CMMC Level 2 compliance automation

As the Department of Defense rolls out the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, organizations across the Defense Industrial Base (DIB) are working to meet the new cybersecurity standards that will soon be required to win and maintain DoD contracts. For contractors that store, process, or transmit Controlled Unclassified Information (CUI), that means achieving CMMC Level 2 compliance.

CMMC Level 2 represents a significant step up in cybersecurity maturity from Level 1. It requires organizations to implement more advanced protections and undergo third-party assessments to validate their security posture. While the process may seem complex, having the right tools and guidance in place can help contractors meet CMMC requirements efficiently and with fewer headaches along the way.

In this guide, we’ll walk through what’s required for CMMC Level 2 compliance, who it applies to, and how a compliance automation platform can help streamline the process. Let’s dive in.

The DoD’s CMMC 2.0 levels

The CMMC framework is divided into three levels. The Department of Defense designed this tiered structure to strike a balance between strengthening cybersecurity across the entire defense supply chain and making compliance achievable for organizations of all sizes, especially small businesses.

Not every contractor handles the same type or volume of sensitive information. A company that builds software for internal DoD use will have very different cybersecurity needs than a subcontractor that simply repairs parts or manages logistics. By tailoring the requirements to the type of data a company handles, the DoD ensures that every organization has to meet an appropriate level of security.

Level 1 (Foundational):

• For DoD contractors handling only FCI
• Aligns with baseline requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21
• Assessed annually via self-assessment

Level 2 (Advanced):

• For contractors handling CUI or Security Protection Data (SPD)
• Aligns with the 110 controls from NIST SP 800-171, as specified by DFARS Clause 252.204-7012
• Assessed by a C3PAO every three years

Level 3 (Expert):

• For contractors handling highly sensitive CUI and facing advanced persistent threats (APTs)
• Includes all Level 2 controls plus 24 additional practices from NIST SP 800-172
• Requires a government-led assessment every three years, conducted by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
• An annual affirmation of compliance with the 24 additional NIST SP 800-172 controls, submitted to the Supplier Performance Risk System (SPRS) by a senior company official.

Which defense contractors and subcontractors need CMMC Level 2?

If your organization works with the DoD and handles CUI, you’ll need to achieve at least CMMC Level 2 certification. This includes both prime contractors and subcontractors that receive, process, store, or transmit CUI on behalf of the government or other contractors.

Unlike Level 1, which only requires an annual self-assessment, most organizations pursuing Level 2 must undergo a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years. In select cases where the information handled is deemed non-critical to national security, the DoD may allow a self-assessment with annual affirmation instead.

What is FCI?

Federal Contract Information (FCI) is any information provided by or generated for the government under contract that isn’t intended for public release. Examples include proposals, progress reports, and internal communications related to DoD contracts. Contractors that handle only FCI must meet the requirements for CMMC Level 1 and complete annual self-assessments.

What is CUI?

CUI is sensitive information the federal government has deemed requires safeguarding but does not rise to the level of classified information. CUI is often related to national security, infrastructure, law enforcement, or other critical functions.

Examples include:

• Export control data
• Technical drawings and blueprints
• Law enforcement records
• HIPAA-regulated health data
• Personally identifiable information (PII)
• Critical defense system specifications

Handling CUI comes with significantly higher compliance responsibilities under CMMC 2.0, which is why Level 2 certification and a third-party assessment is required.

What is SPD?

Security Protection Data (SPD) is information that is generated by or used to configure the assets, information systems, and tools responsible for implementing an organization’s security controls, particularly those required under NIST 800-171 and CMMC Level 2. While SPD doesn’t directly involve CUI, it is critical to the protection of CUI and therefore falls under similar compliance requirements.

Examples of SPD include:

• Configuration files or rule sets from a SIEM or intrusion detection system
• Passwords or credentials that provide access to CUI systems
• VPN or firewall configuration data
• Logs and telemetry from Mobile Device Management (MDM) systems
• Network architecture details maintained by a co-located data center
• Access control settings within a cloud-based identity provider

Assets that store or process SPD are called Security Protection Assets (SPAs). These assets don’t necessarily touch CUI but support the implementation of security practices that protect CUI, so they must be treated with the same level of scrutiny.

