CMMC Level 2 requirements are part of the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework and apply to contractors that handle Controlled Unclassified Information (CUI). This guide provides a clear, practical overview of what CMMC Level 2 requires, who it applies to, and how organizations can prepare for compliance.
As the second installment in our CMMC series, this article focuses specifically on Level 2 requirements. If you’re looking for information on other maturity levels, explore our detailed guides on CMMC Levels 1, 3, 4, and 5.
Overview of CMMC Level 2 Requirements
Understanding CMMC Level 2 requirements starts with knowing exactly what the Department of Defense expects from contractors that handle Controlled Unclassified Information (CUI). This article—and the broader CMMC series—is structured around the official practices defined in CMMC Version 1.02 (March 2020), ensuring accuracy and alignment with the source framework.
As with our overview of CMMC Level 1, we’ll begin with a brief recap of the CMMC framework and its core components. From there, this guide focuses specifically on Level 2 and is organized as follows:
- Breakdown of CMMC Level 2 requirements
- Step-by-step guide to CMMC Level 2 compliance
Let’s get started.
Recap of the CMMC Framework
The Cybersecurity Maturity Model Certification (CMMC) framework is a structured set of cybersecurity requirements designed to protect sensitive government data within the Defense Industrial Base (DIB). To meet CMMC Level 2 requirements, and ultimately higher maturity levels, organizations must implement and institutionalize defined security practices across the framework.
CMMC organizes cybersecurity controls into 17 domains, 43 capabilities, and 171 practices, which are distributed across five maturity levels. Each level builds on the previous one, requiring organizations to strengthen their processes and expand the scope of their cybersecurity controls over time.
As organizations progress toward higher maturity levels, including Level 5, they are expected to formalize processes and consistently apply practices that increase the depth and resilience of their cyber defenses.
Who the CMMC Applies To
CMMC applies to Department of Defense (DoD) contractors and subcontractors that make up the Defense Industrial Base (DIB)—the supply chain that supports U.S. defense programs. The framework is designed to safeguard the specific types of sensitive information commonly handled within this ecosystem, including:
- Federal Contract Information (FCI): Information related to government contracts that is not intended for public release.
- Controlled Unclassified Information (CUI): Unclassified data that requires protection under federal laws, regulations, or government-wide policies.
How CMMC Aligns With Existing Regulations
Rather than introducing entirely new security requirements, CMMC consolidates controls from established federal cybersecurity standards into a single, unified framework. Requirements for protecting CUI are derived from NIST Special Publication 800-171, which is reinforced by DFARS Clause 252.204-7012. Requirements for safeguarding FCI originate from FAR Clause 52.204-21.
The CMMC framework is published by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) and was developed through collaboration with DoD stakeholders across the Defense Industrial Base, including University Affiliated Research Centers (UARCs) and Federally Funded Research and Development Centers (FFRDCs).
Breakdown of CMMC Level 2 Controls
CMMC Level 2 requirements represent a transition point in an organization’s cybersecurity maturity. Building on the foundational safeguards established at Level 1, Level 2 moves organizations from basic cyber hygiene to intermediate cyber hygiene, with a specific focus on preparing for full protection of Controlled Unclassified Information (CUI).
The primary purpose of CMMC Level 2 is to serve as a bridge to CUI protection, which is fully required at Level 3. As a result, organizations must demonstrate not only that security practices are implemented, but that they are repeatable, documented, and consistently followed.
One of the most significant differences between CMMC Level 1 and Level 2 is the introduction of documented processes. At Level 2, it is no longer sufficient to perform security activities informally. Certification depends on maintaining accurate documentation that shows how practices are implemented, managed, and sustained—making Level 2 the first maturity level with a formal assessment requirement.
CMMC Level 2 introduces 55 security practices, the majority of which, 48 practices, are derived directly from NIST Special Publication 800-171, with the remaining practices sourced from other federal cybersecurity standards. The sections below examine each Level 2 practice, organized by domain.
Level 2 Access Control (AC) Practices
CMMC Level 2 requirements introduce 10 new Access Control (AC) practices focused on restricting access to systems, enforcing least privilege, and protecting Controlled Unclassified Information (CUI) from unauthorized use—especially through portable media and remote connections.
At this level, organizations must demonstrate tighter control over how users access systems, devices, and data, including formal restrictions on remote access and wireless connectivity.
The Level 2 Access Control practices include:
- AC.2.005: Provide notices addressing privacy and security requirements related to CUI.
- AC.2.006: Restrict the use of portable storage devices (such as USB drives), particularly when interacting with external systems.
- AC.2.007: Enforce the principle of least privilege for all users and system functions.
- AC.2.008: Use non-privileged accounts for routine system access that does not require elevated permissions.
- AC.2.009: Limit unsuccessful login attempts before locking an account.
- AC.2.010: Automatically lock sessions after periods of inactivity to prevent unauthorized access.
- AC.2.011: Require authorization before allowing wireless access.
- AC.2.013: Monitor and control all remote access sessions.
- AC.2.015: Route remote access through managed access points.
- AC.2.016: Control the flow of CUI based on approved authorizations and intended use.
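The two mechanical practices in this list, AC.2.009 (limit unsuccessful login attempts) and AC.2.010 (lock sessions after inactivity), are easy to describe and easy to get subtly wrong: a lockout that a correct password can bypass, or a failure counter that never expires, both fail an assessor's test. The following Python is an added illustration written for this article, not code from CMMC, NIST, or any product; the threshold values (5 attempts, 15-minute window, 15-minute lockout and idle timeout) are constructed examples an organization would set in its own policy.

```python
"""Illustrative account-lockout (AC.2.009) and inactivity session-lock (AC.2.010)
logic. All thresholds below are constructed example values, not CMMC-mandated."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5            # failures within the window that trigger a lockout
FAILURE_WINDOW_SECONDS = 15 * 60   # failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60          # how long the account stays locked
SESSION_IDLE_SECONDS = 15 * 60     # inactivity period after which a session locks


@dataclass
class AccountState:
    failed_at: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None


@dataclass
class Session:
    user: str
    last_activity: float
    locked: bool = False


class AuthGuard:
    """Tracks per-account failure counters and per-user session activity.
    Timestamps are passed in explicitly so the logic is deterministic and testable."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}
        self.sessions: Dict[str, Session] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        # Lockout expired: clear it and the failure history that caused it.
        st.locked_until = None
        st.failed_at.clear()
        return False

    def _record_failure(self, user: str, now: float) -> None:
        st = self._state(user)
        # Drop failures outside the sliding window before counting.
        st.failed_at = [t for t in st.failed_at if now - t <= FAILURE_WINDOW_SECONDS]
        st.failed_at.append(now)
        if len(st.failed_at) >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS

    def attempt_login(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'failed' or 'ok'. A locked account rejects even a
        correct password, which is the property AC.2.009 is meant to guarantee."""
        if self.is_locked(user, now):
            return "locked"
        if not password_ok:
            self._record_failure(user, now)
            return "locked" if self.is_locked(user, now) else "failed"
        self._state(user).failed_at.clear()          # success resets the counter
        self.sessions[user] = Session(user=user, last_activity=now)
        return "ok"

    def touch(self, user: str, now: float) -> str:
        """Call on every user action. Locks the session once it has been idle
        longer than SESSION_IDLE_SECONDS; a locked session stays locked until
        the user re-authenticates."""
        s = self.sessions.get(user)
        if s is None:
            return "no_session"
        if s.locked or now - s.last_activity > SESSION_IDLE_SECONDS:
            s.locked = True
            return "locked"
        s.last_activity = now
        return "active"
```

The sliding window matters for assessment evidence: a counter that only resets on success would eventually lock out legitimate users after months of occasional typos, while a counter that never locks at all is the more common finding.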
Level 2 Audit and Accountability (AU) Practices
CMMC Level 2 adds four Audit and Accountability (AU) practices designed to ensure organizations can trace user activity, detect suspicious behavior, and investigate security incidents.
These practices emphasize log integrity, monitoring, and time synchronization—key requirements for accountability and incident investigation.
The Level 2 Audit and Accountability practices include:
- AU.2.041: Ensure system activities can be uniquely traced to individual users.
- AU.2.042: Generate and retain audit logs sufficient to monitor, investigate, and report unauthorized or unlawful activity.
- AU.2.043: Synchronize system clocks with authoritative time sources to ensure accurate timestamps.
- AU.2.044: Regularly review and analyze audit logs and take action based on findings.
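AU.2.041, AU.2.043 and AU.2.044 together describe a review routine rather than a single setting: every record must name an individual, timestamps must be trustworthy, and someone must actually read the logs and act on them. The Python below is an added example written for this article, not output or code from any real logging product; the JSON-lines records in SAMPLE_LOG are constructed, and the failed-login review threshold is an assumed value.

```python
"""Illustrative audit-log review covering AU.2.041 (records traceable to a user),
AU.2.043 (timestamp sanity) and AU.2.044 (review for repeated failures).
The log format and every record below are constructed for this example."""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

FAILED_LOGIN_THRESHOLD = 3   # assumed review threshold; set by organizational policy

# Constructed sample records, one JSON object per line (not real system output).
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "host": "fs01", "user": "alice", "event": "login_ok", "src": "10.0.0.4"}
{"ts": "2024-05-01T10:00:05Z", "host": "fs01", "user": "bob", "event": "login_failed", "src": "10.0.0.9"}
{"ts": "2024-05-01T10:00:09Z", "host": "fs01", "user": "bob", "event": "login_failed", "src": "10.0.0.9"}
{"ts": "2024-05-01T10:00:14Z", "host": "fs01", "user": "bob", "event": "login_failed", "src": "10.0.0.9"}
{"ts": "2024-05-01T09:58:00Z", "host": "fs01", "user": "carol", "event": "file_read", "src": "10.0.0.7"}
{"ts": "2024-05-01T10:01:00Z", "host": "fs01", "user": "", "event": "file_delete", "src": "10.0.0.7"}
{"ts": "not-a-timestamp", "host": "fs02", "user": "dave", "event": "login_ok", "src": "10.0.0.8"}
"""


def parse_ts(value: str) -> Optional[datetime]:
    """Parse the fixed UTC format used by the sample records; None if malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def review_audit_log(text: str) -> Dict[str, object]:
    """Return findings for a log excerpt:
      unattributed      - line numbers of records with no individual user (AU.2.041)
      clock_anomalies   - (line, reason) for unparseable or backwards timestamps
                          from the same host, a sign of drift or tampering (AU.2.043)
      repeated_failures - users whose failed logins reach the threshold (AU.2.044)
    """
    findings: Dict[str, object] = {
        "unattributed": [], "clock_anomalies": [], "repeated_failures": {}}
    last_seen: Dict[str, datetime] = {}
    failures: Counter = Counter()
    unattributed: List[int] = findings["unattributed"]              # type: ignore[assignment]
    anomalies: List[Tuple[int, str]] = findings["clock_anomalies"]  # type: ignore[assignment]

    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = json.loads(line)
        user = rec.get("user") or ""
        if not user:
            unattributed.append(lineno)

        ts = parse_ts(rec.get("ts", ""))
        host = rec.get("host", "")
        if ts is None:
            anomalies.append((lineno, "unparseable timestamp"))
        else:
            prev = last_seen.get(host)
            if prev is not None and ts < prev:
                anomalies.append((lineno, "timestamp earlier than previous record from same host"))
            last_seen[host] = ts if prev is None else max(prev, ts)

        if rec.get("event") == "login_failed" and user:
            failures[user] += 1

    findings["repeated_failures"] = {
        u: n for u, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD}
    return findings


if __name__ == "__main__":
    print(json.dumps(review_audit_log(SAMPLE_LOG), indent=2))
```

Each finding maps to evidence an assessor asks for: the empty-user record is a traceability gap, the out-of-order and malformed timestamps are what an unsynchronized clock looks like in practice, and the repeated failures for one account are the kind of item a documented review procedure must say what to do with.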
Level 2 Awareness and Training (AT) Practices
CMMC Level 2 introduces two Awareness and Training (AT) practices that focus on ensuring personnel understand cybersecurity risks and their responsibilities in protecting sensitive information.
These practices recognize that effective security depends on informed users, not just technical controls.
The Level 2 Awareness and Training practices include:
- AT.2.056: Ensure all users are aware of cybersecurity risks, rules, standards, and best practices related to system security.
- AT.2.057: Provide regular training to personnel with responsibilities for protecting sensitive information.
Level 2 Configuration Management (CM) Practices
At Level 2, six Configuration Management (CM) practices are added to ensure systems are securely configured, monitored, and controlled throughout their lifecycle.
These practices help reduce attack surfaces and prevent unauthorized or risky system changes.
The Level 2 Configuration Management practices include:
- CM.2.061: Maintain baseline configurations and system inventories across system lifecycles.
- CM.2.062: Apply the principle of least functionality by enabling only essential system capabilities.
- CM.2.063: Restrict and monitor user-installed software.
- CM.2.064: Develop and maintain secure configuration standards for all IT products.
- CM.2.065: Track, review, and log system changes.
- CM.2.066: Assess the security impact of changes prior to implementation.
Level 2 Identification and Authentication (IA) Practices
CMMC Level 2 adds five Identification and Authentication (IA) practices focused on strengthening credential security and protecting authentication data.
These controls help prevent unauthorized access through compromised or weak credentials.
The Level 2 Identification and Authentication practices include:
- IA.2.078: Enforce password complexity and minimum character change requirements.
- IA.2.079: Prevent password reuse across a defined number of generations.
- IA.2.080: Allow temporary passwords only for initial access, requiring immediate reset.
- IA.2.081: Protect passwords using cryptographic methods during storage and transmission.
- IA.2.082: Obscure authentication feedback to prevent credential disclosure.
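The five IA practices above map almost one-to-one onto a credential-handling routine: complexity and minimum change (IA.2.078), a history check (IA.2.079), a one-time temporary password that forces a reset (IA.2.080), salted password hashing (IA.2.081) and a login response that reveals nothing about which part failed (IA.2.082). The following Python is an added example written for this article, not code from any real identity product; the policy numbers, the PBKDF2 iteration count, and the user and password strings in the usage are constructed.

```python
"""Illustrative password policy covering IA.2.078 through IA.2.082.
Policy values below are constructed examples; PBKDF2_ITERATIONS is deliberately
modest so the example runs quickly and should be raised in real use."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List

MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3     # of: lowercase, uppercase, digit, other
MIN_CHANGED_CHARACTERS = 4    # IA.2.078: characters that must differ from the old password
HISTORY_GENERATIONS = 5       # IA.2.079: previous passwords that may not be reused
PBKDF2_ITERATIONS = 100_000   # IA.2.081: constructed value, see docstring
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest so it can be stored as one blob."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def character_classes(pw: str) -> int:
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def changed_characters(old: str, new: str) -> int:
    """Positions that differ, plus any length difference (a simple change metric)."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


@dataclass
class Credential:
    history: List[bytes] = field(default_factory=list)   # most recent hash first
    temporary: bool = False                               # IA.2.080 state


# Verified against when the user does not exist, so unknown and wrong cost the same.
_DUMMY_HASH = hash_password("placeholder-for-timing-uniformity")


class PasswordPolicy:
    def __init__(self) -> None:
        self.creds: Dict[str, Credential] = {}

    def issue_temporary(self, user: str, temp_pw: str) -> None:
        """IA.2.080: a temporary password is valid only for the change-password flow."""
        self.creds[user] = Credential(history=[hash_password(temp_pw)], temporary=True)

    def check_new_password(self, user: str, old_pw: str, new_pw: str) -> List[str]:
        """Return policy violations; an empty list means the new password is acceptable."""
        cred = self.creds[user]
        problems = []
        if len(new_pw) < MIN_LENGTH:
            problems.append("too short")
        if character_classes(new_pw) < MIN_CHARACTER_CLASSES:
            problems.append("insufficient complexity")
        if changed_characters(old_pw, new_pw) < MIN_CHANGED_CHARACTERS:
            problems.append("too similar to previous")
        if any(verify_password(new_pw, h) for h in cred.history[:HISTORY_GENERATIONS]):
            problems.append("reused")
        return problems

    def change_password(self, user: str, old_pw: str, new_pw: str) -> List[str]:
        cred = self.creds[user]
        if not verify_password(old_pw, cred.history[0]):
            return ["current password incorrect"]
        problems = self.check_new_password(user, old_pw, new_pw)
        if problems:
            return problems
        cred.history.insert(0, hash_password(new_pw))
        del cred.history[HISTORY_GENERATIONS:]      # keep only the last N generations
        cred.temporary = False
        return []

    def login(self, user: str, pw: str) -> str:
        """IA.2.082: the same 'denied' result whether the user is unknown or the
        password is wrong, so the response leaks nothing about valid accounts."""
        cred = self.creds.get(user)
        stored = cred.history[0] if cred else _DUMMY_HASH
        if not verify_password(pw, stored) or cred is None:
            return "denied"
        return "must_change_password" if cred.temporary else "ok"
```

Two details are the ones assessors tend to probe: the history check has to compare against stored hashes, never plaintext, and the login path must not short-circuit on an unknown username, which is why the unknown-user branch still performs a full verification against a dummy hash.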
Level 2 Incident Response (IR) Practices
CMMC Level 2 introduces five Incident Response (IR) practices that require organizations to establish formal incident detection, response, and recovery capabilities.
These practices move organizations beyond ad hoc responses toward structured, repeatable incident management.
The Level 2 Incident Response practices include:
- IR.2.092: Establish incident management capabilities covering preparation, detection, response, and recovery.
- IR.2.093: Monitor systems to detect and report security events in real time.
- IR.2.094: Analyze incidents as they occur and perform triage to support timely resolution.
- IR.2.096: Execute incident response actions based on predefined plans.
- IR.2.097: Conduct root cause analysis following incident resolution.
Level 2 Maintenance (MA) Practices
CMMC Level 2 introduces four Maintenance (MA) practices focused on ensuring systems are properly maintained and that maintenance activities, especially remote or third-party maintenance, do not introduce security risks to Controlled Unclassified Information (CUI).
The Level 2 Maintenance practices include:
- MA.2.111: Perform regular maintenance on organizational systems.
- MA.2.112: Define and enforce controls governing maintenance activities, including approved tools, techniques, mechanisms, and authorized personnel.
- MA.2.113: For nonlocal maintenance conducted over external networks:
  - Require multi-factor authentication (MFA)
  - Terminate connections immediately upon completion
- MA.2.114: Supervise maintenance activities performed by individuals without permanent access authorization or by external service providers.
Level 2 Media Protection (MP) Practices
CMMC Level 2 adds three Media Protection (MP) practices designed to control how system media containing CUI is accessed, stored, and used.
The Level 2 Media Protection practices include:
- MP.2.119: Physically control and securely store all media containing CUI.
- MP.2.120: Restrict access to CUI on system media to authorized users only.
- MP.2.121: Control the use of removable media across all system components.
Level 2 Personnel Security (PS) Practices
At Level 2, two Personnel Security (PS) practices are introduced to reduce insider risk and protect systems during workforce changes.
The Level 2 Personnel Security practices include:
- PS.2.127: Screen individuals prior to granting access to systems containing CUI.
- PS.2.128: Protect systems containing CUI during personnel actions such as transfers and terminations.
Level 2 Physical Protection (PE) Practices
CMMC Level 2 adds one Physical Protection (PE) practice focused on securing facilities and infrastructure that support organizational systems.
- PE.2.135: Monitor and protect the physical environment of information systems, including facilities and supporting infrastructure.
Level 2 Recovery (RE) Practices
Level 2 introduces two Recovery (RE) practices that require organizations to ensure data availability and protect backups containing sensitive information.
The Level 2 Recovery practices include:
- RE.2.137: Perform and test regular system backups.
- RE.2.138: Protect the confidentiality of backup data, including CUI.
Level 2 Risk Management (RM) Practices
CMMC Level 2 adds three Risk Management (RM) practices that formalize how organizations identify, assess, and remediate cybersecurity risks.
The Level 2 Risk Management practices include:
- RM.2.141: Periodically assess risks associated with processing, storing, or transmitting CUI.
- RM.2.142: Conduct vulnerability scans at defined intervals and when new threats are identified.
- RM.2.143: Remediate identified vulnerabilities in accordance with documented risk management procedures.
Level 2 Security Assessment (CA) Practices
At Level 2, three Security Assessment (CA) practices are introduced to ensure controls are assessed, documented, and continuously improved.
The Level 2 Security Assessment practices include:
- CA.2.157: Develop and maintain security plans that define system boundaries, operating environments, and security requirements.
- CA.2.158: Periodically assess the effectiveness of implemented security controls.
- CA.2.159: Develop and execute plans of action to remediate identified weaknesses.
Level 2 System and Communications Protection (SC) Practices
CMMC Level 2 introduces two System and Communications Protection (SC) practices focused on securing network communications and management interfaces.
The Level 2 System and Communications Protection practices include:
- SC.2.178: Disable remote activation of collaborative computing devices and provide user status indicators.
- SC.2.179: Use encryption for network device management sessions.
Level 2 System and Information Integrity (SI) Practices
Finally, three System and Information Integrity (SI) practices are added at Level 2 to ensure systems are monitored and protected against threats.
The Level 2 System and Information Integrity practices include:
- SI.2.214: Monitor security alerts and take timely, appropriate action.
- SI.2.216: Monitor system activity and communications to detect attacks and indicators of compromise.
- SI.2.217: Identify and respond to unauthorized system use.
How to Meet CMMC Level 2 Requirements
Meeting CMMC Level 2 requirements depends on more than implementing technical controls. Level 2 introduces a “documented” process maturity requirement, meaning organizations must maintain clear, consistent documentation showing how all practices are implemented, managed, and sustained.
In total, organizations must document compliance with 55 Level 2 practices, in addition to the 17 practices inherited from Level 1, for a total of 72 practices. This documentation enables repeatability across personnel, systems, and operational changes, an essential requirement for formal assessment.
CMMC Level 2 certification is awarded by an authorized Certified Third-Party Assessment Organization (C3PAO). For many organizations, working with a C3PAO that also provides advisory and readiness support simplifies implementation, documentation, and assessment preparation.
RSI Security supports organizations through every stage of the CMMC process, from readiness assessments to documentation and certification support—helping streamline compliance with CMMC Level 2 requirements.
Get Ready for CUI Protection
Meeting CMMC Level 2 requirements is a critical step toward protecting Controlled Unclassified Information (CUI) and maintaining eligibility for Department of Defense contracts. As organizations transition into documented, assessable security practices, expert guidance can significantly reduce risk and complexity.
RSI Security supports organizations throughout the CMMC Level 2 journey, from readiness assessments and documentation to control implementation and assessment preparation. With over a decade of experience delivering cybersecurity and compliance services, our team has helped DoD contractors strengthen their security posture and align with federal requirements.
If your organization needs support meeting CMMC Level 2 requirements or preparing for CUI protection, contact RSI Security to begin building a defensible path to certification.