The Cybersecurity Maturity Model Certification (CMMC) framework was developed by the U.S. Department of Defense (DoD) to ensure that contractors and subcontractors implement robust cybersecurity practices.
What is CMMC Level 2?
CMMC Level 2 represents a significant step up from Level 1, introducing advanced requirements to protect controlled unclassified information (CUI). This type of information requires safeguarding or dissemination controls pursuant to federal law, regulation, or government-wide policy.
CMMC Level 2 applies to organizations in the Defense Industrial Base (DIB) that work with sensitive technical data, engineering drawings, specifications, or other forms of CUI. These companies must demonstrate a higher level of cyber maturity and operational discipline.
To meet Level 2 requirements, many businesses rely on managed service providers (MSPs) and cybersecurity vendors like Field Effect, who tailor their solutions to align with CMMC protocols. These providers offer tools such as managed detection and response (MDR), endpoint protection, and continuous monitoring to help organizations meet the rigorous demands of Level 2.
“CMMC Level 2 is where cybersecurity becomes a strategic priority,” says Matt Lewis, Chief Security Officer at Field Effect. “It’s not just about checking boxes—it’s about building a resilient security posture that can withstand sophisticated threats.”
CMMC Level 2 includes 110 cybersecurity practices
These practices map one-to-one to the 110 security requirements in NIST SP 800-171 (Rev. 2), which are grouped into 14 requirement families, including:
- Access control
- Awareness and training (security awareness training)
- Configuration management
- Incident response
- Risk assessment
- System and communications protection
- System and information integrity (for example, malicious code protection, which is where anti-malware tooling is required)
Unlike Level 1, which is self-assessed, Level 2 generally requires a certification assessment by a CMMC Third Party Assessment Organization (C3PAO) for contractors that handle CUI; a subset of Level 2 contracts, identified in the solicitation, permit an annual self-assessment instead. This formal assessment verifies that the organization has implemented the required practices and can produce evidence for them, typically a system security plan and supporting documentation for each requirement.
Who needs to comply with CMMC Level 2?
Any company that stores, processes, or transmits CUI as part of a DoD contract must meet CMMC Level 2 requirements. This includes:
- Defense contractors involved in R&D, manufacturing, or engineering of military systems
- Technology firms developing software or hardware for DoD use
- Subcontractors who receive CUI from prime contractors, such as component manufacturers or testing labs
- Professional services firms (e.g., legal, accounting, consulting) that access CUI through their support of DoD projects
Examples include:
- A software company building mission-critical applications for the DoD
- A metal fabrication shop producing parts based on sensitive design files
- A consulting firm reviewing internal DoD documentation containing CUI
Why CMMC Level 2 compliance matters
CMMC Level 2 is essential for protecting sensitive information that, if compromised, could impact national security. It ensures that companies across the DIB adopt consistent and effective cybersecurity practices.
As CMMC 2.0 continues to evolve, organizations must prepare for formal assessments and ongoing compliance. Failure to meet Level 2 requirements can disqualify a company from bidding on contracts involving CUI, making cybersecurity readiness a competitive advantage.