SPAs must be listed in your asset inventory, included in your System Security Plan (SSP), and mapped in your network diagram. If an external vendor provides the SPA (e.g., a managed SIEM, hosted firewall, or identity provider), you must also document their service description and collect a Customer Responsibility Matrix (CRM).

When will CMMC Level 2 be enforced?

With the Final Rule published in the Code of Federal Regulations (CFR) and the companion 48 CFR rule finalized, the DoD has begun a phased rollout of CMMC requirements into contracts. This means that CMMC Level 2 requirements are being incorporated into new solicitations, and enforcement of Level 2 is now underway.

• Phase 1: Begins with the effective date of the 48 CFR rule in March 2025. During this phase, the DoD may include CMMC Level 1 or Level 2 self-assessments in solicitations and may require Level 2 third-party certifications for select high-priority acquisitions at its discretion.
• Phase 2: Begins March 2026, one year after Phase 1. At this stage, CMMC Level 2 third-party certifications will be required for applicable contracts.
• Phase 3: Begins March 2027, introducing mandatory CMMC Level 3 certifications for contracts requiring the protection of more sensitive national security information.
• Phase 4: Begins March 2028, marking full implementation of CMMC 2.0 across all relevant DoD contracts.

CMMC Level 2 compliance requirements

At Level 2, the DoD expects contractors to demonstrate a mature and well-documented approach to security, grounded in the 110 controls and associated 320 assessment objectives defined by NIST 800-171. Below, we’ll walk through the key requirements that organizations must implement and maintain to achieve CMMC Level 2 certification.

1. Implement all 110 NIST 800-171 security controls

CMMC Level 2 requirements include all 110 security requirements outlined in NIST 800-171, covering 14 control families:

• Access Control
• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Communications Protection
• System and Information Integrity

The Cyber AB provides a detailed CMMC Level 2 assessment guide that outlines the NIST 800-171 control families and offers implementation guidance, as well as assessment criteria, including 320 assessment objectives, and requirement descriptions. 

2. Create and maintain a System Security Plan (SSP)

Your SSP is a comprehensive document that outlines how your organization meets each of the 110 controls. It should include details on system boundaries, hardware and software inventories, network architecture, and policies. The SSP is a critical document and one of the first things a C3PAO or DoD assessor will review.

3. Develop a Plan of Action and Milestones (POA&M)

If there are any gaps between your current state and full compliance, those should be documented in a POA&M. This document outlines how and when you plan to close those gaps, and you can find a downloadable POA&M template here.

Keep in mind: The CMMC Final Rule makes it clear that a POA&M cannot be used to defer required controls during a certification assessment, they will only give you 180 additional days to remediate the issue and meet that requirement. But even though you can’t be certified with open items on your POA&M, it’s an essential document for tracking issues and prioritizing remediation work as you prepare for assessment.

4. Perform regular risk assessments

You need a documented, repeatable process for identifying, evaluating, and mitigating risks to CUI. This includes assessing threats, vulnerabilities, and potential impacts on your systems. Risk assessments should be updated regularly, or anytime there’s a significant change in your environment.

5. Ensure personnel complete security training

Your team plays a critical role in protecting CUI. That’s why CMMC Level 2 requires security awareness, insider threat, and role-based training for all employees with access to CUI or security systems. Training should cover topics like insider threats, phishing, password hygiene, and incident reporting, and it needs to be reviewed and refreshed at least annually.

6. Document and test your incident response plans

You need a documented incident response plan that outlines how you’ll detect, respond to, and recover from security incidents involving CUI. That plan also needs to be tested regularly (e.g., through tabletop exercises) so your team is prepared when it matters most.

7. Apply role-based access controls

CUI should only be accessible to people who need it to do their jobs. That means implementing the principle of least privilege and assigning access based on user roles. This includes defining roles clearly, limiting administrative privileges, and ensuring access is revoked when employees leave or change roles.

8. Maintain audit logs and continuously monitor systems

Your systems should generate audit logs that track user activity, system changes, and access to sensitive data. More importantly, those logs need to be reviewed regularly for suspicious activity. Automated tools can help here, but human oversight is essential too.

