CMMC Level 2 Requirements: A Practical Guide for Small Defense Contractors

Small defense contractors tend to hit the same moment. A prime sends over a new subcontract, the flow-down language mentions CMMC, somebody forwards it to IT, and the room fills with acronyms and bad assumptions. The most common one is that every system in the company has to be hardened at once. It usually doesn’t.

The core task is narrower. A contractor needs to understand the CMMC Level 2 requirements, identify where Controlled Unclassified Information (CUI) resides, build defensible controls around that environment, and collect enough evidence to prove those controls are operating. That is different from trying to turn the whole business into a compliance science project.

Small and mid-sized contractors can pass Level 2 without a dedicated compliance team. The companies that struggle aren’t usually the ones with weak technical staff. They are the ones that scope too broadly, document too late, and treat the assessment like a paperwork event instead of an operating model.

What makes Level 2 feel harder than it is

Most SMBs don’t start from zero. They already have Microsoft 365 or Google Workspace, endpoint protection, MFA in some places, a ticketing process, and someone handling backups. The problem is that these pieces often aren’t configured consistently, aren’t limited to the CUI boundary, and aren’t documented well enough for an assessor.

That creates two separate jobs.

  1. Build the controls. Set the technical and administrative safeguards.
  2. Prove the controls. Produce policies, screenshots, logs, diagrams, procedures, and operating records.

Those jobs overlap, but they are not the same. If a control exists only in someone’s head, it does not exist for assessment purposes.

The workable path for a small contractor

A practical Level 2 effort typically starts with four moves.

  1. Identify the contract and data reality. Confirm whether the organization handles CUI, where it enters the business, and who touches it.
  2. Scope a smaller environment. Keep CUI inside a defined boundary instead of letting it spread across every inbox, shared drive, laptop, and vendor connection.
  3. Map gaps to evidence. Ask what an assessor would examine, interview, and test for each practice.
  4. Build for repeatability. The goal is not a one-time event. It is a program a lean team can sustain.

The contractors who cross the finish line without overspending stay disciplined on scope and ruthless about evidence. Everything below builds on those two principles.

Decoding the CMMC Level 2 framework

CMMC becomes easier to understand once the acronyms are connected to a mental model rather than treated as regulatory vocabulary.

  • NIST SP 800-171 is the blueprint.
  • DFARS 252.204-7012 is the contract language that makes the blueprint enforceable.
  • CMMC Level 2 is the inspection model used to verify the blueprint was built correctly.
  • CUI is the protected material inside the building.
  • C3PAO is the authorized inspector.

A contractor that stores, processes, or transmits CUI is subject to the controls. Level 2 is where that foundation is tested in a formal, structured way by an accredited assessor.

Many contractors inherit a messy environment before they inherit a compliance obligation. Email evolved one way, file sharing another, remote access another, subcontractor collaboration another. Then someone asks, “Are we CMMC compliant?” as if that were a yes-or-no setting. It is not. The better question is whether the people, systems, and data handling CUI follow the required practices consistently, and whether the organization can prove it.

The 110 controls, grouped by domain

CMMC Level 2 includes 110 security controls drawn from NIST SP 800-171 Rev. 2, organized into 14 domains. The Department of Defense estimates that roughly 80,000 organizations in the Defense Industrial Base will eventually require a Level 2 certification through a C3PAO.

Domain                                | Abbr. | Purpose
--------------------------------------|-------|------------------------------------------------------------------------
Access Control                        | AC    | Defines who can access systems and CUI, and under what conditions.
Awareness and Training                | AT    | Ensures users understand security responsibilities and risks.
Audit and Accountability              | AU    | Requires logging, review, and accountability for security-relevant activity.
Configuration Management              | CM    | Controls how systems are configured and changed over time.
Identification and Authentication     | IA    | Verifies users and devices are who they claim to be.
Incident Response                     | IR    | Establishes how the organization detects, reports, and handles incidents.
Maintenance                           | MA    | Governs secure maintenance of systems and related access.
Media Protection                      | MP    | Protects CUI on physical and digital media during storage and transport.
Personnel Security                    | PS    | Addresses screening, access changes, and termination actions.
Physical Protection                   | PE    | Limits physical access to systems, facilities, and devices.
Risk Assessment                       | RA    | Requires identifying threats, vulnerabilities, and risk exposure.
Security Assessment                   | CA    | Verifies controls are assessed and tracked over time.
System and Communications Protection  | SC    | Protects data in transit and system communications.
System and Information Integrity      | SI    | Detects, corrects, and mitigates flaws, malware, and integrity issues.

C3PAOs evaluate hundreds of assessment objectives across these domains using three methods: examine, interview, and test. An assessor will not stop at “we have MFA.” They may ask an administrator how it is enforced, examine configuration evidence, and test whether the setting applies to every system in scope. The same pattern applies to encryption, vulnerability management, account control, and logging.

The domains that usually stretch SMBs the most

Access Control and Identification and Authentication

These two domains are where informal habits show up fast. Access tends to grow organically. An engineer needed a folder. A subcontractor needed quick access. A manager kept a local copy. Over time, CUI becomes accessible in too many places by too many identities.

Acceptable practice is tighter than that:

  • Users get only the access their role requires.
  • Shared accounts are avoided or tightly controlled.
  • MFA is enforced consistently.
  • Remote access follows a defined process.
  • Privileged access is limited and reviewed.

If the team still relies on broad shared mailboxes, inherited folder permissions, or admin rights nobody wants to clean up, that is where to start. These issues are visible, assessable, and usually tied directly to the systems touching CUI. For a control-by-control view of what an assessor examines on the email side, see “CMMC Level 2 Email Controls.”

Configuration Management

Configuration Management breaks a lot of assessments because SMBs often run on tribal knowledge. One technician remembers how a server was hardened. Another recalls which browser settings were locked down. A consultant set up endpoint policy last year, and nobody documented the baseline.

A workable approach does not need to be elaborate. It needs to be consistent. Use a defined secure baseline for in-scope systems, document approved software, require changes through a tracked process, and keep records showing what changed, who approved it, and how it was verified. If the hardening standard lives only in memory, the control is fragile.

Audit and Accountability

Logging sounds easy until an assessor asks who reviews the logs, how often, and what happens when something suspicious appears. Many SMBs collect logs but do not operationalize them. They have data, not accountability.

For Level 2, logging must be active. Someone reviews relevant events, exceptions are handled, and activity can be connected to a person or system. Strong evidence usually includes policy language, log retention settings, alert records, review procedures, and examples of follow-up on real events.

System and Information Integrity and Risk Assessment

This is where patching, vulnerability management, malware protection, and remediation discipline become visible. Teams typically have scanners and antivirus. The gap is in follow-through. Vulnerabilities pile up, exceptions are not documented, and old systems linger because production cannot tolerate downtime.

A simple remediation rhythm works: scan the in-scope environment, triage findings, assign owners, document exceptions, and verify closure. It will not be glamorous, but it will be assessable.

Defining the CUI scoping boundary

Most small contractors overspend on CMMC because the scope grows without control. The better approach is to treat CUI like material kept in a vault. The vault does not need to be the whole building. It needs to be clearly defined, properly protected, and supported by the systems that make protection work.

The DoD CMMC Scoping Guide separates in-scope assets into categories:

  • CMMC Assessment Scope (CAS) is the vault itself: assets that store, process, or transmit CUI.
  • Security Protection Assets (SPAs) are the locks, cameras, and alarms: assets that protect the vault.
  • Contractor Risk Managed Assets (CRMAs) are parts of the building that may interact with the environment but do not themselves process CUI.

Not every asset in the business should be treated the same way. If every laptop, phone, app, file share, and collaboration workflow is pulled in, the assessment boundary becomes expensive and painful. If CUI is concentrated into a controlled enclave, the work becomes far more manageable.

A failed scoping effort creates paperwork and often forces rework across diagrams, SSP language, system inventories, vendor reviews, and evidence packages. It also tends to expose hidden dependencies, like unmanaged laptops syncing files locally or third-party tools forwarding messages outside the intended enclave.

What smart scoping looks like

Good scoping starts with data flow, not with technology branding. The working questions:

  • Where does CUI first arrive: email, portal download, customer system, removable media, or a line-of-business application?
  • Where is it stored on purpose: approved mailboxes, structured repositories, project workspaces, engineering systems?
  • Who needs access: specific roles, not whole departments?
  • What protects the boundary: identity, endpoint controls, encryption, monitoring, backups, filtering, administrative procedures?
  • What stays outside: general office apps, HR systems, marketing tools, and everything else with no valid CUI need?

Many contractors benefit from a contained enclave inside a broader business environment. That can be built with segmented infrastructure, hardened cloud tenancy, or a dedicated collaboration stack. Some teams use Microsoft GCC High. Some build segmented commercial cloud environments with careful controls. Some use unified platforms that keep compliant email, file storage, and collaboration inside a single authorization boundary. Every unnecessary asset pulled into scope creates more controls to implement, more evidence to collect, and more questions an assessor can ask.

Want to map this scoping work to the actual control set? Get the free CMMC Level 2 readiness checklist. 30 items across 11 control families, with what a C3PAO expects to see for each one.

Common evidence gaps for SMBs

A Level 2 assessment is a show-your-work exercise. The general framework (documentation versus artifacts, the SSP as the anchor, interviews that test whether policy matches reality) is covered in “What to Expect During a CMMC Compliance Assessment.” Below are the gap patterns that show up most often in smaller contractor environments, where evidence tends to exist in people’s heads rather than in a retrievable record.

Logging exists, but nobody reviews it. Define who checks what, how often, and where the review is recorded. Even a lean process works if it is documented and followed.

Change management is informal. A technician updates a firewall rule, a permission set, or installed software directly in production. Put changes into a tracked workflow with approver, date, purpose, and validation step.

Vulnerability management stops at scanning. The scan report exists, but there is no remediation trail. Assign owners to findings, track decisions, document exceptions, and retain closure evidence.

Access reviews are ad hoc. If the honest answer to “who still has access to CUI folders?” is “probably the same people as last quarter,” that is a finding waiting to happen. Schedule periodic reviews for in-scope systems and keep the decision record.

Policies do not match reality. Generic templates say one thing, the environment does another, and staff describe a third version during interviews. Rewrite templates to match the actual process, even if the process is simpler than the template imagined.

After implementation: an operating model, not an event

The Department of Defense began Phase 1 of the CMMC program rollout on November 10, 2025. For prioritized acquisitions, certification happens through a C3PAO assessment every three years. Limited, non-critical gaps may be handled through a Plan of Action and Milestones, with a 180-day grace period for eligible items. See “What Is a POA&M” for the limits on that path.

The assessment itself is not the endpoint. Contractors need to operate in a way that supports annual affirmations, future reassessments, and quick response if a control weakens between audits. Most of the preparation-stage work described above (boundary definition, in-scope toolset, evidence-as-you-go) is reusable for those recurring obligations. For what fieldwork looks like and how the audit actually runs, see “What to Expect During a CMMC Compliance Assessment.”

Common questions about CMMC Level 2

Do all defense contractors need Level 2?

No. The requirement depends on the contract and the information involved. Level 2 is the concern when the organization handles CUI and the solicitation or flow-down requires that level of protection. The practical first step is to confirm the data type and contract language, then scope the environment around that reality.

Is Level 2 mainly a technology problem?

Partly. The harder half is operating discipline. Most contractors that struggle do not fail because they bought the wrong firewall. They struggle because access is not governed cleanly, procedures are informal, CUI spreads outside the intended boundary, and evidence is assembled too late.

Should a small contractor make the whole business compliant?

Usually not. For most SMBs, that approach is wasteful. A tighter enclave around the people, systems, and workflows that touch CUI is easier to secure and easier to assess. Broad enterprise scope can make sense in some organizations, but it is not the default.

Can a POA&M save a weak assessment?

A POA&M helps with limited, non-critical gaps, but it is not a substitute for readiness. If the control environment is immature, or if scoping and evidence packages are weak, relying on the remediation window is risky. The option was designed for bounded issues that are already understood and can be closed quickly.

What is the fastest way to make this manageable?

Concentrate on three things: define the CUI boundary tightly, standardize the in-scope toolset, and collect evidence as controls are implemented rather than after the fact. That combination does more to reduce friction than buying scattered security products or producing oversized policy binders.

What should leadership ask the internal team right now?

  • Where does CUI enter and leave the company?
  • Which assets are in scope today?
  • What evidence already exists for those assets?
  • Which controls are operating, and which ones are only documented?
  • Who owns remediation by domain?

Those questions usually reveal whether the company has a real program or just a pile of activity.

Get the CMMC Level 2 readiness checklist

30 items across 11 control families, with what a C3PAO expects to see for each one. Subscribers also lock in founding member pricing when IRONKEEP launches.