modules
- Audit logging with SIEM implementation
- Documented System Security Plan (SSP)
- Incident response plan and procedures
Second priority:
- Access control policies and least privilege implementation
- Vulnerability scanning and remediation program
- Security awareness training program
- Configuration management baselines
- Media protection and sanitization procedures
Third priority:
- Physical security controls and visitor logging
- Personnel screening procedures
- Maintenance documentation
- Risk assessment procedures
- Security assessment and continuous monitoring
Common CMMC Level 2 Assessment Failures
Based on our experience preparing defense contractors for assessment, these are the most common gaps:
- Incomplete System Security Plan: The SSP must document all 110 controls and how they are implemented in your specific environment. Generic templates do not pass.
- CUI scope not properly defined: If you cannot clearly identify where CUI enters, flows through, is stored, and exits your environment, your entire assessment is undermined.
- Shared infrastructure with non-CUI systems: CUI systems must be properly segmented. Running CUI workloads on the same infrastructure as general business operations without proper controls is a common failure.
- Missing or inadequate FIPS encryption: Using encryption that is not FIPS 140-2 validated is a common and costly mistake.
- No evidence of control operation: Assessors need evidence that controls are not just implemented but actively operating. Screenshots, logs, and documented procedures from actual operations are required.
CMMC Level 2 Assessment Process
The assessment process involves:
- Pre-assessment readiness review: Work with a consultant to identify and remediate gaps before engaging a C3PAO
- Select a C3PAO: Choose from the list of accredited assessment organizations on the Cyber AB marketplace
- Assessment planning: The C3PAO reviews your SSP and scopes the assessment
- Assessment execution: On-site and remote evaluation of all 110 controls (typically 1 to 2 weeks)
- Final report and certification: Results submitted to the CMMC eMASS system for adjudication
Get CMMC Level 2 Ready
Petronella Technology Group has helped defense contractors throughout the Raleigh-Durham Triangle achieve CMMC compliance for over 23 years. Our CMMC consulting services include gap analysis against all 110 Level 2 controls, SSP development, remediation implementation, and pre-assessment readiness reviews. We also provide ongoing compliance management to ensure your controls remain effective between assessment cycles.
Schedule a CMMC readiness assessment to understand your current compliance gaps and get a clear roadmap to Level 2 certification.