How to Comply with CMMC Level 2
The Cybersecurity Maturity Model Certification (CMMC) Level 2 aligns with NIST SP 800-171 and is required for Department of Defense contractors handling Controlled Unclassified Information (CUI). Its 110 practices span 14 domains, including access control, audit, configuration management, and incident response.
Why CMMC Compliance Matters
CMMC Level 2 certification is required for Department of Defense contractors handling Controlled Unclassified Information (CUI). Starting in 2025, contracts will require third-party CMMC assessments. The 110 practices align with NIST SP 800-171, making it essential for defense industrial base organizations to begin preparation early.
Compliance Checklist by Domain
The 46 controls below are mapped to the CMMC practices they satisfy, along with the other frameworks in which the same control appears. Work through each domain to build your compliance program.
Govern (4 controls)
| Control | CMMC References | Also In |
|---|---|---|
| Governance Policy | CA.L2-3.12.1 CA.L2-3.12.4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Risk Management | RA.L2-3.11.1 RA.L2-3.11.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Roles & Responsibilities | PS.L2-3.9.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Compliance | CA.L2-3.12.1 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
Identify (5 controls)
| Control | CMMC References | Also In |
|---|---|---|
| Asset Management | CM.L2-3.4.1 CM.L2-3.4.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Risk Assessment | RA.L2-3.11.1 RA.L2-3.11.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Data Classification | MP.L2-3.8.1 MP.L2-3.8.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Vulnerability Management | RA.L2-3.11.2 SI.L2-3.14.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Threat Intelligence | RA.L2-3.11.3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53 |
Protect (21 controls)
| Control | CMMC References | Also In |
|---|---|---|
| Awareness & Training | AT.L2-3.2.1 AT.L2-3.2.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Access Control | AC.L2-3.1.1 AC.L2-3.1.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Multi-Factor Auth | IA.L2-3.5.3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Encryption | SC.L2-3.13.8 SC.L2-3.13.11 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Data Protection | MP.L2-3.8.1 SC.L2-3.13.16 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Backup & Recovery | MP.L2-3.8.9 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Privileged Access | AC.L2-3.1.5 AC.L2-3.1.6 AC.L2-3.1.7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Firewall / Network Segmentation | SC.L2-3.13.1 SC.L2-3.13.5 SC.L2-3.13.6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Endpoint Protection | SI.L2-3.14.2 SI.L2-3.14.4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Patch Management | SI.L2-3.14.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Secure Configuration | CM.L2-3.4.1 CM.L2-3.4.2 CM.L2-3.4.6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Secure Development | SA.L2-3.16.1 SA.L2-3.16.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, GDPR |
| Email Security | SI.L2-3.14.5 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Web Security | SC.L2-3.13.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Zero Trust | AC.L2-3.1.1 SC.L2-3.13.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Mobile Security | AC.L2-3.1.18 AC.L2-3.1.19 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Cloud Security | SC.L2-3.13.1 AC.L2-3.1.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| DNS Security | SC.L2-3.13.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53 |
| WAF | SC.L2-3.13.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| DLP | MP.L2-3.8.3 SC.L2-3.13.16 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| API Security | SC.L2-3.13.1 SA.L2-3.16.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
Detect (6 controls)
| Control | CMMC References | Also In |
|---|---|---|
| Continuous Monitoring | SI.L2-3.14.6 SI.L2-3.14.7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Logging & Audit | AU.L2-3.3.1 AU.L2-3.3.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Intrusion Detection | SI.L2-3.14.6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Anomaly Detection | SI.L2-3.14.6 SI.L2-3.14.7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| SIEM / SOC | AU.L2-3.3.1 SI.L2-3.14.6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Insider Threat | AC.L2-3.1.1 AU.L2-3.3.1 PS.L2-3.9.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
Respond (5 controls)
| Control | CMMC References | Also In |
|---|---|---|
| Incident Response | IR.L2-3.6.1 IR.L2-3.6.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Forensics | IR.L2-3.6.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Communication | IR.L2-3.6.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Mitigation | IR.L2-3.6.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Reporting | IR.L2-3.6.2 IR.L2-3.6.3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
Recover (5 controls)
| Control | CMMC References | Also In |
|---|---|---|
| Recovery Planning | MP.L2-3.8.9 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Business Continuity | MP.L2-3.8.9 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Lessons Learned | IR.L2-3.6.3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Communications & Restoration | IR.L2-3.6.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Disaster Recovery | MP.L2-3.8.9 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
Controls Not Required by CMMC
The following 3 controls are not directly addressed by any CMMC Level 2 practice, but they may still be relevant to your security program and to the other frameworks you follow.
How CMMC Compares
See how CMMC coverage overlaps with other frameworks: