CMMC Level 2 requires full implementation of all 110 security practices from NIST SP 800-171 Rev 2, verified by a Cyber AB-authorized C3PAO. If you’re reading this to understand what you’re actually being asked to implement — not what CMMC is — you’re in the right place.
This guide is for defense contractors who have already accepted that Level 2 is required. You’re now evaluating the scope of the work, how it maps to your actual environment, and what it takes to reach a certifiable posture. We’ll cover all 14 domains, the controls that cause the most assessment failures, and what “implementation” actually means in an assessment context.
The Regulatory Foundation: DFARS, NIST, and CMMC 2.0
CMMC Level 2 is built on NIST SP 800-171 Rev 2, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” This document — published by the National Institute of Standards and Technology — defines the 110 security practices that Level 2 requires.
The compliance obligation flows from DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which has required NIST SP 800-171 compliance since December 2017. CMMC 2.0 adds the formal third-party verification requirement: you can no longer self-certify Level 2. An authorized C3PAO must verify implementation.
The CMMC 2.0 Final Rule was published in December 2024. The anticipated DFARS 252.204-7021 clause, which will flow CMMC requirements into contracts, is expected to appear in DoD contracts on an accelerating basis through 2026, with broad enforcement against new and modified contracts containing CUI requirements.
The 14 Control Domains: What Each One Requires
NIST SP 800-171 Rev 2 organizes 110 practices across 14 security domains. Here’s what each domain requires and where assessment risk concentrates.
1. Access Control (AC) — 22 Practices
The largest domain by control count. Access Control governs who can access what within your systems.
Key requirements:
- Enforce least-privilege access — users have only the access necessary for their role
- Separate duties where possible (administrators shouldn’t also be auditors)
- Control remote access — explicit authorization, encrypted connections, disconnect inactive sessions
- Control use of portable storage devices
- Implement session controls (lock after inactivity, terminate after defined period)
Assessment risk areas: Remote access controls are frequently misconfigured. Contractors who allow unrestricted remote desktop or VPN access without MFA, session logging, or access controls face findings in nearly every assessment. Portable storage control (USB policies) is consistently under-documented.
2. Awareness and Training (AT) — 3 Practices
Requires documented security awareness training and role-based training for personnel with security responsibilities.
Key requirements:
- Conduct security awareness training for all personnel
- Ensure personnel with security responsibilities receive training on their responsibilities
- Provide training before authorization to access systems
Assessment risk areas: Training exists but isn’t documented. Contractors often have training programs but can’t produce evidence of completion records, training content, or authorization documentation. Existence without evidence = Not Met.
3. Audit and Accountability (AU) — 9 Practices
Requires creating and protecting audit logs that allow you to reconstruct security events and hold users accountable.
Key requirements:
- Audit logging enabled across all in-scope systems
- Protect logs from unauthorized modification or deletion
- Review and analyze audit logs for anomalies
- Retain logs for defined periods
- Correlate audit records across systems
Assessment risk areas: Log collection exists but coverage is incomplete. Contractors running Microsoft 365 often have Entra ID (Azure AD) logs but not Exchange Online, SharePoint, or endpoint logs. Incomplete coverage = Not Met for practices requiring system-wide audit capability.
4. Configuration Management (CM) — 9 Practices
Requires establishing and maintaining secure baseline configurations for all in-scope systems.
Key requirements:
- Maintain baseline configurations for all systems
- Establish and enforce configuration change control
- Analyze security impact of changes before implementation
- Define, document, and enforce user-installed software restrictions
- Configure systems according to least-functionality principle
Assessment risk areas: “Baseline configuration” is frequently documented as a policy rather than an actual technical baseline. Assessors expect to see documented configurations (or a tool-produced configuration report) for each system type in scope — not a policy that says configurations are managed.
5. Identification and Authentication (IA) — 11 Practices
Governs user identity verification and credential management. Contains the MFA requirements that drive the most assessment failures.
Key requirements:
- Unique user identification and authentication — no shared accounts
- Multi-factor authentication (MFA) for local and network access to privileged accounts, and for all network access
- Enforce minimum password complexity and change requirements
- Prohibit reuse of passwords within defined history
- Store and transmit only cryptographically protected passwords
- Employ replay-resistant authentication mechanisms
Assessment risk areas: MFA is the single most commonly failed control area. “MFA is deployed” is frequently Not Met because:
- MFA is deployed for email but not VPN or remote desktop
- Privileged accounts (admins) bypass MFA
- MFA is deployed but not enforced via Conditional Access policies (users can opt out)
Practice 3.5.3 (MFA for network access) carries a 5-point SPRS deduction, the highest weight the scoring methodology assigns to any control.
6. Incident Response (IR) — 3 Practices
Requires an established incident response capability.
Key requirements:
- Establish an operational incident response capability
- Track, document, and report incidents
- Test incident response capability
Assessment risk areas: The incident response plan exists as a document but has never been tested. Testing can be as simple as a tabletop exercise — but it must be documented. An untested plan with no exercise record = Not Met on the testing practice.
7. Maintenance (MA) — 6 Practices
Governs system maintenance activities, particularly for remote and external maintenance.
Key requirements:
- Perform maintenance on organizational systems
- Provide controls on the tools, techniques, and personnel for system maintenance
- Control and monitor remote maintenance sessions
- Require MFA for remote maintenance connections
- Sanitize maintenance equipment
Assessment risk areas: Remote maintenance by IT vendors or MSPs without explicit controls is a common gap. If your MSP performs remote maintenance, you need documented procedures for authorizing and monitoring those sessions — not just trust that the MSP is secure.
8. Media Protection (MP) — 9 Practices
Governs the protection of system media (physical and digital) containing CUI.
Key requirements:
- Protect system media containing CUI (paper and digital)
- Limit access to CUI on media to authorized users
- Sanitize or destroy media before disposal or reuse
- Mark media with necessary CUI markings
- Control portable storage use
Assessment risk areas: Media sanitization procedures are frequently undocumented. Contractors who replace hardware must be able to demonstrate that drives were sanitized according to NIST SP 800-88 before disposal. A policy that says “we wipe drives before disposal” requires evidence of an implemented process.
9. Personnel Security (PS) — 2 Practices
Requires screening personnel prior to authorization and protecting CUI during and after personnel actions.
Key requirements:
- Screen individuals prior to authorizing access to CUI systems
- Ensure CUI protection during and after personnel actions (termination, transfer)
Assessment risk areas: Termination procedures are commonly incomplete — policies specify account deactivation within a defined window, but audit logs don’t support that the procedure is actually followed. Attestation without evidence is insufficient.
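The evidence gap described above can be closed with a reconciliation check: HR termination records on one side, directory account-disable events on the other, and an exception list for anything outside the window. The script below is an added example, not from the original article; the HR export and audit lines are constructed sample data, and their field layout is an assumption, not any product's real log format.

```python
from datetime import datetime, timedelta

# Constructed HR export: (username, termination timestamp)
HR_TERMINATIONS = [
    ("jdoe", "2026-01-10T17:00:00"),
    ("asmith", "2026-01-12T17:00:00"),
    ("bwong", "2026-01-15T17:00:00"),
]

# Constructed directory audit log: timestamp, action, target account
DIRECTORY_AUDIT_LOG = """\
2026-01-10T17:42:10 ACCOUNT_DISABLED jdoe
2026-01-11T09:03:55 ACCOUNT_DISABLED svc-backup
2026-01-14T08:30:00 ACCOUNT_DISABLED asmith
"""

def parse_disable_events(log_text):
    """Return {username: earliest ACCOUNT_DISABLED timestamp} from the log."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, target = line.split()
        if action != "ACCOUNT_DISABLED":
            continue
        when = datetime.fromisoformat(ts)
        if target not in events or when < events[target]:
            events[target] = when
    return events

def reconcile_terminations(hr_rows, log_text, window_hours=24):
    """Classify each termination as 'met' (disabled inside the window),
    'late' (disabled after it) or 'no_evidence' (no disable event at all).
    Returns {username: (status, hours_to_disable or None)}; the 'late' and
    'no_evidence' entries are the findings an assessor would ask about."""
    disabled = parse_disable_events(log_text)
    window = timedelta(hours=window_hours)
    results = {}
    for user, term_ts in hr_rows:
        terminated = datetime.fromisoformat(term_ts)
        when = disabled.get(user)
        if when is None:
            results[user] = ("no_evidence", None)
            continue
        elapsed = when - terminated
        hours = round(elapsed.total_seconds() / 3600, 1)
        results[user] = ("met" if elapsed <= window else "late", hours)
    return results

if __name__ == "__main__":
    for user, (status, hours) in reconcile_terminations(
            HR_TERMINATIONS, DIRECTORY_AUDIT_LOG).items():
        print(f"{user:<8} {status:<12} {'-' if hours is None else hours}")
```

Keeping the script's output alongside the HR export and the raw log extract gives the assessor the procedure, the evidence, and the exceptions in one place.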
10. Physical Protection (PE) — 6 Practices
Governs physical access to systems and environments containing CUI.
Key requirements:
- Limit physical access to systems to authorized users
- Protect and monitor physical infrastructure
- Escort visitors and monitor visitor activity
- Maintain audit logs of physical access
- Control and manage physical access devices (keys, badges, cards)
Assessment risk areas: Home offices and remote work environments create physical protection complexity. If employees with CUI access work from home, physical protection controls (locked rooms, visitor controls) must be addressed for the home office environment.
11. Risk Assessment (RA) — 3 Practices
Requires periodic risk assessments and remediation of identified vulnerabilities.
Key requirements:
- Periodically assess risk to operations, assets, and individuals from system operation
- Scan for vulnerabilities periodically and when new vulnerabilities are identified
- Remediate vulnerabilities in accordance with risk assessments
Assessment risk areas: Vulnerability scanning is the most common gap in this domain. Contractors with no automated vulnerability scanning tool in place cannot demonstrate periodic scanning. Authenticated scans of all in-scope systems are expected — not just perimeter scans.
12. Security Assessment (CA) — 4 Practices
Requires periodic security assessments and monitoring of security controls.
Key requirements:
- Periodically assess security controls to determine effectiveness
- Develop and implement plans of action for identified deficiencies
- Monitor security controls on an ongoing basis
- Develop, document, and periodically update SSP
Assessment risk areas: The SSP — System Security Plan — is the central evidence document for the entire CMMC assessment. Contractors without a current, accurate SSP cannot pass assessment regardless of their technical posture. The SSP must describe how each of the 110 controls is implemented in your specific environment.
13. System and Communications Protection (SC) — 16 Practices
Governs technical controls protecting data in transit and at rest.
Key requirements:
- Monitor, control, and protect communications at external boundaries and key internal boundaries
- Employ architectural designs, software development techniques, and systems engineering principles that promote security
- Implement subnetworks for publicly accessible system components
- Prohibit remote activation of collaborative computing devices without indication to users
- Use cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
- Implement FIPS-validated cryptography
Assessment risk areas: FIPS-validated cryptography is frequently the gap. If your VPN, file sharing, or email encryption doesn’t use FIPS 140-2 validated cryptographic modules, you have a finding. Many common security tools use cryptography that isn’t FIPS-validated. This requires explicit configuration verification, not assumption.
14. System and Information Integrity (SI) — 7 Practices
Governs protection against malicious code and monitoring for attacks.
Key requirements:
- Identify, report, and correct system flaws in a timely manner
- Provide protection against malicious code at appropriate locations
- Monitor system security alerts and advisories
- Update malicious code protection mechanisms
- Perform periodic scans and real-time scans of files
- Monitor systems to detect attacks and indicators of compromise
- Identify unauthorized use of systems
Assessment risk areas: Malicious code protection “at appropriate locations” requires endpoint protection on all in-scope systems — including servers, not just workstations. Many contractors have endpoint protection on desktops but not on file servers or virtualized environments.
The Controls That Fail the Most Assessments
Based on practitioner experience with CMMC assessment preparation, these are the controls that generate the highest proportion of findings:
- 3.5.3 (IA) — MFA for network access (5-point SPRS weight)
- 3.13.8 (SC) — Cryptographic protection for CUI in transmission (FIPS requirement)
- 3.11.2 (RA) — Vulnerability scanning (no tooling in place)
- 3.12.4 (CA) — SSP currency and accuracy
- 3.1.3 (AC) — CUI flow control (boundary protection)
- 3.3.1 / 3.3.2 (AU) — Audit logging coverage and completeness
- 3.6.3 (IR) — Incident response testing (documented exercise required)
If you’re doing a self-assessment before engaging a consultant, start with these seven.
What “Implemented” Means to a C3PAO
A C3PAO doesn’t take your word for it. Assessment is evidence-based: for every Met control, they’ll ask to see the evidence that the control is actually in place. Evidence types include:
- Documentation: Policies, procedures, plans (must be current, signed, and communicated)
- Configuration evidence: Screenshots, configuration reports, export data from systems
- Logs: Audit log samples demonstrating the control is operational
- Interviews: Personnel interviews confirming awareness and correct application of procedures
- Technical testing: In some cases, live demonstration of control function
“We have a policy for that” is not sufficient for technical controls. “We just upgraded our systems and that’s now in place” requires evidence of the upgrade and current configuration. The bar is actual implementation, not planned or assumed implementation.
How to Evaluate Your Readiness Against These Requirements
The only reliable way to know where you stand against all 110 controls is a professional gap assessment conducted by a qualified CMMC practitioner. Our CMMC Level 2 timeline guide covers the phase-by-phase preparation process in detail.
The gap assessment produces:
- Control-by-control implementation status (Met / Not Met / Partial)
- Weighted SPRS score calculation
- Remediation roadmap with prioritized gaps
- POA&M structure for controls that require phased remediation
- Timeline estimate based on your actual posture
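The weighted SPRS score above follows the NIST SP 800-171 DoD Assessment Methodology: start at 110, subtract each Not Met control's weight (5, 3 or 1), deduct nothing for justified N/A controls, and apply the reduced 3-point deduction the methodology grants for partially implemented 3.5.3 (MFA) and 3.13.11 (FIPS). The scorer below is an added example, not from the original article; only the 5-point weight of 3.5.3 is stated on this page, and the other weights are illustrative and must be replaced with the full annex before use.

```python
MAX_SCORE = 110

# Illustrative weight table (replace with the methodology annex, all 110 controls).
WEIGHTS = {
    "3.5.3": 5,    # MFA for network access (weight stated on the page)
    "3.11.2": 5,   # vulnerability scanning (illustrative)
    "3.3.1": 5,    # audit logging (illustrative)
    "3.13.11": 5,  # FIPS-validated cryptography (illustrative)
    "3.13.8": 3,   # cryptographic protection in transit (illustrative)
    "3.3.2": 3,    # audit accountability (illustrative)
    "3.1.3": 1,    # CUI flow control (illustrative)
    "3.6.3": 1,    # incident response testing (illustrative)
}

# Controls the methodology scores with a reduced deduction when Partial.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

def sprs_score(statuses, weights=WEIGHTS):
    """statuses: {control id: 'Met' | 'Not Met' | 'Partial' | 'N/A'}.
    Returns (score, deductions) where deductions is a list of (control, points).
    A control absent from `weights` raises KeyError, so an incomplete weight
    table is caught instead of silently producing a too-high score."""
    # The methodology treats a missing SSP (3.12.4) as unassessable, not as
    # a point deduction, matching the page's point that no SSP means no pass.
    if statuses.get("3.12.4") == "Not Met":
        raise ValueError("3.12.4 Not Met: no SSP, assessment cannot be scored")
    deductions = []
    for control, status in statuses.items():
        if status in ("Met", "N/A") or control == "3.12.4":
            continue
        weight = weights[control]
        if status == "Partial":
            if control not in PARTIAL_CREDIT:
                raise ValueError(f"{control}: no partial credit; score as Not Met")
            points = PARTIAL_CREDIT[control]
        elif status == "Not Met":
            points = weight
        else:
            raise ValueError(f"{control}: unknown status {status!r}")
        deductions.append((control, points))
    return MAX_SCORE - sum(p for _, p in deductions), deductions

if __name__ == "__main__":
    # Constructed sample posture: MFA only partly enforced, no scanner, no IR test.
    sample = {"3.5.3": "Partial", "3.11.2": "Not Met", "3.3.1": "Met",
              "3.13.8": "Not Met", "3.3.2": "N/A", "3.1.3": "Met",
              "3.6.3": "Not Met", "3.12.4": "Met"}
    score, hits = sprs_score(sample)
    print(score, hits)
```

Controls carried on a POA&M still count as Not Met for scoring; the POA&M changes what the C3PAO will accept, not the arithmetic.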
Start with a Free Readiness Assessment
If you’re evaluating how far your environment is from CMMC Level 2 certification, a free readiness assessment is the most efficient first step. You’ll get a practitioner’s honest read on your posture, the most significant gap areas in your environment, and a realistic timeline and cost estimate — before you commit to any paid engagement.
Schedule your free CMMC readiness assessment →
Frequently Asked Questions
What are the 14 domains of CMMC Level 2?
CMMC Level 2 is based on NIST SP 800-171 Rev 2, which organizes 110 practices across 14 domains: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
What is the difference between CMMC Level 1 and Level 2?
CMMC Level 1 requires implementation of 17 basic safeguarding practices from FAR 52.204-21 and allows annual self-attestation. CMMC Level 2 requires full implementation of all 110 NIST SP 800-171 Rev 2 practices and mandates third-party verification by an authorized C3PAO for contracts involving CUI (Controlled Unclassified Information). The two levels are not interchangeable — Level 1 does not satisfy CMMC Level 2 requirements.
Do all 110 controls apply to every contractor?
Not applicable (N/A) determinations are possible for some controls based on your specific environment and CUI scope — for example, if your environment genuinely has no collaborative computing devices (SC practice 3.13.12), that control may not apply. However, N/A determinations require justification and are subject to C3PAO challenge. Most contractors will find 100+ of the 110 controls apply to their environment.
Can I use Plan of Action & Milestones (POA&M) for controls I haven’t implemented yet?
Yes, with important limitations. CMMC Level 2 assessment allows for POA&M items for controls that are not yet fully implemented, but only for lower-risk practices. High-risk controls (especially those in Identification and Authentication and System and Communications Protection) typically must be implemented before assessment. Your C3PAO will evaluate which POA&M items are acceptable versus which require remediation before the assessment can proceed.
How long does it take to implement all 110 CMMC Level 2 controls?
Timeline varies significantly by starting posture. Contractors with modern cloud-based infrastructure and reasonable existing security controls typically require 6–12 months of active remediation. Contractors with legacy infrastructure, no existing security program, or complex multi-site environments typically require 12–24 months. See our CMMC Level 2 certification timeline guide for a phase-by-phase breakdown.
Related reading:
- CMMC Level 2 Certification Timeline: A Realistic Planning Guide for 2026
- SPRS Score Explained: What Defense Contractors Need to Know Before CMMC
- How Much Does CMMC Certification Cost? 2026 Budget Guide
References: NIST SP 800-171 | CMMC program | 32 CFR Part 170
This content is for informational purposes only and does not constitute legal, compliance, or cybersecurity advice. Consult qualified professionals for guidance specific to your organization.