CMMC Level 2 Certification Checklist
CMMC Level 2 certification requires contractors to implement all 110 NIST SP 800-171 security requirements and to complete the assessment type their contract calls for: a self-assessment, or a third-party assessment by a C3PAO
The Cybersecurity Maturity Model Certification (CMMC) is an important milestone for defense contractors to address, measuring cybersecurity maturity at three levels - Foundational, Advanced, and Expert.
While CMMC Level 1 focuses exclusively on protecting Federal Contract Information (FCI) and aligns with the 15 basic safeguarding requirements of FAR 52.204-21, CMMC Level 2 focuses on protecting Controlled Unclassified Information (CUI) and requires organizations to implement the security requirements of NIST SP 800-171. As a result, CMMC Level 2 expands on the basic practices established in Level 1 and is considerably more complex, requiring more time and resources to achieve.
Delve deeper into the CMMC Level 2 compliance requirements with our CMMC Level 2 checklist.
What is CMMC Level 2?
CMMC Level 2 is the "Advanced" level of CMMC certification. It applies to current and prospective DoD contractors whose contracts include DFARS 252.204-7012 and that store, process, or transmit CUI, including its CTI and ECI categories:
- Controlled Unclassified Information (CUI) is information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, and that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.
- Controlled Technical Information (CTI) is technical information with military or space applications that requires controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
- Export-controlled information (ECI) includes information regulated for national security, foreign policy, anti-terrorism, or non-proliferation reasons.
CMMC Level 2 requirements consist of the security requirements of NIST SP 800-171, grouped by control family. The CMMC rule (32 CFR part 170) references Revision 2 of the publication, which has 110 requirements in 14 families; Revision 3 adds the Planning, System and Service Acquisition, and Supply Chain Risk Management families, which are also covered below.
What is the Difference Between CMMC Level 2 and NIST 800-171?
The main difference between NIST SP 800-171 and CMMC Level 2 is that the former is a security standard for CUI protection published by the National Institute of Standards and Technology (NIST), whereas CMMC is a DoD certification program that verifies whether a contractor meets the NIST SP 800-171 requirements.
CMMC 2.0 Level 2 maps one-to-one to the NIST SP 800-171 requirements; the additional "delta" practices and maturity processes of CMMC 1.0 were dropped. What CMMC adds is the assessment and affirmation regime: the organization must document how each requirement is implemented (policies, procedures, and a System Security Plan), score itself, and, for most contracts, pass a third-party assessment by an accredited CMMC Third-Party Assessor Organization (C3PAO).
NIST SP 800-171 itself only specifies the technical and operational security requirements. It does not include a certification or third-party audit component.
CMMC 2.0 Level 2 Control Requirements
CMMC Level 2 organizations must meet the following requirements:
Access control
Access control is the most extensive category within the NIST SP 800-171 control families. It requires organizations to control who and what can access systems and information in their IT environment, and to restrict that access to what is authorized. Key requirements include:
- Proper account management (processes for creating, modifying, disabling, and removing system accounts)
- Controlling the flow of CUI within the organization’s system
- Enforcing the principle of least privilege
- Enforcing encryption, authorization, and authentication measures (for example, encrypting CUI on mobile devices and protecting wireless access)
- Controlling remote access and session termination
- Managing and limiting the use of mobile devices
Awareness and training
Provide security literacy training to managers, system administrators, and other users as part of initial training, when system changes require it, and after exposure to insider threats, social engineering, or social mining. Provide role-based security training to organizational personnel and update the training content regularly.
Audit and accountability
Audit and Accountability controls revolve around creating and retaining audit logs and records, and holding users accountable for their actions. Organizations must keep audit logs that allow unauthorized activity to be detected, which means:
- Reviewing and updating the set of logged events
- Alerting on failures in the audit logging process
- Generating reports that support on-demand analysis and provide compliance evidence
- Reporting on failures in the audit process
- Generating reports that support on-demand analysis and provide compliance evidence
Configuration management
Configuration management requires businesses to establish and maintain baseline configurations. This includes controlling user-installed software, identifying deviations from established configuration settings, and tracking changes to the organization’s systems. The requirements include:
- Controlling and monitoring user-installed software (shadow IT installed without the approval of the IT team)
- Documenting and enforcing access restrictions associated with changes to the system
- Configuring systems to provide only essential capabilities
Identification and authentication
The identification and authentication control family requires organizations to verify the identity of users, devices, or systems before granting access to resources within an organization’s IT environment. It ensures that only authorized individuals/entities can access sensitive systems, data, or applications. Some of the best practices under this control family include:
- Implement MFA
- Follow proper password-hygiene procedures
- Implement password management systems that help securely create, store, and rotate passwords.
- Enforce credential changes whenever compromise is known or suspected (e.g., after a breach or suspicious activity); if organizational policy also mandates periodic rotation, set and enforce a defined interval (e.g., every 90 days).
Incident response
This control family obligates organizations to have an updated incident response strategy that ensures the incidents are detected, responded to, communicated, and addressed in a timely and effective manner. In particular, organizations must:
- Implement an incident-handling capability that covers preparation, detection and analysis, containment, eradication, and recovery.
- Develop and implement an incident response plan.
- Track and document system security incidents
- Report incidents to the internal team and external bodies.
- Regularly test the incident response capability.
- Provide incident response training to system users.
Maintenance
Organizations must implement effective system maintenance practices to safeguard CUI and other sensitive information from potential threats or compromise. Among the activities that organizations must perform as part of systems maintenance are:
- Control and monitor the use of system maintenance tools, and who uses them.
- Check media containing diagnostic and test programs for malicious code before use.
- Approve nonlocal maintenance and diagnostic activities, require multi-factor authentication with replay resistance, and terminate sessions when maintenance is complete.
Media protection
Under the media protection control, organizations must ensure the security of system media containing CUI. Some of the specific activities include, but are not limited to:
- Ensure physical control and securely store system media that contain CUI.
- Restrict access to CUI on system media to authorized personnel or roles.
- Sanitize system media that contain CUI prior to disposal, release out of organizational control, or release for reuse.
- Protect and control media that contain CUI during transportation.
- Protect the confidentiality of backup information.
Personnel security
This is a small family of controls that requires businesses to properly manage personnel changes, such as hiring, transfers, and offboarding. This includes ensuring necessary agreements, identity verifications, background checks, and other personnel controls.
Physical protection
Physical Protection involves safeguarding hardware, software, networks, and data from damage or loss caused by physical events. This domain requires organizations to take various actions to reduce the risk of physical harm, such as:
- Control physical access devices.
- Limit physical access to systems and equipment to authorized users only.
- Maintain audit logs of physical access.
Risk assessment
There are two major requirements that cover the performance of regular risk assessments:
- Regularly assess the risk of unauthorized disclosure resulting from the processing, storage, or transmission of CUI.
- Scan for vulnerabilities in the system and its applications periodically and whenever new vulnerabilities affecting them are identified, and remediate what is found.
Organizations are required to do both to meet this control.
Security assessment
Organizations must monitor and assess their security controls to determine whether they are effective at keeping data secure. Under this control family, organizations are required to:
- Develop and regularly update a plan of action and milestones for the system to document the planned remediation actions to correct weaknesses and/or reduce or eliminate known system vulnerabilities.
- Develop and implement a system-level continuous monitoring strategy that includes ongoing monitoring and security assessments.
System and communications protection
This is a broad set of requirements (16 requirements in NIST SP 800-171 Rev. 2) aimed at monitoring, controlling, and securing information transmitted or received by IT systems. Key activities include:
- Preventing unauthorized information transfer
- Using cryptographic methods to safeguard CUI from unauthorized disclosure
- Creating sub-networks for publicly accessible components, isolated from internal networks
- Blocking network traffic by default unless explicitly allowed
System and information integrity
This set of controls requires organizations to swiftly detect and fix system vulnerabilities while protecting critical assets from malicious code. Key tasks include:
- Monitoring and quickly responding to security alerts about unauthorized system use
- Regularly scanning IT systems and scanning external files when downloaded or accessed
- Updating malware protection mechanisms as soon as new versions become available
Planning
This control family addresses policies and procedures for the protection of CUI and includes the requirements to:
- Develop, document, disseminate, and regularly update policies and procedures needed to satisfy the security requirements for the protection of CUI.
- Develop a system security plan that includes other relevant information necessary for the protection of CUI, such as system components, information types processed, stored, and transmitted by the system, threats to the system, etc.
- Establish rules that describe the responsibilities and expected behavior for system usage and CUI protection.
System and service acquisition
Organizations should apply systems security engineering principles to system development and modification, and must:
- Replace system components when support for them is no longer available from the developer, vendor, or manufacturer.
- Provide risk-mitigation options or alternative sources of support for unsupported components that cannot be replaced.
Supply chain risk management
This control family requires organizations to develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services. Besides this, organizations must:
- Review and update the supply chain risk management plan.
- Protect the supply chain risk management plan from unauthorized disclosure.
- Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and mitigate supply chain risks.
CMMC level 2 assessment guide
The main conditions for CMMC 2.0 Level 2 compliance are:
- Protect CUI in all systems and processes where it is stored, processed, or transmitted
- Implement all security requirements from NIST SP 800-171
- Undergo the assessment type the contract specifies (a third-party C3PAO assessment for most contracts involving CUI, or a self-assessment where the DoD allows it)
- Maintain documentation and evidence, including policies, procedures, and a System Security Plan (SSP)
- Remediate gaps and manage POA&Ms (when allowed by contract)
- Continuously maintain controls, not just “point-in-time” compliance
Let’s see these steps in more detail:
CMMC Level 2 self-assessment requirements
Depending on the sensitivity and priority of the DoD contract, CMMC Level 2 organizations must undergo either a self-assessment or a third-party assessment; the contract states which. For contracts the DoD considers lower risk, organizations may conduct an internal self-assessment. The self-assessment requirements are:
- Conducting a CMMC Level 2 self-assessment every three years against all NIST SP 800-171 requirements, and entering the results in SPRS.
- Submitting an annual affirmation of continued compliance with the NIST SP 800-171 security requirements in SPRS (32 CFR 170.22, Affirmation).
However, the DoD can still review your documentation or require a third-party assessment later if the risk increases.
NOTE: If the organization's FCI and CUI boundaries overlap, the CMMC Level 2 assessment and affirmation also satisfy the Level 1 requirements.
Unlike Level 1, CMMC Level 2 allows a conditional status based on a Plan of Action & Milestones (POA&M), for self-assessments as well as for C3PAO assessments.
CMMC Level 2 third-party certification requirements
If a contract involves CUI tied to national security priorities, the organization must undergo a third-party CMMC Level 2 certification assessment once every three years. Only accredited CMMC Third-Party Assessor Organizations (C3PAOs) are authorized to conduct these assessments. To pass, a company must either fully implement all required security requirements (final certification) or qualify for conditional certification. Conditional certification is available when only a small, clearly defined number of lower-weighted requirements remain open. In that case the organization must document those gaps in a POA&M and remediate them within the timeframe set by the Department of Defense.
The POA&M rules are the same for both assessment types: the same score threshold applies, the same requirements are excluded from deferral, and every open item must be closed and verified in a POA&M close-out assessment within 180 days. For a certification assessment the close-out is performed by a C3PAO; for a self-assessment the organization performs it and updates SPRS.
CMMC Level 2 scoring
CMMC Level 2 scoring is inherited from the DoD NIST SP 800-171 Assessment Methodology, which the CMMC Scoring Methodology adopts. Each of the 110 requirements is scored as implemented or not, for a maximum of 110 points. Importantly, not all requirements carry the same weight: a missing lower-impact requirement deducts 1 point, a missing moderate protection deducts 3 points, and a missing critical safeguard such as multi-factor authentication, audit logging, incident response, or boundary protection deducts 5 points. Two requirements allow partial credit: MFA implemented for general but not privileged users, and encryption that is in place but not FIPS-validated, each lose 3 points instead of 5.
To achieve CMMC Level 2 certification, a company does not need a perfect score. Instead, it must reach a verified score of at least 88 points (80% of 110) and ensure that any remaining gaps are ones the rule allows on a POA&M. 32 CFR 170.21(a)(2) restricts the POA&M essentially to 1-point requirements, with a narrow exception for non-FIPS-validated encryption, and excludes a handful of specific requirements altogether; all documented gaps must then be remediated and verified in a close-out assessment within 180 days. During the C3PAO assessment, the assessor recalculates and validates the organization’s self-reported SPRS score, so accurate pre-assessment scoring and control prioritization are critical.
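The following Python snippet is an added example, not part of this checklist or of any DoD or Cyber AB tool, that shows how the weighted deductions and the conditional-status rules above combine into a pre-assessment score. The gap lists are constructed samples; their weights are illustrative and must be taken from the CMMC Scoring Methodology in a real assessment. The partial-credit cases and the set of never-deferrable requirement identifiers are quoted from the DoD Assessment Methodology and 32 CFR 170.21(a)(2) as I recall them, and should be verified against the current eCFR text before being relied on.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SCORE = 110          # one point per NIST SP 800-171 Rev. 2 requirement
PASS_THRESHOLD = 88      # 80 % of 110; below this no conditional status is possible
POAM_WINDOW_DAYS = 180   # time allowed to close out POA&M items

# Partial-credit cases from the DoD Assessment Methodology: MFA for general but
# not privileged users (3.5.3), encryption in place but not FIPS-validated (3.13.11).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Requirements the POA&M may never contain (32 CFR 170.21(a)(2)(iii)).
# Quoted from memory: verify against the current eCFR text.
NEVER_DEFER = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Gap:
    rid: str               # NIST SP 800-171 Rev. 2 requirement identifier, e.g. "3.5.3"
    weight: int            # 1, 3 or 5 points per the CMMC Scoring Methodology
    partial: bool = False  # True only for the partial-credit cases above


def deduction(gap: Gap) -> int:
    """Points lost for one unimplemented (or partially implemented) requirement."""
    if gap.partial:
        if gap.rid not in PARTIAL_CREDIT:
            raise ValueError(f"{gap.rid} has no partial-credit option")
        return PARTIAL_CREDIT[gap.rid]
    if gap.weight not in (1, 3, 5):
        raise ValueError(f"{gap.rid}: weight must be 1, 3 or 5")
    return gap.weight


def sprs_score(gaps) -> int:
    """Score to report in SPRS: 110 minus the deduction for every open gap."""
    return MAX_SCORE - sum(deduction(g) for g in gaps)


def deferrable(gap: Gap) -> bool:
    """May this gap stay open on a POA&M at assessment time (32 CFR 170.21(a)(2))?"""
    if gap.rid in NEVER_DEFER:
        return False
    if gap.rid == "3.13.11" and gap.partial:
        return True          # the one higher-weighted exception: non-FIPS encryption
    return gap.weight == 1   # otherwise only 1-point requirements may be deferred


@dataclass
class Verdict:
    score: int
    outcome: str                                   # "final", "conditional" or "not_met"
    blockers: list = field(default_factory=list)   # gaps that must close before assessment


def assess(gaps) -> Verdict:
    """Apply the score threshold and the deferral rules to a list of open gaps."""
    score = sprs_score(gaps)
    if not gaps:
        return Verdict(score, "final")
    blockers = sorted(g.rid for g in gaps if not deferrable(g))
    if score < PASS_THRESHOLD or blockers:
        return Verdict(score, "not_met", blockers)
    return Verdict(score, "conditional")


def poam_deadline(conditional_status_date: date) -> date:
    """Last day to complete the POA&M close-out after conditional status is granted."""
    return conditional_status_date + timedelta(days=POAM_WINDOW_DAYS)


# Constructed sample gap lists (weights are illustrative, not the official values).
SAMPLE_OK = [
    Gap("3.13.11", 5, partial=True),   # encryption present, not FIPS-validated
    Gap("3.1.3", 1),                   # CUI flow control not enforced
    Gap("3.4.9", 1),                   # user-installed software not monitored
    Gap("3.3.3", 1),                   # logged events not reviewed and updated
]
SAMPLE_BLOCKED = [
    Gap("3.5.3", 5),                   # no MFA at all: 5 points, not deferrable
    Gap("3.1.20", 1),                  # 1 point, but on the never-defer list
    Gap("3.13.11", 5, partial=True),
]

if __name__ == "__main__":
    for name, gaps in (("ok", SAMPLE_OK), ("blocked", SAMPLE_BLOCKED)):
        v = assess(gaps)
        print(f"{name}: score={v.score} outcome={v.outcome} blockers={v.blockers}")
    print("POA&M close-out due by", poam_deadline(date(2025, 1, 15)))
```

Running the sample shows the point of the rule: the "blocked" list scores 101, comfortably above 88, yet cannot receive conditional status because an absent MFA control and an excluded 1-point requirement are on it. Score alone is not the gate; which requirements remain open matters as much.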
System Security Plan
For CMMC 2.0 Level 2, organizations must develop and maintain a System Security Plan (SSP) that documents how CUI is protected across their systems and environment. The SSP must define the assessment boundary, including all devices, users, networks, and cloud services that store, process, or transmit CUI. It should also describe the architecture, data flows, and external connections.
Specifically, it must explain how each NIST SP 800-171 security control is implemented, referencing the technologies, policies, and procedures used to enforce it. This document must reflect the organization’s actual environment and be kept current, as it serves as the primary evidence assessors use to verify CMMC Level 2 compliance.
CMMC Level 2 Plans of Action & Milestones (POA&M)
A POA&M is a formal document used by organizations to identify and manage gaps in their cybersecurity practices. It lists the specific actions the organization will take to remediate each deficiency or weakness identified during a security assessment, such as an unmet CMMC requirement, together with milestones and the responsible owner. CMMC Level 2 POA&Ms are governed by 32 CFR 170.21(a)(2).
All organizations are expected to keep a POA&M for every action still required to achieve compliance. At the POA&M close-out assessment, which must take place within 180 days of conditional status, the organization must show that every item on the POA&M has been remediated.
CMMC Level 2 compliance checklist
Summing up, here's a concise checklist to help you achieve CMMC Level 2 compliance:
1. Scope your environment. Determine the types of information your organization handles (e.g., FCI, CUI). Establish which systems, networks, and processes will be included in the assessment. Evaluate any third-party vendors or partners that may impact your compliance.
2. Understand your requirements. Familiarize yourself with the CMMC Level 2 requirements, focusing on the NIST SP 800-171 controls.
3. Conduct a gap analysis. Assess your current cybersecurity practices against the NIST SP 800-171 controls to identify where your organization does not meet the requirements.
4. Write the System Security Plan (SSP). Document the boundary, the controls in place, how each is implemented, and who is responsible for it.
5. Develop a Plan of Action & Milestones (POA&M). Create a document outlining how to address each gap, including timelines and the personnel responsible for remediation.
6. Perform self-assessments. Score your implementation against the NIST SP 800-171 controls, report the score in SPRS, document findings, and continuously improve practices.
7. Prepare for the external assessment. Choose a C3PAO that is fully authorized by the Cyber AB (the CMMC Accreditation Body). Gather all documentation, policies, and evidence of compliance for the assessor.
8. Undergo the third-party assessment, close out any remaining POA&M items within 180 days, and receive conditional or final CMMC certification.
Planet 9 services for CMMC Level 2 Compliance
To reduce your organization’s burden with CMMC 2.0 compliance efforts, engage third-party security and compliance services, such as Planet 9. For CMMC Level 2, Planet 9 can support your organization with the following services:
- Scope your environment;
- Understand requirements;
- Conduct CMMC Level 2 readiness assessment;
- Conduct gap analysis;
- Help address gaps;
- Conduct self-assessment;
- Prepare for a third-party CMMC Conformity assessment.
Website: https://planet9security.com
Email: info@planet9security.com
Phone: 888-437-3646