
CMMC Level 2 Requirements Checklist (Mapped to NIST SP 800-171)

What are the requirements for CMMC Level 2?

CMMC Level 2 requires organizations to implement all 110 security requirements defined in NIST SP 800-171 Revision 2 to protect Controlled Unclassified Information (CUI), and to have that implementation assessed against the assessment objectives in NIST SP 800-171A.

If your organization handles CUI under a DoD contract, Level 2 is the level most subcontractors will need to meet.

CMMC Level 2 is not just a policy exercise — controls must be implemented, documented, and operating effectively.

What is CMMC Level 2 aligned to?

CMMC Level 2 is directly aligned with NIST SP 800-171 Revision 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations".

Although NIST has since published Revision 3, the CMMC program rule currently assesses against Revision 2, so the 110 requirements (and the 320 assessment objectives in NIST SP 800-171A) are the target.

That means the 110 security requirements in NIST 800-171 form the foundation of Level 2 compliance.

CMMC adds assessment rigor and validation on top of those requirements: each requirement is scored MET or NOT MET against the NIST SP 800-171A assessment objectives, either by self-assessment or by a certified third-party assessor, and a senior official must affirm continuing compliance every year.

CMMC Level 2 Checklist by NIST 800-171 Control Family

Below is a simplified checklist organized by control family. This is not the full 110-item list, but a structured overview to help subcontractors assess readiness.

1. Access Control (AC)

You must:

  • Limit system access to authorized users

  • Control the flow of CUI within and between systems

  • Enforce least privilege

  • Control remote access

  • Restrict access to CUI environments

Common gaps:

  • Shared accounts

  • Incomplete MFA coverage

  • Poorly defined CUI boundaries

2. Awareness and Training (AT)

You must:

  • Provide security awareness training

  • Train users on handling CUI

  • Maintain training records

Common gaps:

  • No documented training plan

  • No evidence of completion

3. Audit and Accountability (AU)

You must:

  • Enable logging on systems handling CUI

  • Protect audit logs and logging tools from unauthorized access, modification, and deletion

  • Review logs regularly, and alert on logging process failures

Common gaps:

  • Logging enabled but never reviewed

  • Logs not retained long enough

4. Configuration Management (CM)

You must:

  • Maintain an inventory of systems

  • Establish secure configuration baselines

  • Control changes to systems

Common gaps:

  • No documented baseline

  • No formal change management

5. Identification and Authentication (IA)

You must:

  • Uniquely identify users

  • Enforce strong password controls

  • Implement MFA for all access to privileged accounts and for network access to non-privileged accounts (local logon to a non-privileged account is the only case 800-171 leaves at single factor)

Common gaps:

  • Weak password policies

  • Admin accounts without MFA

6. Incident Response (IR)

You must:

  • Develop an incident response plan

  • Train personnel on response procedures

  • Report cyber incidents as required (under DFARS 252.204-7012, to DoD within 72 hours of discovery)

Common gaps:

  • No formal plan

  • No testing or tabletop exercises

7. Maintenance (MA)

You must:

  • Control and monitor system maintenance

  • Restrict remote maintenance sessions

Common gaps:

  • Unmonitored vendor remote access

8. Media Protection (MP)

You must:

  • Protect physical and digital media containing CUI

  • Sanitize media before disposal

  • Restrict portable storage use

Common gaps:

  • No documented media handling procedures

9. Personnel Security (PS)

You must:

  • Screen individuals before granting access

  • Remove access promptly upon termination

Common gaps:

  • Delayed deprovisioning

10. Physical Protection (PE)

You must:

  • Limit physical access to CUI systems

  • Maintain visitor control procedures

Common gaps:

  • No visitor logs

  • Shared office access without restrictions

11. Risk Assessment (RA)

You must:

  • Conduct periodic risk assessments

  • Scan for vulnerabilities

  • Remediate identified risks

Common gaps:

  • No documented risk assessment process

  • Vulnerability scans not reviewed

12. Security Assessment (CA)

You must:

  • Periodically assess security controls

  • Develop Plans of Action and Milestones (POA&Ms)

  • Monitor remediation efforts

Common gaps:

  • No formal internal assessment

  • POA&Ms not tracked

13. System and Communications Protection (SC)

You must:

  • Encrypt CUI in transit using FIPS-validated cryptography (or protect the path with alternative physical safeguards)

  • Segment networks appropriately

  • Monitor boundary protections

Common gaps:

  • Flat networks

  • Encryption available but not enforced, or not FIPS-validated

14. System and Information Integrity (SI)

You must:

  • Identify and remediate vulnerabilities

  • Deploy anti-malware protections

  • Monitor for malicious activity

Common gaps:

  • Patch management delays

  • No formal vulnerability remediation timeline

What documentation is required for CMMC Level 2?

At minimum, you should maintain:

  • System Security Plan (SSP)

  • Asset inventory

  • Network diagrams

  • Policies and procedures aligned to each control family

  • Incident response documentation

  • Risk assessment records

  • POA&M (if gaps exist)

Documentation must reflect what is actually implemented — not just written intentions.

Do all 110 controls have to be fully implemented?

For Level 2 certification, all applicable requirements must be implemented. The CMMC rule allows a conditional Level 2 status with open items in a POA&M only if the assessment score is at least 80% (88 of 110 points) and no open item is among the higher-weighted requirements the rule excludes from POA&Ms; those items must be closed and reassessed within 180 days, or the conditional status expires. Significant deficiencies therefore cannot be deferred and will delay certification.

How subcontractors should use this checklist

Use this checklist to:

  1. Identify obvious gaps

  2. Scope your CUI environment clearly

  3. Prioritize high-risk controls first

  4. Prepare for formal assessment

Many subcontractors underestimate the documentation and evidence requirements; in practice these cause more trouble than the technical controls themselves.

How Security Pursuit supports CMMC Level 2 readiness

Security Pursuit assists subcontractors with:

  • NIST 800-171 gap assessments

  • CMMC Level 2 readiness reviews

  • Policy and documentation alignment

  • Penetration testing aligned to CUI environments

  • Assessment preparation and evidence review

Our approach focuses on practical, defensible compliance — not unnecessary bureaucracy.

Last updated: February 2026

FAQ

Frequently Asked Questions About CMMC Level 2 Requirements

How many requirements are in CMMC Level 2?

CMMC Level 2 includes 110 security requirements, which are directly aligned with NIST SP 800-171 Revision 2.

Is CMMC Level 2 the same as NIST 800-171 compliance?

CMMC Level 2 is based on NIST 800-171, but it adds structured assessment and validation requirements. Unlike the earlier DFARS model, which relied on a self-reported score posted to SPRS, CMMC requires a formal assessment (self-assessment or third-party, depending on contract type) scored against the NIST SP 800-171A objectives, plus an annual affirmation by a senior official.

Do small subcontractors have to implement all 110 controls?

Yes. If CMMC Level 2 applies to your contract and you handle CUI, all applicable 800-171 requirements must be implemented. Company size does not reduce the control requirements.

What documentation is required for CMMC Level 2?

At minimum, organizations should maintain a System Security Plan (SSP), policies and procedures aligned to each control family, risk assessment documentation, incident response documentation, asset inventories, and a POA&M if gaps exist.

Can we pass CMMC Level 2 with a POA&M?

It depends on the severity of the gaps. A conditional Level 2 status with a POA&M is possible only when the assessment score is at least 80% and every open item is a low-weighted requirement that the rule permits in a POA&M; those items must be closed within 180 days. Higher-weighted gaps (for example, missing MFA) cannot be deferred and will delay certification or contract eligibility.

Is multi-factor authentication required for CMMC Level 2?

Yes. NIST SP 800-171 (3.5.3) requires multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Only local logon to a non-privileged account is left at single factor, so in practice MFA must cover every administrator and all remote access.

Does CMMC Level 2 require encryption?

Yes. CUI must be protected in transit with cryptographic mechanisms (3.13.8), and any cryptography used to protect CUI must be FIPS-validated (3.13.11). Encryption at rest is explicitly required for CUI on mobile devices and mobile computing platforms (3.1.19) and for CUI on digital media transported outside controlled areas (3.8.6); elsewhere it is not mandated by the text, but it is the usual way to satisfy media and physical protection requirements for portable or off-site storage.

How long does it take to become CMMC Level 2 compliant?

Timelines vary, but most small and mid-sized subcontractors require several months to implement controls, document policies, remediate gaps, and prepare evidence for assessment.

Do we need a third-party assessment for Level 2?

It depends on how DoD designates the contract. Level 2 (C3PAO) contracts require a certification assessment by a Certified Third-Party Assessment Organization, valid for three years; Level 2 (Self) contracts allow an annual self-assessment. In both cases a senior official must affirm continuing compliance each year.

What is the biggest challenge subcontractors face with Level 2?

The most common challenges include clearly scoping CUI environments, documenting policies accurately, maintaining evidence, and aligning technical controls with written procedures.
