CMMC Level 2: The Complete Plain-English Guide (2026)
Everything a government contractor actually needs to know about CMMC Level 2: the 110 NIST SP 800-171 requirements, what counts as CUI, the 88 rule, self assessment versus C3PAO certification, real 2026 costs, and the 180 day path to filed in SPRS. Written for the executive who never asked to become a cybersecurity expert.
What CMMC Level 2 is, in one paragraph
CMMC Level 2 is how the Department of Defense verifies that a contractor protecting Controlled Unclassified Information (CUI) actually implements the safeguards its contracts have required for years. If a contract carries DFARS 252.204-7012, or the government sends you controlled technical drawings, export controlled specs, or technical data on a defense article, you are in Level 2 territory. The standard is NIST SP 800-171 Revision 2: 110 security requirements across 14 families, each judged at the objective level, scored out of 110, and recorded in SPRS under your CAGE code with an annual affirmation by a senior official.
Level 2 is not paperwork about security. It is a scored, evidence backed statement, with False Claims Act exposure behind it, that your business runs the 110 requirements today. That is exactly why contractors who file a defensible score early keep their contracts and pick up the work of competitors who cannot.
The 110 requirements, in 14 plain-English families
Every requirement comes from NIST SP 800-171 r2. Here is the whole map, what each family actually asks of your business:
Assessors do not grade the families; they grade the 320 assessment objectives beneath them (NIST SP 800-171A). One unmet objective fails its whole requirement, which is why working at the objective level from day one is the only honest way to build.
The score, the 88 rule, and the POA&M clock
Scoring is arithmetic, defined in 32 CFR 170.24. Start at 110. Every NOT MET requirement subtracts 1, 3, or 5 points by weight. Missing multifactor authentication or FIPS validated encryption carries special deductions, and no System Security Plan means the assessment cannot be completed at all (CA.L2-3.12.4).
You do not need a perfect 110 to file. At 88 or better, with every remaining gap eligible for a Plan of Action and Milestones, you can file with Conditional status, then close every POA&M item within 180 days or the status expires. Six requirements can never ride a POA&M, including the SSP itself and the physical access trio, and those must be MET on assessment day.
Two tracks use the same 110 requirements: Level 2 (Self), a self assessment filed in SPRS, and Level 2 (C3PAO), certification by an accredited third party assessor where a contract demands it. Build one honest package and it serves both. A status is valid three years, with annual affirmations by your senior official.
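The scoring and filing rules above, worked through as an added example (not code from the page or from any official tool). The per-requirement deductions, the never-POA&M flags, the placeholder requirement IDs, the outcome labels, and the date the 180 day clock starts are all assumptions supplied by the caller.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SSP_REQUIREMENT = "CA.L2-3.12.4"  # the SSP requirement named on the page
START_SCORE = 110
CONDITIONAL_MINIMUM = 88
POAM_WINDOW_DAYS = 180

@dataclass(frozen=True)
class Gap:
    """One NOT MET requirement. The caller supplies the deduction and the
    never-POA&M flag from 32 CFR 170.24; this example does not embed them."""
    req_id: str
    deduction: int            # 1, 3 or 5 (or a special deduction, e.g. MFA/FIPS)
    never_poam: bool = False  # True for the six that cannot ride a POA&M

def evaluate(gaps, clock_start):
    """Return the score, an outcome label (labels are this example's own),
    the requirements blocking a Conditional filing, and the POA&M due date."""
    if any(g.req_id == SSP_REQUIREMENT for g in gaps):
        # No SSP: the assessment cannot be completed, so there is no score.
        return {"outcome": "CANNOT_COMPLETE", "score": None,
                "blockers": [SSP_REQUIREMENT], "poam_due": None}
    score = START_SCORE - sum(g.deduction for g in gaps)
    # Never-POA&M requirements and 5 point items must be MET before filing.
    blockers = sorted(g.req_id for g in gaps if g.never_poam or g.deduction == 5)
    if not gaps:
        outcome = "ALL_MET"
    elif score >= CONDITIONAL_MINIMUM and not blockers:
        outcome = "CONDITIONAL"
    else:
        outcome = "NOT_ELIGIBLE"
    due = (clock_start + timedelta(days=POAM_WINDOW_DAYS)
           if outcome == "CONDITIONAL" else None)
    return {"outcome": outcome, "score": score, "blockers": blockers, "poam_due": due}

# Constructed sample data: placeholder IDs, not real requirement numbers.
SAMPLE_OK = [Gap("REQ-A", 1), Gap("REQ-B", 3), Gap("REQ-C", 1)]
SAMPLE_BLOCKED = [Gap("REQ-D", 5), Gap("REQ-E", 1, never_poam=True)]
SAMPLE_LOW = [Gap(f"REQ-{n}", 3) for n in range(8)]  # 110 - 24 = 86

if __name__ == "__main__":
    for name, gaps in [("ok", SAMPLE_OK), ("blocked", SAMPLE_BLOCKED),
                       ("low", SAMPLE_LOW)]:
        print(name, evaluate(gaps, date(2026, 1, 15)))
```

A score above 88 is not enough on its own: the blocked sample scores 104 and still cannot file Conditional, because a 5 point item and a never-POA&M requirement are open.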
How to get CMMC Level 2 filed, in eight steps
1. Confirm CMMC Level 2 applies to you
   Check your contracts for DFARS 252.204-7012 and look for information marked CUI, export controlled, or Distribution D. If you find either, Level 2 applies. If your contracts only involve FCI, start with Level 1 instead.
2. Map your CUI
   Document every flow of controlled information: what it is, where it comes from, which systems store, process, or transmit it, and where it leaves. This map drives everything that follows.
3. Draw the assessment boundary
   Categorize every asset under 32 CFR 170.19: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out of Scope. Determine FedRAMP status for every cloud vendor that touches CUI per DFARS 252.204-7012.
4. Work the 110 requirements at the objective level
   Resolve each requirement the way an assessor scores it: every NIST SP 800-171A objective MET or Not Applicable, with evidence behind every MET. Adopted written policies satisfy the documentation objectives.
5. Write the System Security Plan and score honestly
   The SSP is mandatory: no SSP means the assessment cannot be completed (CA.L2-3.12.4). Run the official 32 CFR 170.24 scoring: 110 minus 1, 3, or 5 points per gap.
6. POA&M what is eligible, fix what is not
   At 88 or better with only POA&M eligible gaps you can file with Conditional status. POA&M items close within 180 days. The six never POA&M requirements and the 5 point items must be MET first.
7. File the self assessment in SPRS and affirm
   Record the assessment in SPRS under your CAGE code, and have your Affirming Official, a senior company official, affirm. The status is valid three years with annual affirmations.
8. Hold it year round, and certify when a contract demands it
   Keep evidence fresh, close POA&Ms on schedule, review policies annually, and re-affirm every year. When a solicitation requires certification, hand the same assessment package to a C3PAO.
What CMMC Level 2 really costs in 2026
Consultant readiness engagements run $35,000 to $150,000 over six months to a year, and the method leaves with the consultant. A full time compliance hire runs about $78,420 a year (Bureau of Labor Statistics), and one person cannot hold 320 objectives in their head. C3PAO assessment fees, when a contract requires certification, come on top of either path.
Custodia's platform is $1,499 a month ($14,990 a year with two months free), and it includes the complete Level 1 platform, the living Policy Center, the Audit Room, contract opportunity matching, and the 180 Day Accelerator: a Custodia compliance officer working CMMC with you for your first 180 days so your team learns the platform and the method stays yours. Filed in 180 days, or we work free until you are. If you want a credentialed human officer managing your compliance year round, that is $2,499 a month.
CMMC Level 2, the honest answers
What is CMMC Level 2?
Who needs CMMC Level 2?
How many requirements are in CMMC Level 2?
Is CMMC Level 2 self-assessed or third-party assessed?
What is the CMMC Level 2 score and the 88 rule?
What can never go on a CMMC Level 2 POA&M?
What does CMMC Level 2 cost in 2026?
How long does CMMC Level 2 take?
What's the difference between CMMC Level 1 and Level 2?
What happens if I misrepresent my CMMC Level 2 posture in SPRS?
The contractors who file first keep the contracts.
Phase 2 puts Level 2 in solicitations on November 10, 2026. Start free, no credit card, and a Custodia officer works CMMC with you for your first 180 days.