Framework // CMMC Level 2

CMMC Level 2. C3PAO-assessed. 110 controls.

Required for any contractor handling Controlled Unclassified Information (CUI). Third-party assessed by an accredited C3PAO. Since November 2025, self-attestation is over — enforcement is live.

110 controls under NIST SP 800-171 Rev 2

Overview

CMMC Level 2 maps directly to NIST SP 800-171 Rev 2's 110 security requirements. Unlike Level 1, certification requires an independent third-party assessment by a C3PAO from the Cyber AB ecosystem. There are roughly 70 authorized C3PAOs in the country and 120,000+ contractors who need them.

Assessments examine every assessment objective under every requirement — roughly 320 individual objectives — using the examine / interview / test methodology in NIST 800-171A. Level 2 is valid for three years, with annual DFARS 7019 affirmations and continuous monitoring expected in between.

Scope

Applies to

Any DoD prime or subcontractor that handles CUI — technical drawings, specifications, source-selection-sensitive information, export-controlled data, PII of personnel under contract.

Flow-down

Primes are contractually required to flow CMMC down to subs. If you touch CUI anywhere in the supply chain, Level 2 will hit you, usually with a short notice window.

Core Requirements

  • All 17 Level 1 practices from FAR 52.204-21
  • 93 additional practices across the 14 NIST 800-171 families (AC, AT, AU, CM, IA, IR, MA, MP, PE, PS, RA, CA, SC, SI)
  • A documented System Security Plan (SSP) describing the environment and control implementation
  • A Plan of Action & Milestones (POA&M) for any controls not yet met — with a 180-day closeout deadline
  • Annual DFARS 7019 affirmation of compliance, signed by a senior official
  • 72-hour cyber incident reporting under DFARS 252.204-7012(c)
  • 6-year retention of incident artifacts and control evidence

How Tolerance Helps

Level 2 is what Tolerance was built for. The entire platform — gap assessment, SSP generation, evidence vault, monitoring — is designed to produce C3PAO-ready documentation in 6–8 weeks at a fixed price, rather than 6–9 months at $120–300k on hourly billing.

Have a contract requiring this framework?

Book a 30-minute call. We'll scope your obligation and give you a fixed-price proposal the same week.
