If you're a defense contractor and you've heard the term "CMMC" thrown around but aren't sure exactly what it means for your business, this guide is for you. We'll break down what CMMC Level 2 is, who needs it, what it actually requires, and what happens if you don't comply.
CMMC Level 2 certification becomes mandatory for most DoD contractors handling Controlled Unclassified Information (CUI) starting November 2026. If you work with the Department of Defense and handle sensitive data, this affects you.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It's a framework created by the US Department of Defense (DoD) to ensure that defense contractors have adequate cybersecurity practices in place to protect sensitive government information.
Before CMMC, contractors self-attested that they met NIST 800-171 security requirements — essentially saying "trust us, we're secure." CMMC changes that by requiring independent, third-party verification for most contractors.
The three levels of CMMC
CMMC has three levels, each building on the previous:
| Level | Name | Requirements | Assessment type |
|---|---|---|---|
| Level 1 | Foundational | 17 basic cyber practices | Annual self-assessment |
| Level 2 | Advanced | 110 NIST 800-171 practices | Third-party C3PAO assessment |
| Level 3 | Expert | 110+ practices + NIST 800-172 | Government-led assessment |
The vast majority of defense contractors who handle CUI fall into Level 2. This includes prime contractors and subcontractors involved in programs that process, store, or transmit controlled information.
Who exactly needs CMMC Level 2?
You likely need CMMC Level 2 if your company:
- Has a contract with the Department of Defense
- Handles, stores, or transmits Controlled Unclassified Information (CUI)
- Is a subcontractor to a prime contractor who handles CUI
- Provides IT services, engineering, manufacturing, or logistics for defense programs
CUI is a broad category that includes technical data, engineering drawings, contract information, financial data related to defense programs, and much more. If you're unsure whether your work involves CUI, check your contract for references to DFARS clause 252.204-7012 or CUI handling requirements.
The 14 domains of CMMC Level 2
CMMC Level 2 maps directly to the 110 security practices in NIST Special Publication 800-171. These are organized into 14 domains:
| Domain | Code | Controls |
|---|---|---|
| Access Control | AC | 22 |
| Awareness and Training | AT | 3 |
| Audit and Accountability | AU | 9 |
| Security Assessment | CA | 4 |
| Configuration Management | CM | 9 |
| Identification and Authentication | IA | 11 |
| Incident Response | IR | 3 |
| Maintenance | MA | 6 |
| Media Protection | MP | 9 |
| Personnel Security | PS | 2 |
| Physical Protection | PE | 6 |
| Risk Assessment | RA | 3 |
| System and Communications Protection | SC | 16 |
| System and Information Integrity | SI | 7 |
What happens if you don't comply?
Starting November 2026, DoD contracts will require CMMC certification as a condition of award. If you're not certified:
- You cannot bid on new DoD contracts that require CMMC Level 2
- Existing contracts may not be renewed
- If you're a subcontractor, your prime contractor may be required to terminate your subcontract
- False claims of compliance can result in significant legal liability under the False Claims Act
How long does getting certified take?
The timeline varies significantly depending on your current security posture. Companies starting from scratch typically need 6–12 months to implement all required controls. Companies with existing security programs may need 3–6 months to close gaps and prepare documentation.
The C3PAO assessment itself takes 2–4 weeks once you're ready. Given that November 2026 is approaching, most contractors should be starting their preparation now.
What does a CMMC Level 2 assessment involve?
A C3PAO (Certified Third-Party Assessor Organization) will evaluate your implementation of all 110 NIST 800-171 practices. They will review your System Security Plan (SSP), interview your staff, examine your technical configurations, and review evidence that each control is implemented.
Common findings that cause contractors to fail include missing multi-factor authentication, inadequate audit logging, unencrypted sensitive data, no vulnerability scanning program, and missing incident response documentation.
Preparing your SSP and POAM (Plan of Action and Milestones) before the assessment is essential. These documents are required and take most contractors weeks to prepare manually. Tools like AuditSolz generate them automatically from your assessment answers.
The bottom line
CMMC Level 2 is not optional for contractors handling CUI. The November 2026 deadline is firm, and the preparation window is closing. The good news is that most of the 110 controls are practical, achievable requirements — not exotic security measures. With the right tools and a clear roadmap, most contractors can get compliant well before the deadline.
The worst thing you can do is wait. Start your readiness assessment today, understand your gaps, and give yourself enough time to fix them properly.