CMMC Level 2:
Advanced Cybersecurity
CMMC Level 2 applies to DoD contractors that handle Controlled Unclassified Information (CUI). It encompasses all 110 security practices of NIST SP 800-171 r2 across 14 domains — and requires a formal third-party assessment by a Cyber-AB accredited C3PAO.
Galaxy Consulting has achieved CMMC Level 2 certification. This accomplishment gives us direct, first-hand insight into exactly what your organization will face.
Who Needs CMMC Level 2?
CMMC Level 2 is required for any DoD contractor or subcontractor that handles Controlled Unclassified Information (CUI) — a category of sensitive but unclassified federal data that requires protection under law, regulation, or government-wide policy.
CUI includes export-controlled technical data, defense technical information, personally identifiable information (PII), and other sensitive categories defined by the CUI Registry maintained by the National Archives and Records Administration (NARA).
If your DoD contract includes a DFARS 252.204-7012 clause or references NIST SP 800-171 compliance, you almost certainly need CMMC Level 2. As the DoD phases CMMC into solicitations, non-compliant companies will be ineligible to bid.
Key Facts About CMMC Level 2
Understanding the Difference
Level 1 vs. Level 2 — What Changes?
CMMC Level 1
- 17 security practices across 6 domains
- Protects Federal Contract Information (FCI)
- Annual self-assessment — no third party required
- Based on FAR 52.204-21
- Required for all DoD contractors with FCI
CMMC Level 2
- 110 security practices across 14 domains
- Protects Controlled Unclassified Information (CUI)
- Formal C3PAO third-party assessment required
- Based on NIST SP 800-171 r2
- Required for contractors that handle CUI
CMMC Level 2 is a superset of Level 1 — all 17 Level 1 practices are included within the 110 Level 2 practices.
The Requirements
The 14 CMMC Level 2 Domains
All 110 practices from NIST SP 800-171 r2 are organized into 14 security domains. Every organization seeking Level 2 must demonstrate compliance across all domains. Key representative practices are shown below.
Access Control
22 practices
Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).
Control the flow of CUI in accordance with approved authorizations. Enforce information flow policies between interconnected systems.
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Monitor and control remote access sessions. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Protect wireless access using authentication and encryption. Identify and authenticate wireless users prior to granting access.
Verify and control/limit connections to external information systems. Prohibit the use of portable storage devices on external systems without verifiable controls.
Showing representative practices — AC domain contains 22 total practices in NIST SP 800-171 r2.
Awareness & Training
3 practices
Ensure personnel are aware of the security risks associated with their activities and of applicable policies, standards, and procedures related to CUI.
Ensure personnel are trained to carry out their assigned information security responsibilities. Provide role-based security training before authorizing access.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Showing representative practices — AT domain contains 3 total practices in NIST SP 800-171 r2.
Audit & Accountability
9 practices
Create and retain system audit logs to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity.
Ensure the actions of individual users can be traced to those users so they can be held accountable for their actions.
Correlate audit record review, analysis, and reporting processes for investigation of and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
Showing representative practices — AU domain contains 9 total practices in NIST SP 800-171 r2.
Configuration Management
9 practices
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation).
Establish and enforce security configuration settings for information technology products used in organizational systems.
Configure systems to provide only essential capabilities, prohibiting or restricting functions, ports, protocols, and services not required.
Showing representative practices — CM domain contains 9 total practices in NIST SP 800-171 r2.
Identification & Authentication
11 practices
Identify and authenticate organizational users, processes acting on behalf of users, and devices before allowing access to organizational systems.
Use multi-factor authentication for local and network access to privileged accounts and remote access to non-privileged accounts.
Enforce minimum password complexity and change requirements. Prohibit password reuse for a specified number of generations.
Showing representative practices — IA domain contains 11 total practices in NIST SP 800-171 r2.
Incident Response
3 practices
Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery, and user response activities.
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Test the organizational incident response capability including testing of roles and responsibilities.
Showing representative practices — IR domain contains 3 total practices in NIST SP 800-171 r2.
Maintenance
6 practices
Perform maintenance on organizational systems. Approve and monitor all maintenance activities, whether performed on site or remotely.
Provide controls on the tools, techniques, mechanisms, and personnel that perform maintenance on organizational systems.
Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections, and terminate such connections when maintenance is complete.
Showing representative practices — MA domain contains 6 total practices in NIST SP 800-171 r2.
Media Protection
9 practices
Protect system media (both paper and digital) containing CUI. Mark media with necessary CUI markings and distribution limitations.
Sanitize or destroy system media before disposal or reuse. Use NIST SP 800-88 guidelines for media sanitization.
Control the use of removable media on system components. Prohibit use of portable storage without an identifiable owner.
Showing representative practices — MP domain contains 9 total practices in NIST SP 800-171 r2.
Physical Protection
6 practices
Limit physical access to organizational systems, equipment, and operating environments to authorized individuals.
Protect and monitor the physical facility and support infrastructure for organizational systems.
Enforce safeguarding measures for CUI at alternate work sites. Apply appropriate protections for individuals working in telework environments.
Showing representative practices — PE domain contains 6 total practices in NIST SP 800-171 r2.
Personnel Security
2 practices
Screen individuals prior to authorizing access to organizational systems containing CUI. Review and verify personnel security clearances and background investigations.
Ensure that CUI and system access are properly terminated upon employee departure. Conduct exit interviews, retrieve all access media, and disable all accounts.
Showing representative practices — PS domain contains 2 total practices in NIST SP 800-171 r2.
Risk Assessment
3 practices
Periodically assess the risk to organizational operations, assets, and individuals resulting from the operation of organizational systems and the associated processing of CUI.
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems are identified.
Remediate vulnerabilities in accordance with risk assessments. Develop and implement a plan for vulnerability remediation and tracking.
Showing representative practices — RA domain contains 3 total practices in NIST SP 800-171 r2.
Security Assessment
4 practices
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Develop and implement plans of action (POA&Ms) designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Develop, document, and periodically update system security plans that describe the system boundaries, system operating environments, and how security requirements are implemented.
Showing representative practices — CA domain contains 4 total practices in NIST SP 800-171 r2.
System & Communications Protection
16 practices
Monitor, control, and protect communications (transmissions of CUI) at the external boundaries and key internal boundaries of organizational systems.
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, unless otherwise protected by alternative physical safeguards.
Establish and manage cryptographic keys for required cryptography employed in organizational systems. Protect against both disclosure and modification of cryptographic keys.
Protect the authenticity of communications sessions. Protect the confidentiality of CUI at rest.
Showing representative practices — SC domain contains 16 total practices in NIST SP 800-171 r2.
System & Information Integrity
7 practices
Identify, report, and correct information and information system flaws in a timely manner.
Provide protection from malicious code at appropriate locations within organizational information systems.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Showing representative practices — SI domain contains 7 total practices in NIST SP 800-171 r2.
The Process
The CMMC Level 2 Assessment Process
Unlike Level 1, which is a self-assessment, contracts that involve CUI require at least a CMMC Level 2 assessment, and acquisitions with higher sensitivity and risk require a formal third-party assessment led by a Cyber-AB accredited Certified Third-Party Assessment Organization (C3PAO). (Level 3, reserved for the most sensitive programs, adds a government-led DIBCAC assessment on top of a Level 2 certification.) Preparation is everything: organizations that go into the assessment without proper readiness risk costly delays and remediation cycles.
Gap Assessment & Readiness Review
Galaxy's RPs evaluate your environment against all 110 NIST SP 800-171 r2 practices, identify gaps, and deliver a prioritized remediation roadmap.
Remediation & Control Implementation
Implement required technical and administrative controls to close gaps — from MFA and encryption to access control policies and incident response plans.
Documentation — SSP & POA&M
Develop your System Security Plan (SSP), Policies and Procedures, and a Plan of Action & Milestones (POA&M) for any residual gaps accepted by the DoD.
SPRS Score Submission
Contractors must calculate and submit a NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS). The score follows the DoD Assessment Methodology: it starts at 110 and loses the point value assigned to each requirement that is not fully implemented, so a current score must be on file before an assessment. Submissions made in support of acquisitions with high sensitivity and risk levels will require a follow-on C3PAO assessment.
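The scoring behind that SPRS submission, as an added example (not code from Galaxy Consulting or the DoD): it applies the DoD Assessment Methodology rule of 110 minus the point value of every unmet requirement, with a floor of -203 and partial credit on 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). The WEIGHTS table is an assumed excerpt of the methodology's point values, and the gap list at the bottom is constructed for illustration; both would be replaced by the full table and a real assessment before any submission.

```python
"""Score a NIST SP 800-171 self-assessment for SPRS submission.

Added example, not Galaxy Consulting's or the DoD's code. It implements the
scoring rule of the DoD Assessment Methodology: start at 110 and subtract
the point value (5, 3 or 1) of every requirement that is not fully
implemented; the floor is -203. WEIGHTS below is an assumed excerpt of the
methodology's point table; use the full table for a real submission.
"""
import re
from typing import Dict, Iterable, List, Mapping, Optional, Tuple

MAX_SCORE = 110             # every one of the 110 requirements implemented
MIN_SCORE = -203            # every requirement unmet
SSP_REQUIREMENT = "3.12.4"  # without a System Security Plan there is no score
REQUIREMENT_ID = re.compile(r"^3\.(\d{1,2})\.(\d{1,2})$")

# Assumed excerpt of point values. Requirements not listed default to 1
# point, which is only correct once every 5- and 3-point item is present.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.5.3": 5,    # multi-factor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.11.3": 1,   # remediate vulnerabilities
}

# Partial credit exists for exactly two requirements: MFA covering only
# remote and privileged access (3.5.3), and encryption that is in use but
# not FIPS-validated (3.13.11). Each then costs 3 points instead of 5.
PARTIAL_CREDIT: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}


def _validate(req_ids: Iterable[str]) -> None:
    """Reject anything that is not shaped like a NIST SP 800-171 requirement id."""
    for req in req_ids:
        if not REQUIREMENT_ID.match(req):
            raise ValueError(f"not a NIST SP 800-171 requirement id: {req!r}")


def sprs_score(
    unmet: Iterable[str],
    partial: Iterable[str] = (),
    weights: Optional[Mapping[str, int]] = None,
) -> Optional[int]:
    """Return the SPRS score, or None when 3.12.4 (the SSP) itself is unmet.

    unmet   -- requirements not implemented (full deduction)
    partial -- requirements earning partial credit (3.5.3 / 3.13.11 only)
    weights -- point table to use; defaults to the assumed WEIGHTS excerpt
    """
    table = WEIGHTS if weights is None else weights
    unmet_set, partial_set = set(unmet), set(partial)
    _validate(unmet_set | partial_set)
    if SSP_REQUIREMENT in unmet_set:
        return None
    overlap = unmet_set & partial_set
    if overlap:
        raise ValueError(f"listed as both unmet and partial: {sorted(overlap)}")
    unknown_partial = partial_set - PARTIAL_CREDIT.keys()
    if unknown_partial:
        raise ValueError(f"no partial credit defined for: {sorted(unknown_partial)}")
    deduction = sum(table.get(req, 1) for req in unmet_set)
    deduction += sum(PARTIAL_CREDIT[req] for req in partial_set)
    return max(MIN_SCORE, MAX_SCORE - deduction)


def gap_report(unmet: Iterable[str], partial: Iterable[str] = ()) -> Dict[str, object]:
    """Summarise a gap assessment the way a POA&M needs it: the score, the
    number of open items, and per-requirement deductions, largest first."""
    unmet_set, partial_set = set(unmet), set(partial)
    score = sprs_score(unmet_set, partial_set)  # also validates the inputs
    deductions: Dict[str, int] = {req: WEIGHTS.get(req, 1) for req in unmet_set}
    deductions.update({req: PARTIAL_CREDIT[req] for req in partial_set})
    ordered: List[Tuple[str, int]] = sorted(
        deductions.items(), key=lambda kv: (-kv[1], kv[0])
    )
    return {"score": score, "open_items": len(ordered), "deductions": ordered}


if __name__ == "__main__":
    # Constructed gap list for illustration, not a real assessment result.
    report = gap_report(unmet=["3.1.1", "3.11.3"], partial=["3.5.3"])
    print(f"SPRS score: {report['score']}  open items: {report['open_items']}")
    for req, points in report["deductions"]:
        print(f"  {req:<8} -{points}")
```

Because a single 5-point requirement such as 3.1.1 moves the score as much as five 1-point items, sorting the deductions by weight is the quickest way to order a remediation roadmap before the C3PAO arrives.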
C3PAO Assessment
A Cyber-AB accredited C3PAO (Certified Third-Party Assessment Organization) conducts the official assessment of your environment against all 110 practices.
Certification & eMASS Entry
Upon successful completion, your certification is recorded in the DoD's CMMC instance of the Enterprise Mission Assurance Support Service (eMASS) and reflected in SPRS. Level 2 certification is valid for 3 years, with an annual affirmation of continued compliance.
How Galaxy Consulting Helps
As a CMMC RPO that has undergone a CMMC Level 2 certification, Galaxy Consulting brings direct, current experience to your Level 2 journey. Our Registered Practitioners guide you through gap assessment, control implementation, SSP and POA&M development, SPRS submission, and C3PAO assessment coordination — so you walk into your assessment fully prepared.
Understanding CUI
What is Controlled Unclassified Information (CUI)?
CUI is information the U.S. Government creates or possesses that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy — but is not classified.
The DoD uses CUI designations for technical data, engineering drawings, export-controlled information, sensitive acquisition information, proprietary business information, and much more.
If your contract includes a DFARS 252.204-7012 clause — Safeguarding Covered Defense Information — you are already legally obligated to protect CUI. CMMC Level 2 formalizes and verifies that obligation.
Common CUI Categories in Defense Contracting
Ready to Start Your Level 2 Journey?
Galaxy Consulting offers a free initial consultation to assess your current CMMC Level 2 posture, identify critical gaps, and give you a clear roadmap to C3PAO assessment.