Call now for cybersecurity help: 888-646-1616
Josh Ablett

CMMC Level 2: Compliance Guide for Small & Midsize Businesses

February 1, 2024

With a looming target date for CMMC Level 2 compliance among DoD contractors, the urgency cannot be overstated.

For businesses that have yet to embark on this critical journey, time is of the essence, as the path to compliance can span up to three years for certain organizations.

In this article, we provide clarity, direction, and actionable insights for meeting each of the 110 controls in NIST 800-171 and CMMC 2.

This guidance provides a comprehensive approach that is essential for any company, especially small to midsize businesses, handling Controlled Unclassified Information (CUI).

We aim to offer clarity, direction, and actionable insights so that you can start your compliance journey today, safeguarding your role in the defense contracting landscape.


CMMC is a complex regulation and may undergo changes in the future.

The following document is meant for informational purposes only. It is not meant to serve as definitive CMMC guidance.

You should always follow the official CMMC Assessment Guide.

What is CMMC Level 2?

CMMC Level 2 represents a significant leap in cybersecurity readiness for organizations working with the U.S. Department of Defense (DoD). 


This intermediate level strikes a crucial balance between basic safeguarding (Level 1) and the more complex security requirements of Level 3. 

At its core, CMMC Level 2 is all about enhancing your cybersecurity practices to protect Controlled Unclassified Information (CUI) without overwhelming your organization with complexity. 

Does CMMC Apply To My Organization?

To best answer this, you’re going to want to either review your client contracts or talk to the purchasing managers at your customers. 

If your contracts refer to DFARS 252.204-7012, DFARS 252.204-7020, ITAR, or NIST 800-171, CMMC will likely apply to you.

What Level Applies To Me?

If you handle or receive Controlled Unclassified Information (CUI), then you’ll need to be Level 2. If not, then you can likely aim for Level 1.  Your client purchasing managers should be able to tell you what level you’ll need.


Level 3 places a higher emphasis on protecting Controlled Unclassified Information (CUI), and is unlikely to apply to the small and mid-sized businesses that this resource guide aims to help. 

CMMC Level 2 isn't optional for contracts that include the DFARS 252.204-7012 requirement.

Compared to Level 1, which consists of 15 basic requirements, Level 2 demands compliance with all 110 security controls from NIST SP 800-171. 

This resource guide is focused on complying with Level 2.

Is CMMC A Final Regulation From The DoD?

No, the Cybersecurity Maturity Model Certification (CMMC) is not yet a final regulation from the Department of Defense (DoD) as of 2024. 

The proposed rule for CMMC, unveiled on December 26, 2023, outlines a plan to gradually implement CMMC requirements over three years, with complete adoption targeted by October 1, 2026. 

Following its announcement, the rule awaits finalization after a public commentary period ending on February 24, 2024. Until the rule becomes official, DoD program managers have the discretion to include CMMC requirements in contracts, setting the stage for a phased integration of these standards into contracts involving controlled unclassified information (CUI) or federal contracting information.

What is CUI, and How Do I Know if I Have it?

This entire regulation has been built to safeguard Controlled Unclassified Information (CUI). CUI is a broad term that the Department of Defense (DoD) uses to identify information that is sensitive enough that we don’t want it to fall into an enemy’s hands, but is not classified.

This is an important question because CMMC only applies to systems that contain CUI, and the systems that protect and support them. 

The easiest way to tell if you have CUI is to search for any of the following keywords in your environment:

  • CUI
  • Controlled Unclassified Information
  • Distribution Statements B, C, D, E, or F (and common abbreviations like “distro b” or “distribution c”)
  • Export Controlled
  • Arms Export Control Act

A qualified IT or cybersecurity firm should be able to help you search your cloud systems and local computers for files that contain these keywords.

In the future, the DoD will be more consistently labeling documents with CUI and will be explicitly saying in each contract what CUI you will be given. Until then, this requires a bit of an educated guess.

Also, please keep in mind that your company may be creating CUI, which will also need to follow the standards outlined below.

What are Common Types of CUI?

