CMMC Level 2 Certification: Requirements and Implementation

CMMC Level 2 requirements introduce 110 security controls designed to protect Controlled Unclassified Information (CUI). If your organization works with the Department of Defense, understanding these requirements is critical to maintaining eligibility for contracts. Here’s what you need to know to prepare and stay compliant.

The Cybersecurity Maturity Model Certification (CMMC) program establishes cybersecurity requirements across the defense industrial base (DIB). Many contractors handling more sensitive government information must now achieve CMMC Level 2 Certification to bid on or maintain Department of Defense (DoD) contracts. Level 2 builds on Level 1, adding additional safeguards designed to protect Controlled Unclassified Information (CUI). Understanding these requirements and implementing them correctly is critical for organizations that want to remain eligible for DoD work.

What Is CMMC Level 2 Certification?

CMMC Level 2 Certification is an intermediate certification level that focuses on protecting Controlled Unclassified Information (CUI). Unlike Level 1, which protects basic Federal Contract Information (FCI), Level 2 is aligned with NIST SP 800-171 requirements and has become the foundational requirement that most contractors and subcontractors will need to meet. 

Level 2 requires organizations to:

  • Implement more advanced cybersecurity practices
  • Maintain formal policies and procedures for security operations
  • Demonstrate effective security management across systems

Level 2 is intended for contractors who handle sensitive information that is not classified, such as:

  • Defense designs, plans, and technical specifications
  • Program management documents
  • Certain types of financial, operational, or logistical data
  • Non-public data shared under federal contracts

Who Must Meet CMMC Level 2 Requirements?

CMMC Level 2 Certification applies to organizations that process, store, or transmit CUI as part of DoD contracts.

This includes:

  • Prime contractors working directly with the DoD
  • Subcontractors providing technical services or products that involve CUI
  • Manufacturers or IT vendors handling sensitive program data
  • MSPs (Managed Service Providers) helping contractors achieve CMMC
  • Professional service firms involved in program management or engineering

If your organization handles CUI, CMMC Level 2 compliance is mandatory prior to contract award. Unlike Level 1, Level 2 will require more formal documentation and could involve a third-party assessment depending on contract requirements.

What Are the CMMC Level 2 Requirements?

CMMC Level 2 includes 110 security requirements across 14 domains, assessed against 320 assessment objectives, mapped directly from NIST SP 800-171 Rev. 2. These practices cover all the foundational protections of Level 1 plus additional controls required for sensitive information. If you

The 14 domains, which correspond to the 14 requirement families of NIST SP 800-171 Rev. 2, are:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Together, these practices create a comprehensive cybersecurity posture that ensures sensitive DoD information is protected against a wide range of threats.

How Organizations Can Achieve CMMC Level 2 Compliance

The first critical step involves defining the assessment scope, which requires identifying every asset, including people, technology, and facilities, that stores, processes, or transmits CUI within the organization’s environment. This scoping exercise is vital for creating a clear boundary between internal networks and external or publicly accessible systems. Once the scope is defined, organizations must develop a formal System Security Plan (SSP). The SSP serves as a foundational document that describes the system boundaries, the operational environment, and the specific methods used to implement each security requirement.

After documenting existing controls, organizations conduct a gap analysis to identify “NOT MET” requirements, which must then be addressed through an operational plan of action and milestones (POA&M). Remediation efforts often focus on high-impact technical areas such as enforcing multifactor authentication (MFA) for all local and network access and ensuring that all cryptography used to protect CUI is FIPS-validated. Beyond technical settings, the organization must establish operational capabilities, such as incident handling procedures that cover preparation, detection, analysis, and recovery. Additionally, personnel must receive role-based training to ensure they understand the security risks associated with their specific duties and can recognize potential indicators of insider threats.

The final stage of the compliance journey is the formal assessment, which varies depending on the specific contract requirements and is required every three years. Some organizations may perform a self-assessment to achieve a Conditional or Final Level 2 (Self) status, while most organizations will require an assessment by a Certified Third-Party Assessment Organization (C3PAO). During these assessments, certified assessors use methods such as interviewing staff, examining specifications like policies and diagrams, and testing technical mechanisms to verify that every assessment objective has been satisfied. To maintain a Final Level 2 status, organizations must not only achieve a “MET” finding on all requirements but also conduct periodic reviews and updates of their SSP and security controls to ensure long-term effectiveness.

How NeQter Labs Helps With CMMC Level 2

Without centralized tools, companies often rely on spreadsheets, manual documentation, and disconnected security systems. At NeQter Labs, we simplify how organizations meet and maintain CMMC Level 2 requirements by combining control implementation and compliance tracking into one platform.

NeQter Core delivers the technical foundation needed for Level 1 through a set of integrated tools. Its SIEM capabilities provide centralized logging and monitoring to support system integrity (SI) and help detect suspicious activity. The vulnerability scanner continuously identifies and helps remediate system weaknesses, supporting ongoing patching and risk reduction. The asset inventory tracker gives you full visibility into the devices and users in your environment, which is critical for enforcing access control (AC) and maintaining secure configurations. Together, these capabilities help implement and maintain key controls across access management, authentication (IA), network protection (SC), and system integrity (SI).

NeQter Comply (included in NeQter Core) then connects those controls directly to all CMMC Level 1 practices, giving you real-time insight into your compliance posture. It highlights gaps, tracks progress, and organizes the evidence needed for annual self-assessments and SPRS reporting.

Together, NeQter Core and NeQter Comply provide a centralized, automated approach to achieving CMMC Level 1—helping you stay compliant, maintain proof, and avoid the complexity of manual processes.

Interested in learning more? Schedule a meeting with us here. 
