Framework // CMMC Level 2

CMMC Level 2. C3PAO-assessed. 110 controls.

Required for any contractor handling Controlled Unclassified Information (CUI). Third-party assessed by an accredited C3PAO. Since November 2025, self-attestation is over; enforcement is live.

110 controls under NIST 800-171 Rev 2

Overview

CMMC Level 2 maps directly to NIST SP 800-171 Rev 2's 110 security requirements. Unlike Level 1, certification requires an independent third-party assessment by a C3PAO from the Cyber AB ecosystem. There are roughly 70 authorized C3PAOs in the country and 120,000+ contractors who need them.

Assessments examine every assessment objective under every requirement (roughly 320 individual objectives) using the examine / interview / test methodology in NIST 800-171A. Level 2 is valid for three years, with annual DFARS 7019 affirmations and continuous monitoring expected in between.

Scope

Applies to

Any DoD prime or subcontractor that handles CUI: technical drawings, specifications, source selection sensitive information, export-controlled data, PII of personnel under contract.

Flow-down

Primes are contractually required to flow CMMC down to subs. If you touch CUI anywhere in the supply chain, Level 2 will hit you, usually with a short notice window.

Core Requirements

  • All 17 Level 1 practices from FAR 52.204-21
  • 93 additional practices across the 14 NIST 800-171 families (AC, AT, AU, CM, IA, IR, MA, MP, PE, PS, RA, CA, SC, SI)
  • A documented System Security Plan (SSP) describing the environment and control implementation
  • A Plan of Action & Milestones (POA&M) for any controls not yet met, with a 180-day closeout deadline
  • Annual DFARS 7019 affirmation of compliance, signed by a senior official
  • 72-hour cyber incident reporting under DFARS 252.204-7012(c)
  • 6-year retention of incident artifacts and control evidence

How Tolerance Helps

Level 2 is what Tolerance was built for. The entire platform (gap assessment, SSP generation, evidence vault, monitoring) is designed to produce C3PAO-ready documentation in 9–12 weeks at a fixed price, rather than 6–9 months at $120–300k on hourly billing.

Have a contract requiring this framework?

Book a 30-minute call. We'll scope your obligation and give you a fixed-price proposal the same week.