CMMC 2.0 Level 2: The 110 Controls You Need Before the Door Closes

Marcus Webb · 11 min read · QAE Research

The Cybersecurity Maturity Model Certification (CMMC) 2.0 final rule went into effect in late 2024, and contractors are now seeing CMMC Level 2 requirements appear in DoD solicitations. If you handle Controlled Unclassified Information (CUI), here is what Level 2 actually demands.

The three CMMC levels

| Level   | Information type                          | Controls                  | Assessment                                  |
|---------|-------------------------------------------|---------------------------|---------------------------------------------|
| Level 1 | Federal Contract Information (FCI)        | 17 (basic safeguarding)   | Annual self-assessment                      |
| Level 2 | Controlled Unclassified Information (CUI) | 110 (NIST SP 800-171)     | Third-party C3PAO assessment every 3 years  |
| Level 3 | CUI – advanced threats                    | 110 + 24 from 800-172     | Government-led assessment                   |

Roughly 80,000 contractors will need Level 2. If you have ever handled CUI – engineering specs, technical drawings, export-controlled data, or research data marked for limited dissemination – Level 2 is the assumption.

What Level 2 actually inherits

CMMC Level 2 is functionally NIST SP 800-171 with teeth. All 110 security requirements from 800-171 Rev 2 are in scope. The change from 800-171 self-attestation to CMMC is the assessment: a Certified Third-Party Assessment Organization (C3PAO) must verify your implementation every three years.

The 14 control families

  1. Access Control (22 controls)
  2. Awareness and Training (3 controls)
  3. Audit and Accountability (9 controls)
  4. Configuration Management (9 controls)
  5. Identification and Authentication (11 controls)
  6. Incident Response (3 controls)
  7. Maintenance (6 controls)
  8. Media Protection (9 controls)
  9. Personnel Security (2 controls)
  10. Physical Protection (6 controls)
  11. Risk Assessment (3 controls)
  12. Security Assessment (4 controls)
  13. System and Communications Protection (16 controls)
  14. System and Information Integrity (7 controls)

The five controls that fail most assessments

3.5.3 – Multifactor authentication for privileged accounts

You need MFA for local AND network access to privileged accounts, and for network access to non-privileged accounts. Many contractors have MFA on SaaS apps but not on local server administration. That is a finding.

3.13.11 – FIPS-validated cryptography

This is the killer for cloud contractors. CUI in motion or at rest must be protected by FIPS 140-2 (or 140-3) validated cryptographic modules. That means AWS GovCloud, Azure Government, or specific Microsoft 365 GCC High tenants. Commercial AWS is not FIPS-validated for most services by default.

3.1.20 – Connections to external systems

Every external connection (vendor SaaS, integration partner, API consumer) must be documented and risk-assessed. Most contractors lack this inventory.

3.8.3 – Sanitization of media

Drives, tapes, and other media containing CUI must be sanitized per NIST SP 800-88 before disposal. You need certificates of destruction.

3.4.6 – Least functionality

Systems must be configured to provide only essential capabilities. This means hardening baselines, removing unused services, and documenting allowed software lists. CIS Benchmarks satisfy this if implemented.
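The assessor will not take "we follow CIS Benchmarks" on faith; they want evidence that what is running matches the documented baseline. The following script is an added example (not QAE's code and not from the original article) of the kind of drift check that produces that evidence for 3.4.6: it compares the services enabled on a Linux host against an approved-services list and turns each deviation into a POAM-style finding. Both the baseline list and the `systemctl list-unit-files` output it parses are constructed here for illustration; on a real host you would feed it the live command output.

```python
"""
Least-functionality drift check for NIST SP 800-171 / CMMC practice 3.4.6.

Compares the services actually enabled on a host against a documented
baseline (the approved-services list the SSP references) and reports
anything enabled but not approved, or approved but not enabled.

The baseline and the systemctl output below are CONSTRUCTED for this
example; they do not describe a real system.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed baseline: the only services the hardened build may enable.
ALLOWED_SERVICES: frozenset[str] = frozenset({
    "sshd.service",
    "auditd.service",
    "chronyd.service",
    "rsyslog.service",
    "firewalld.service",
})

# Constructed sample of `systemctl list-unit-files --type=service --state=enabled`
# from a host that has drifted: cups and vsftpd crept in, rsyslog got disabled.
SAMPLE_UNIT_FILES = """\
UNIT FILE           STATE   PRESET
auditd.service      enabled enabled
chronyd.service     enabled enabled
cups.service        enabled enabled
firewalld.service   enabled enabled
sshd.service        enabled enabled
vsftpd.service      enabled enabled

6 unit files listed.
"""


@dataclass(frozen=True)
class DriftReport:
    unexpected: frozenset[str]  # enabled but not in the baseline -> finding
    missing: frozenset[str]     # in the baseline but not enabled -> finding


def parse_enabled_units(systemctl_output: str) -> set[str]:
    """Extract service unit names whose STATE column is 'enabled'."""
    enabled: set[str] = set()
    for line in systemctl_output.splitlines():
        parts = line.split()
        # Skip the header row, the trailing count line and non-service units.
        if len(parts) < 2 or not parts[0].endswith(".service"):
            continue
        if parts[1] == "enabled":
            enabled.add(parts[0])
    return enabled


def check_drift(enabled: set[str], allowed: frozenset[str]) -> DriftReport:
    """Compare observed services against the approved baseline."""
    return DriftReport(
        unexpected=frozenset(enabled - allowed),
        missing=frozenset(allowed - enabled),
    )


def format_findings(report: DriftReport) -> list[str]:
    """Render each deviation as a finding line suitable for a POAM entry."""
    lines: list[str] = []
    for unit in sorted(report.unexpected):
        lines.append(f"3.4.6 FINDING: {unit} is enabled but not in the approved baseline")
    for unit in sorted(report.missing):
        lines.append(f"3.4.6 FINDING: baseline service {unit} is not enabled")
    return lines


if __name__ == "__main__":
    # On a real host, replace SAMPLE_UNIT_FILES with the output of
    # subprocess.run(["systemctl", "list-unit-files", "--type=service",
    #                 "--state=enabled"], capture_output=True, text=True).stdout
    observed = parse_enabled_units(SAMPLE_UNIT_FILES)
    drift = check_drift(observed, ALLOWED_SERVICES)
    for finding in format_findings(drift) or ["3.4.6: no drift from baseline"]:
        print(finding)
```

Run on a schedule and archive the output alongside the baseline document, and you have a dated evidence trail showing both that a baseline exists and that deviations are detected and tracked, which is what the assessor is actually testing for under 3.4.6.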

The flow-down clause

If you have subcontractors handling CUI, they need CMMC Level 2 too. Prime contractors are responsible for flowing down the requirement and verifying compliance. Audit firms will ask for your subcontractor inventory.

The System Security Plan and POAM

Two documents the C3PAO will demand on day one:

  • System Security Plan (SSP): Comprehensive document describing how each of the 110 controls is implemented. Most SSPs run 80-200 pages.
  • Plan of Action and Milestones (POAM): List of unmet controls with target remediation dates. Note: under CMMC 2.0, POAMs are only allowed for a limited subset of lower-weight controls, and only for 180 days.

Timeline and cost

For a small-to-midsize contractor (50-500 employees) starting from a typical baseline, full Level 2 readiness takes 9-18 months. C3PAO assessment fees typically run $30,000-$150,000 depending on scope and complexity. Add internal labor, GovCloud migration, and tooling and the all-in cost is usually $200K-$800K.

How QAE accelerates Level 2

QAE ships pre-mapped to all 110 NIST 800-171 controls with evidence requirements per CMMC assessment guidance. Our SSP generator turns your environment inventory into a draft SSP in hours instead of months. We also integrate with GovCloud-resident logging and SIEM tools so your evidence stays in compliant tenants.

Want to skip the spreadsheet years?

QAE automates evidence collection across 200+ integrations, maps controls across 20+ frameworks, and gets you audit-ready in 11 weeks.
