
CMMC Level 2 Compliance: 110 Controls, Third-Party Assessment, and What to Document

11 February 2026 · Compliance & Audit · 6 min read

CMMC Level 1 is self-assessed. Level 2 is not. If your organisation handles Controlled Unclassified Information (CUI) for the Department of Defense, you need Level 2 certification — and that means a third-party assessment by a CMMC Third-Party Assessment Organisation (C3PAO).

The jump from Level 1 to Level 2 is substantial. Level 1 covers 17 practices focused on basic cyber hygiene with a self-assessment. Level 2 implements all 110 security requirements from NIST SP 800-171 Rev. 2 across 14 control families, and your documentation must withstand scrutiny from an external assessor.

What Changes at Level 2

Level 1 protects Federal Contract Information (FCI). Level 2 protects Controlled Unclassified Information (CUI), which requires significantly more rigorous controls because of the sensitivity of the data involved.

The scope expands from 6 domains to 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

The assessment model changes too. Most Level 2 organisations require a C3PAO assessment every three years. The assessor evaluates three things for each requirement: whether the control is documented in policy, whether procedures exist to implement it, and whether evidence demonstrates the control operates as described.

The Documentation Structure Assessors Expect

C3PAO assessors follow a structured methodology. They evaluate each of the 110 requirements against three criteria: the control is defined (policy), the control is implemented (procedure), and the control is effective (evidence). Missing any of these for a given requirement results in a finding.

System Security Plan

The SSP is the foundational document. It describes your system boundary, the CUI data flows, all 110 controls and how each is implemented, and any Plans of Action and Milestones (POA&Ms) for controls not yet fully implemented.

Unlike the SOC 2 system description, which is narrative-focused, the SSP is control-by-control. Each of the 110 requirements needs a description of how your organisation satisfies it, who is responsible, and what system components are involved.

An incomplete or vague SSP is the single most common reason assessments stall. If the assessor can’t understand your implementation from the SSP, they’ll spend the entire engagement asking clarifying questions.

Policies by Control Family

Each of the 14 control families needs governing policy. Access Control policy, Audit and Accountability policy, Configuration Management policy, and so on. These policies must reference the specific NIST 800-171 requirements they address and establish the organisational rules that procedures will implement.

Level 2 policies need more specificity than Level 1. “Access is restricted to authorised users” is insufficient. “Access to CUI systems requires multi-factor authentication, is approved by the system owner via documented request, and is reviewed quarterly with evidence retained for three years” gives the assessor something to verify.

Procedures for Each Requirement

The 110 requirements translate into operational procedures. Some requirements share procedures — access provisioning and deprovisioning might cover multiple AC requirements. Others need dedicated procedures, particularly in technical families like System and Communications Protection.

Procedures must be specific enough that someone could follow them and produce the same result consistently. The assessor will compare what your procedure says against what your evidence shows. Gaps between documented procedure and actual practice are findings.

Evidence and Artefacts

Level 2 assessment is evidence-based. For each control, the assessor expects to see artefacts demonstrating the control operates. Audit logs showing logging is configured. Screenshots of MFA enforcement. Access review records with dates and decisions. Configuration baselines with change tracking. Training completion records with dates and employee names.

The evidence collection strategy should be embedded in your procedures, not bolted on before the assessment. If your vulnerability scanning procedure doesn’t specify where scan results are saved and how long they’re retained, you’ll scramble to locate evidence when the assessor requests it.

POA&Ms: What You Can and Cannot Defer

CMMC Level 2 allows limited use of Plans of Action and Milestones for requirements not yet fully implemented. However, the rules are strict. POA&Ms must have defined completion dates, allocated resources, and interim risk mitigation measures. Some requirements cannot be deferred at all.

The strategic decision is which requirements to prioritise for full implementation before the assessment and which to manage through POA&Ms. Getting this wrong — deferring too many controls or deferring critical ones — can result in assessment failure regardless of your other documentation quality.

The 14 Families: Documentation Scope

The control families vary significantly in documentation complexity:

High complexity — Access Control (22 requirements), System and Communications Protection (16 requirements), and Audit and Accountability (9 requirements) collectively represent nearly half of all controls and require the most detailed documentation.

Medium complexity — Configuration Management (9 requirements), Identification and Authentication (11 requirements), and Incident Response (3 requirements) need solid technical procedures and evidence collection processes.

Lower complexity — Personnel Security (2 requirements), Physical Protection (6 requirements), and Maintenance (6 requirements) are more straightforward but still require documented policies and procedures with evidence.

Level 1 to Level 2: Leveraging Existing Documentation

If you already have Level 1 documentation, you have a foundation covering basic access control, identification, media protection, physical protection, system protection, and integrity controls. Level 2 builds on this but adds requirements in every family and introduces entirely new families — Audit and Accountability, Awareness and Training, Configuration Management, Incident Response, Maintenance, Risk Assessment, and Security Assessment.

Roughly 30% of Level 2 content extends from Level 1 foundations. The remaining 70% is new documentation that addresses the increased rigour CUI protection demands.

Assessment Preparation Timeline

For organisations starting from an established Level 1 posture:

Months 1–2: Gap assessment against all 110 requirements. Identify which controls exist, which are partially implemented, and which are missing entirely.

Months 3–5: Documentation development. Policies, procedures, and SSP updates for all 14 control families. This is the most documentation-intensive phase.

Months 6–8: Implementation of missing technical controls and establishment of evidence collection processes.

Months 9–10: Pre-assessment readiness review. Internal audit of all 110 requirements against the documentation and evidence.

Months 11–12: C3PAO engagement. The assessment typically takes one to two weeks of active fieldwork plus preparation and report writing.
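The readiness review in months 9–10 is an internal audit of every requirement against the three criteria the assessor applies (policy, procedure, evidence) and against the POA&M rules above (defined completion date, allocated resources, interim mitigation, and no deferral of requirements that cannot be deferred). The script below is an added example, not code from this post or from Ridgeline's product suite, showing how that review can be run over a control inventory. The `Requirement` and `Poam` records, the sample inventory, and the assessment date are all constructed for illustration; the NIST SP 800-171 identifiers are real requirement numbers used only as labels, and the `non_deferrable` set is a placeholder, because the post does not list which requirements cannot be deferred.

```python
"""Pre-assessment readiness check for a CMMC Level 2 control inventory (illustrative)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# The three criteria a C3PAO assessor checks for every requirement.
CRITERIA = ("policy", "procedure", "evidence")


@dataclass
class Poam:
    """A Plan of Action and Milestones entry for a not-yet-implemented requirement."""
    completion_date: Optional[date]
    resources: str            # who/what is allocated to close the gap
    interim_mitigation: str   # risk reduction in place until closure


@dataclass
class Requirement:
    """One NIST SP 800-171 requirement and the state of its documentation (hypothetical schema)."""
    req_id: str
    family: str
    policy: bool       # governing policy references this requirement
    procedure: bool    # an operational procedure implements it
    evidence: bool     # artefacts show the control operating
    poam: Optional[Poam] = None


def missing_criteria(req: Requirement) -> List[str]:
    """Criteria the requirement fails; an empty list means fully implemented."""
    return [c for c in CRITERIA if not getattr(req, c)]


def poam_defects(poam: Poam, today: date) -> List[str]:
    """Check a POA&M against the strict rules: date, resources, interim mitigation."""
    defects = []
    if poam.completion_date is None:
        defects.append("no completion date")
    elif poam.completion_date <= today:
        defects.append("completion date already passed")
    if not poam.resources.strip():
        defects.append("no allocated resources")
    if not poam.interim_mitigation.strip():
        defects.append("no interim risk mitigation")
    return defects


def assess_requirement(req: Requirement, today: date, non_deferrable: frozenset) -> Tuple[str, List[str]]:
    """Return ('implemented' | 'deferred' | 'finding', list of finding text)."""
    missing = missing_criteria(req)
    if not missing:
        return "implemented", []
    gap = f"{req.req_id} ({req.family}): missing {', '.join(missing)}"
    if req.poam is None:
        return "finding", [gap + "; no POA&M"]
    if req.req_id in non_deferrable:
        return "finding", [gap + "; requirement cannot be deferred via POA&M"]
    defects = poam_defects(req.poam, today)
    if defects:
        return "finding", [gap + "; POA&M defective: " + ", ".join(defects)]
    return "deferred", []


def readiness_report(reqs: List[Requirement], today: date, non_deferrable: frozenset = frozenset()) -> Dict:
    """Per-family counts plus the full list of findings an assessor would raise."""
    families: Dict[str, Dict[str, int]] = {}
    findings: List[str] = []
    for r in reqs:
        status, text = assess_requirement(r, today, non_deferrable)
        fam = families.setdefault(r.family, {"implemented": 0, "deferred": 0, "finding": 0})
        fam[status] += 1
        findings.extend(text)
    return {"families": families, "findings": findings}


# Constructed sample inventory (six requirements, not a real organisation's state).
SAMPLE_INVENTORY = [
    Requirement("3.1.1", "Access Control", True, True, True),
    Requirement("3.1.2", "Access Control", True, True, False,
                Poam(date(2026, 9, 30), "IAM team, 2 weeks", "Quarterly manual access review")),
    Requirement("3.3.1", "Audit and Accountability", True, False, False),          # no POA&M at all
    Requirement("3.5.3", "Identification and Authentication", True, True, False,
                Poam(None, "", "Conditional access enforced for remote logins")),  # defective POA&M
    Requirement("3.6.1", "Incident Response", True, True, False,
                Poam(date(2026, 6, 30), "SecOps lead", "Manual escalation runbook")),
    Requirement("3.13.1", "System and Communications Protection", True, True, True),
]
# Placeholder: replace with the requirements that CMMC guidance does not allow to be deferred.
NON_DEFERRABLE_PLACEHOLDER = frozenset({"3.6.1"})
ASSESSMENT_DATE = date(2026, 2, 11)  # constructed review date


if __name__ == "__main__":
    report = readiness_report(SAMPLE_INVENTORY, ASSESSMENT_DATE, NON_DEFERRABLE_PLACEHOLDER)
    for family, counts in report["families"].items():
        print(f"{family:40s} {counts}")
    print("\nFindings:")
    for f in report["findings"]:
        print(" -", f)
```

Run as a script it prints a per-family tally and the three findings the sample produces: the Audit and Accountability requirement with no POA&M, the MFA requirement whose POA&M lacks a date and resources, and the Incident Response requirement that sits in the placeholder non-deferrable set. Feeding it the real 110-row inventory exported from an SSP turns the months 9–10 review into a repeatable check rather than a one-off read-through.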

Pre-built documentation packages aligned to NIST 800-171 compress the months 3–5 phase significantly. The gap assessment and implementation phases still require organisation-specific effort, but starting from structured templates rather than blank pages eliminates the most time-consuming bottleneck.


Ridgeline Cyber Defence provides the CMMC Level 2 Compliance & Operations Suite — 116 deliverables covering all 110 NIST SP 800-171 controls across 14 families. Includes SSP template, POA&M tracker, policy suite, procedures, evidence collection guidance, and self-assessment workbook.