  • Plans, drawings, specifications
  • Tangible items: models, photographs
  • Procedures, work instructions
  • Paper (e.g., printed travelers)
  • Purchase orders and invoices (in some cases)
  • Emails containing any of the above

Do My Subcontractors Have to Comply?

If you send CUI to subcontractors, then they are also required to comply with CMMC (and have been required to comply with NIST 800-171 since 2017).

It is also likely (though not guaranteed) that the I.T. managed service providers that work with CMMC-compliant firms will also need to be CMMC-compliant themselves.  


You should be taking steps to confirm that they are working on their CMMC compliance.

This will become easier once CMMC audits are fully implemented. In the meantime, here are some tips:

  • Inquire if your subcontractors have uploaded their self-assessment score to SPRS and request details regarding their score.
  • Request that subcontractors provide a screenshot of their SPRS upload for your records.
  • Ask subcontractors to complete a form regarding their NIST 800-171 compliance process, which you may have previously received.

How Much Will CMMC Cost?

This is tough to answer without doing some analysis, so here are some general principles:

  • Even the smallest companies are spending at least $50,000 to move toward CMMC compliance. Considering that the audits are expected to cost tens of thousands of dollars, this isn’t entirely surprising.
  • Much of the cost will be driven by the need to modernize your I.T. infrastructure. If you haven’t implemented many of the recommendations that your I.T. team has made over the past few years, then your costs will be significantly higher.
  • If you’ve kept up with modernizing your technology, then much of the work you’ll need to do is just configuration and policy development. If you hire outside help for this piece, then you can expect it will also cost in the tens of thousands of dollars.

How Long Will CMMC Compliance Take?

This is tough to answer without doing an analysis. Highly motivated companies have finished the process (other than the audit) in 6-9 months with outside help. Some companies, who are having a tough time deciding on large changes, have been working on this for three years and still have a ways to go.

What will the Audit Process look like?

Companies that must comply with CMMC will need to pass an audit every three years.

To get the audit done, companies will need to:

  • Have all of their documentation and evidence ready for the audit
  • Hire a certified C3PAO organization to conduct the audit
  • Participate in the audit, which will likely be a weeks-long process.
  • The pricing of audits is not well-known yet, but they’re expected to be at least $15k-20k.

What are the 110 Security Control Requirements for Level 2?

Level 2 is primarily dedicated to safeguarding Controlled Unclassified Information (CUI) and encompasses the 110 security requirements outlined in NIST SP 800-171 Rev 2, which are further divided into 14 control families.

Access Control (AC)

Involves the management of information access to ensure only authorized users and devices interact with sensitive data. It includes encryption, monitoring remote access, session termination due to inactivity, and login attempt limits. Its core purpose is to protect data confidentiality and integrity by regulating access.

Learn access control for CMMC Level 2 Compliance

Awareness and Training (AT)

Involves educating personnel about security risks and explaining the policies and procedures in place to manage them. It empowers individuals to make informed decisions and enhances overall security awareness.

Learn Awareness and Training for CMMC Level 2 Compliance

Audit and Accountability (AU)

Entails preserving secure information system audit records that track system usage. These records trace actions back to specific users for accountability when needed, supporting effective incident investigations and security management.

Learn Audit and Accountability for Level 2 Compliance

Configuration Management (CM)

Involves establishing, maintaining, and enforcing configurations across the entire lifecycle of an information system. This process ensures that the system remains consistently configured and adheres to established standards, enhancing its reliability and security.

Learn Configuration Management for Level 2 Compliance

Identification and Authentication (IA)

Verifying and confirming users' identities is a prerequisite for granting access to organizational information systems. This process is fundamental in ensuring that only authorized individuals gain entry to these systems.

Learn Identification and Authentication for Level 2 Compliance

Incident Response (IR)

Involves testing and implementing capabilities to prepare for, detect, analyze, contain, recover from, and respond to security incidents. This comprehensive approach ensures organizations are well-equipped to handle and mitigate incidents.

Learn Incident Response for Level 2 Compliance

Maintenance (MA)

Encompasses the practice of maintaining information systems and implementing necessary controls to verify and oversee the actions of personnel responsible for this maintenance. This ensures that the systems are properly cared for and that maintenance activities adhere to established protocols.

