CMMC Level 2 Advanced Compliance

Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

By Chad Griffith

CMMC Level 2 Advanced applies to defense contractors and subcontractors that process, store, or transmit Controlled Unclassified Information (CUI). It requires implementation of all 110 controls from NIST Special Publication 800-171 Revision 2 ('Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'). Certification at Level 2 is achieved through either C3PAO third-party assessment (for prioritized CUI) or contractor self-assessment (for non-prioritized CUI), both with senior official affirmation submitted to SPRS.

Who Needs CMMC Level 2

Level 2 applies to any defense contractor that handles Controlled Unclassified Information. CUI categories include defense-related technical data (e.g., specifications, drawings, performance data), personnel information, financial data, procurement information, and many other categories defined in the CUI Registry maintained by the National Archives and Records Administration. The DoD designates whether contracts involve 'prioritized CUI' or 'non-prioritized CUI' based on data sensitivity.

The 110 NIST 800-171 Controls

NIST SP 800-171 r2 organizes 110 security requirements into 14 control families: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI). Each control has both a Basic Security Requirement and one or more Derived Security Requirements.

Assessment Path: C3PAO vs Self-Assessment

The DoD designates each Level 2 contract as either 'C3PAO required' (third-party assessment) or 'self-assessment permitted' based on the sensitivity of the CUI involved. The final rule estimates that more than 80,000 contractors will require C3PAO assessment. C3PAOs are Certified Third-Party Assessor Organizations authorized by Cyber AB. Each C3PAO employs Certified Assessors who evaluate contractor implementation of all 110 controls. Self-assessment is permitted only for the lower-sensitivity 'non-prioritized CUI' designation.

Required Artifacts: SSP and POAM

Level 2 requires two core artifacts.

System Security Plan (SSP): a comprehensive document describing how each of the 110 controls is implemented in the contractor's environment. The SSP names the systems in scope, control implementation details, responsible parties, and any deviations or compensating controls.

Plan of Action & Milestones (POAM): documents controls that are not yet fully implemented, with planned remediation actions, responsible parties, target completion dates, and resources required.

Conditional vs Final Certification

Under CMMC 2.0, contractors with most controls implemented but with some controls remaining in POAM status can achieve Conditional CMMC Status. Conditional certification is valid for 180 days during which the POAM items must be completed. After 180 days, contractors must demonstrate full implementation to achieve Final CMMC Status. Failure to complete POAM items within 180 days results in loss of certification and contract eligibility.

Frequently Asked Questions

What is the difference between Level 1 and Level 2?

Level 1 is for contractors handling only Federal Contract Information (FCI) and requires 17 practices aligned with FAR 52.204-21. Level 2 is for contractors handling Controlled Unclassified Information (CUI) and requires 110 controls from NIST SP 800-171 r2. Level 2 also generally requires third-party assessment by a C3PAO rather than self-assessment, with the assessment path determined by CUI prioritization.

How long does CMMC Level 2 certification take?

Typical timeline: 6-18 months from initial gap assessment to certification. The path includes: gap assessment (2-4 weeks), remediation planning (1-2 months), control implementation (3-9 months), pre-assessment readiness review (1 month), C3PAO assessment (1-2 weeks on-site plus reporting), and final certification issuance (1-2 months). Smaller organizations move faster; complex enterprise environments take longer.

What is a POAM?

A Plan of Action & Milestones (POAM) is a formal document listing controls that are not yet fully implemented, with planned remediation actions, responsible parties, target completion dates, and required resources. POAMs allow Conditional CMMC certification but must be completed within 180 days to maintain certification. POAM is also a required artifact under DFARS 252.204-7012 separate from CMMC.

How long is Level 2 certification valid?

Final CMMC Level 2 certification is valid for three years, with annual senior official affirmations during the certification period. After three years, recertification requires a new C3PAO assessment (or self-assessment for non-prioritized CUI). Conditional certification is valid for only 180 days.
