CMMC Level 2: What You Actually Need to Know in 2026 [Video + Complete Guide]
Posted: March 6, 2026 to Compliance.
Watch the video above for a quick overview, or read the full guide below for an in-depth breakdown of CMMC Level 2 requirements, costs, and how to prepare your organization.
What Is CMMC Level 2?
The Cybersecurity Maturity Model Certification (CMMC) Level 2 represents the middle tier of the Department of Defense's cybersecurity framework. It requires defense contractors who handle Controlled Unclassified Information (CUI) to implement 110 security controls aligned with NIST SP 800-171. Unlike Level 1, which covers basic cyber hygiene with 17 practices, Level 2 demands a significantly more mature cybersecurity posture that protects sensitive defense information from increasingly sophisticated threats.
As of 2026, CMMC 2.0 is being actively enforced in DoD contracts. If your company handles CUI and you want to continue winning or maintaining defense contracts, achieving CMMC Level 2 certification is not optional. It is a contractual requirement.
Who Needs CMMC Level 2 Certification?
CMMC Level 2 applies to any organization in the Defense Industrial Base (DIB) that processes, stores, or transmits CUI. This includes prime contractors, subcontractors, and any company in the supply chain that touches CUI. Common industries affected include aerospace and defense manufacturers, IT service providers to the DoD, engineering firms working on classified or sensitive projects, and research institutions with DoD-funded programs.
If your contract includes a DFARS 252.204-7012 clause, you almost certainly need Level 2 certification. The DoD estimates that more than 80,000 companies in the defense supply chain will need to achieve this level of certification.
The 110 Security Controls Explained
CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Revision 2. These controls are organized across 14 domains:
Access Control (AC): 22 practices covering who can access your systems and data. This includes multi-factor authentication, least privilege principles, and session management.
Awareness and Training (AT): 3 practices ensuring all personnel understand their cybersecurity responsibilities through regular training and awareness programs.
Audit and Accountability (AU): 9 practices for logging system events, protecting audit logs, and maintaining accountability for user actions.
Configuration Management (CM): 9 practices for establishing and maintaining secure configurations across your IT environment.
Identification and Authentication (IA): 11 practices for verifying the identity of users, devices, and processes before granting access.
Incident Response (IR): 3 practices for establishing incident handling capabilities, including preparation, detection, analysis, containment, and recovery.
Maintenance (MA): 6 practices for performing timely maintenance on organizational systems and controlling maintenance tools.
Media Protection (MP): 9 practices for protecting, sanitizing, and controlling system media containing CUI.
Personnel Security (PS): 2 practices for screening personnel and protecting CUI during personnel actions like terminations and transfers.
Physical Protection (PE): 6 practices for limiting physical access to systems and protecting the physical environment.
Risk Assessment (RA): 3 practices for identifying and evaluating risks to organizational operations and assets.
Security Assessment (CA): 4 practices for periodically assessing security controls and implementing plans of action.
System and Communications Protection (SC): 16 practices for monitoring and protecting communications at system boundaries, including encryption requirements.
System and Information Integrity (SI): 7 practices for identifying, reporting, and correcting system flaws in a timely manner.
CMMC Level 2 Assessment Process
The assessment process for Level 2 has changed significantly under CMMC 2.0. There are two paths depending on the sensitivity of the CUI involved:
Self-Assessment: For contracts involving less critical CUI, organizations can conduct a self-assessment. You must complete the assessment, calculate your score using the DoD Assessment Methodology, and submit the result along with a Senior Official Affirmation to the Supplier Performance Risk System (SPRS).
Third-Party Assessment (C3PAO): For contracts involving more sensitive CUI, a CMMC Third-Party Assessment Organization (C3PAO) must conduct the evaluation. C3PAOs are accredited by the Cyber AB (formerly CMMC-AB) and will verify your implementation of all 110 controls.
The assessment evaluates each practice as Met, Not Met, or Not Applicable. To achieve certification, you must demonstrate that all applicable controls are fully implemented and operating effectively. A Plan of Action and Milestones (POA&M) may be accepted for a limited number of controls, but the majority must be fully met at the time of assessment.
How Much Does CMMC Level 2 Cost?
The cost of achieving CMMC Level 2 certification varies significantly based on your organization's current cybersecurity maturity, size, and IT complexity. Here are the typical cost ranges:
Gap Assessment: $15,000 to $50,000 to identify where your current security posture falls short of the 110 requirements.
Remediation: $50,000 to $500,000 or more to implement missing controls, deploy required technologies, and establish necessary policies and procedures.
C3PAO Assessment: $50,000 to $150,000 for the formal third-party certification assessment.
Ongoing Compliance: $30,000 to $100,000 annually for continuous monitoring, training, and maintaining your security posture.
For small to mid-sized businesses, total first-year costs typically range from $150,000 to $500,000. However, the return on investment is clear: without certification, you cannot compete for DoD contracts that require Level 2.
How to Prepare for CMMC Level 2
Preparation should begin 12 to 18 months before your target certification date. Here is a strategic approach:
Step 1 - Scope Your CUI Environment: Identify exactly where CUI flows through your organization. Document every system, network, and process that touches CUI. The smaller you can make your CUI enclave, the fewer controls you need to implement.
Step 2 - Conduct a Gap Assessment: Compare your current security posture against all 110 NIST 800-171 controls. Document each gap and estimate the effort required to remediate.
Step 3 - Develop a System Security Plan (SSP): Your SSP is the foundational document that describes your security environment, control implementations, and system boundaries. It is required for certification.
Step 4 - Implement Missing Controls: Address the gaps identified in your assessment. Prioritize high-impact controls first, such as multi-factor authentication, encryption, and access controls.
Step 5 - Calculate Your SPRS Score: Use the NIST 800-171 DoD Assessment Methodology to calculate your score. A perfect score is 110, and you should aim as close to that as possible before your formal assessment.
Step 6 - Engage a C3PAO: Schedule your assessment well in advance, as qualified assessors have limited availability. The formal assessment typically takes 1 to 3 weeks depending on your organization's size.
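Step 5 says to calculate your SPRS score but not how the arithmetic works. The following Python script is an added example (not code from the page or from PTG) that applies the scoring rule of the NIST SP 800-171 DoD Assessment Methodology: start at 110, subtract each unmet requirement's point value (1, 3 or 5), and allow partial credit only for multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), which lose 3 points instead of 5 when partially implemented. The six-requirement list, its point values and the assessed statuses are constructed for illustration; a real calculation covers all 110 requirements with the point values from the methodology document.

```python
"""SPRS score calculator (added illustration, not the official tool).

Scoring rule from the DoD Assessment Methodology for NIST SP 800-171:
  score = 110 - sum(points of each requirement not fully implemented)
Point values are 1, 3 or 5 per requirement. Requirements assessed as
Not Applicable (with a documented justification) do not reduce the score.
"""
from dataclasses import dataclass
from enum import Enum

PERFECT_SCORE = 110  # one point per requirement, 110 requirements


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"              # permitted only for 3.5.3 and 3.13.11
    NOT_APPLICABLE = "not_applicable"  # needs a documented justification


# The two requirements that allow partial credit; the methodology deducts
# 3 of their 5 points when, e.g., MFA covers remote/privileged access but
# not general users, or encryption is in use but not FIPS-validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Requirement:
    ident: str   # NIST SP 800-171 requirement number, e.g. "3.1.1"
    title: str
    points: int  # 1, 3 or 5, taken from the methodology

    def __post_init__(self):
        if self.points not in (1, 3, 5):
            raise ValueError(f"{self.ident}: point value must be 1, 3 or 5")


def partial_allowed(ident: str) -> bool:
    """True only for the two requirements the methodology lets you score partially."""
    return ident in PARTIAL_DEDUCTION


def deduction(req: Requirement, status: Status) -> int:
    """Points subtracted for one requirement given its assessed status."""
    if status in (Status.MET, Status.NOT_APPLICABLE):
        return 0
    if status is Status.PARTIAL:
        if not partial_allowed(req.ident):
            raise ValueError(f"{req.ident}: partial credit is not permitted")
        return PARTIAL_DEDUCTION[req.ident]
    return req.points  # Status.NOT_MET loses the full point value


def sprs_score(requirements, statuses) -> int:
    """110 minus the deductions of every requirement that is not fully met.

    Every requirement must carry a status; an unassessed requirement is an
    error rather than an implicit 'met', so a forgotten control cannot
    silently inflate the score."""
    total = 0
    for req in requirements:
        if req.ident not in statuses:
            raise KeyError(f"{req.ident} has not been assessed")
        total += deduction(req, statuses[req.ident])
    return PERFECT_SCORE - total


def remediation_order(requirements, statuses):
    """Open items as (points_recovered, ident, title), largest gain first.

    This is the natural ordering for a POA&M: closing a 5-point item moves
    the SPRS score five times as far as closing a 1-point item."""
    items = []
    for req in requirements:
        lost = deduction(req, statuses[req.ident])
        if lost > 0:
            items.append((lost, req.ident, req.title))
    return sorted(items, key=lambda t: (-t[0], t[1]))


# CONSTRUCTED sample: a handful of requirements, not the full set of 110.
# Point values here are illustrative; take the real ones from the methodology.
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", "Limit system access to authorized users", 5),
    Requirement("3.1.20", "Verify and control connections to external systems", 1),
    Requirement("3.3.1", "Create and retain system audit logs", 5),
    Requirement("3.5.3", "Use MFA for local and network access", 5),
    Requirement("3.13.11", "Employ FIPS-validated cryptography for CUI", 5),
    Requirement("3.14.1", "Identify, report, and correct system flaws", 5),
]

# CONSTRUCTED assessment result for the sample above.
SAMPLE_STATUSES = {
    "3.1.1": Status.MET,
    "3.1.20": Status.NOT_MET,      # -1
    "3.3.1": Status.NOT_MET,       # -5
    "3.5.3": Status.PARTIAL,       # -3 (MFA on remote/privileged only)
    "3.13.11": Status.PARTIAL,     # -3 (encryption present, not FIPS-validated)
    "3.14.1": Status.MET,
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_REQUIREMENTS, SAMPLE_STATUSES))
    for lost, ident, title in remediation_order(SAMPLE_REQUIREMENTS, SAMPLE_STATUSES):
        print(f"  +{lost}  {ident}  {title}")
```

With the constructed statuses the sample scores 98 out of 110, and the remediation list puts the 5-point audit-logging gap first, which is the kind of prioritization Step 4 calls for. Note that the script refuses to compute a score when any listed requirement has no status and rejects a partial status on any requirement other than 3.5.3 and 3.13.11, two mistakes that otherwise produce an optimistic number in SPRS.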
Common CMMC Level 2 Mistakes to Avoid
After helping dozens of defense contractors through the certification process, we see the same mistakes repeatedly:
Underestimating the scope: Many organizations fail to properly identify all systems and processes that handle CUI, leading to gaps during assessment.
Paper compliance without practice: Writing policies is not enough. Assessors verify that controls are actually implemented and operating effectively.
Ignoring the supply chain: Your subcontractors and vendors must also meet appropriate CMMC levels. Your certification can be jeopardized by a non-compliant partner.
Waiting too long to start: The remediation process typically takes 6 to 12 months. Starting late means missing contract deadlines.
Frequently Asked Questions
How long does CMMC Level 2 certification take?
From initial gap assessment to certification, most organizations need 12 to 18 months. The timeline depends on your starting maturity level and the complexity of your IT environment. Organizations with an existing NIST 800-171 compliance program can move faster.
Can I get a conditional CMMC Level 2 certification with a POA&M?
Under CMMC 2.0, a limited number of controls can be addressed through a Plan of Action and Milestones (POA&M). However, certain critical controls must be fully met with no exceptions. The POA&M must be closed within 180 days of the conditional certification.
What happens if I fail my CMMC Level 2 assessment?
If you do not achieve the required score, you will not receive certification. You can remediate the identified gaps and schedule a reassessment. However, the cost of reassessment and the delay in contract eligibility make it critical to be fully prepared before your initial assessment.
Do I need a separate IT environment for CUI?
While not strictly required, creating a separate enclave for CUI processing significantly reduces the scope and cost of compliance. Many organizations use a dedicated CUI environment with controlled access points to minimize the number of systems subject to CMMC controls.
How does CMMC Level 2 relate to NIST 800-171?
CMMC Level 2 is directly mapped to the 110 security requirements in NIST SP 800-171 Revision 2. The key difference is that CMMC adds a verification and certification mechanism. While NIST 800-171 required self-attestation under DFARS, CMMC Level 2 requires either a verified self-assessment or a third-party assessment by a C3PAO.
How PTG Helps with CMMC Level 2 Certification
Petronella Technology Group has been helping defense contractors achieve and maintain CMMC compliance since the framework was first announced. With over 23 years in business and deep expertise in CMMC compliance consulting, cybersecurity, and managed IT services, we guide organizations through every phase of the certification journey.
Our services include comprehensive gap assessments, SSP and POA&M development, technology implementation, employee training, and ongoing compliance monitoring. We work with you to build a sustainable security program that meets CMMC requirements while supporting your business operations.
Ready to start your CMMC Level 2 journey? Contact PTG today for a free consultation. And for ongoing cybersecurity education, join our Training Academy at petronellatech.com/training/.