What Is CMMC Level 2? A Practical Guide for Government Contractors
If you handle Controlled Unclassified Information for the Department of Defense, CMMC Level 2 is the bar you’ll have to clear — and increasingly, the one that decides whether you can compete for and keep DoD work. The requirements come straight from NIST SP 800-171, but plenty of contractors are still unclear on what Level 2 actually demands, how the assessment works, and what to do first. Here’s the executive-level version.
What CMMC is
The Cybersecurity Maturity Model Certification is the DoD’s way of raising, and verifying, cybersecurity across the defense supply chain. Contractors handling CUI have been contractually required to implement NIST SP 800-171 since DFARS 252.204-7012 took effect, but compliance was self-attested. CMMC adds assessment and verification, so the controls you claim to have are confirmed to actually be implemented and operating.
What Level 2 covers
Level 2 applies to organizations that create, process, store, or transmit CUI. It maps one-to-one to the 110 security requirements in NIST SP 800-171 and exists to protect CUI from unauthorized access, disclosure, or modification. Depending on what the contract specifies, Level 2 is verified either by a self-assessment (with a senior official’s affirmation recorded in SPRS) or by a certification assessment performed by an authorized C3PAO; DoD expects most CUI contracts to require the C3PAO route. For most contractors on programs that involve CUI, Level 2 is the compliance obligation that matters.
What counts as CUI
CUI is unclassified information that the government creates or possesses, or that a contractor creates or handles on the government’s behalf, and that a law, regulation, or government-wide policy requires to be safeguarded or controlled in dissemination. In defense work that typically means technical drawings, engineering data, specifications, and contract details, and it can include material your own staff generate under the contract, not just documents the government marks and sends you. If you touch CUI under a defense contract, protecting it is both a business and a compliance responsibility, and Level 2 defines the controls that get you there.
CMMC Level 2 and NIST 800-171 share one foundation
A common misconception: that Level 2 is a separate framework with its own controls. It isn’t. The 110 NIST 800-171 requirements are the foundation, and Level 2 adds no new ones; what it adds is verification. An assessor scores each requirement against the assessment objectives in the companion document NIST SP 800-171A, and a requirement is met only when every one of its objectives is satisfied and evidenced. That means it’s never just a technology purchase: it’s policies, procedures, governance, documentation, and evidence that the controls do what you say.
The 14 security domains
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Together these cover how you manage access, monitor activity, respond to incidents, protect information, and govern the whole program.
Where contractors get stuck
Most organizations aren’t starting from zero. The hard part is proving controls are consistently in place and properly documented. The usual gaps:
- Incomplete or outdated policies and procedures
- Missing, incomplete, or out-of-date System Security Plan (SSP)
- Weak asset inventory and an unclear assessment scope, so nobody can say which systems touch CUI
- Inconsistent multifactor authentication coverage, typically gaps on privileged accounts, remote access, or legacy systems
- Limited logging, monitoring, audit review, and log retention
- Gaps in vulnerability management and patching
- Vague incident response procedures that have never been exercised
- Little evidence that controls actually work
Why documentation decides outcomes
Teams over-invest in tools and under-invest in proof. Assessors want evidence that controls are implemented and governed through documented processes: SSPs, policies, procedures, risk assessments, incident response records, training logs, asset inventories, and the operational evidence behind them (screenshots, configuration exports, log samples, change tickets). A control that is running but cannot be evidenced against its 800-171A objectives is scored as not met, exactly as if it were absent.
How to prepare
Start well before a formal assessment is on the calendar. Contractors who wait for the contract deadline tend to find gaps that take months to close. Keep in mind that a Plan of Action and Milestones (POA&M) only buys limited time: under the CMMC rule, a Level 2 assessment with open items can only receive conditional status if the score is at least 88 of 110, only certain requirements are eligible for a POA&M at all, and the remaining items must be closed within 180 days or the status lapses.
- Identify everywhere CUI is created, stored, processed, or transmitted, and use that to define the assessment scope and the systems in it
- Measure current controls against the 110 NIST 800-171 requirements and their 800-171A assessment objectives, not just the requirement headlines
- Build or update your SSP so that it describes how each requirement is actually implemented in your environment
- Close the highest-priority security and documentation gaps, starting with any requirement that cannot be placed on a POA&M
- Tighten evidence collection and recordkeeping so that every control has current, retrievable proof
- Run a readiness review before pursuing assessment
How Mythos helps
We help government contractors see where they actually stand, find the gaps, and build a realistic roadmap to readiness — connecting your controls, Microsoft environment, processes, documentation, and business priorities into one sustainable strategy instead of a last-minute scramble.
Mythos provides CMMC readiness and advisory services. Certification is issued by an authorized C3PAO following a formal assessment.