CMMC Level 2

CMMC Level 2 is the Advanced tier of the CMMC 2.0 program. It applies to any defense contractor or subcontractor that processes, stores, or transmits Controlled Unclassified Information (CUI) under a DoD contract.

Level 2 requires implementation of all 110 security requirements in NIST SP 800-171 Rev 2, organized across 14 control families. For prioritized acquisitions, certification requires a third-party assessment by an authorized C3PAO every three years. For a smaller subset of non-prioritized contracts, annual self-assessment is permitted.

Level 2 also requires annual affirmation by a senior company official in SPRS, a current System Security Plan (SSP), and ongoing tracking of any open POA&M items against the 180-day closure window. A failed assessment means no contract award; a knowingly false affirmation creates False Claims Act exposure.