The CMMC Level 2 requirements are where a defense contract gets serious: 110 controls, an outside assessor, and real evidence. The good news for a small contractor is that most of those controls already live in the Microsoft 365 you run.
However, most guides on this topic just reprint the 110 controls as a dry table. This one is different. Specifically, it shows when Level 2 actually applies, what it demands beyond Level 1, and how much of it your tenant already covers.
Notably, you do not need a compliance team to follow it. The CMMC Level 2 requirements are written here in plain language, with each obligation tied to where it lives in your environment.
In short, treat this as a map of Level 2. By the end you will know whether you need it, what it asks, and the order to close the gaps in.
Not sure the CMMC Level 2 requirements even apply to you?
Wintive gets US small defense contractors ready for the CMMC Level 2 requirements on the Microsoft 365 they already own. We confirm your scope, map the 110 controls to your tenant, build the System Security Plan, and rank the gaps by real risk. The price is a flat monthly fee per user, with no long contract and no setup cost.
🧭 CMMC Level 2 requirements: the short answer
CMMC Level 2 applies when you handle Controlled Unclassified Information, or CUI. It requires all 110 security requirements of NIST SP 800-171 Revision 2, grouped into 14 families, assessed every three years: by a C3PAO where the contract requires certification, or by self-assessment where it permits one, with an annual affirmation in between and a System Security Plan and a tracked gap list (the POA&M) behind it. If you only handle Federal Contract Information, you are Level 1, not Level 2. Most of the technical controls already exist in Microsoft 365; the work is configuration, policies, and evidence.
First, the plain version. The CMMC Level 2 requirements are the full set of safeguards the Department of Defense expects when you hold controlled information, verified by an outside assessor.
Notably, Level 2 is not a different standard from Level 1, but a higher bar. It covers all 110 controls of NIST SP 800-171, where Level 1 covers only the 15 basic safeguarding requirements of FAR 52.204-21.
Crucially, the trigger is your data, not your size. If a contract gives you Controlled Unclassified Information, the CMMC Level 2 requirements apply, however small your business is.
Above all, Level 2 is demanding but finite. The controls are fixed, the families are known, and a large share already lives in tools you own, so the project is to map, close, and prove rather than to invent.
Notably, the word requirements can sound heavier than the work. Each of the 110 controls is a concrete, checkable item, and many are settings you can confirm in minutes. As a result, the list reads as long but rarely as hard once you start working through it.
What CMMC Level 2 actually is
So, what are we really talking about? Level 2 is the tier of CMMC built around protecting Controlled Unclassified Information. The Department of Defense sets it out on the official DoD CMMC site.
Importantly, the CMMC Level 2 requirements do not invent new controls. They adopt NIST SP 800-171 Revision 2 wholesale, so the 110 controls you must meet are the same ones DFARS 252.204-7012 has required of contractors holding CUI since the end of 2017.
Notably, what changes at Level 2 is the proof. You no longer simply attest; a certified assessor checks your controls against evidence, so documentation and records matter as much as settings.
Therefore, think of Level 2 as Level 1 with depth and oversight. The same kinds of controls, taken further, and confirmed by someone outside your business rather than by you alone.
In short, the CMMC Level 2 requirements are a known, fixed target. The rule pins Level 2 to Revision 2 of NIST SP 800-171, and moving it to Revision 3 would need a new rulemaking, so you would see any change coming. Once you accept that the list does not shift underneath you, the work becomes a steady project rather than a moving goalpost.
Above all, that stability is good news for planning and budgeting. Because the controls are stable, the effort you invest now keeps its value, and you can scope the work once and reuse the estimate across contracts instead of repricing every time a new bid lands.
FCI or CUI: which level applies
Next, the question that decides everything. Whether the CMMC Level 2 requirements apply to you comes down to the type of information your contract gives you.
Specifically, Federal Contract Information, or FCI, is information provided by or generated for the government under a contract that is not intended for public release (the FAR 52.204-21 definition). Controlled Unclassified Information, or CUI, is information that a law, regulation, or government-wide policy requires you to safeguard; the categories are listed in the National Archives CUI Registry, and typical examples are controlled technical information such as drawings and export-controlled data.
Notably, FCI puts you at Level 1, while CUI puts you at Level 2. The cards show what each kind of data looks like and where it lands.
Therefore, confirm in writing which data your contract involves before you assume a level. Many small contractors brace for Level 2 when their work only ever touches Federal Contract Information.
In short, the data decides, so get clarity on it first. Read the contract for its DFARS clauses: 252.204-7012 (safeguarding covered defense information) and 252.204-7021 (the CMMC clause, which states the required level) signal that CUI is in scope, and CUI-marked deliverables confirm it.
Notably, the line between Federal Contract Information and controlled data is not always obvious, so when the clauses are absent and nothing is marked, ask. Your prime or your contracting officer can usually tell you whether a deliverable counts as controlled, and getting that answer in writing protects you if the scope is ever questioned later.
Level 1 versus Level 2 at a glance
So, how far apart are the two levels really? Side by side, the jump from Level 1 to Level 2 is clear, and it is more about depth and proof than about a different kind of work.
Specifically, Level 1 is 15 practices, self-assessed every year. Level 2 is 110 controls, assessed every three years, by a C3PAO when the contract calls for certification or by self-assessment when it allows one, with a System Security Plan behind it and an affirmation every year.
Notably, the cloud can change too. Level 1 usually runs fine on commercial Microsoft 365, while Level 2 with controlled data, especially where the contract carries DFARS 252.204-7012 or ITAR obligations, often needs GCC High. The table lays the two out together.
Therefore, use the comparison to place yourself honestly. If controlled information is in scope, plan for the fuller obligations rather than hoping the lighter ones apply.
In short, the gap is real but bounded. Knowing exactly what Level 2 adds over Level 1 lets you budget the extra work instead of being surprised by it late in a bid.
Notably, the comparison also helps you talk to a prime with confidence. When you can explain exactly which level a contract triggers and why, you look like a supplier who takes security seriously, which is increasingly part of winning the work.
What the CMMC Level 2 requirements add
Here is the heart of it: what Level 2 stacks on top of Level 1. Rather than a brand-new rulebook, the CMMC Level 2 requirements add four bigger obligations.
Specifically, you move from 15 practices to the full 110 controls, you bring in a C3PAO for a third-party assessment where the contract requires certification, you maintain a System Security Plan and a POA&M, and, where the data demands it (ITAR, export-controlled data, or the DFARS 252.204-7012 flow-down), you usually move to GCC High.
Notably, each addition is manageable on its own. Taken in order, they turn an intimidating jump into four clear pieces of work. The diagram stacks them up.
Therefore, tackle the additions one layer at a time rather than all at once. Closing the extra controls first, then the documentation, then the cloud, keeps the project moving.
In short, Level 2 is additive, not alien. You keep everything from Level 1 and build on it, which means the basics you already have are not wasted but reused.
Notably, this additive structure is why starting at Level 1 is never wasted effort. Every practice you put in place for the lighter level counts toward the heavier one, so a contractor who is solid at Level 1 has already closed a meaningful share of Level 2.
The 14 families behind Level 2
Next, how the 110 controls are organised. The CMMC Level 2 requirements group every control into 14 families, and knowing them keeps the work structured rather than overwhelming.
Specifically, the families run from access control and identification through audit, configuration, incident response, and system protection. They are uneven in size: Access Control alone holds 22 controls and System and Communications Protection 16, while Personnel Security has only 2, so size the work per family rather than assuming each is the same.
Notably, you do not face all 110 at once. You work family by family, scoring where you stand. The tiles show all 14 and how many controls each holds.
Therefore, start with the controls that carry the most weight in the DoD scoring methodology: the 5-point requirements such as multi-factor authentication (3.5.3), audit logging (3.3.1), and FIPS-validated encryption (3.13.11), rather than simply the largest families. A 5-point gap cannot be deferred to a POA&M, so closing those first removes the most risk early and protects your eligibility for a conditional result.
In short, 14 themes are far easier to hold in your head than 110 line items. The families turn a long list into a structured plan you can assign and track.
Notably, the families also map neatly onto the people who own them. Identity and access sit with whoever runs your tenant, physical protection with facilities, and training with HR, so the 14 themes become a way to share the work rather than pile it on one person.
C3PAO, SSP, and POA&M
So, what proves you meet the CMMC Level 2 requirements? Three things an assessor expects, and they are where Level 2 differs most from Level 1.
Specifically, a C3PAO is the certified third party that assesses you. A System Security Plan, or SSP, describes how you meet each control. A POA&M, or plan of action and milestones, lists any gap with an owner and a date.
Notably, the SSP is the document the assessor reads first, so a clear, current one sets the tone. A POA&M is allowed only within limits: your score must be at least 88 of 110, the open items must be 1-point requirements (CUI encryption, 3.13.11, may sit at 3 points if you encrypt but not with FIPS-validated modules), and a conditional result must be closed out within 180 days or the certification lapses.
Documenting the CMMC Level 2 requirements
Wintive insight. The most expensive misread of the CMMC Level 2 requirements we see is treating the System Security Plan as paperwork to write the night before. In a real assessment, the SSP is the spine: it maps every one of the 110 controls to how your tenant meets it, and the assessor works straight from it. When it matches what they see in Microsoft 365 (sign-in policies, encryption settings, audit logs), the assessment moves quickly. When it does not, every mismatch becomes a question. Building the SSP from your live tenant, rather than from a template, is the single highest-value thing a small contractor can do, and it is exactly what our Master Audit produces.
In short, the documentation is not busywork; it is the assessment. Keep the SSP and the POA&M current and tied to your tenant, and you turn a wall of controls into a story an assessor can follow.
GCC High and the CMMC Level 2 requirements
Next, the cloud question that often comes with Level 2. When controlled information is in play, the CMMC Level 2 requirements usually push you toward Microsoft 365 GCC High.
Specifically, GCC High is Microsoft's government cloud in which the data, and the screened staff who can touch it, stay in the United States; it is built for ITAR and for the DFARS 252.204-7012 obligations. CMMC itself does not name a cloud: the trigger is the data and the clauses in your contract. If the contract names ITAR or EAR-controlled data, US-only residency, or the 7012 flow-down, you most likely need it.
However, not every Level 2 contractor must move on day one, and the migration is a one-way project with real cost. So confirm the trigger before you commit to it.

Therefore, treat GCC High as a decision to verify, not a default to assume. Much of the Level 2 work (written policies, the SSP, Conditional Access design, device baselines) can be done on commercial Microsoft 365 until controlled data actually arrives, and it carries over.
In short, plan the cloud early if you truly need it. Confirm the trigger, scope the migration tightly, and run it as its own project alongside the control work, so it never becomes a last-minute switch that bottlenecks your Level 2 timeline.
The three-year certification cycle
So, how long does meeting the CMMC Level 2 requirements last? A Level 2 certification runs for three years, but it is not a one-and-done event.
Specifically, a C3PAO assesses you at the start, then you make an annual affirmation that your controls still hold, and you reassess at year three. The cycle keeps your security honest between assessments.
Notably, the yearly affirmation matters as much as the assessment. Letting controls drift after passing puts the certification at risk, so readiness is a habit, not a sprint.
Therefore, build a light quarterly check into your routine so nothing drifts. A tenant kept current passes its affirmation and its reassessment without drama.
In short, certification is a cycle, not a finish line. The annual affirmation, signed by a senior official and recorded in SPRS, is also your chance to catch drift: a short review each year surfaces a lapsed policy or a changed setting while it is still easy to fix, long before it could threaten the reassessment at year three.
How much of Level 2 Microsoft 365 covers
Here is the part the platform vendors skip. A large share of the CMMC Level 2 requirements is already satisfied by the Microsoft 365 you pay for.
Specifically, identity and access map to Entra ID (Conditional Access, privileged roles), encryption and data protection to Purview (sensitivity labels, DLP, the unified audit log), threat alerts to Defender, and device control to Intune. So many of the 110 controls are one setting or one export away.
However, check the licence tier before you count a control as covered: features such as year-long audit retention, Defender for Endpoint Plan 2, and Privileged Identity Management sit in the higher tiers (E5, or G5 in GCC High), so your mapping should record which plan each control depends on. The gaps that remain are usually written policies and evidence, not missing tools, and policies are cheaper to write than platforms are to buy.
Therefore, map each control to where it lives in your tenant before you price anything new. Counting what Microsoft 365 already covers usually shows you are closer to ready than the vendors suggest.
Notably, this mapping is also reusable. A simple table of control, where it lives, and the evidence to export becomes the backbone of your SSP and every future assessment.
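To make that table concrete, and the POA&M limits described under C3PAO, SSP, and POA&M with it, here is an added Python example written for this page (it is not Wintive's tooling, Microsoft's, or anything published with the assessment methodology). It scores five sampled 800-171 requirements from a tenant export, records the evidence an SSP row would cite, and decides whether a conditional result is even possible. TENANT_EXPORT is a constructed sample whose shape loosely follows what Graph PowerShell returns (for instance Get-MgIdentityConditionalAccessPolicy saved as JSON), not a real tenant. The point values, the 88-point floor, the 180-day closeout and the never-on-POA&M list are the author's reading of the DoD Assessment Methodology and 32 CFR 170.21, and the Global Administrator cap and the all-users MFA test are assumptions; confirm all of them against the current text before relying on them.

```python
"""Score five sampled NIST SP 800-171 controls from a Microsoft 365 export.

Added example for this page, not Wintive's tooling or Microsoft's. TENANT_EXPORT is a
constructed stand-in for Graph/Exchange output saved as JSON (not a real tenant).
Point values, the 88 floor, the 180-day closeout and NEVER_ON_POAM are the author's
reading of the DoD Assessment Methodology and 32 CFR 170.21: verify before use."""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110
MIN_SCORE_FOR_CONDITIONAL = 88   # 0.8 x 110, rounded up
POAM_CLOSEOUT_DAYS = 180         # window to close a conditional status
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
MAX_GLOBAL_ADMINS = 4            # assumption: Microsoft's "fewer than five" guidance

TENANT_EXPORT = {  # constructed sample, shaped like Graph output; not a real export
    "conditionalAccessPolicies": [
        {"displayName": "CA001 Require MFA for all users", "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"],
                                  "excludeUsers": ["breakglass@contoso.example"]}},
         "grantControls": {"builtInControls": ["mfa"]}},
    ],
    "auditLog": {"unifiedAuditLogEnabled": True, "retentionDays": 365,
                 "reviewProcedureDocumented": False},
    "globalAdministrators": ["alice@contoso.example", "breakglass@contoso.example"],
    "deviceCompliance": {"bitLockerRequired": True, "fipsModeEnforced": False},
}


@dataclass
class Finding:
    control: str
    status: str      # "met", "partial" or "not met"
    deduction: int   # points subtracted from 110 under the assessment methodology
    evidence: str    # what the SSP points the assessor at

    def poam_eligible(self) -> bool:
        """May this open item be deferred to a POA&M under 32 CFR 170.21?"""
        if self.control in NEVER_ON_POAM:
            return False
        if self.control == "3.13.11":   # CUI encryption may sit on a POA&M at 3 points
            return self.deduction <= 3
        return self.deduction <= 1


def check_mfa(t) -> Finding:
    """3.5.3 MFA for privileged accounts and network access by all users (5 points)."""
    policies = [p for p in t["conditionalAccessPolicies"] if p["state"] == "enabled"
                and "mfa" in p["grantControls"]["builtInControls"]]
    everyone = [p for p in policies if "All" in p["conditions"]["users"]["includeUsers"]]
    if everyone:  # exclusions (break-glass accounts) must be justified in the SSP
        return Finding("3.5.3", "met", 0, f"CA policy '{everyone[0]['displayName']}'; "
                       f"justify exclusions {everyone[0]['conditions']['users']['excludeUsers']}")
    if policies:  # assumption: a narrower policy approximates "privileged and remote only"
        return Finding("3.5.3", "partial", 3, "MFA policy exists but is not scoped to all users")
    return Finding("3.5.3", "not met", 5, "No enabled Conditional Access policy requires MFA")


def check_audit_logging(t) -> Finding:
    """3.3.1 Create and retain audit logs (5 points). Retention length is your own decision."""
    a = t["auditLog"]
    if a["unifiedAuditLogEnabled"] and a["retentionDays"] > 0:
        return Finding("3.3.1", "met", 0, f"Unified audit log on, retained {a['retentionDays']} days")
    return Finding("3.3.1", "not met", 5, "Unified audit log off or no retention policy")


def check_audit_review(t) -> Finding:
    """3.3.3 Review and update logged events (1 point). A written procedure is the evidence."""
    if t["auditLog"]["reviewProcedureDocumented"]:
        return Finding("3.3.3", "met", 0, "Documented log-review procedure")
    return Finding("3.3.3", "not met", 1, "No documented log-review procedure")


def check_least_privilege(t) -> Finding:
    """3.1.5 Least privilege (3 points), approximated by the Global Administrator head count."""
    admins = t["globalAdministrators"]
    if 2 <= len(admins) <= MAX_GLOBAL_ADMINS:  # at least two so a break-glass account exists
        return Finding("3.1.5", "met", 0, f"{len(admins)} Global Administrators: {admins}")
    return Finding("3.1.5", "not met", 3, f"{len(admins)} Global Administrators")


def check_fips_crypto(t) -> Finding:
    """3.13.11 FIPS-validated cryptography for CUI (5 points; 3 if encrypted but not validated)."""
    d = t["deviceCompliance"]
    if d["bitLockerRequired"] and d["fipsModeEnforced"]:
        return Finding("3.13.11", "met", 0, "BitLocker required and FIPS mode enforced")
    if d["bitLockerRequired"]:
        return Finding("3.13.11", "partial", 3, "BitLocker required but FIPS mode not enforced")
    return Finding("3.13.11", "not met", 5, "No disk encryption requirement")


def assess(t) -> dict:
    """Score the sampled controls and decide whether a conditional status is even possible."""
    findings = [check_mfa(t), check_audit_logging(t), check_audit_review(t),
                check_least_privilege(t), check_fips_crypto(t)]
    # Assumption: the other 105 requirements were assessed elsewhere and are met.
    open_items = [f for f in findings if f.deduction > 0]
    score = TOTAL_REQUIREMENTS - sum(f.deduction for f in findings)
    eligible = score >= MIN_SCORE_FOR_CONDITIONAL and all(f.poam_eligible() for f in open_items)
    return {"score": score, "open": [f.control for f in open_items],
            "conditional_eligible": eligible, "findings": findings}


if __name__ == "__main__":
    result = assess(TENANT_EXPORT)
    for f in result["findings"]:   # the rows an SSP control table is built from
        print(f"{f.control:8} {f.status:8} -{f.deduction}  {f.evidence}")
    print(f"score {result['score']}/110, open {result['open']}, conditional possible: "
          f"{result['conditional_eligible']} (close within {POAM_CLOSEOUT_DAYS} days)")
```

With the sample export the two open items are the missing log-review procedure (1 point) and BitLocker without FIPS mode (3 points, the one 5-point control allowed on a POA&M at partial credit), so the score is 106 and a conditional result is possible. Switch BitLocker off in the sample and 3.13.11 becomes a 5-point gap, which no score can rescue: that is why the weighted controls come first in the gap order.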
In short, your licence does much of the heavy lifting. Use what you own, scope it correctly, and the CMMC Level 2 requirements shrink from a shopping list to a focused set of real gaps.
Notably, leaning on Microsoft 365 also keeps your evidence in one place. Because the proof for many controls already lives in the tenant, you can export it on demand rather than reconstructing it under assessment pressure, which is exactly what an assessor likes to see.
🪤 Common Level 2 mistakes
Meanwhile, a few mistakes catch small contractors trying to meet the CMMC Level 2 requirements. First, many assume Level 2 when their contract only involves Federal Contract Information, and over-build for no reason.
Furthermore, some buy a compliance platform before checking what Microsoft 365 already covers, then pay twice. Others write a template SSP that does not match their tenant, which an assessor spots immediately.
Finally, a frequent trap is leaving the GCC High decision late. Because the migration takes months, a last-minute move becomes the thing that delays the whole assessment.
Therefore, confirm your level, map controls to your tenant, write the SSP from what is real, and decide the cloud early. As a result, you avoid the four most expensive Level 2 mistakes in one move.
In short, the pattern behind every mistake is the same: guessing instead of confirming. Check your data, use what you own, and document what is true, and the CMMC Level 2 requirements stop being a trap.
Above all, do not let the size of the list push you into buying your way out. The contractors who struggle most are usually the ones who bought a platform before mapping their tenant; the ones who do best map first, then spend only on the genuine gaps that remain.
Who faces Level 2, and when
Of course, not every contractor faces the CMMC Level 2 requirements. So decide by your contracts and your data, not by fear.
Specifically, you are Level 2 when a contract hands you Controlled Unclassified Information. The requirement flows down the supply chain, so even a small subcontractor can be in scope if a prime passes controlled data to it.
Notably, the timing is set by the contract, and the rules are rolling out in phases: the DFARS rule took effect on 10 November 2025 with self-assessments in Phase 1, and C3PAO certification requirements for Level 2 contracts begin in Phase 2, a year later. The safest move is to be ready before a bid asks for it, not after.
When the CMMC Level 2 requirements reach you
In short, let the data and the contract decide. The moment controlled information lands in scope, the CMMC Level 2 requirements apply, and early preparation gives you a head start.
Therefore, watch your pipeline, not just your current work. The requirement follows the data down the chain, so a single new defense opportunity involving controlled data can move you from Level 1 to Level 2 overnight. Knowing in advance whether controlled information would put you at Level 2 means you can prepare deliberately instead of reacting once a questionnaire lands.
Your CMMC Level 2 requirements recap
Condensed, here is the Level 2 plan to keep on hand.
- Confirm whether your contract involves Controlled Unclassified Information.
- If it does, you are Level 2: the full 110 controls apply.
- Group the work into the 14 NIST 800-171 families.
- Map each control to where it lives in Microsoft 365.
- Write a System Security Plan from your real tenant.
- Track every gap on a POA&M with an owner and a date.
- Decide on GCC High early if controlled data requires it.
- Keep controls current for the annual affirmation.
Notably, none of the CMMC Level 2 requirements need to be faced alone or all at once. Worked family by family, mapped to the tenant you already run, and tracked on a simple plan, the 110 controls become a project a small team can finish, and then keep current each year with very little ongoing effort from the team.

Ultimately, at Wintive we get US small contractors ready for the CMMC Level 2 requirements on the Microsoft 365 they already run, as part of our managed security services. So we confirm your scope, map the 110 controls to your tenant, build the SSP, and show you the gaps and the budget. As a result, you reach Level 2 with a plan you can defend. To get started, contact us for a free consultation. It is quick, and we do the rest.
See exactly where your Microsoft 365 stands for CMMC Level 2
The M365 Master Audit is a full Microsoft 365 security audit for a US small contractor. Specifically it reviews your identity, email, device, and data controls, maps them to the CMMC and NIST 800-171 requirements, builds the System Security Plan, and ranks the fixes by real risk. As a result you get a written report, a clear action plan, and the evidence to show a C3PAO.
❓ Frequently Asked Questions
What are the CMMC Level 2 requirements?
They are the 110 security controls from NIST SP 800-171 Revision 2, grouped into 14 families, plus an assessment every three years (by a C3PAO where the contract requires certification), an annual affirmation, and a documented System Security Plan. Level 2 applies when you handle Controlled Unclassified Information.
How many controls are in CMMC Level 2?
There are 110 controls, drawn from NIST SP 800-171 and organised into 14 families. That is far more than the 15 basic practices at Level 1, but most of the technical controls already live in Microsoft 365.
What is the difference between CMMC Level 1 and Level 2?
Level 1 covers 15 practices for Federal Contract Information and is self-assessed each year. Level 2 covers all 110 controls for Controlled Unclassified Information and is assessed every three years, by a C3PAO when the contract requires certification, with an affirmation each year in between.
Do I need GCC High for CMMC Level 2?
Usually, if you handle ITAR or other export-controlled data, or your contract carries the DFARS 252.204-7012 flow-down or names US-only data residency. If controlled data is not yet in scope, some Level 2 work can be done on commercial Microsoft 365 first.
How much of CMMC Level 2 does Microsoft 365 cover?
It covers a large share of the technical controls. Access, multi-factor sign-in, encryption, logging, and threat protection all map to Entra ID, Purview, Intune, and Defender, though some features depend on the licence tier. The remaining gaps are usually policies and evidence.
How do I prepare for a CMMC Level 2 assessment?
Confirm your data and scope, map the 110 controls to Microsoft 365, write a System Security Plan from your real tenant, track gaps on a POA&M, and decide on GCC High early. Then close the gaps, starting with the 5-point requirements, before the C3PAO arrives.
🧭 Your next step
Want to know exactly where you stand against the CMMC Level 2 requirements? First, book a short call. Then we confirm your scope, map the 110 controls to your Microsoft 365, build the SSP, and show you the gaps and the budget. To start, contact Wintive. It is quick, and we do the rest.