
CMMC Level 2 Compliance: How to Meet Requirements + Checklist
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
As of November 10, 2025, CMMC requirements have officially begun appearing in Department of Defense (DoD) contracts—ending years of anticipation and making compliance a contractual obligation, not an optional initiative. Yet the majority of the Defense Industrial Base (DIB) is still unprepared.
According to Redspin’s second annual report on the state of DIB readiness, only 28.7% of organizations have completed a Level 2 assessment with a certified assessor. Many more organizations (nearly 37%) still aren’t scheduled for one or don’t know their next step. Yet, almost half (47%) have already received flow-down requests from primes.
Most contractors that handle sensitive defense information are now racing to meet Level 2 requirements, complete scoping, remediate gaps, and prepare for third-party assessments that are already booking far out. While this process may seem complex, having the right tools and guidance in place can help contractors meet CMMC requirements efficiently and with fewer headaches along the way.
As part of our commitment to provide those tools and guidance, we’ve created this guide to break down everything you need to know, including what CMMC Level 2 compliance requires, who needs it and when, and how to streamline the process.
If you’re new to CMMC, check out our on-demand webinar that explains what this framework requires, who it applies to, and how to get certified.
The CMMC 2.0 Levels: How do Level 2 requirements compare to other levels?
The CMMC framework is divided into three levels. The DoD designed this tiered structure to strike a balance between strengthening cybersecurity across the entire defense supply chain and making compliance achievable for organizations of all sizes, especially small businesses.
Not every contractor handles the same type or volume of sensitive information. A company that builds software for internal DoD use will have very different cybersecurity needs than a subcontractor that simply repairs parts or manages logistics. By tailoring the requirements to the type of data a company handles, the DoD ensures that every organization has to meet an appropriate level of security.
The DoD defined CMMC level requirements in the CMMC Level Determination Guide released in a memo in January 2025.
CMMC Level 1 is the most basic level of cybersecurity posture for organizations handling the least sensitive type of defense information, known as Federal Contract Information (FCI). This includes proposals, progress reports, and internal communications related to defense contracts. The DoD expects approximately 63% of the DIB to fall under Level 1.
CMMC Level 2 represents a significant step up in cybersecurity maturity from Level 1. It requires organizations to implement more advanced protections and typically undergo third-party assessments to validate their security posture. The DoD expects approximately 37% of the DIB to fall under Level 2.
CMMC Level 3 represents the most advanced cybersecurity practices and is reserved for contractors that must safeguard CUI associated with mission critical or unique technologies and programs. The DoD expects less than 1% of the DIB to fall under Level 3.

Here’s a recap of each level’s security and assessment requirements:
Level 1 (Foundational):
- For DoD contractors handling only FCI
- Aligns with 15 baseline requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21
- Assessed annually via self-assessment
Level 2 (Advanced):
- For contractors handling CUI
- Aligns with the 110 requirements from NIST SP 800-171, as specified by DFARS Clause 252.204-7012
- Assessed by a C3PAO (most likely) or via self-assessment every three years
Level 3 (Expert):
- For contractors handling highly sensitive CUI and facing advanced persistent threats (APTs)
- Includes all Level 2 requirements plus 24 additional practices from NIST SP 800-172
- Requires a government-led assessment every three years, conducted by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Recommended reading
Why is CMMC Important? Benefits of CMMC Certification
Which defense contractors and subcontractors need CMMC Level 2?
If your organization works with the DoD and handles Controlled Unclassified Information (CUI), you’ll need to achieve at least CMMC Level 2 certification. This includes both prime contractors and subcontractors that receive, process, store, or transmit CUI on behalf of the government or other contractors.
What is CUI?
CUI is sensitive information that the federal government has determined requires safeguarding but that does not rise to the level of classified information. More sensitive in nature than FCI, CUI is often related to national security, infrastructure, law enforcement, or other critical functions.
Examples include:
- Export controlled information
- Technical drawings and blueprints
- Law enforcement records
- HIPAA-regulated health data
- Personally identifiable information (PII)
- Critical defense system specifications
- Security protection data
Documents that contain CUI are often marked with DoD distribution statements, which must be properly safeguarded according to a combination of DoD directives, DFARS clauses, and broader federal regulations.
Since handling CUI comes with significantly higher compliance responsibilities under CMMC, Level 2 compliance and, typically, a third-party assessment are required.

Recommended reading
Who Needs CMMC Certification?
CMMC Level 2 assessment
Unlike Level 1, which only requires an annual self-assessment, most organizations pursuing Level 2 must undergo a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years.
In select cases where the information handled is deemed non-critical to national security, the DoD may allow an annual self-assessment.
According to DoD estimates, approximately 80,000 DIB organizations will need to complete a Level 2 certification. 95% will require a C3PAO-conducted Level 2 assessment. Only 5%—approximately 4,000 organizations—handling non-critical CUI may qualify for self-assessments.

Image Source: Impact and Cost Analysis of the Revised CMMC Program in 32 CFR rule
As defined in the DoD’s CMMC Level 2 Assessment Guide, a Level 2 assessment involves testing or evaluating your organization’s security controls to determine the extent to which the controls are:
- implemented correctly,
- operating as intended, and
- meeting the 110 security requirements and 320 assessment objectives in NIST SP 800-171 Revision 2.
Since these assessments are intended to provide increased assurance to the DoD that an organization can adequately protect CUI at a level commensurate with the adversarial risk, assessment results, along with your score and an annual affirmation of compliance, must be submitted in the Supplier Performance Risk System (SPRS). Those with a passing score will achieve a current CMMC Level 2 status. DoD program managers and prime contractors must verify you have this status prior to awarding or renewing your contract.
Those who have fully implemented all requirements and have a score of 110 will achieve a Final Level 2 (Self) or Final Level 2 (C3PAO) status.
Those with a score between 88 and 109 can achieve a conditional CMMC Level 2 status as long as any unmet requirements are documented in a Plan of Action and Milestones (POA&M) and are not listed as prohibited in 32 CFR 170.21(a)(2)(iii). These POA&M items must be remediated no later than six months after the conditional status was issued to achieve a final Level 2 certification—otherwise, the CMMC status will expire.
You can see all the requirements for CMMC Level 2 and how they’re calculated in your SPRS score in the Requirement Explorer tool on CMMC.com.
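To make the scoring and status rules above concrete, here is an added Python example (not Secureframe's tooling or the DoD's own calculator) that computes an SPRS score from per-requirement results and applies the Final/Conditional rules exactly as stated in this section. The 1/3/5-point weights, the sample requirement IDs, and the short prohibited list are assumed sample data, not values from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110          # perfect SPRS score: every requirement met
CONDITIONAL_FLOOR = 88   # lowest score that can still yield Conditional status
REMEDIATION_WINDOW = timedelta(days=180)  # window to close POA&M items

# Constructed subset of requirements that may NOT sit on a POA&M. Illustrative
# only; the authoritative list is in 32 CFR 170.21(a)(2)(iii).
PROHIBITED_ON_POAM = frozenset({"3.1.20", "3.1.22"})


@dataclass
class Requirement:
    req_id: str            # NIST SP 800-171 numbering, e.g. "3.1.1"
    points: int            # 1, 3 or 5 under the DoD Assessment Methodology (assumed)
    met: bool              # assessor result: MET (True) or NOT MET (False)
    in_poam: bool = False  # is the unmet item documented in the POA&M?


def sprs_score(reqs):
    """SPRS score: start at 110 and subtract each unmet requirement's points."""
    return MAX_SCORE - sum(r.points for r in reqs if not r.met)


def level2_status(reqs, prohibited=PROHIBITED_ON_POAM):
    """Return (score, status) following the rules quoted in the article."""
    score = sprs_score(reqs)
    unmet = [r for r in reqs if not r.met]
    if not unmet:
        return score, "Final"           # 110: Final Level 2 (Self or C3PAO)
    if score < CONDITIONAL_FLOOR:
        return score, "Not eligible"    # below 88: no conditional status
    if any(not r.in_poam for r in unmet):
        return score, "Not eligible"    # every gap must be in the POA&M
    if any(r.req_id in prohibited for r in unmet):
        return score, "Not eligible"    # prohibited items cannot be deferred
    # Note: 32 CFR 170.21 also limits which point values may go on a POA&M;
    # that additional restriction is not modelled here.
    return score, "Conditional"


def conditional_expired(issued, today, poam_closed):
    """Conditional status lapses if the POA&M is still open after the window."""
    return (not poam_closed) and today > issued + REMEDIATION_WINDOW


def sample_assessment(unmet_ids, poam_ids):
    """Build a constructed assessment result and evaluate it.

    Nine sample requirements with assumed point values; anything not listed
    in unmet_ids is treated as MET.
    """
    weights = {"3.1.1": 5, "3.1.20": 1, "3.1.22": 1, "3.3.5": 5, "3.5.3": 5,
               "3.7.1": 3, "3.8.9": 1, "3.12.1": 5, "3.13.11": 5}
    reqs = [Requirement(rid, pts, rid not in unmet_ids, rid in poam_ids)
            for rid, pts in weights.items()]
    return level2_status(reqs)


def sample_expiry_checks():
    """Constructed dates: conditional status issued 2025-11-10 (180 days -> 2026-05-09)."""
    issued = date(2025, 11, 10)
    return (conditional_expired(issued, date(2026, 5, 1), False),   # still inside window
            conditional_expired(issued, date(2026, 5, 20), False),  # window passed, POA&M open
            conditional_expired(issued, date(2026, 5, 20), True))   # window passed, POA&M closed


if __name__ == "__main__":
    print(sample_assessment(set(), set()))                             # (110, 'Final')
    print(sample_assessment({"3.3.5", "3.8.9"}, {"3.3.5", "3.8.9"}))  # (104, 'Conditional')
    print(sample_assessment({"3.1.20"}, {"3.1.20"}))                   # (109, 'Not eligible')
    print(sample_assessment({"3.12.1"}, set()))                        # (105, 'Not eligible')
    print(sample_expiry_checks())                                      # (False, True, False)
```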
Recommended reading
SPRS and CMMC: How to Get a Current CMMC Status to Stay Eligible for DoD Contracts After November 2025
When will CMMC Level 2 be enforced?
Since Phase 1 of the CMMC rollout kicked off on November 10, 2025, DoD program managers and prime contractors are already embedding or flowing down CMMC Level 2 requirements in solicitations and contract awards across the defense supply chain.
While this phase of enforcement is focused primarily on self-assessments for Levels 1 and 2, some high-priority contracts may require C3PAO assessments for Level 2 at this time. During the CyberAB town hall on November 18, a Department PMO representative confirmed that Level 2 (C3PAO) requirements are already showing up in real solicitations.
This enforcement is happening while readiness remains critically low. Out of the roughly 80,000 organizations estimated to ultimately require CMMC Level 2, fewer than 0.6% (only 459 organizations) had achieved certification as of the November town hall.
To ensure you understand and are prepared for the different CMMC deadlines, here’s an overview of what to expect during each phase of enforcement:
Phase 1 (Started November 10, 2025)
- CMMC Level 1 and Level 2 assessment requirements are now being inserted into new DoD solicitations.
- Level 2 (C3PAO) requirements are appearing in priority acquisitions.
Phase 2 (November 10, 2026)
- All applicable Level 2 contractors must complete a C3PAO assessment
- Eligibility for Level 2 self-assessment narrows to the ~2% handling non-critical CUI
Phase 3 (November 10, 2027)
- Level 3 assessments begin for highest-sensitivity programs.
Phase 4 (November 10, 2028)
- Full implementation across the DIB.

Recommended reading
The Complete Rulemaking Process for CMMC, Explained
CMMC Level 2 compliance requirements
At Level 2, the DoD expects contractors to demonstrate a mature and well-documented approach to security, grounded in the 110 requirements and associated 320 assessment objectives defined by NIST 800-171. Below, we’ll walk through the key requirements that organizations must implement and maintain to achieve CMMC Level 2 certification.
1. Define scope
Before you implement controls or take other readiness steps, you first need a clear picture of what’s in scope for a CMMC Level 2 assessment. At this level, scoping is about identifying where CUI lives, how it flows through your environment, and which assets can affect its security.
As defined in 32 CFR § 170.19(c)(1), the following asset categories will be assessed for a Level 2 assessment:
- CUI assets: Systems that directly process, store, or transmit CUI. These are the core focus of your implementation and are assessed against all Level 2 requirements.
- Security Protection Assets (SPAs): Tools and systems (e.g., firewalls, SIEM, MDM, IAM, SOC services) that enforce or support security controls for CUI assets and the CUI environment. While these don’t necessarily touch CUI, SPAs often handle SPD such as configs, logs, and credentials. They may be assessed against relevant Level 2 requirements, depending on their security functions, capabilities, and FedRAMP authorization status.
- Contractor Risk Managed Assets (CRMAs): Assets that could access CUI or SPD but are not intended to and are restricted by risk-based policies, segmentation, or technical controls. If they’re properly risk-managed and documented in your SSP, they may not be assessed against the other Level 2 requirements, or may be assessed only through limited checks.
- Specialized assets: Operational Technology (OT) systems, IoT/IIoT devices, government-furnished equipment, and other hard-to-secure systems that may interact with CUI. These must be documented and explained in your SSP and data flow diagrams, but are not fully assessed against other CMMC requirements.
- Out-of-scope assets: Systems that do not store, process, transmit, or protect CUI or SPD. These don’t need to be evaluated, but you must be able to justify why they’re excluded.
Scoping your environment is a crucial first step toward CMMC certification, and getting it wrong can result in unnecessary work and costs. To ensure you get this step right, consult the DoD’s CMMC Level 2 Scoping Guidance or check out our on-demand webinar led by an expert with actual experience scoping for a CMMC Level 2 assessment.
2. Implement all 110 NIST 800-171 security requirements
CMMC Level 2 requirements include all 110 security requirements and 320 assessment objectives outlined in NIST 800-171. These span 14 control families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
On average, an organization will need to implement over 450 controls to fully meet these requirements, but the exact number will depend on the assessment scope, size of the organization, current level of cybersecurity maturity, and other factors.
Consult the DoD’s CMMC Level 2 assessment guide for a description of all the requirements in each NIST 800-171 control family as well as implementation guidance and assessment criteria.
3. Create and maintain a System Security Plan (SSP)
Your SSP is a comprehensive document that outlines how your organization meets each of the 110 requirements. It should include details on system boundaries, hardware and software inventories, network architecture, and policies like a CUI policy.
The SSP is a critical document that’s often hundreds of pages long and one of the first things a C3PAO or DoD assessor will review.
Recommended reading
How to Write a System Security Plan for CMMC + SSP Template
4. Develop a Plan of Action and Milestones (POA&M)
If there are any gaps between your current state and full compliance, those should be documented in a POA&M. This document outlines how and when you plan to close those gaps, and you can find a downloadable POA&M template here.
Keep in mind: The CMMC Final Rule makes it clear that a POA&M cannot be used to defer required controls during a certification assessment; it only gives you 180 additional days to remediate the issue and meet that requirement. But even though you can’t be certified with open items on your POA&M, it’s an essential document for tracking issues and prioritizing remediation work as you prepare for assessment.
5. Perform regular risk assessments
You need a documented, repeatable process for identifying, evaluating, and mitigating risks to CUI. This includes assessing threats, vulnerabilities, and potential impacts on your systems. Risk assessments should be updated regularly, or anytime there’s a significant change in your environment.
6. Ensure personnel complete security training
Your team plays a critical role in protecting CUI. That’s why CMMC Level 2 requires security awareness, insider threat, and role-based training for all employees with access to CUI or security systems. Training should cover topics like insider threats, phishing, password hygiene, and incident reporting, and it needs to be reviewed and refreshed at least annually.
7. Document and test your incident response plans
You need a documented incident response plan that outlines how you’ll detect, respond to, and recover from security incidents involving CUI. That plan also needs to be tested regularly (e.g., through tabletop exercises) so your team is prepared when it matters most.
8. Apply role-based access controls
CUI should only be accessible to people who need it to do their jobs. That means implementing the principle of least privilege and assigning access based on user roles. This includes defining roles clearly, limiting administrative privileges, and ensuring access is revoked when employees leave or change roles.
9. Maintain audit logs and continuously monitor systems
Your systems should generate audit logs that track user activity, system changes, and access to sensitive data. More importantly, your systems need to be continuously monitored and those logs need to be reviewed regularly for suspicious activity. Automated tools can help here, but human oversight is essential too.
10. Encrypt CUI at rest and in transit
Whether stored on a hard drive or transmitted over the internet, CUI must be encrypted using FIPS-validated cryptographic methods. This protects data even if it falls into the wrong hands. Don’t forget to include mobile devices, backups, and cloud storage in your encryption strategy.
11. Perform regular vulnerability scans and apply patches
You need to continuously evaluate your environment for weaknesses, which includes running vulnerability scans, reviewing the results, and applying patches or other fixes in a timely manner. Unpatched systems are one of the most common ways attackers gain access.
12. Undergo a C3PAO assessment
For most organizations pursuing CMMC Level 2, the next step is a formal, evidence-based assessment conducted by a C3PAO.
Here’s what the assessment process typically looks like:
- Readiness review: An optional pre-assessment to help identify any gaps in your current security posture before the formal audit begins.
- Assessment planning: The C3PAO will define the scope of the assessment, establish timelines, and ensure all documentation and access requirements are in place.
- Formal assessment: C3PAO assessors conduct a comprehensive review of your implementation of all 110 NIST 800-171 controls, evaluating evidence, conducting interviews, and reviewing policies and procedures.
- Remediation (if needed): If any deficiencies or issues are found or controls have not been implemented/met, you’ll document them in your POA&M and address them within 180 days and before certification can be granted.
- Certification decision: Once the assessment is complete and all requirements are met, you’ll receive a certification that is valid for three years—though you’ll still need to submit an annual affirmation of continued compliance.
Note: Self-assessments are permitted only for contracts involving non-critical CUI and must be explicitly allowed by the DoD. When in doubt, confirm the applicable requirements with your contracting officer.
13. Affirm compliance annually
Regardless of whether you’re assessed by a C3PAO or self-assessing, you must submit an annual affirmation that your organization is still meeting the required controls. This affirmation must come from a senior executive and be submitted to the SPRS via eMASS to reflect your organization’s ongoing commitment to securing CUI.

CMMC Level 2 Compliance Checklist
Use this checklist of CMMC Level 2 requirements to organize your compliance efforts, identify gaps, and implement controls in preparation for your certification assessment.
The true cost of CMMC level 2 compliance
According to the DoD’s regulatory impact analysis, the estimated costs for preparing, conducting, and reporting CMMC Level 2 assessments are as follows:
- Level 2 self-assessment: $37,000–$49,000 every three years
- Level 2 certification (third-party): $104,000–$118,000 every three years
In response to public comment feedback on the interim CMMC rule indicating that cost estimates were too low, these estimates now account for outsourced services and more time dedicated to preparing for the assessment and completing administrative tasks like submitting assessment results to the SPRS. However, they are still likely low, since they still do not account for the far more resource-intensive work of implementing, remediating, and maintaining the security requirements themselves.
That’s because the DoD assumes organizations have already implemented the security requirements for CMMC Level 2, which have been prescribed in the existing DFARS 7012 regulation since 2017.
However, this is likely not true for many organizations given that one of the catalysts of the entire CMMC program was a report from the DoD Inspector General (IG) in 2019 uncovering widespread noncompliance with DoD-mandated cybersecurity requirements, which has been supported by more recent reports. For example, in CyberSheath’s 2025 State of the DIB on CMMC Compliance report released in October, only 1% of defense contractors said they felt fully prepared for upcoming CMMC assessments.
As a result of this lack of readiness, many organizations will need to factor in the one-time cost of implementing CMMC Level 2 security requirements and the recurring costs of maintaining these requirements and remediating POA&Ms for any unimplemented ones.
While these cost estimates are not included in the DoD’s regulatory impact analysis for Level 2, they are for CMMC Level 3 certification. According to DoD estimates, Level 3 organizations may face $2.7 million to $21.1 million in one-time implementation costs and $490,000 to $4.12 million in recurring annual maintenance costs.
Although most DIB organizations will never pursue Level 3 and Level 2 security requirements are less complex, these Level 3 cost projections help emphasize the gap between the DoD’s assessment-only estimates and the true cost of compliance when factoring in the implementation and maintenance of security requirements.
The true total cost of CMMC Level 2 compliance is likely double or triple the DoD’s cost estimate, ranging from $100,000-$200,000 at least.

This estimated range is supported by Redspin’s most recent survey, which showed that the vast majority of DIB organizations spent upwards of $100,000 getting ready for CMMC:
- 26% spent between $100,000-$250,000
- 32% spent more than $250,000
- 15% spent more than $500,000
Recommended reading
How Much Does CMMC 2.0 Certification Cost?
CMMC Level 2 compliance automation tools
Managing hundreds of security controls, organizing assessment evidence, and creating required documents can quickly become a resource-intensive and costly process.
While consultants can help shoulder the operational burden, they typically don’t reduce the manual effort and drive up costs related to compliance. Traditional federal tools are another option to simplify parts of the process, but are typically limited to documenting your point-in-time compliance status and planning remediation.
That’s why many organizations are turning to CMMC Level 2 compliance automation tools. These tools can dramatically reduce the cost and complexity of getting CMMC ready by centralizing and automating key compliance tasks, such as:
- Gap analysis and readiness assessments
- Automated evidence collection and validation with AI
- Role-based access logs and audit trails
- Document management for SSPs, POA&Ms, security policies, and procedures
- Automated risk assessments and vulnerability tracking
- Remediation workflows for failed controls
- Continuous monitoring of control performance and compliance posture
However, these tools are not all alike. Traditional GRC tools are typically not aligned to CMMC and can’t automate much of the process.
That’s why the best platform to achieve certification is an end-to-end CMMC solution that’s purpose-built for DIB organizations to streamline documentation, track remediation, and ensure continuous compliance to maintain contract-eligibility year-round.
Best platform to achieve CMMC Level 2 certification
Secureframe is the best platform to achieve CMMC Level 2 certification at a fraction of the time and cost. When done manually, CMMC Level 2 certification typically takes 6–12+ months and costs upwards of $100,000. With Secureframe, defense contractors can cut that time in half while saving hundreds of thousands of dollars.
Secureframe gives you everything you need to fast-track readiness and maintain compliance in one powerful platform. Key features include:
- Support from experts with first-hand experience: One of Secureframe’s biggest differentiators is that we’re not just building and offering federal tooling—we’ve gone through a CMMC Level 2 certification assessment ourselves. That means we understand the complexity, pressure, and nuance of preparing for this level and use this first-hand experience to develop and improve the Secureframe platform and help customers navigate the process. We have over 25 CMMC Registered Practitioners (RPs) and have been listed as a CMMC Registered Practitioner Organization (RPO) in the CyberAB Marketplace since March 2025.
- Automated Evidence Collection: One of the biggest challenges with CMMC Level 2 is the amount of documentation required to prove compliance. Secureframe automates evidence collection across your tech stack—including AWS GovCloud, Azure Government, Google Workspace, Microsoft GCC High, and other government cloud services—so you can continuously pull artifacts from systems and reduce manual effort. This ensures your documentation stays current and assessment-ready.
- System Security Plan (SSP) Builder: Secureframe makes it easy to generate and maintain your SSP, along with your policies, procedures, POA&Ms and other documentation in one place. Your SSP is mapped to the 110 requirements and 320 assessment objectives of Level 2 and automatically filled in with data from your controls, vendors, policies, and other modules in the Secureframe platform. Our own SSP was over 150 pages, and that was for a small boundary—so this feature alone saves our customers hundreds of hours.
- POA&M Management: If any controls aren’t fully met during your prep or Level 2 assessment, our platform helps you generate and manage a Plan of Action & Milestones (POA&M). You can assign remediation owners, track deadlines, and ensure all open items are addressed before the clock runs out for your assessment or conditional certification.
- SPRS Scoring Tool: Secureframe also automatically tracks and calculates your SPRS score based on the implementation status of each CMMC Level 2 requirement and its assessment objective(s). Maintaining an accurate and defensible SPRS score is key to readiness, especially ahead of contract award timelines.
- Asset, Vendor, and Risk Management: Secureframe integrates with your infrastructure to automatically discover in-scope assets and link them to required CMMC practices. You can also inventory and track vendors—especially those storing or transmitting CUI or providing security functions—to ensure they meet flowdown requirements. And you can assess, manage, and remediate risk to those assets and vendors using our automation and AI workflows.
- Policy Templates & Control Mapping: We provide pre-built policy templates aligned to the CMMC domains, which you can tailor to your environment. Each policy is mapped directly to the relevant control and test objective, helping you meet documentation requirements faster and with less guesswork.
- In-platform training: Deliver security awareness, insider threat, and role-based training that meets CMMC Level 2 expectations and is always up-to-date—directly in the platform.
- Cross-Framework Mapping: Many DIB contractors need to comply with multiple frameworks—like SOC 2, ISO 27001, NIST 800-53, and FedRAMP. Secureframe maps overlapping controls across frameworks so your efforts scale. This saves time, reduces duplication, and streamlines evidence collection across all your compliance initiatives.
- Auditor Module for C3PAOs: Finally, our platform includes a dedicated Auditor Module, which allows C3PAOs to securely review your evidence and documentation in-platform—reducing the back-and-forth and improving audit efficiency. This is especially valuable for CMMC, where audit timelines can be tight and collaboration is critical.
Ready to see how Secureframe can streamline your path to Level 2 certification? Schedule a demo with one of our product experts today.
This post was originally published in May 2025 and has been updated for accuracy and comprehensiveness based on the latest CMMC rulemaking and industry news.
FAQs
What are the CMMC Level 2 requirements?
CMMC Level 2 requirements for a final certification are:
- Implementing controls to meet all 110 security requirements and 320 assessment objectives from NIST 800-171 R2 designed to protect CUI in non-federal systems.
- Achieving a MET result for all NIST 800-171 R2 requirements during an assessment, resulting in a maximum score of 110, every three years
- Submitting self-assessment results and score into the SPRS or having the C3PAO post results into the CMMC instantiation of eMASS
- Submitting an executive affirmation of compliance into the SPRS annually
How many controls are in CMMC 2.0 Level 2?
Typically, an organization will need to implement over 400 controls on average to meet the 110 requirements and 320 assessment objectives for CMMC Level 2. The exact number of controls you implement to fully meet this level’s security requirements may vary depending on your assessment scope and the complexity of your infrastructure and organization.
How to get CMMC 2.0 Level 2 certification?
To get CMMC Level 2 certified, contractors must implement controls to meet all 110 security requirements in NIST 800-171 R2, prepare documentation including the SSP and POA&M, either complete a self-assessment or undergo a third-party CMMC assessment every three years, and submit an affirmation of compliance every year.
What is the difference between Level 2 in CMMC 1.0 and CMMC 2.0?
CMMC 1.0 had five levels. While Level 2 in this tiered model was one of the lowest maturity levels, it required organizations to implement all 110 security requirements outlined in NIST SP 800-171 and some CMMC-specific requirements and undergo a third-party assessment. CMMC 2.0 simplified the model to three levels, with Level 2 security requirements aligning only with the existing NIST SP 800-171 R2 and allowing self-assessments for some lower-risk contractors.
When will CMMC 2.0 Level 2 be required?
CMMC Level 2 is already being required in DoD contracts and solicitations. As of November 10, 2025, Phase 1 of the rollout is in effect, and CMMC Level 2 (Self) requirements and some Level 2 (C3PAO) requirements are now being implemented contractually.
During Phase 1, most Level 2 contractors will need to complete a self-assessment, while C3PAO-conducted Level 2 assessments may be required for select high-priority acquisitions. By November 10, 2026, all applicable Level 2 contractors will be required to undergo a full C3PAO assessment.
How much does it cost to get CMMC Level 2 certification?
Costs vary depending on the size and complexity of your organization, but most estimates range from $20,000 to $100,000+ for full CMMC Level 2 readiness and third-party assessment. This includes expenses for preparation, gap remediation, consultant support, and the assessment fee itself.
What is the difference between CMMC Level 2 and CMMC Level 3?
The CMMC program is organized as a maturity model. CMMC Level 2 focuses on protecting CUI using the 110 controls in NIST SP 800-171. Level 3 is for organizations handling the most sensitive information and facing advanced persistent threats; it adds 24 additional requirements from NIST SP 800-172 and requires a government-led assessment.
What is the difference between CMMC Level 1 and CMMC Level 2?
CMMC Level 1 and Level 2 differ primarily in data sensitivity, security requirements, and assessment rigor.
- Level 1 applies to contractors that handle only FCI and requires meeting 15 basic safeguarding requirements from FAR 52.204-21 and undergoing an annual self-assessment.
- Level 2 applies to companies that handle CUI and requires implementing all 110 NIST SP 800-171 requirements. Most Level 2 contractors must undergo a C3PAO third-party assessment every three years, with self-assessment allowed only for a small subset handling non-critical CUI.
What is Security Protection Data?
Security Protection Data (SPD) is information that is generated by or used to configure the assets, information systems, and tools responsible for implementing an organization’s security controls, particularly those required under NIST 800-171 and CMMC Level 2. While SPD doesn’t directly involve CUI, it is critical to the protection of CUI and therefore falls under similar compliance requirements.
What are examples of SPD?
Examples of SPD include:
- Configuration files or rule sets from a SIEM or intrusion detection system
- Passwords or credentials that provide access to CUI systems
- VPN or firewall configuration data
- Logs and telemetry from Mobile Device Management (MDM) systems
- Network architecture details maintained by a co-located data center
- Access control settings within a cloud-based identity provider
What are Security Protection Assets?
Assets that store or process SPD are called Security Protection Assets (SPAs). These assets don’t necessarily touch CUI but support the implementation of security practices that protect CUI, so they must be treated with the same level of scrutiny.
SPAs must be listed in your asset inventory, included in your System Security Plan (SSP), and mapped in your network diagram. If an external vendor provides the SPA (e.g., a managed SIEM, hosted firewall, or identity provider), you must also document their service description and collect a Customer Responsibility Matrix (CRM).

Emily Bonnie
Senior Content Marketing Manager
Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.