9. Encrypt CUI at rest and in transit

Whether stored on a hard drive or transmitted over the internet, CUI must be encrypted using FIPS-validated cryptographic methods. This protects data even if it falls into the wrong hands. Don’t forget to include mobile devices, backups, and cloud storage in your encryption strategy.

10. Perform regular vulnerability scans and apply patches

You need to continuously evaluate your environment for weaknesses, which includes running vulnerability scans, reviewing the results, and applying patches or other fixes in a timely manner. Unpatched systems are one of the most common ways attackers gain access.

11. Undergo a C3PAO assessment

For most organizations pursuing CMMC Level 2, the next step is a formal, evidence-based assessment conducted by a C3PAO. While a small subset of contractors handling non-critical CUI may be eligible to submit an annual self-assessment with a senior official’s affirmation, the majority will need to complete a full third-party assessment to meet DoD requirements.

Here’s what the assessment process typically looks like:

• Readiness review: An optional pre-assessment to help identify any gaps in your current security posture before the formal audit begins.
• Assessment planning: The C3PAO will define the scope of the assessment, establish timelines, and ensure all documentation and access requirements are in place.
• Formal assessment: C3PAO assessors conduct a comprehensive review of your implementation of all 110 NIST 800-171 controls, evaluating evidence, conducting interviews, and reviewing policies and procedures.
• Remediation (if needed): If any deficiencies or issues are found or controls have not been implemented/met, you’ll document them in your POA&M and address them within 180 days and before certification can be granted.
• Certification decision: Once the assessment is complete and all requirements are met, you’ll receive a certification that is valid for three years—though you’ll still need to submit an annual affirmation of continued compliance.

Note: Self-assessments are permitted only for contracts involving non-critical CUI and must be explicitly allowed by the DoD. When in doubt, confirm the applicable requirements with your contracting officer.

12. Affirm compliance annually

Regardless of whether you’re assessed by a C3PAO or self-assessing, you must submit an annual affirmation that your organization is still meeting the required controls. This affirmation must come from a senior executive and submitted to the SPRS via eMASS to reflect your organization’s ongoing commitment to securing CUI.

CMMC Level 2 compliance automation

Managing hundreds of security controls, organizing assessment evidence, and creating required documents can quickly become a resource-intensive process. Compliance automation software can dramatically reduce that workload by centralizing and automating key compliance tasks such as:

• Gap analysis and readiness assessments
• Continuous monitoring of control performance and compliance posture
• Automated evidence collection and validation with AI
• Role-based access logs and audit trails
• Document management for SSPs, POA&Ms, security policies, and procedures
• Automated risk assessments and vulnerability tracking
• Remediation workflows for failed controls

Automation platforms like Secureframe ensure nothing slips through the cracks and that you're always assessment-ready.

Why Secureframe is the leading solution for CMMC compliance

Secureframe simplifies the complexity of CMMC Level 2 by giving you everything you need in one powerful platform:

• End-to-end CMMC support: Get guided support from former federal auditors and compliance experts to help you meet all 110 controls and 320 assessment objectives of NIST SP 800-171.
• Automated evidence collection: Integrates with your tech stack to collect and organize the documentation needed for a C3PAO assessment.
• SSP and POA&M management: Generate your SSP, POA&M, and SPRS score and simplify control documentation, and access customizable CMMC 2.0 policies and procedures written by former federal auditors.
• AI-powered remediation: When tests fail, Comply AI for Remediation generates recommended fixes as infrastructure-as-code so your team can quickly patch issues.
• Continuous monitoring: Proactively identifies security misconfigurations, gaps, and failing controls across your environment.
• Multi-framework mapping: Accelerate compliance with related frameworks like NIST 800-53, FedRAMP, GovRAMP, CJIS, and more by automatically mapping your CMMC controls to shared requirements.
• In-platform training: Deliver security awareness, insider threat, and role-based training that meets CMMC Level 2 expectations and is always up-to-date.

With Secureframe, defense contractors can reduce the time, cost, and effort required to achieve CMMC Level 2 and stay compliant as cybersecurity requirements evolve.

Ready to see how Secureframe can streamline your path to certification? Schedule a demo with one of our product experts today.