Learn Maintenance for Level 2 Compliance

Media Protection (MP)

Involves the secure storage of information system media that contains both paper and digital Controlled Unclassified Information (CUI). Additionally, it entails the use of secure procedures to sanitize and properly dispose of CUI.

Learn Media Protection for Level 2 Compliance

Personnel Security (PS)

Requires screening of all individuals who will access information systems containing Controlled Unclassified Information (CUI). Additionally, it mandates the timely revocation of access privileges in cases of transfer or termination.

Learn Personnel Security For Level 2 Compliance

Physical Protection (PE)

Entails the restriction of physical access to information systems. It involves the implementation of physical security controls and monitoring to safeguard these systems. This ensures that only authorized personnel can physically access the systems and that they are protected from unauthorized entry or tampering through effective security measures.

Learn Physical Protection For Level 2 Compliance

Risk Assessment (RA)

Involves the continuous process of evaluating and assessing risks and vulnerabilities in information systems that handle Controlled Unclassified Information (CUI). 

Learn Risk Assessment For Level 2 Compliance

Security Assessment (CA)

Requires the periodic evaluation of security controls to assess their effectiveness. This process involves testing the controls, replacing any that are found to be deficient, and implementing continuous monitoring to ensure that the security measures remain effective over time. 

Learn Security Assessment For Level 2 Compliance

System and Communications Protection (SC)

Involves enabling secure communication between information systems. This practice ensures that data and information can be exchanged between systems in a manner that preserves its confidentiality, integrity, and availability, safeguarding it from unauthorized access or interception during transmission.

Learn System and Communications Protection For Level 2 Compliance

System and Information Integrity (SI)

Requires continuous monitoring of information systems to safeguard against malicious code, detect and report vulnerabilities or flaws, and respond appropriately to security alerts. 

Learn System and Information Integrity For Level 2 Compliance

Getting Started With CMMC Level 2 Compliance (Scoping) 

One of the most important parts of a CMMC project is to accurately identify the scope of the project. 

Not only will this save you time and money by reducing the size and complexity of your audit, but it will also increase the likelihood of success during the CMMC audit, as the auditors will have fewer systems to examine.

CMMC only applies to the parts of your business that have CUI.

Figuring out what CUI you have and where it’s stored is the most important part of your CMMC project.

Let me explain why using two examples:

  • Example #1 - One company we know has CUI everywhere. It’s in their emails, their files (paper and electronic), their ERP system, out on the shop floor, everywhere. They’ve had to make the whole company CMMC-compliant, which is quite expensive.
  • Example #2 - Another company we know has CUI in an enclave. It’s a locked room that only a few trusted people can access, and it has computer systems that are configured to CMMC standards. Before CUI goes out on the shop floor, it’s redacted. They’ve been able to spend much less on CMMC compliance.

As you work on this project, always ask yourself if there’s a way to restrict access to CUI.

Better yet, figure out how to limit the places where it’s stored and handled, and possibly even redact the parts that make it CUI.

What Should I Focus on? (Top 10 Priorities For Compliance)

As you delve into the 110 requirements for CMMC compliance, it can be an overwhelming prospect.

Here are the Top 10 sections that will drive much of the cost and complexity of your CMMC project. 

We recommend focusing on these initially:

