
CMMC Level 2 Requirements & Certification Guide (2026)
This guide explains what CMMC Level 2 actually requires, when self-assessment is allowed, how the compliance boundary is established, what the timeline usually looks like, and what organizations should realistically expect in terms of cost and effort.
If your organization handles Controlled Unclassified Information (CUI) for the Department of Defense, CMMC Level 2 is the compliance standard that matters most. It is the level tied to the 110 security requirements in NIST SP 800-171 Rev. 2, and depending on the contract, it may require either a self-assessment or a third-party assessment by a C3PAO.

What is CMMC Level 2?
CMMC Level 2 is the Department of Defense’s assessment level for contractors that handle CUI. The underlying requirements come from NIST SP 800-171 Rev. 2, and the formal rule explains that Level 2 can be verified in one of two ways: Level 2 (Self) or Level 2 (C3PAO). Which path applies is determined by the requirement in the solicitation or contract, not by the contractor’s preference alone.
That distinction matters. Many organizations say “we need Level 2,” but what they really need to know is whether their contract path is self-assessed Level 2 or certified Level 2 through a C3PAO.

When Is a Level 2 Self-Assessment Allowed?
A Level 2 self-assessment is allowed only when the solicitation or contract requires Level 2 (Self). The 32 CFR rule states that the organization seeking assessment must implement the 110 Level 2 requirements, perform the self-assessment in accordance with NIST SP 800-171A, upload results into SPRS, and submit the required affirmation. To remain compliant, the self-assessment must be repeated every three years, with affirmation submitted annually.
The same rule also makes clear that for contract eligibility, the contractor must have a current Conditional Level 2 (Self) or Final Level 2 (Self) status in SPRS and a submitted affirmation before award.
What "self-assessment" does not mean
Self-assessment does not mean partial compliance or informal good-faith effort. The organization still has to implement the same 110 Level 2 requirements, assess them using the prescribed method, maintain evidence, and manage any allowed POA&M items under the rule’s conditions. The DoD also reserves the right to conduct a DIBCAC assessment that can override an existing Level 2 (Self) status if the organization has not actually achieved or maintained compliance.

In Practice
Level 2 self-assessment is appropriate only when the contract specifically permits Level 2 (Self). It is still real compliance, still requires full implementation, and still creates documentation and evidence obligations.
When Is a C3PAO Assessment Required?
A C3PAO assessment is required when the solicitation or contract requires Level 2 (C3PAO). In that case, the organization must hire a Cyber AB-authorized C3PAO to perform the certification assessment. The 32 CFR rule expressly distinguishes Level 2 (C3PAO) from Level 2 (Self) by the method of verification.
The DFARS final rule further confirms that CMMC includes both Level 2 (Self) and Level 2 (C3PAO), and that the required level is determined for the prime contract by the program office or requiring activity and for lower tiers by the prime or next higher-tier subcontractor, consistent with the scoping rules in 32 CFR 170.19.
The practical takeaway
If your work involves meaningful CUI and a contract requires Level 2 (C3PAO), you cannot substitute a self-assessment. You need a formal assessment path, and that means planning for assessor availability, evidence preparation, and the possibility of conditional findings and closeout work.

The Compliance Boundary: What It Is and How It Is Established
The compliance boundary is not just “the computers we care about.” Under the CMMC scoping rule, the Level 2 assessment scope includes:
- assets that process, store, or transmit CUI
- assets that provide security protection for those assets
- contractor risk managed assets that can, but are not intended to, process, store, or transmit CUI
- certain specialized assets that must still be documented even if not assessed against all requirements
The official scoping structure
The rule says Level 2 scoping consists of all assets that process, store, or transmit CUI, plus all assets that provide security protections for those assets. It also explains that contractor risk managed assets must be documented and may receive limited checks, while specialized assets must be documented but are not assessed against all Level 2 requirements.
Why your MSP, ESP, & cloud providers matter
The rule explicitly addresses External Service Providers (ESPs) and cloud service providers. If an ESP provides services used to meet your requirements, its use, relationship, and services must be documented in the SSP, and the services used to meet your requirements are assessed within the scope of your assessment. For cloud and ESP arrangements, the customer responsibility matrix must be documented or referenced in the SSP.
That is why we describe the compliance boundary as including:
- your technology
- your users
- your documented processes
- your vendors
- the providers that support or secure the environment
If a provider is involved in protecting, administering, or enabling the in-scope environment, it can affect your compliance position.
How the boundary is established in practice
A defensible Level 2 boundary is usually established by:
- identifying where CUI is processed, stored, or transmitted
- identifying the assets that protect those systems
- documenting connected systems and contractor risk managed assets
- mapping external providers and inherited controls
- reflecting all of that in the asset inventory, network diagram, and SSP
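As an added illustration (not part of this guide, and not an official DoD or Cyber AB tool), the following Python script applies the scoping steps above to a constructed asset inventory: it sorts each record into the Level 2 asset categories named in the scoping rule, then reports the documentation gaps an assessor would look for, namely in-scope assets missing from the asset inventory, network diagram, or SSP, and external service providers used without a documented customer responsibility matrix. The record fields, hostnames, provider names, and the precedence used when an asset fits more than one category are assumptions of this example.

```python
"""Scope-inventory check for a CMMC Level 2 boundary (added example).

Classifies each asset record into the Level 2 asset categories from the
scoping rule and reports documentation gaps. The record fields and the
sample inventory are assumptions, not an official DoD or Cyber AB schema.
"""
from dataclasses import dataclass
from typing import Optional

# Level 2 asset categories named in the scoping rule (32 CFR 170.19).
CUI = "CUI Asset"
SPA = "Security Protection Asset"
CRMA = "Contractor Risk Managed Asset"
SPECIALIZED = "Specialized Asset"
OUT = "Out-of-Scope Asset"


@dataclass
class Asset:
    """One row of a constructed asset inventory (field names are assumptions)."""
    name: str
    handles_cui: bool = False          # intended to process, store, or transmit CUI
    protects_cui_assets: bool = False  # provides security protection for CUI assets
    can_handle_cui: bool = False       # able to, but not intended to, handle CUI
    specialized: bool = False          # OT, IoT, test equipment, and similar
    in_inventory: bool = False         # listed in the asset inventory
    on_diagram: bool = False           # shown on the network diagram
    in_ssp: bool = False               # described in the System Security Plan
    esp: Optional[str] = None          # external service provider operating it, if any


def categorize(asset: Asset) -> str:
    """Map an asset to its Level 2 category.

    Specialized assets are checked first because they may handle CUI yet are
    documented rather than assessed against every requirement; the remaining
    precedence (CUI, then protection, then risk managed) is an assumption of
    this example, not text from the rule.
    """
    if asset.specialized:
        return SPECIALIZED
    if asset.handles_cui:
        return CUI
    if asset.protects_cui_assets:
        return SPA
    if asset.can_handle_cui:
        return CRMA
    return OUT


def scope_summary(assets: list[Asset]) -> dict[str, list[str]]:
    """Group asset names by category so the boundary can be reviewed at a glance."""
    summary: dict[str, list[str]] = {c: [] for c in (CUI, SPA, CRMA, SPECIALIZED, OUT)}
    for a in assets:
        summary[categorize(a)].append(a.name)
    return summary


def find_gaps(assets: list[Asset], crm_documented: set[str]) -> list[str]:
    """Report documentation gaps for every in-scope asset.

    Each in-scope asset must appear in the asset inventory, the network diagram
    and the SSP; any asset delivered by an ESP needs that provider's customer
    responsibility matrix documented or referenced in the SSP (crm_documented
    holds the ESP names for which that has been done).
    """
    gaps: list[str] = []
    for a in assets:
        cat = categorize(a)
        if cat == OUT:
            continue
        for present, artifact in ((a.in_inventory, "asset inventory"),
                                  (a.on_diagram, "network diagram"),
                                  (a.in_ssp, "SSP")):
            if not present:
                gaps.append(f"{a.name} [{cat}] missing from the {artifact}")
        if a.esp and a.esp not in crm_documented:
            gaps.append(f"{a.name} [{cat}] uses ESP '{a.esp}' with no customer "
                        "responsibility matrix in the SSP")
    return gaps


# Constructed sample inventory; hostnames and provider names are made up.
SAMPLE_INVENTORY = [
    Asset("fileserver-01", handles_cui=True, in_inventory=True, on_diagram=True, in_ssp=True),
    Asset("siem-collector", protects_cui_assets=True, in_inventory=True, on_diagram=False, in_ssp=True),
    Asset("eng-laptop-07", can_handle_cui=True, in_inventory=True, on_diagram=True, in_ssp=True),
    Asset("cnc-controller", specialized=True, handles_cui=True, in_inventory=True, on_diagram=True, in_ssp=False),
    Asset("cloud-tenant", handles_cui=True, in_inventory=True, on_diagram=True, in_ssp=True, esp="CloudProvider-A"),
    Asset("msp-rmm-agent", protects_cui_assets=True, in_inventory=True, on_diagram=True, in_ssp=True, esp="MSP-B"),
    Asset("guest-wifi-ap"),
]
SAMPLE_CRM_DOCUMENTED = {"CloudProvider-A"}  # ESPs whose CRM is referenced in the SSP

if __name__ == "__main__":
    for cat, names in scope_summary(SAMPLE_INVENTORY).items():
        print(f"{cat}: {', '.join(names) or '-'}")
    for gap in find_gaps(SAMPLE_INVENTORY, SAMPLE_CRM_DOCUMENTED):
        print("GAP:", gap)
```

Run as a script, it prints the boundary grouped by category and three gaps for the sample: the SIEM collector is absent from the network diagram, the CNC controller is absent from the SSP, and the MSP's agent is delivered by a provider with no customer responsibility matrix on file. Out-of-scope assets are skipped entirely, which mirrors the point above that the boundary is defined by what handles or protects CUI, not by which machines the organization happens to care about.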
The 110 Level 2 Requirements, in Plain English
Level 2 is built on the 110 NIST SP 800-171 requirements across 14 control families. On paper, that can sound like a pure technical checklist. In practice, the requirements fall into three broad categories:
Technical safeguards
These are the controls people usually think of first: access control, MFA, logging, endpoint protection, secure configuration, backups, and similar technical measures.
Operational discipline
Level 2 also requires repeatable operating behavior: incident response, account lifecycle management, media handling, training, and change practices that match what the organization says it does.
Documentation and evidence
Assessments are not passed by technology alone. The rule repeatedly ties compliance to evidence, SSP documentation, assessment procedures, artifact retention, affirmation, and closeout requirements.
What the Journey to CMMC Usually Looks Like
Understand the Starting Point
Determine whether the organization is actually handling CUI, what level applies, and whether the contract path points to self-assessment or C3PAO certification.
High Level: What Does CMMC Cost?
There is no universal Level 2 price. A small, tightly scoped environment that is already mature will cost far less than a broad environment with weak documentation, limited security tooling, and multiple external dependencies.
- Level 2 C3PAO assessment fees: between $30K and $100K+
- One-time project fee for readiness, remediation, and documentation: between $40K and $200K
- Ongoing monthly support: starts around $350 per user

Common Mistakes Organizations Make
One of the biggest mistakes is assuming Level 2 is mostly a tooling exercise. The official scoping and assessment requirements make clear that this is also a documentation, responsibility, and evidence problem.
Another common mistake is defining the scope too casually. If the boundary is poorly established, the SSP, the inherited control picture, and the assessment evidence all become unstable.
A third mistake is waiting too long to think about assessment logistics. There may not be a single published national queue time, but market signals are clear enough that organizations should not assume they can call a C3PAO the moment they feel “ready” and immediately get a slot.
What should you do next?
If you made it this far, you are probably wondering what you need to do next. Generally speaking, it can help to answer a smaller set of important questions:
- Are we truly handling CUI?
- Does our contract path point to Level 2 (Self) or Level 2 (C3PAO)?
- What exactly is our compliance boundary?
- Which providers and inherited controls are part of that boundary?
- How far are we from a defensible assessment position?
Those questions determine scope, timeline, cost, and risk. And until they are answered clearly, most organizations are guessing.
Final Note on Accuracy
CMMC is now grounded in formal rulemaking, contract clauses, and published scoping guidance. But market conditions—especially assessor capacity, pricing, and readiness timelines—can change quickly. The official rules are the best source for what is required; market pricing and scheduling should be treated as planning ranges, not guaranteed outcomes.