CMMC

CMMC Level 2 Requirements: A Practical Assessment Checklist for Defense Contractors

CMMC Level 2 Requirements: A Practical Assessment Checklist for Defense Contractors

Update, July 13, 2026: The Department of War has suspended CMMC Phase II, the mandate that would have required third-party (C3PAO) Level 2 certification starting November 10, 2026. A 60-day Reform Task Force is now reviewing the program’s future. Self-assessment requirements, SPRS scoring, annual affirmations, and DFARS 252.204-7012 remain fully in force and are still enforced under the False Claims Act.

If your prime contractor requires a Level 2 certificate on its own terms, that requirement has not changed. For everyone else, an accurate, advisor-reviewed self-assessment is now the main compliance requirement. Read what actually changed and what to do next, or talk to a Carbide advisor.


CMMC Level 2 applies to a large share of Department of Defense contracts, and its requirements span everything from access control to system monitoring. The requirements are detailed, but they follow a logical structure once you know where to start.

Here’s a practical breakdown of what CMMC Level 2 requires and how to prepare for it, from scoping through assessment.

When CMMC Level 2 Requirements Apply to Your Contract

CMMC Level 2 applies to contractors who handle Controlled Unclassified Information (CUI) as part of a DoD contract. Level 2 has two distinct paths rather than a single assessment route, and the contract itself determines which one applies:

  • The CMMC Level 2 Self-Assessment, conducted under 32 CFR 170.16, applies to certain acquisitions and allows the organization to assess itself.
  • The CMMC Level 2 Certification Assessment, conducted under 32 CFR 170.17, applies to prioritized acquisitions and requires certification from a Certified Third-Party Assessment Organization (C3PAO).

CUI Scoping and Asset Inventory for CMMC Level 2

Before mapping controls, define where CUI lives. Build an asset inventory that captures every system, application, and storage location that processes, stores, or transmits CUI, along with the people who access it. That inventory sets your assessment boundary and keeps unrelated systems out of scope, which simplifies preparation and the assessment itself.

The 110 CMMC Level 2 Requirements by NIST Control Family

CMMC Level 2 is built on the 110 security requirements in NIST SP 800-171 Revision 2, grouped into 14 control families, including Access Control, Awareness and Training, Configuration Management, Incident Response, Media Protection, Risk Assessment, and System and Information Integrity. Working through each family individually, rather than treating the requirements as 110 disconnected items, makes gap analysis far more manageable and helps prioritize where to focus first.

CMMC Level 2 Assessment Readiness Checklist

Before scheduling any assessment, confirm the following are in place:

  • A System Security Plan documenting how each requirement is met
  • Written policies covering the relevant control families
  • Evidence collection processes tied to each control
  • Plans of Action and Milestones for any unmet requirements
  • Employee training records showing awareness of security responsibilities

If reviewing this CMMC Level 2 checklist surfaces gaps in your documentation or evidence, that’s the moment to close them. Carbide’s advisory team can review your current SSP, policies, and POA&Ms against the CMMC Level 2 requirements and flag what an assessor is likely to catch.

Review Your CMMC Documentation with an Advisor

Meet CMMC Level 2 Requirements with Carbide’s Software & Expert Advisory Team

Working through CMMC Level 2 requirements involves important decisions about scope, evidence, and timing. Carbide’s CMMC compliance platform tracks your evidence in one place and continuously monitors your environment against the 110 requirements in NIST SP 800-171 Revision 2. Our credentialed advisors, in turn, handle the parts that require human judgment: defining your CUI boundary, reviewing policies for completeness, preparing documentation an assessor will want to see, and coordinating with a C3PAO when your contract requires certification.

Schedule a CMMC consultation with a Carbide advisor to map the CMMC Level 2 requirements against your current program and build a clear plan for your assessment path.

Share