Cybersecurity Maturity Model Certification: SUCCESS’s Guide to Level 2 Compliance

We previously covered the fundamentals of Cybersecurity Maturity Model Certification (CMMC), a set of compliance standards that Department of Defense (DoD) contractors (e.g., manufacturers) need to meet in order to accept supply chain contracts. However, we know that most manufacturing organizations will likely have to adhere specifically to level 2 compliance requirements and might still be a little unsure of what those entail.

To answer some of your most pressing questions, our experts have provided a more in-depth explanation of who exactly needs to be level 2 compliant, what security requirements and controls need to be met, and where and how you can get started with the assessment process. 

What is CMMC Level 2 compliance and how do I know if it applies to my business? 

Starting as soon as May 2023, Level 2 CMMC compliance will be a requirement for any organization that generates, receives, or has access to DoD contract work containing Controlled Unclassified Information (CUI). CUI consists of data or materials that are not considered confidential but also can’t be seen by the general public. This data could include images, blueprints, or documents your organization obtains through a government contract, and should be labeled as such. 

NOTE: In addition to receiving contracts containing CUI, your organization might also be generating it. If that is the case, you’ll need to recognize the data as controlled unclassified information and label it accordingly.

What do I need to do to be CMMC level 2 compliant? 

To achieve level 2 compliance, organizations must meet 110 security controls outlined by the NIST 800-171 framework and be assessed by a registered auditor to validate they are abiding by all required practices and processes. These 110 practices are broken down into 14 domain categories: 

  • Access Control (AC): 22 practices 
  • Awareness Training (AT): 3 practices 
  • Audit & Accountability (AU): 9 practices 
  • Configuration Management (CM): 9 practices 
  • Identification & Authentication (IA): 11 practices 
  • Incident Response (IR): 3 practices 
  • Maintenance (MA): 6 practices 
  • Media Protection (MP): 9 practices 
  • Personnel Security (PS): 2 practices 
  • Physical Protection (PE): 3 practices 
  • Risk Assessment (RA): 6 practices 
  • Security Assessment (CA): 4 practices 
  • System & Communications Protection (SC): 16 practices 
  • System & Information Integrity (SI): 7 practices 


Additionally, it’s possible that your organization has received contracts that already reference Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. This clause requires contractors to:

  1. Safeguard covered defense information 
  2. Report cyber incidents 
  3. Submit malicious software 
  4. Facilitate damage assessments 

DFARS has not historically been strictly enforced. But, as CMMC starts making an appearance on contracts, organizations will need to prove they’re adhering to this clause, too.  

What is the process for getting assessed? 

To confirm you’re eligible to receive DoD contracts containing CUI and are meeting all required security standards, you must first identify a CMMC third-party assessor organization (C3PAO) that is accredited by the CMMC Cyber Accreditation Body and be assessed by either the C3PAO or a certified CMMC assessor (CCA).

As of now, C3PAOs and CCAs are in short supply, so it’s important to start the assessment process soon. All currently accredited C3PAOs and CCAs are listed in the CyberAB Marketplace. 

Once you’ve contracted a C3PAO to perform your assessment, the process is relatively straightforward. Over the course of about two weeks, the assessing body will review your cybersecurity controls, Plan of Action and Milestones (POA&M) document, and System Security Plan (SSP) to ensure you’re meeting all 110 controls and don’t have any outstanding items to check off on your action or security plans. They may also conduct interviews with your technical personnel.

What is the cost of an assessment? 

In short, there’s no one price for an assessment, although it’s estimated to cost between 30 and 40 thousand dollars. This may vary, however, depending on the size of your organization and the complexity of your systems and processes.  

And remember, the cost of becoming a CMMC compliant organization may seem like an exorbitant investment, but committing to that investment and adhering to the compliance requirements ensures you can continue normal business operations and accept supply chain contracts containing CUI.  

Starting your level 2 CMMC compliance journey 

It’s important to note that becoming level 2 compliant isn’t a “one-and-done” task you can check off your to-do list. It’s an ongoing process that will require regular assessments and updates to your cybersecurity practices. And while it may seem overwhelming, the SUCCESS team is here to help you develop a customized plan for implementing the controls you still need to be considered CMMC compliant.

Take the first step; schedule a security consultation today and receive a free network assessment that will help you get started.