  1. Start scoping your migration to Microsoft 365 GCC or GCC High, or your plans to build an enclave.
  2. Identify all CUI and ITAR data, and start mapping out where it is stored and who should have access to it. Make sure to include all cloud systems and any home-grown systems. See AC.L2-3.1.3 – CONTROL CUI FLOW).
  3. Work with your I.T. team to confirm that your network and backup gear (firewalls, switches, routers, WiFi, etc.) can meet all of the following requirements: AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION, MP.L2-3.8.9 – PROTECT BACKUPS, SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION, SC.L2-3.13.6 – NETWORK COMMUNICATION BY EXCEPTION, SC.L2-3.13.11 – CUI ENCRYPTION, and SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY.
  4. Work with your IT team or cybersecurity provider to find a Managed Security Service Provider (MSSP) or Security Operations Center (SOC) vendor to meet all of the requirements in Audit and Accountability (AU).
  5. Work with your I.T. team or cybersecurity provider to install an enterprise-class vulnerability scanner so you can see how big of a challenge you’ll have for CM.L2-3.4.1 – SYSTEM BASELINING and RA.L2-3.11.2 – VULNERABILITY SCAN.
  6. Work with your I.T. team to figure out how to implement Multi-Factor Authentication (MFA) across all computers, networks, cloud systems, and remote access (see IA.L2-3.5.3 – MULTI-FACTOR AUTHENTICATION).
  7. Figure out what kind of physical changes need to be made to your facilities to ensure that unapproved people can’t access paper or electronic CUI without being escorted (see Physical Protection (PE)).
  8. Set up your users (on local computers, servers, and cloud systems) so that they use non-privileged Standard accounts for their day-to-day work (see AC.L2-3.1.6 – NON-PRIVILEGED ACCOUNT USE).
  9. If you have employees who work from home, from client sites, or generally on the road, start thinking about how you will address the security of PE.L2-3.10.6 – ALTERNATIVE WORK SITES
  10. Start building your Plan of Action & Milestones, or POAM (see CA.L2-3.12.2 – PLAN OF ACTION). This is a project plan of how you plan to address all 110 requirements. At the same time, come up with your game plan for how you will build your System Security Plan (SSP, see CA.L2-3.12.4 – SYSTEM SECURITY PLAN). Many companies choose to work with an external consultant to build their SSP.

Pro Tip: Working through this Top 10 list is a great way to get started and test how well you’ll be able to manage CMMC compliance using your existing team. If you find this list overwhelming or difficult, it might make sense to hire a CMMC expert (called a Registered Practitioner) to help you with your efforts. 

CMMC Requirements For Emails And File Sharing

Most companies are already using Microsoft 365.

Unfortunately, according to this Microsoft post, the commercial version of Microsoft 365 cannot be used by companies looking to comply with CMMC.

You will need to migrate to one of two different “Government Community Cloud” (GCC) versions:

  • If you only handle CUI but not ITAR, you can use the standard GCC version. This can be purchased through many good I.T. companies.
  • If you handle CUI and ITAR, you’ll need to move to the higher-security GCC High version. This can only be purchased through dedicated government resellers like LiftOff (or others listed on this Microsoft site).

GCC and GCC High are more expensive than the normal version of Microsoft 365 (20-100% more per license), and we recommend looking into this as one of the first things that you do in this project.

However, if you plan to build an enclave, there may be a less expensive option. Systems like Preveil offer a more affordable way (~$20-30/user/month) to handle secure email and secure document sharing, but it wouldn’t be appropriate for an entire company. If you are planning to build an enclave, take a look at Preveil, an enclave is a CMMC-compliant repository that segregates CUI from a larger organization.

Where Do I Go From Here?

If you're eager to dive deeper into the world of CMMC Level 2 compliance and explore the 110 security controls, you're in the right place. 

Below, you'll find links to our comprehensive guides, each dedicated to helping you master these essential controls, ensuring your organization is well-prepared for the journey ahead. 

How Can I Get Help?

Are you a DoD contractor grappling with the challenges of securing government contracts? 

Compliance complexities, security threats, and budget constraints can weigh you down.

Our team, led by CMMC Registered Practitioner Josh Ablett, specializes in providing expert guidance and hands-on support to help you navigate the intricacies of compliance, so you can focus on what you do best.

Build a Robust SSP: Your System Security Plan (SSP) is the backbone of your compliance efforts. Let us help you create a comprehensive, customized SSP that aligns with CMMC Level 2 requirements.

Manage Your POAM: Plan of Action and Milestones (POAM) can be daunting. Our experts will assist you in developing and managing an effective POAM, ensuring you're always on the right track.

Stay Ahead of the Curve: With Adelia Risk, you'll have the guidance and support you need to continually adapt to evolving cybersecurity standards and emerging technologies.

Contact us today to learn more about how our vCISO service can help you thrive in the world of DoD contracting.

Leave a Reply

Your email address will not be published. Required fields are marked *

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
Copyright 2024 Adelia Associates, LLC | All Rights Reserved