Cybersecurity Maturity Model Certification

CMMC Level 2.
What it is. What it takes.

No acronym soup. No consultant-nese. Just the honest truth about what CMMC Level 2 requires, why it matters to your contracts, and what it actually looks like to get there — and stay there. From practitioners who carry the same requirements you do.

Let's start simple.
What is CMMC, really?

If your company works with the Department of Defense — or wants to — and you handle information that isn't classified but still sensitive, you are in the Defense Industrial Base. And the DoD has decided that the DIB needs to prove it can protect that information. Not just say it can. Prove it.

CMMC — the Cybersecurity Maturity Model Certification — is the program that makes that proof official. Level 2 is the tier that most small and mid-sized DIB contractors fall under. It covers 110 security practices drawn from NIST SP 800-171. Think of them as 110 things your business needs to be doing, consistently, to protect the information your government contracts depend on.

If you handle Controlled Unclassified Information — CUI — you need CMMC Level 2. If your contracts reference DFARS 252.204-7012 or 7021, you need CMMC Level 2. If you're not sure whether you need it, the answer is almost certainly yes — and finding out now is far better than finding out when a contract you need requires it.

Here is the part most people don't tell you up front: getting certified is hard. Staying certified is harder. The certification doesn't mean you were compliant once. It means you have to stay compliant — continuously, for three years, with annual affirmations that you are still maintaining every control. The frontier doesn't stand still. Neither does the requirement.

110: Security practices that must be implemented and maintained
14: Control families covering every domain of your security posture
3 yrs: Certification cycle — with annual affirmations of continuous compliance
365: Days a year the controls must hold — drift doesn't take weekends off

The CMMC Journey

Where most contractors are.
And where you need to be.

The path to CMMC Level 2 certification is not a straight line. Here is what it actually looks like — in plain language, in order.

1. Scoping — Find Your CUI

Before you can protect Controlled Unclassified Information, you have to know where it lives. Which systems touch it? Which people handle it? Where does it flow? Most contractors significantly underestimate their CUI scope on the first pass. Getting scoping right is the foundation everything else is built on.

2. Gap Assessment — Know Where You Stand

A structured assessment against all 110 NIST SP 800-171 controls. What is implemented? What is missing? What is partially there but not documented? Honest findings ranked by severity. This is where most organizations discover the gap between where they think they are and where they actually are.

3. SSP & POA&M — Document the Reality

Your System Security Plan documents how you implement each control. Your Plan of Action & Milestones tracks what's not yet implemented and when you'll close it. These are living documents — not a one-time deliverable. The assessor will read them and then look at your environment to see if they match.

4. Remediation — Close the Gaps

Build what's missing. Harden what's weak. Implement the controls your gap assessment identified. This is where the real engineering work happens — CUI enclave, identity controls, endpoint hardening, logging, monitoring. Not a checklist exercise. A real architecture that a real assessor will test.

5. C3PAO Assessment — The Formal Exam

A certified Third Party Assessment Organization examines your environment against every applicable control. They review your SSP, test your implementations, interview your people, and verify your evidence. You cannot coach your way through this. Either the controls hold or they don't. Preparation is the only answer.

6. Certification — and the Watch Begins

You are certified. For three years. With annual affirmations. With the expectation that every control you implemented is still implemented — today, tomorrow, and the day after. This is where most certified contractors start to drift. The pressure of the assessment is gone. The requirement is not.

For the practitioner

The 14 control families.
What they actually cover.

NIST SP 800-171 organizes its 110 controls across 14 families. Each family governs a specific security domain. Understanding which families represent your greatest risk — and your greatest gap — is how you sequence remediation intelligently rather than working through a list alphabetically.

AC — Access Control (22 controls)

Who can access what — and under what conditions. User permissions, remote access, CUI system access policy.

AT — Awareness & Training (3 controls)

Security awareness training for all personnel and role-based training for those with elevated access or responsibility.

AU — Audit & Accountability (9 controls)

System audit logging, log retention, review of audit records, and the ability to trace activity to a specific user.

CM — Configuration Management (9 controls)

Baseline configurations for systems, change control processes, and restrictions on unauthorized software installation.

IA — Identification & Authentication (11 controls)

Multi-factor authentication, password management, and device authentication. One of the highest-risk families for small organizations.

IR — Incident Response (3 controls)

Incident response planning, capability, and reporting — including the requirement to report incidents to DoD within 72 hours.

MA — Maintenance (6 controls)

Controlled system maintenance, sanitization of equipment removed for maintenance, and oversight of remote maintenance.

MP — Media Protection (9 controls)

Protection, access control, and sanitization of media containing CUI — including portable devices, hard drives, and paper.

PS — Personnel Security (2 controls)

Screening of personnel before access to CUI systems and termination procedures that protect CUI when people leave.

PE — Physical Protection (6 controls)

Physical access controls for systems that store or process CUI. Visitor management, physical monitoring, and access logs.

RA — Risk Assessment (3 controls)

Periodic risk assessments, vulnerability scanning, and the remediation processes that close findings on a defined timeline.

CA — Security Assessment (4 controls)

Periodic assessment of security controls, plans of action for deficiencies, and continuous monitoring of security posture.

SC — System & Communications Protection (16 controls)

Network segmentation, boundary protection, encryption of CUI in transit, and architectural controls that limit exposure.

SI — System & Information Integrity (7 controls)

Malicious code protection, security alerting, software and firmware integrity verification, and spam protection.

Certified is not the same as compliant.

This is the part the certification process doesn't emphasize enough. The day you receive your CMMC Level 2 certification, every one of those 110 controls is implemented and verified. Thirty days later, your environment has already started to drift — not because anyone made a bad decision, but because environments do what environments do. They change.

The missed patch

A critical CVE drops on a Friday. The patch doesn't get applied over the weekend. By Monday it's in your vulnerability backlog. By next month's assessment prep, nobody remembers it.

The convenience exception

A service gets enabled to make a project easier. Just temporarily. Except temporary became permanent and now it's an open attack surface nobody documented.

The permission creep

A user needs access to one more folder. Then another. Six months later they have access to CUI systems they have no business touching — and nobody noticed.

The stale POA&M

Open findings from the last assessment are still listed as "in remediation." The timeline passed three months ago. Nobody updated the document. The assessor will notice.
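As an added example (not code from this page or from Standfast's platform), here is a small drift check that evaluates the four scenarios above against a constructed evidence snapshot of one CUI enclave. The patch SLA, service names, access groups and POA&M entries are all assumed sample values, not CMMC-prescribed numbers.

```python
# Drift check over a constructed evidence snapshot: one function per scenario
# from the text above (missed patch, convenience exception, permission creep,
# stale POA&M). All data and thresholds below are assumptions for illustration.
from datetime import date

TODAY = date(2024, 6, 1)
CRITICAL_PATCH_SLA_DAYS = 14  # assumed internal SLA, not a CMMC requirement

# Constructed snapshot: what is actually observed vs. what is documented/authorized.
SNAPSHOT = {
    "open_vulns": [{"id": "VULN-1", "severity": "critical", "found": date(2024, 4, 5)}],
    "enabled_services": {"sshd", "smbd", "telnet"},
    "documented_services": {"sshd", "smbd"},  # services the SSP says are running
    "cui_access": {"alice": {"cui-share"}, "bob": {"cui-share", "cui-db"}},
    "authorized_cui_access": {"alice": {"cui-share"}, "bob": {"cui-share"}},
    "poam": [{"id": "POAM-3", "status": "in remediation", "milestone": date(2024, 3, 1)}],
}

def check_drift(snapshot, today=TODAY, sla_days=CRITICAL_PATCH_SLA_DAYS):
    """Return (scenario, detail) tuples for every drift condition found."""
    findings = []
    # 1. The missed patch: a critical finding older than the patch SLA.
    for v in snapshot["open_vulns"]:
        age = (today - v["found"]).days
        if v["severity"] == "critical" and age > sla_days:
            findings.append(("missed_patch", f"{v['id']} open {age}d > SLA {sla_days}d"))
    # 2. The convenience exception: a running service the SSP never documented.
    for svc in sorted(snapshot["enabled_services"] - snapshot["documented_services"]):
        findings.append(("undocumented_service", f"{svc} enabled but not in SSP"))
    # 3. The permission creep: CUI access beyond what was authorized for the user.
    for user, groups in snapshot["cui_access"].items():
        extra = groups - snapshot["authorized_cui_access"].get(user, set())
        for g in sorted(extra):
            findings.append(("permission_creep", f"{user} has unauthorized access to {g}"))
    # 4. The stale POA&M: an open item whose milestone date has already passed.
    for item in snapshot["poam"]:
        if item["status"] != "closed" and item["milestone"] < today:
            overdue = (today - item["milestone"]).days
            findings.append(("stale_poam", f"{item['id']} milestone {overdue}d past due"))
    return findings

if __name__ == "__main__":
    for kind, detail in check_drift(SNAPSHOT):
        print(f"[{kind}] {detail}")
```

Run on a real environment, each snapshot field would be fed from the tooling that already produces the evidence an assessor asks for (scanner output, service inventory, group membership, the POA&M itself).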

The Standfast answer

"Drift is not a failure of intent. It is a failure of continuous discipline — and discipline at scale requires automation. The Standfast posture loop runs continuously against your environment, catching every one of these scenarios before they become findings. You cannot manually watch 110 controls every day. The platform can. And does."

What the C3PAO assessor actually looks at

The assessment is not a surprise quiz.
It is a verification of your reality.

What they examine

Your System Security Plan (document review)

They read it. Then they look at your environment to see if it describes the same reality. If it doesn't, that is a finding.

Your implemented controls (testing)

They test the controls, not just review the documentation. MFA is either enforced or it isn't. Network segmentation either exists or it doesn't.

Your people (interviews)

They interview personnel. Your team needs to know the policies and be able to describe how they are implemented — not just that they exist.

Your evidence trail (evidence review)

Logs, scan results, remediation records, training completion, POA&M currency. Evidence that the controls have been running — not just that they were configured once.

What you need to have ready

The practitioner's honest take

"The organizations that struggle at assessment are almost never the ones that have bad security. They are the ones that have decent security but cannot prove it. Evidence that was never collected, documentation that doesn't match reality, POA&Ms that haven't been touched since the last assessment. The controls may be running. But without the evidence trail, from the assessor's perspective they aren't."

The Annual Affirmation Requirement

Each year during your 3-year certification cycle, a senior official must affirm that your organization continues to meet all applicable CMMC Level 2 requirements. This is not a formality. It carries legal accountability. Affirming compliance you cannot substantiate is a False Claims Act exposure. The affirmation is only as sound as your evidence.

You know enough to know you need help.

That is exactly where we start. Practitioner to practitioner — no pitch, no pressure.
Tell us where you are and we will tell you what it takes to get where you need to be.