Defense contractors handling sensitive information must demonstrate strong cybersecurity through both NIST and CMMC compliance. To meet CMMC Level 2 requirements, organizations must fully implement NIST SP 800-171, which includes 110 security controls designed to protect Controlled Unclassified Information (CUI).
If your contract requires CMMC Level 2 certification, your organization must be prepared to meet these requirements and pass a formal assessment.
Achieving CMMC Level 2 Requirements and NIST SP 800-171 Compliance
Organizations working with the Department of Defense (DoD) must ensure their systems can securely process sensitive data before handling military information. To meet CMMC Level 2 requirements, contractors must implement security controls defined by the National Institute of Standards and Technology (NIST), which form the foundation of the Cybersecurity Maturity Model Certification (CMMC) framework.
For contracts requiring CMMC Level 2 certification, organizations must fully implement NIST SP 800-171. To achieve compliance, you need to understand:
- How CMMC aligns with NIST standards
- The full scope of CMMC Level 2 requirements
- Assessment and certification expectations at Level 2
Working with an experienced compliance partner can help streamline implementation, reduce risk, and accelerate your path to certification.
How CMMC 2.0 Aligns with NIST SP 800-171
While CMMC is a newer framework, it is built directly on established NIST standards. Specifically, CMMC integrates NIST SP 800-171 requirements across the Defense Industrial Base (DIB) to ensure consistent cybersecurity practices.
Most DoD contractors will eventually need to meet a CMMC level:
- CMMC Level 1 applies to organizations handling Federal Contract Information (FCI)
- CMMC Level 2 applies to those handling Controlled Unclassified Information (CUI) and requires full implementation of NIST SP 800-171
Organizations facing higher risk environments or handling large volumes of CUI may need to meet CMMC Level 3, which includes additional controls from NIST SP 800-172.
Implementation Requirements for CMMC Level 2
To meet CMMC Level 2 requirements, organizations must:
- Implement all 15 Level 1 foundational controls
- Deploy the full set of 110 security controls from NIST SP 800-171
Once these controls are in place, organizations can prepare for a formal assessment to validate compliance.
It’s important to note that CMMC 2.0 simplifies earlier versions of the model. Organizations that previously targeted Level 3 under CMMC 1.0 may now fall under Level 2 requirements.
CMMC Level 1 Prerequisites for Level 2 Compliance
Before meeting CMMC Level 2 requirements, organizations must first implement the foundational controls from Level 1.
CMMC Level 1 includes 15 basic security controls adapted from NIST SP 800-171. These controls focus on protecting Federal Contract Information (FCI) but are not sufficient for safeguarding Controlled Unclassified Information (CUI).
Key Level 1 Control Domains
To prepare for Level 2, organizations must implement controls across the following areas:
- Access Control (AC) – Limit and manage access to FCI
- Identification and Authentication (IA) – Verify user identities
- Media Protection (MP) – Secure storage and disposal of FCI
- Physical Protection (PE) – Restrict physical access to systems
- System & Communications Protection (SC) – Secure network boundaries
- System & Information Integrity (SI) – Detect and address system threats
These foundational controls must be fully implemented before advancing to CMMC Level 2.
CMMC Level 2 Requirements (NIST SP 800-171 Controls)
CMMC Level 2 requirements include 110 security controls based on NIST SP 800-171. These controls expand on Level 1 and are designed to protect Controlled Unclassified Information (CUI).
At this level, organizations must demonstrate a higher level of cybersecurity maturity and be prepared for a formal assessment.
Core Control Domains in CMMC Level 2
Instead of listing all 110 controls (which hurts readability and SEO), structure them like this:
1. Access Control (AC)
Controls how users access systems and CUI:
- Least privilege access
- Remote access security
- Session management
- Secure use of mobile devices and external systems
2. Awareness and Training (AT)
Ensures employees understand security risks:
- Role-based training
- Insider threat awareness
3. Audit and Accountability (AU)
Tracks and monitors system activity:
- Logging and monitoring
- Audit reviews and alerts
4. Configuration Management (CM)
Maintains secure system configurations:
- Baseline configurations
- Change management controls
5. Identification and Authentication (IA)
Verifies users and devices:
- Multifactor authentication (MFA)
- Password policies
6. Incident Response (IR)
Prepares organizations to respond to threats:
- Incident detection and reporting
- Response testing
7. Maintenance (MA)
Secures system maintenance processes:
- Controlled maintenance access
- Equipment sanitization
8. Media Protection (MP)
Protects physical and digital media:
- Secure storage and transport
- Media disposal and encryption
9. Personnel Security (PS)
Manages user access risks:
- Background screening
- Access termination procedures
10. Physical Protection (PE)
Secures facilities and infrastructure:
- Facility access controls
- Visitor monitoring
11. Risk Assessment (RA)
Identifies and mitigates risks:
- Vulnerability scanning
- Risk remediation
12. Security Assessment (CA)
Evaluates control effectiveness:
- Security control assessments
- Continuous monitoring
13. System and Communications Protection (SC)
Protects data in transit and networks:
- Encryption of CUI
- Secure network architecture
14. System and Information Integrity (SI)
Ensures system reliability and threat detection:
- Malware protection
- System monitoring and alerts
Assessment Requirements for CMMC Level 2
Meeting CMMC Level 2 requirements involves more than implementing security controls. Organizations must also undergo formal assessments to verify that those controls are properly deployed and effective.
One of the key differences between CMMC Level 1 and Level 2 is the assessment process:
- CMMC Level 1 allows for self-assessments
- CMMC Level 2 typically requires a third-party assessment
In most cases, contractors must work with a Certified Third Party Assessment Organization (C3PAO) authorized by the Cyber AB.
While some organizations may qualify for self-assessment at Level 2, the majority will need an independent audit to achieve certification.
Working with a qualified C3PAO ensures a thorough evaluation and helps your organization prepare for a successful assessment.
Simplify Your CMMC Level 2 Compliance Journey
Achieving CMMC Level 2 compliance requires full alignment with NIST SP 800-171, including implementation of all 110 security controls and successful completion of a formal assessment.
Without proper planning, this process can be complex, time-consuming, and costly.
That’s where expert guidance makes the difference.
RSI Security supports organizations through every stage of the process—from gap assessments and control implementation to audit preparation and certification.
As a C3PAO authorized by the Cyber AB, RSI Security delivers the expertise needed to help you meet CMMC Level 2 requirements efficiently and with confidence.
Ready to get started? Contact RSI Security today to begin your CMMC Level 2 journey.
Download Our CMMC Checklist