
CMMC Level 2: The Complete Plain-English Guide (2026)

Everything a government contractor actually needs to know about CMMC Level 2: the 110 NIST SP 800-171 requirements, what counts as CUI, the 88 rule, self assessment versus C3PAO certification, real 2026 costs, and the 180 day path to filed in SPRS. Written for the executive who never asked to become a cybersecurity expert.

Last updated July 4, 2026 · ~12 minute read · Primary sources cited

110: Requirements (NIST SP 800-171 r2)
320: Assessment objectives (800-171A)
88: Minimum score for Conditional status
Nov 10, 2026: Phase 2, Level 2 hits solicitations

What CMMC Level 2 is, in one paragraph

CMMC Level 2 is how the Department of Defense verifies that a contractor protecting Controlled Unclassified Information (CUI) actually implements the safeguards its contracts have required for years. If a contract carries DFARS 252.204-7012, or the government sends you controlled technical drawings, export controlled specs, or technical data on a defense article, you are in Level 2 territory. The standard is NIST SP 800-171 Revision 2: 110 security requirements across 14 families, each judged at the objective level, scored out of 110, and recorded in SPRS under your CAGE code with an annual affirmation by a senior official.

Level 2 is not paperwork about security. It is a scored, evidence backed statement, with False Claims Act exposure behind it, that your business runs the 110 requirements today. That is exactly why contractors who file a defensible score early keep their contracts and pick up the work of competitors who cannot.

The 110 requirements, in 14 plain-English families

Every requirement comes from NIST SP 800-171 r2. Here is the whole map, what each family actually asks of your business:

AC · Access Control · 22 requirements · Who can get in, and what they can touch
AT · Awareness & Training · 3 requirements · Your people know the risks
AU · Audit & Accountability · 9 requirements · Logs that prove what happened
CM · Configuration Management · 9 requirements · Systems set up on purpose, and kept that way
IA · Identification & Authentication · 11 requirements · Everyone proves who they are
IR · Incident Response · 3 requirements · A plan for when things go wrong
MA · Maintenance · 6 requirements · Fixing systems without opening holes
MP · Media Protection · 9 requirements · Drives and paper handled safely
PS · Personnel Security · 2 requirements · Screening before access, offboarding after
PE · Physical Protection · 6 requirements · Locks, escorts, and visitor logs
RA · Risk Assessment · 3 requirements · Knowing your weaknesses first
CA · Security Assessment · 4 requirements · Checking your own work, in writing
SC · System & Communications Protection · 16 requirements · The network boundary, encryption, separation
SI · System & Information Integrity · 7 requirements · Patching, malware protection, monitoring

Assessors do not grade the families; they grade the 320 assessment objectives beneath them (NIST SP 800-171A). One unmet objective fails its whole requirement, which is why working at the objective level from day one is the only honest way to build.

The score, the 88 rule, and the POA&M clock

Scoring is arithmetic, defined in 32 CFR 170.24. Start at 110. Every NOT MET requirement subtracts 1, 3, or 5 points by weight. Missing multifactor authentication or FIPS validated encryption carries special deductions, and no System Security Plan means the assessment cannot be completed at all (CA.L2-3.12.4).

You do not need a perfect 110 to file. At 88 or better, with every remaining gap eligible for a Plan of Action and Milestones, you can file with Conditional status, then close every POA&M item within 180 days or the status expires. Six requirements can never ride a POA&M, including the SSP itself and the physical access trio, and those must be MET on assessment day.
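The scoring and Conditional-status rules above (and the never-POA&M list given in the FAQ below) as a small calculator. This is an added example, not Custodia's tooling or the official DoD scoring sheet: the weight table is a constructed subset, the `Finding` type and function names are this example's own, and the POA&M eligibility test encodes the rules exactly as this page summarizes them, so check it against 32 CFR 170.21 and 170.24 before relying on it.

```python
from dataclasses import dataclass
from typing import Optional

BASE = 110
THRESHOLD = 88                      # minimum score for Conditional status
SSP, MFA, FIPS = "3.12.4", "3.5.3", "3.13.11"
NEVER_POAM = {"3.1.20", "3.1.22", SSP, "3.10.3", "3.10.4", "3.10.5"}

# Constructed sample of the per-requirement weights (1, 3 or 5 points). It is a
# demo subset only; confirm each value against Annex A of the DoD Assessment
# Methodology before using it on a real assessment.
WEIGHTS = {"3.1.1": 5, "3.3.1": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
           "3.10.3": 1, "3.10.4": 1, "3.10.5": 1, MFA: 5, FIPS: 5, SSP: 0}


@dataclass(frozen=True)
class Finding:
    req: str
    status: str   # "MET", "NOT_MET", or "PARTIAL" (only meaningful for MFA / FIPS)


def deduction(f: Finding) -> int:
    """Points lost for one requirement under the scoring rules the page describes."""
    if f.status == "MET":
        return 0
    if f.status == "PARTIAL" and f.req in (MFA, FIPS):
        return 3   # MFA only for remote/privileged users, or encryption present but not FIPS-validated
    return WEIGHTS[f.req]


def poam_eligible(f: Finding) -> bool:
    """Page's rule: never one of the six listed requirements, never a 5-point gap
    (FIPS at partial credit is a 3-point gap, so it stays eligible)."""
    return f.req not in NEVER_POAM and deduction(f) < 5


def score(findings: list[Finding]) -> tuple[Optional[int], str]:
    """Return (score, outcome): FINAL, CONDITIONAL, NOT_ELIGIBLE or INCOMPLETE."""
    by_req = {f.req: f for f in findings}
    if SSP not in by_req or by_req[SSP].status != "MET":
        return None, "INCOMPLETE"      # no SSP: the assessment cannot be completed
    total = BASE - sum(deduction(f) for f in findings)
    gaps = [f for f in findings if f.status != "MET"]
    if not gaps:
        return total, "FINAL"
    if total >= THRESHOLD and all(poam_eligible(f) for f in gaps):
        return total, "CONDITIONAL"    # every POA&M item must close within 180 days
    return total, "NOT_ELIGIBLE"
```

Feed it one `Finding` per requirement you assessed; a single never-POA&M gap or any 5-point gap blocks Conditional status regardless of the total.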

Two tracks use the same 110 requirements: Level 2 (Self), a self assessment filed in SPRS, and Level 2 (C3PAO), certification by an accredited third party assessor where a contract demands it. Build one honest package and it serves both. A status is valid three years, with annual affirmations by your senior official.

How to get CMMC Level 2 filed, in eight steps

  1. Confirm CMMC Level 2 applies to you

    Check your contracts for DFARS 252.204-7012 and look for information marked CUI, export controlled, or Distribution D. If you find either, Level 2 applies. If your contracts only involve FCI, start with Level 1 instead.

  2. Map your CUI

    Document every flow of controlled information: what it is, where it comes from, which systems store, process, or transmit it, and where it leaves. This map drives everything that follows.

  3. Draw the assessment boundary

    Categorize every asset under 32 CFR 170.19: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out of Scope. Determine FedRAMP status for every cloud vendor that touches CUI per DFARS 252.204-7012.

  4. Work the 110 requirements at the objective level

    Resolve each requirement the way an assessor scores it: every NIST SP 800-171A objective MET or Not Applicable, with evidence behind every MET. Adopted written policies satisfy the documentation objectives.

  5. Write the System Security Plan and score honestly

    The SSP is mandatory: no SSP means the assessment cannot be completed (CA.L2-3.12.4). Run the official 32 CFR 170.24 scoring: 110 minus 1, 3, or 5 points per gap.

  6. POA&M what is eligible, fix what is not

    At 88 or better with only POA&M eligible gaps you can file with Conditional status. POA&M items close within 180 days. The six never POA&M requirements and the 5 point items must be MET first.

  7. File the self assessment in SPRS and affirm

    Record the assessment in SPRS under your CAGE code, and have your Affirming Official, a senior company official, affirm. The status is valid three years with annual affirmations.

  8. Hold it year round, and certify when a contract demands it

    Keep evidence fresh, close POA&Ms on schedule, review policies annually, and re-affirm every year. When a solicitation requires certification, hand the same assessment package to a C3PAO.

What CMMC Level 2 really costs in 2026

Consultant readiness engagements run $35,000 to $150,000 over six months to a year, and the method leaves with the consultant. A full time compliance hire runs about $78,420 a year (Bureau of Labor Statistics), and one person cannot hold 320 objectives in their head. C3PAO assessment fees, when a contract requires certification, come on top of either path.

Custodia's platform is $1,499 a month ($14,990 a year with two months free), and it includes the complete Level 1 platform, the living Policy Center, the Audit Room, contract opportunity matching, and the 180 Day Accelerator: a Custodia compliance officer working CMMC with you for your first 180 days so your team learns the platform and the method stays yours. Filed in 180 days, or we work free until you are. If you want a credentialed human officer managing your compliance year round, that is $2,499 a month.

CMMC Level 2, the honest answers

What is CMMC Level 2?
CMMC Level 2 is the tier of the Department of Defense's Cybersecurity Maturity Model Certification program for contractors that handle Controlled Unclassified Information (CUI). It requires implementation of all 110 security requirements from NIST SP 800-171 Revision 2, assessed against 320 assessment objectives from NIST SP 800-171A, scored out of 110 under 32 CFR 170.24, and recorded in the Supplier Performance Risk System (SPRS) with an annual senior official affirmation.

Who needs CMMC Level 2?
Any organization whose DoD contracts flow down DFARS 252.204-7012, or that receives, creates, or handles Controlled Unclassified Information: controlled technical drawings, export controlled specs, technical data on defense articles, research deliverables marked CUI. If your contracts only involve Federal Contract Information (FCI) and never CUI, CMMC Level 1 covers you instead.

How many requirements are in CMMC Level 2?
110 security requirements, straight from NIST SP 800-171 Revision 2, spread across 14 families. Assessors evaluate them against 320 assessment objectives from NIST SP 800-171A: every objective under a requirement must be MET or Not Applicable, or the whole requirement is NOT MET.

Is CMMC Level 2 self-assessed or third-party assessed?
Both tracks exist, same 110 requirements. Level 2 (Self) is a self-assessment filed in SPRS with an annual affirmation, accepted where the solicitation allows it. Level 2 (C3PAO) is a certification assessment by an accredited third party assessor organization, required where the contract demands it. A status is valid for three years with annual affirmations either way.

What is the CMMC Level 2 score and the 88 rule?
Scoring starts at 110 and subtracts 1, 3, or 5 points for every NOT MET requirement per 32 CFR 170.24. Missing multifactor authentication or FIPS validated encryption carries special 3 or 5 point deductions, and having no System Security Plan means the assessment cannot be completed at all. You can achieve Conditional status at 88 or better only if every remaining gap is eligible for a Plan of Action and Milestones (POA&M), and POA&M items must close within 180 days or the status expires.

What can never go on a CMMC Level 2 POA&M?
Six requirements can never ride a POA&M: 3.1.20 (external connections), 3.1.22 (public content control), 3.12.4 (the System Security Plan itself), and 3.10.3, 3.10.4, 3.10.5 (visitor escort, physical access logs, physical access devices). Those must be MET on assessment day, and all 5 point requirements except FIPS encryption at partial credit must be too.

What does CMMC Level 2 cost in 2026?
Consultant readiness engagements typically run $35,000 to $150,000 and take six months to a year, before any C3PAO assessment fees. A full time compliance hire runs about $78,420 a year per the Bureau of Labor Statistics. Custodia's platform is $1,499 a month ($14,990 a year with two months free) including the complete Level 1 platform and the 180 Day Accelerator, a Custodia officer working CMMC with you for your first 180 days, or $2,499 a month with an officer managing your compliance year round.

How long does CMMC Level 2 take?
It depends on how mapped your CUI already is. A contractor with a clean cloud environment and its CUI flows understood can reach a defensible self assessment inside Custodia's 180 Day Accelerator; many finish faster. Traditional consultant led builds run six months to a year. The clock that matters is CMMC Phase 2, November 10, 2026, when Level 2 requirements begin appearing in applicable solicitations as a condition of award.

What's the difference between CMMC Level 1 and Level 2?
Level 1 protects Federal Contract Information with 15 FAR 52.204-21 safeguards, self attested annually, binary MET or NOT MET. Level 2 protects Controlled Unclassified Information with all 110 NIST SP 800-171 requirements, a numeric score out of 110, POA&M rules, and either a self assessment or C3PAO certification. Contractors handling CUI almost always handle FCI too, which is why Custodia's Level 2 plan includes both platforms.

What happens if I misrepresent my CMMC Level 2 posture in SPRS?
A false SPRS score or affirmation is a federal false statement under 18 U.S.C. 1001 and actionable under the False Claims Act (31 U.S.C. 3729). The Department of Justice's Civil Cyber Fraud Initiative has settled multiple cases against contractors for overstated NIST 800-171 postures, from hundreds of thousands to over nine million dollars. The senior official who affirms is personally exposed, which is why an honest, evidence backed score matters more than a high one.

The contractors who file first keep the contracts.

Phase 2 puts Level 2 in solicitations on November 10, 2026. Start free, no credit card, and a Custodia officer works CMMC with you for your first 180 days.

Level 1 and Level 2 platforms included · Filed in 180 days or we work free · Cancel anytime

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)