Essential Facts About CMMC Level 2: What Contractors Need to Know
CMMC Level 2 is the gate for handling Controlled Unclassified Information (CUI). If your contracts involve CUI, this level determines whether you can compete.
Types of Level 2 Assessments
There are two paths under CMMC Level 2, depending on how the DoD designates the contract:
Self-Assessment
Allowed for certain Level 2 efforts. Organizations assess against NIST SP 800-171, submit results to SPRS, and provide annual senior-official affirmations.
Third-Party Assessment
Required for designated Level 2 contracts. A CMMC Third Party Assessment Organization (C3PAO) validates compliance before award.
The assessment type is driven by the contract, not contractor preference.
Scope and Certification
Level 2 scope includes:
CUI assets
Assets that protect CUI
Risk-managed assets as defined in 32 CFR § 170.19
Certifications may allow limited POA&Ms, but they are tightly scoped and time-bounded. All open items must be closed within defined timelines or certification is at risk.
Controls and Supply Chain Impact
Level 2 aligns to NIST SP 800-171, assessed using the 800-171A methodology. Requirements apply not only to primes but also flow down to any subcontractor that handles CUI.
Why This Matters
If a contract requires CMMC Level 2 and you do not meet the requirement, you cannot bid. There is no exception and no grace period once the clause appears.
What to Do Now
Update your System Security Plan, validate control implementation, and determine whether your work is likely to require a self-assessment or C3PAO assessment. Waiting for a solicitation leaves no room to recover.
CMMC Level 2 is not optional. It is eligibility.