CMMC Level 2 Compliance: The Complete Guide to 110 Controls and C3PAO Assessment
CMMC Level 2 requires implementing all 110 NIST SP 800-171 controls to protect CUI. Learn about the 14 control families, self-assessment vs. C3PAO assessment, and POA&M conditional certification.
In our experience preparing defense contractors for CMMC, Level 2 is where compliance shifts from a checklist exercise to a genuine security transformation. The 110 controls from NIST SP 800-171 touch every part of your IT environment, your workforce, and your business processes. Organizations that approach Level 2 as a technology project alone consistently fail.
CMMC Level 2 is the certification tier that applies to the majority of defense contractors who handle Controlled Unclassified Information (CUI). It requires the full implementation of all 110 security controls from NIST SP 800-171 Revision 2, verified through either a self-assessment or an independent assessment by a Certified Third-Party Assessment Organization (C3PAO). This is the level that will appear in most DoD contracts involving CUI as the CMMC program phases in through 2025-2028.
This guide provides a comprehensive walkthrough of Level 2: the 14 control families and what they require, the critical distinction between self-assessment and C3PAO assessment, the Plan of Action and Milestones (POA&M) process for conditional certification, and practical guidance for achieving and maintaining Level 2 status.
The 14 Control Families of NIST SP 800-171
The 110 controls that define CMMC Level 2 are organized into 14 families, each addressing a distinct aspect of cybersecurity. Understanding these families is essential for scoping your compliance effort and organizing your remediation work.
| Control Family | ID | Number of Controls | Focus Area |
|---|---|---|---|
| Access Control | AC | 22 | Who can access what, and under what conditions |
| Awareness and Training | AT | 3 | Security education for the workforce |
| Audit and Accountability | AU | 9 | Logging, monitoring, and audit trail management |
| Configuration Management | CM | 9 | Baseline configurations and change control |
| Identification and Authentication | IA | 11 | Verifying user and device identities |
| Incident Response | IR | 3 | Detecting, reporting, and responding to incidents |
| Maintenance | MA | 6 | System maintenance procedures and controls |
| Media Protection | MP | 9 | Protecting digital and physical media containing CUI |
| Personnel Security | PS | 2 | Personnel screening and access termination |
| Physical Protection | PE | 6 | Physical access controls for facilities and systems |
| Risk Assessment | RA | 3 | Identifying and evaluating security risks |
| Security Assessment | CA | 4 | Evaluating and monitoring security controls |
| System and Communications Protection | SC | 16 | Protecting data in transit and at rest, network security |
| System and Information Integrity | SI | 7 | Flaw remediation, malicious code protection, monitoring |
| Total | | 110 | |
Access Control (22 Controls)
Access Control is the largest family and often the most complex to implement. It covers:
- Account management — Establishing, modifying, disabling, and removing accounts. Every user account in your CUI environment must be managed through a formal process with documented approvals.
- Access enforcement — Implementing the principle of least privilege. Users should have access only to the CUI and systems they need for their specific job function.
- Information flow enforcement — Controlling how CUI moves between systems and network zones. This includes firewall rules, network segmentation, and data loss prevention.
- Separation of duties — Ensuring that no single individual can perform all critical functions, reducing the risk of insider threat and error.
- Remote access — Controlling, monitoring, and encrypting all remote access sessions. With distributed workforces, this family requires particular attention to VPN configurations, remote desktop protocols, and cloud access.
- Wireless access — Protecting and restricting wireless network access. CUI environments should not be accessible over uncontrolled wireless networks.
- Mobile device management — Controlling access from mobile devices, including encryption requirements and remote wipe capabilities.
In our experience, Access Control is where most organizations have the largest number of gaps. The controls are detailed, and many organizations have organic access control practices that have never been formalized or documented.
Awareness and Training (3 Controls)
Only three controls, but they are foundational. Your workforce must:
- Receive security awareness training before accessing systems that process CUI
- Receive role-based training for individuals with specific security responsibilities
- Receive training on recognizing and reporting potential insider threats
What we tell clients: do not treat this as a compliance checkbox. The training must be substantive, documented, and refreshed regularly. Assessors will interview your staff — if employees cannot articulate basic security practices, it reflects poorly on the entire program.
Audit and Accountability (9 Controls)
This family requires you to create, protect, and retain system audit logs sufficient to monitor, analyze, investigate, and report unlawful or unauthorized system activity. Key requirements include:
- Audit logging on all systems that process, store, or transmit CUI
- Correlation and review of audit records to detect anomalous activity
- Protection of audit information from unauthorized modification and deletion
- Audit reduction and report generation capabilities
- Timestamp synchronization across systems (critical for log correlation)
The practical challenge is volume: CUI environments generate enormous quantities of log data. Organizations need a Security Information and Event Management (SIEM) solution or equivalent capability to aggregate, correlate, and review logs effectively. Manual log review is not feasible at scale.
Configuration Management (9 Controls)
Configuration management ensures that your systems are configured securely and that changes are controlled. Key requirements:
- Establish and maintain baseline configurations for all systems in the CUI environment
- Apply security configuration settings (hardening) using industry benchmarks (CIS Benchmarks, DISA STIGs)
- Track, review, approve, and audit all changes to system configurations
- Implement least-functionality by disabling unnecessary services, ports, and protocols
- Restrict and control the use of software that is not authorized
This family intersects heavily with vulnerability management. Systems that are not configured to a secure baseline are systems with known vulnerabilities.
Identification and Authentication (11 Controls)
This family establishes how you verify the identity of users, processes, and devices. Key controls:
- Unique identification for all users (no shared accounts)
- Multi-factor authentication (MFA) for both local and network access
- Replay-resistant authentication mechanisms
- Minimum password complexity and rotation requirements
- Identifier management (provisioning, disabling, removing)
- Authenticator management (password policies, token management)
- Obscuring authentication feedback (no plaintext passwords on screen)
MFA is a non-negotiable requirement for Level 2. Any access to systems that process CUI must use multi-factor authentication. This includes VPN access, cloud application access, and privileged account access.
Incident Response (3 Controls)
Despite having only three controls, incident response is a critical area that assessors examine closely:
- Establish an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities
- Track, document, and report incidents to designated officials and authorities
- Test the organizational incident response capability
You need a documented incident response plan, a trained incident response team, and evidence that you have tested the plan (through tabletop exercises, simulations, or actual incident handling). Simply having a plan on paper is insufficient — assessors want evidence that the plan works in practice.
Media Protection (9 Controls)
Media protection covers both digital and physical media containing CUI:
- Protect, control, and mark media containing CUI
- Limit access to CUI on system media to authorized users
- Sanitize or destroy media before disposal or reuse
- Control the use of removable media (USB drives, external hard drives)
- Encrypt CUI stored on digital media during transport
- Control the use of media in systems connected to the CUI environment
The removable media controls are often underestimated. Many organizations allow unrestricted USB drive use, which creates both data exfiltration risk and malware introduction vectors. Level 2 requires documented policies and technical controls governing removable media.
System and Communications Protection (16 Controls)
The second-largest family, covering data protection in transit and at rest, and network architecture:
- Monitor, control, and protect communications at external and key internal boundaries
- Implement network segmentation between public-facing and internal systems
- Encrypt CUI in transit using FIPS-validated cryptographic mechanisms
- Encrypt CUI at rest on all systems and media
- Deny network traffic by default and allow by exception
- Prevent remote devices from establishing split tunneling connections
- Implement cryptographic mechanisms to protect CUI during transmission
- Control and monitor the use of VoIP technologies
- Protect the authenticity of communications sessions
- Protect CUI at rest
FIPS-validated encryption is a specific requirement that catches many organizations off guard. Using a standard algorithm such as AES-256 is not sufficient on its own — the cryptographic module that implements it must be validated under FIPS 140-2 or FIPS 140-3. This affects your choice of VPN, email encryption, disk encryption, and cloud storage solutions.
Remaining Families
The remaining families — Maintenance (6 controls), Personnel Security (2 controls), Physical Protection (6 controls), Risk Assessment (3 controls), Security Assessment (4 controls), and System and Information Integrity (7 controls) — round out the 110-control set. Each addresses a specific dimension of security:
- Maintenance requires controlled, documented maintenance procedures with multi-factor authentication for remote maintenance sessions
- Personnel Security requires screening individuals before granting access to CUI systems and revoking access upon personnel actions (termination, transfer)
- Physical Protection requires limiting physical access to CUI systems to authorized personnel, maintaining visitor logs, and controlling physical access devices (keys, badges)
- Risk Assessment requires periodic risk assessments, vulnerability scanning, and remediation of vulnerabilities
- Security Assessment requires periodic assessment of security controls, monitoring for effectiveness, and a plan to correct deficiencies
- System and Information Integrity requires timely flaw remediation (patching), malicious code protection (antivirus/EDR), and monitoring for unauthorized activity
Self-Assessment vs. C3PAO Assessment
The CMMC 2.0 framework introduced a critical bifurcation at Level 2: not all CUI-handling contractors need a third-party assessment. The assessment type is determined by the contract, based on the sensitivity of the CUI involved.
Level 2 Self-Assessment
When it applies: Contracts involving CUI that the DoD determines is not critical to national security. The solicitation or contract will specify "CMMC Level 2 — Self-Assessment."
How it works:
- The organization evaluates its implementation of all 110 NIST 800-171 controls
- Gaps are documented in a POA&M with remediation timelines
- The organization calculates its SPRS score (110 minus weighted point values of unmet controls)
- A senior official affirms the results in SPRS
- Affirmation is renewed annually
Key considerations:
- No C3PAO involvement or assessment fee
- Senior official bears personal accountability for accuracy
- The DoD can verify self-assessments through DIBCAC audits at any time
- False affirmations trigger False Claims Act liability
Level 2 C3PAO Assessment
When it applies: Contracts involving CUI that the DoD determines is critical to national security. The solicitation or contract will specify "CMMC Level 2 — C3PAO Assessment."
How it works:
- The organization selects a C3PAO from the Cyber AB marketplace
- The C3PAO conducts an independent assessment against all 110 controls
- Assessors review documentation, interview personnel, examine evidence, and test controls
- The C3PAO determines a score and certification recommendation
- If the organization meets all controls (or qualifies for conditional certification), certification is granted
- Certification is valid for three years, with annual affirmations required
Key considerations:
- Assessment fees vary by scope — contact accredited C3PAOs for current pricing
- Availability of C3PAOs may be constrained during early CMMC phases
- The C3PAO cannot have provided consulting services to the organization (conflict of interest)
- Assessment results are reported to the CMMC Enterprise Mission Assurance Support Service (eMASS)
How to Determine Which You Need
You generally cannot choose your assessment type — the contract dictates it. However, you can anticipate the likely requirement:
| Contract Characteristic | Likely Assessment Type |
|---|---|
| Involves routine CUI (administrative, logistical) | Self-assessment |
| Involves technical data for weapons systems | C3PAO assessment |
| Involves ITAR-controlled technical data | C3PAO assessment |
| Involves CUI related to critical defense programs | C3PAO assessment |
| Small-value subcontract with limited CUI | Self-assessment |
| Prime contract on major defense acquisition program | C3PAO assessment |
What we tell clients: if you have any doubt, prepare for C3PAO assessment. Every organization that is ready for C3PAO assessment is also ready for self-assessment. The reverse is not true.
The SPRS Scoring Methodology
Your SPRS (Supplier Performance Risk System) score is the quantitative measure of your compliance with NIST 800-171. Understanding how it is calculated is important for prioritizing remediation.
How Scoring Works
The maximum SPRS score is 110, representing full implementation of all 110 controls. Each unmet control reduces your score by a weighted value of 1, 3, or 5 points, based on the control's importance:
- 5-point controls — The most critical controls. These typically address fundamental security capabilities like multi-factor authentication, encryption, and access control
- 3-point controls — Important controls addressing significant security functions
- 1-point controls — Supporting controls that contribute to overall security posture
The minimum possible score is -203 (if no controls are implemented). The DoD has not published an official "passing" score for CMMC self-assessment, but your contract may specify a minimum acceptable score for award.
Prioritizing by Impact
When planning remediation, prioritize the highest-value controls first:
- 5-point controls you have not implemented — Each one you remediate adds 5 points to your SPRS score
- Controls that affect multiple systems — A single control implementation that applies across your environment has compounding value
- Controls that are prerequisites for other controls — For example, identification and authentication controls must be in place before access control policies can function effectively
The POA&M Process and Conditional Certification
The Plan of Action and Milestones (POA&M) is a formal document that identifies security controls that are not fully implemented, describes the plan to remediate them, and sets a timeline for completion. Under CMMC Level 2, POA&Ms play a specific role in the certification process.
POA&M Rules Under the Final Rule
The CMMC final rule (32 CFR Part 170) establishes clear parameters for POA&M use:
- Not all controls are POA&M-eligible — The rule identifies a subset of controls that cannot be placed on a POA&M. If these controls are not met at the time of assessment, certification is denied. These non-POA&M-eligible controls represent the minimum baseline that must be in place before any certification can be granted.
- Point limits — There is a maximum number of SPRS points that can be on a POA&M. If your unmet controls exceed this threshold, conditional certification is not available.
- 180-day remediation window — All POA&M items must be fully remediated within 180 days of conditional certification. This is a hard deadline, not a suggested timeline.
- Verification required — The C3PAO must verify that all POA&M items have been successfully closed. This typically involves a follow-up assessment of the specific remediated controls.
- Failure to close — If POA&M items are not closed within 180 days, the conditional certification is revoked. The organization must start the assessment process over.
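As an added worked example (not code from the original article or from Agency), the following Python script applies the SPRS scoring method from the section above and the POA&M rules just listed to a constructed gap list. The 88-point conditional threshold, the 1/3/5 weights and the eligibility flags on the sample gaps are assumptions for illustration; confirm them against the DoD Assessment Methodology and 32 CFR Part 170.

```python
"""SPRS score and POA&M conditional-certification checks (illustrative, not an official DoD tool).

Scoring: start at 110 and subtract the 1/3/5-point weight of every unmet
requirement. Conditional status: no unmet requirement that the rule bars
from a POA&M, total score at or above a threshold, and every POA&M item
closed within 180 days. The threshold and the eligibility flags below are
ASSUMPTIONS for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
MIN_SCORE = -203                 # every one of the 110 requirements unmet
CONDITIONAL_MIN_SCORE = 88       # ASSUMPTION: 80% of the maximum score
POAM_REMEDIATION_DAYS = 180


@dataclass(frozen=True)
class Gap:
    control_id: str      # NIST SP 800-171 Rev 2 requirement number
    weight: int          # 1, 3 or 5 per the scoring methodology
    poam_eligible: bool  # False for requirements the rule bars from a POA&M


def sprs_score(gaps):
    """Each unmet requirement subtracts its weight from 110."""
    score = MAX_SCORE - sum(g.weight for g in gaps)
    assert MIN_SCORE <= score <= MAX_SCORE, "weights out of range"
    return score


def remediation_order(gaps):
    """Non-POA&M-eligible items first, then highest weight first."""
    ordered = sorted(gaps, key=lambda g: (g.poam_eligible, -g.weight, g.control_id))
    return [g.control_id for g in ordered]


def conditional_status(gaps, assessment_date):
    """Return (eligible, blocking_reasons, closeout_deadline)."""
    reasons = []
    barred = [g.control_id for g in gaps if not g.poam_eligible]
    if barred:
        reasons.append("non-POA&M-eligible requirements unmet: " + ", ".join(barred))
    score = sprs_score(gaps)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} below POA&M threshold {CONDITIONAL_MIN_SCORE}")
    deadline = assessment_date + timedelta(days=POAM_REMEDIATION_DAYS)
    return not reasons, reasons, deadline


def closeout_outcome(gaps, closed_ids, deadline, today):
    """Every POA&M item closed by the deadline, or the conditional certification is revoked."""
    still_open = [g.control_id for g in gaps if g.control_id not in closed_ids]
    if not still_open:
        return "certified"
    return "revoked" if today > deadline else "open"


# Constructed sample assessment. Requirement numbers are real NIST 800-171
# identifiers; the gap set, weights and eligibility flags are illustrative.
SAMPLE_GAPS = [
    Gap("3.5.3", 5, poam_eligible=False),  # multifactor authentication
    Gap("3.3.5", 1, poam_eligible=True),   # audit record correlation
    Gap("3.4.9", 1, poam_eligible=True),   # control user-installed software
    Gap("3.8.4", 1, poam_eligible=True),   # mark media containing CUI
]
ASSESSMENT_DATE = date(2025, 6, 1)

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_GAPS))
    print("fix first:", remediation_order(SAMPLE_GAPS))
    ok, why, due = conditional_status(SAMPLE_GAPS, ASSESSMENT_DATE)
    print("conditional eligible:", ok, why, "closeout by", due)
    # Once MFA is remediated, the remaining 3 points can sit on a POA&M.
    after_mfa = [g for g in SAMPLE_GAPS if g.control_id != "3.5.3"]
    ok, why, due = conditional_status(after_mfa, ASSESSMENT_DATE)
    print("after MFA:", sprs_score(after_mfa), ok, "closeout by", due)
```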
What Makes a Good POA&M
For any controls you cannot fully implement before assessment, your POA&M should include:
- Control identification — The specific NIST 800-171 control number and description
- Current state — What is currently implemented (if partial) and what is missing
- Remediation plan — Specific actions to achieve full implementation
- Resources required — Budget, personnel, and technology needed
- Milestones — Intermediate checkpoints with specific dates
- Completion date — Must be within 180 days of conditional certification
- Responsible party — Named individual accountable for remediation
Strategic POA&M Planning
What we tell clients: your POA&M strategy should be deliberate, not reactive. Identify which controls you cannot fully implement before the assessment date and plan specifically for those:
- Ensure non-POA&M-eligible controls are prioritized and fully implemented before assessment
- Keep your total POA&M point value under the threshold
- Have remediation already in progress for POA&M items so the 180-day window is achievable
- Budget for the C3PAO POA&M closeout assessment (this is typically a separate engagement and fee)
Technical Implementation Priorities
Based on our experience with Level 2 assessments, these are the technical capabilities that organizations most frequently need to build or upgrade:
Multi-Factor Authentication (MFA)
Required for all access to CUI systems. Implement MFA for:
- VPN and remote access
- Cloud applications (email, file storage, collaboration tools)
- Privileged account access (system administrators, database administrators)
- Local workstation login for systems that process CUI
Use FIPS 140-2/140-3 validated authenticators where possible. Common solutions include hardware tokens (YubiKey), mobile authenticator apps, and certificate-based authentication.
SIEM and Log Management
Audit and Accountability controls require centralized log collection, correlation, and review. A SIEM solution should:
- Collect logs from all systems in the CUI environment (servers, workstations, network devices, cloud services)
- Correlate events across systems to detect anomalous patterns
- Generate alerts for security-relevant events
- Retain logs for the required period (typically 12 months active, with longer archival)
- Protect log integrity from unauthorized modification
Endpoint Detection and Response (EDR)
Traditional antivirus is generally insufficient for Level 2. EDR solutions provide:
- Real-time monitoring of endpoint behavior
- Automated detection and response to malicious activity
- Forensic capabilities for incident investigation
- Integration with SIEM for centralized visibility
Encryption
FIPS-validated encryption is required for CUI at rest and in transit:
- At rest — Full-disk encryption on all endpoints and servers; encrypted databases and file storage
- In transit — TLS 1.2+ for web traffic, FIPS-validated VPN for remote access, encrypted email for CUI transmission
- Media — Encrypted removable media if USB drives are permitted
Network Segmentation
Isolate the CUI environment from general corporate networks:
- Define a CUI enclave with clearly documented boundaries
- Implement firewall rules controlling traffic between the CUI enclave and other network segments
- Deny traffic by default and allow only necessary communications
- Monitor boundary traffic for anomalous activity
Documentation Requirements
Level 2 requires comprehensive documentation. Assessors evaluate your documentation alongside your technical controls. The primary documents include:
System Security Plan (SSP)
The SSP is your master compliance document. It describes:
- The system boundary and scope of the CUI environment
- How each of the 110 controls is implemented
- Roles and responsibilities for security management
- Network architecture and data flow diagrams
- Hardware and software inventory
- Interconnections with external systems
The SSP is typically 50-200+ pages depending on environment complexity. It must be accurate, current, and specific to your organization — generic templates will not pass assessment.
Plan of Action and Milestones (POA&M)
Documented above — this tracks unmet controls and remediation plans.
Policies and Procedures
Each control family should be supported by documented policies and procedures:
- Access Control Policy
- Audit and Accountability Policy
- Configuration Management Policy
- Incident Response Plan
- Media Protection Policy
- System and Communications Protection Policy
- And others as appropriate
Evidence Artifacts
For C3PAO assessment, prepare evidence for each control:
- Screenshots of system configurations
- Excerpts from policies and procedures
- Audit log samples
- Training records
- Vulnerability scan reports
- Change management records
- Physical access logs
Maintaining Level 2 Compliance
Achieving certification is the beginning, not the end. Level 2 compliance must be maintained continuously:
- Annual affirmation — A senior official affirms continued compliance each year
- Continuous monitoring — Ongoing monitoring of security controls, logs, and vulnerabilities
- Change management — Any significant change to the CUI environment (new systems, network changes, personnel changes) must be evaluated for compliance impact
- Incident response — Security incidents must be handled, documented, and reported per your incident response plan
- Triennial reassessment — After three years, a full reassessment is required for re-certification
Organizations that invest in building compliance into their operational processes — rather than treating it as a periodic assessment event — find that maintenance is manageable and sustainable. Those that let compliance drift between assessments face costly remediation efforts before each reassessment.
Getting Started
If you are beginning your Level 2 journey, start here:
- Identify your CUI — Map where CUI exists in your environment
- Conduct a gap assessment — Evaluate your current state against all 110 controls
- Calculate your SPRS score — Understand your starting position
- Build a remediation plan — Prioritize based on SPRS point values and non-POA&M-eligible controls
- Review the CMMC requirements in detail
- Understand the NIST 800-171 control set that defines Level 2
- Plan for assessment — Determine whether you need self-assessment or C3PAO assessment and budget accordingly
Level 2 is demanding, but it is achievable. Thousands of defense contractors have implemented NIST 800-171 controls under existing DFARS requirements. CMMC adds the verification layer, but the underlying security requirements are the same. Organizations that have been diligently implementing NIST 800-171 are well-positioned for Level 2 certification. Those that have not should start immediately — the phased rollout timeline is not as distant as it may seem.
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.