What Is CMMC Level 2? A Plain-English Guide for Small Contractors

Published April 17, 2026 — Everything you need to know about CMMC Level 2 certification, explained without the jargon.

If you work with the Department of Defense — even as a small subcontractor — you have probably heard about CMMC by now. The Cybersecurity Maturity Model Certification is the DoD’s way of making sure every company in the defense supply chain has adequate cybersecurity protections. And for most contractors handling sensitive data, that means CMMC Level 2.

This guide breaks down exactly what CMMC Level 2 requires, who needs it, how assessments work, and what you can do right now to start preparing — even if your IT team is just you and a managed service provider.

What Is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. It is a DoD framework established through the CMMC Final Rule (32 CFR Part 170) that went into effect in late 2024. The purpose is simple: verify that defense contractors actually implement the cybersecurity controls they claim to have in place.

Before CMMC, contractors self-attested to compliance with NIST SP 800-171 — and the DoD found that many companies checked the boxes without actually implementing the controls. CMMC adds verification through independent assessments.

The framework is being phased into DoD contracts through DFARS clause 252.204-7021. Once a contract includes this clause, you must have the required CMMC level before you can bid on or continue performing that work.

The Three CMMC Maturity Levels

CMMC 2.0 defines three maturity levels, each building on the one below:

| Level | Name | Controls | Assessment | Protects |
|---|---|---|---|---|
| Level 1 | Foundational | 17 practices (FAR 52.204-21) | Annual self-assessment | Federal Contract Information (FCI) |
| Level 2 | Advanced | 110 controls (NIST SP 800-171 Rev 2) | Self-assessment or C3PAO third-party assessment | Controlled Unclassified Information (CUI) |
| Level 3 | Expert | 110 + selected NIST SP 800-172 controls | Government-led (DIBCAC) | CUI on highest-priority programs |

Most small and mid-size defense contractors will need either Level 1 or Level 2. Level 3 applies to a relatively small number of contracts involving the most sensitive programs.

What Does CMMC Level 2 Specifically Require?

CMMC Level 2 maps directly to NIST SP 800-171 Revision 2. That means you must implement all 110 security controls across 14 control families. There is no picking and choosing — every control applies if your contract requires Level 2.

The 110 controls cover everything from who can access your systems, to how you log activity, to how you respond to security incidents. They are organized into these 14 families:

The 14 NIST SP 800-171 Control Families

| ID | Family | Controls | What It Covers |
|---|---|---|---|
| AC | Access Control | 22 | Who can access what systems and data, least privilege, remote access, wireless access |
| AU | Audit and Accountability | 9 | Logging system events, protecting audit logs, audit review and reporting |
| AT | Awareness and Training | 3 | Security awareness training, role-based training for privileged users |
| CM | Configuration Management | 9 | Baseline configurations, change control, least functionality, software restrictions |
| IA | Identification and Authentication | 11 | Multi-factor authentication, password policies, device identification |
| IR | Incident Response | 3 | Incident response plans, reporting, testing your IR capabilities |
| MA | Maintenance | 6 | System maintenance controls, remote maintenance, maintenance personnel |
| MP | Media Protection | 9 | Media access, marking, storage, transport, sanitization of CUI media |
| PE | Physical Protection | 6 | Physical access to systems, visitor management, monitoring physical access |
| PS | Personnel Security | 2 | Personnel screening, personnel termination and transfer procedures |
| RA | Risk Assessment | 3 | Risk assessments, vulnerability scanning, remediation |
| SA | Security Assessment | 4 | Periodic security assessments, system of records, POA&M management |
| SC | System and Communications Protection | 16 | Boundary protection, encryption, CUI transmission protection, session management |
| SI | System and Information Integrity | 7 | Flaw remediation, malicious code protection, security alerts, system monitoring |

Some of these families carry more weight than others. Access Control (AC) alone has 22 controls — one-fifth of the total. System and Communications Protection (SC) has 16. Together those two families make up more than a third of the entire framework.

Who Needs CMMC Level 2?

You need CMMC Level 2 if your DoD contracts involve handling Controlled Unclassified Information (CUI). CUI includes a wide range of sensitive but unclassified data:

If you are unsure, check your current contracts for DFARS clauses 252.204-7012 (current CUI protection requirement) and 252.204-7021 (CMMC requirement). Your contracting officer can also confirm your required level.

Important: Even subcontractors and suppliers who receive CUI from a prime contractor need CMMC Level 2. The requirement flows down through the entire supply chain.

How CMMC Level 2 Assessments Work

There are two paths to CMMC Level 2 certification, depending on the sensitivity of the CUI involved:

Self-Assessment (Level 2, lower sensitivity)

For some contracts, the DoD will allow a self-assessment. You evaluate your own compliance against all 110 controls, calculate your SPRS score, and submit the results to the DoD’s Supplier Performance Risk System. A senior company official must affirm the results, and making a false statement carries penalties under the False Claims Act.

C3PAO Assessment (Level 2, higher sensitivity)

For most CUI-handling contracts — especially after Phase 2 begins in October 2026 — you need a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). These are organizations accredited by the Cyber AB (formerly CMMC-AB) to perform CMMC assessments.

The C3PAO assessment process typically looks like this:

  1. Pre-assessment readiness review — The C3PAO reviews your documentation and System Security Plan (SSP)
  2. On-site assessment — Assessors examine evidence, interview staff, and test controls (typically 3–5 days)
  3. Findings report — The C3PAO documents results, including any Not Met controls
  4. Conditional certification — If you have limited gaps, you may receive conditional certification with a POA&M (Plan of Action and Milestones) to close gaps within 180 days
  5. Final certification — Valid for three years once all controls are met

What Does a CMMC Level 2 Assessment Cost?

The total cost of achieving CMMC Level 2 varies widely based on your company size, existing security infrastructure, and current compliance gaps. Here are realistic ranges for a small contractor (under 100 employees):

| Cost Category | Range | Notes |
|---|---|---|
| Gap assessment / readiness review | $10,000–$30,000 | Optional but recommended before C3PAO assessment |
| Remediation (tools, infrastructure) | $20,000–$200,000+ | Depends on current state; MFA, SIEM, encryption upgrades |
| C3PAO assessment fees | $50,000–$150,000 | Depends on scope, number of locations, system complexity |
| Compliance tools and documentation | $5,000–$50,000/year | GRC platforms, SPRS tracking, SSP builders |
| Ongoing maintenance | $10,000–$30,000/year | Continuous monitoring, annual reviews, training |

The DoD has acknowledged the cost burden on small businesses and has indicated that CMMC compliance costs can be considered allowable costs on DoD contracts. Check with your contracting officer about cost recovery options.

How to Start Preparing for CMMC Level 2

Certification can take 6 to 12 months of preparation, so start now if you have not already. Here is a practical starting path:

  1. Identify your CUI — Determine exactly what CUI you handle, where it lives, and how it flows through your systems. This defines your assessment scope.
  2. Define your CUI boundary — Document which systems, networks, and physical spaces are in scope. Minimizing your CUI boundary reduces compliance costs.
  3. Assess your current state — Score each of the 110 controls as Met, Partially Met, or Not Met. Calculate your SPRS score.
  4. Build your POA&M — For every control that is Not Met or Partially Met, document what needs to change, who is responsible, and when it will be done.
  5. Write your SSP — Your System Security Plan is the single most important document. It describes how each control is implemented in your specific environment.
  6. Remediate gaps — Implement the technical, operational, and policy changes needed to close your gaps.
  7. Collect evidence — For every control, document proof of implementation — screenshots, configurations, policies, training records.
  8. Engage a C3PAO — Book early. C3PAO availability is limited and wait times are growing as the deadline approaches.
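Steps 3 and 4 above ask you to score every control and turn the gaps into a POA&M. The following is an added example, not code from this page or from NormSuite, showing how the DoD NIST SP 800-171 Assessment Methodology scoring works as this example understands it: start at 110, subtract a control's point value (1, 3 or 5) when it is not fully implemented (a control that sits on a POA&M counts as not met), and apply the reduced 3-point deduction only in the two partial-credit cases the methodology defines (3.5.3 multi-factor authentication and 3.13.11 FIPS-validated cryptography). The control subset, the weights assigned to it and the sample assessment are constructed for illustration; the authoritative per-control weights come from the methodology's annex, not from this table.

```python
from dataclasses import dataclass, field

MAX_SCORE = 110  # a fully implemented set of 110 controls scores 110

# Constructed illustrative subset of the 110 controls with point values.
# Real weights (1, 3 or 5 per control) come from the DoD Assessment
# Methodology annex; this table is a placeholder, not that annex.
WEIGHTS = {
    "3.1.1": 5,    # AC: limit system access to authorized users
    "3.1.2": 5,    # AC: limit access to permitted transactions and functions
    "3.1.22": 1,   # AC: control CUI posted on publicly accessible systems
    "3.3.1": 5,    # AU: create and retain audit logs
    "3.5.3": 5,    # IA: multi-factor authentication
    "3.13.11": 5,  # SC: FIPS-validated cryptography for CUI
    "3.14.1": 5,   # SI: identify, report and correct system flaws
}

# The two partial-credit cases the methodology defines: the control is
# partly in place, so a reduced deduction applies instead of the full weight.
PARTIAL_DEDUCTION = {
    "3.5.3": 3,    # MFA on remote and privileged access, not yet general users
    "3.13.11": 3,  # encryption in use, but not with FIPS-validated modules
}

VALID_STATUSES = ("met", "partial", "not_met")


@dataclass
class Assessment:
    """One scored control; responsible/due feed the POA&M entry if not met."""
    control: str
    status: str
    responsible: str = ""
    due: str = ""


@dataclass
class Result:
    score: int
    poam: list = field(default_factory=list)


def deduction_for(assessment: Assessment) -> int:
    """Points to subtract for one control under the scoring rules above."""
    if assessment.control not in WEIGHTS:
        raise KeyError(f"control {assessment.control} is not in the weight table")
    if assessment.status not in VALID_STATUSES:
        raise ValueError(f"bad status {assessment.status!r} for {assessment.control}")
    if assessment.status == "met":
        return 0
    if assessment.status == "partial" and assessment.control in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[assessment.control]
    # Any other partially implemented control scores the same as not met:
    # the methodology gives no partial credit outside the two cases above.
    return WEIGHTS[assessment.control]


def score(assessments) -> Result:
    """Compute the SPRS score and the POA&M for everything not fully met."""
    result = Result(score=MAX_SCORE)
    for a in assessments:
        points = deduction_for(a)
        if points == 0:
            continue
        result.score -= points
        result.poam.append({
            "control": a.control,
            "status": a.status,
            "points_at_stake": points,
            "responsible": a.responsible,
            "due": a.due,
        })
    return result


# Constructed sample assessment of the subset above (not real data).
SAMPLE = [
    Assessment("3.1.1", "met"),
    Assessment("3.1.2", "met"),
    Assessment("3.1.22", "not_met", "web team", "2026-06-30"),
    Assessment("3.3.1", "met"),
    Assessment("3.5.3", "partial", "IT", "2026-07-31"),
    Assessment("3.13.11", "not_met", "IT", "2026-09-30"),
    Assessment("3.14.1", "partial", "MSP", "2026-05-31"),
]

if __name__ == "__main__":
    r = score(SAMPLE)
    print(f"SPRS score: {r.score}")
    for item in r.poam:
        print(f"  {item['control']:8} {item['status']:8} -{item['points_at_stake']} "
              f"{item['responsible']} by {item['due']}")
```

The POA&M list this produces is exactly the set of controls that still cost points, which is why closing the 5-point items first moves the score fastest; a "partial" status on any control other than 3.5.3 or 3.13.11 is worth nothing until the control is fully met.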

How NormSuite CMMC Tracker Helps

Preparing for CMMC Level 2 involves tracking 110 controls, generating documentation, managing evidence, and calculating your SPRS score — all while running your actual business. NormSuite CMMC Tracker is purpose-built for this:

Start free: Assess up to 20 controls and preview your SPRS score at no cost. Create your free account to see where you stand.

Frequently Asked Questions

What does CMMC stand for?

CMMC stands for Cybersecurity Maturity Model Certification. It is a Department of Defense framework that verifies defense contractors have adequate cybersecurity practices in place to protect sensitive government information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 requires 17 basic cyber hygiene practices from FAR 52.204-21 and allows self-assessment. CMMC Level 2 requires all 110 controls from NIST SP 800-171 Rev 2, covers Controlled Unclassified Information (CUI), and most contractors will need a third-party assessment by a C3PAO. For a detailed comparison, see our guide on CMMC Level 2 vs Level 1.

Do all defense contractors need CMMC Level 2?

No. Only contractors who handle Controlled Unclassified Information (CUI) need Level 2. Contractors who only handle Federal Contract Information (FCI) need Level 1. Your required level is specified in your DoD contract solicitations under DFARS clause 252.204-7021.

How much does CMMC Level 2 certification cost?

Total costs typically range from $50,000 to $500,000+ depending on company size and current security posture. This includes remediation costs, C3PAO assessment fees, compliance tools, and ongoing maintenance. The DoD considers these allowable costs on defense contracts.

Is there a free CMMC compliance tracker?

Yes. NormSuite CMMC Tracker offers a free tier that lets you assess up to 20 controls and preview your SPRS score. It helps you understand your compliance gaps before committing to a paid plan for full 110-control tracking, SSP generation, and evidence management.

Next Steps

CMMC Level 2 is a significant undertaking, but it is manageable if you start early and work methodically. Read our related guides to go deeper on specific topics:
