Under the Cybersecurity Maturity Model Certification (CMMC), all DoD contractors are required to be evaluated on the maturity and reliability of their cybersecurity infrastructure, earning certifications ranging from Level 1 (basic cyber hygiene) to Level 5 (advanced security). The five CMMC certification levels are tiered, so the requirements and processes for each level builds upon the previous. Future DoD contracts will indicate the certification level required to bid, and only companies certified to the level specified or higher will be allowed to submit a proposal for those contracts.

Focused on intermediate cyber hygiene, the CMMC Level 2 certification is the transitional phase between basic security measures and the protection of controlled unclassified information (CUI). Level 2 requires that organizations establish and document practices and policies to guide the implementation of their CMMC efforts. Practices are no longer performed ad hoc like in Level 1, but they are not measured against a standard, either (that happens at Level 3). The CMMC Level 2 certification is an important step for defense contractors to take, as its purpose is to create a bridge for organizations to go from Level 1 to Level 3.

In the second installment of our five-part series, Exploring the Five Certification Levels of the CMMC, we’ll take a closer look at the CMMC Level 2 certification, steps for achieving compliance, and how to use this level to propel your organization to a higher certification.

Need a quick refresher on the requirements of the CMMC Level 1 certification?

Check out this blog for a closer look.

Learn More


CMMC Level 2 Certification

As discussed in the first part of this series, processes are not required at the CMMC Level 1 certification. With the introduction of documentation requirements, policies, and the strategic implementation of cybersecurity capabilities, Level 2 is a slightly more advanced version of Level 1. By properly documenting processes and practicing them accordingly, organizations can develop more mature capabilities and better defend against threats when handling sensitive federal information. Practices can then be carried out in a consistent and repeatable manner since individuals can review the established policies.

In addition to safeguarding Federal Contract Information (FCI), the practices found in Level 2 begin to reference the protection of CUI. A total of 72 practices are required at Level 2, adding 55 on top of the 17 Level 1 practices. Level 2 covers 15 of the CMMC’s 17 domains. The only two domains not found at Level 2 are asset management and situational awareness, which begin at Level 3. Reaching CMMC Level 2 indicates that a company not only has basic cyber hygiene, but is also taking the steps necessary to protect CUI.

CMMC Level 2 Domains

Access Control

Audit and Accountability

Awareness and Training
Configuration Management Identification and Authentication Incident Response

Media Protection

Personnel Security
Physical Protection Recovery

Risk Management

Security Assessment Systems and Communications Protection

System and Information Integrity


CMMC Level 2 Process Guidelines

The CMMC model consists of five maturity processes that span Levels 2 through 5 (remember, Level 1 doesn’t have any processes). In Level 2, there are two processes that apply to 15 domains. Let’s take a closer look at both below:

Process 1: Establish a policy that includes [DOMAIN NAME]

For this process, organizations are required to develop and publish a policy for the 15 domains covered by Level 2. Organizations are able decide how they want to structure and document their policies; therefore, they do not need to have 15 individual policies. According to the CMMC, a policy is a “high level statement from an organization’s senior management that documents the requirements for a given activity.” In the policy, the organization’s expectations for planning and performing the process should be established, and these expectations should be communicated throughout the organization.

The policies created should:

  • Clearly state the purpose of the policy;
  • Clearly define the scope of the policy (e.g., enterprise-wide, department-wide, or information-system specific);
  • Describe the roles and responsibilities of the activities covered by this policy: the responsibility, authority, and ownership of [DOMAIN NAME] domain activities; and,
  • Establish or direct the establishment of procedures to carry out and meet the intent of the policy. Include any regulatory guidelines this policy addresses.

Process 2: Document the CMMC practices to implement the [DOMAIN NAME]

For this process, in order to implement the policies for each domain, the practice needs to be established, documented, and followed. For the CMMC Level 2 certification, all Level 1 and Level 2 practices must be documented. Documentation must include the practices that satisfy the intent of the related policy and define the specific activities involved to meet the policy requirements.  

The documented practices should inform those performing the task that they can do so in a repeatable way. As long as the practice is documented, the level of detail in these policies can vary from a handwritten desk procedure to a formal organizational standard operating procedure that is managed and controlled.

CMMC Level 2 Certification and Future Contracts

Despite requiring more mature capabilities than Level 1, the Level 2 certification may not be widely used in future DoD contracts. When Level 2 was created, it was designed to serve as a steppingstone between Level 1 to Level 3. A Level 2 certified company is able to demonstrate that they are effectively documenting and reviewing cybersecurity practices across the business. However, the practices in Level 2 are simply baby steps in the protection of CUI; they do not safeguard it.

Therefore, only smaller companies typically supplying products to the government would look towards achieving a Level 2 certification. For example, if a contractor is selling a hammer to the DoD, there is not any specific intellectual property involved, nor is there any sensitive government information being shared, which would require a level 3 certification or higher. The contractor selling the “hammer” would only need basic security measures in place, and that can be achieved by simply earning a Level 1 certification instead.

Why Earn a CMMC Level 2 Certification

Even though the likelihood of DoD contracts requiring Level 2 is low, a Level 2 certification has its advantages.

Competitive Advantage

The CMMC certification levels are progressive and build upon each other. A contractor cannot earn a Level 2 certification without first having the practices in place required by Level 1. If the DoD releases a contract requiring Level 1 controls, but a company bidding has a Level 2 certification, that company would be considered more qualified and have a higher chance of winning the contract. A Level 2 certification is also a reflection of more advanced cyber hygiene and is advantageous when it comes to reporting to the board, executives, and potential investors.

Stepping Stone to a Level 3 Certification

According to the CMMC Accreditation Body (AB), a CMMC maturity level certificate is valid for three years and full implementation of the CMMC will take roughly five years. In addition, planning for certification should start at least 6 months prior. Earning a Level 2 certification will allow companies to still bid on contracts, while maturing their security in order to be authorized to protect CUI starting at Level 3.

Furthermore, the CMMC maturity levels serve as a way to measure an organization’s process institutionalization, or the extent to which an activity is embedded or ingrained into the operations of an organization. Process institutionalization provides assurance that the processes within each level are implemented effectively. At Level 2, policies are documented, but these take time fully execute into daily operation. Level 2 provides an organization the ability to implement standard operating procedures and verification of their process institutionalization, ultimately helping in certification efforts to a higher level in the future.

Achieving compliance with the controls and practices at CMMC Level 2 is an important milestone for any defense contractor. Activities need to be documented and policies need to be put into place that encompass those activities – necessary measures for protecting CUI and strengthening cyber security at your company. Although advancing from Level 1 compliance to Level 2 should not take an excessive amount of effort, Level 2 should not be the end goal. Instead, if your company starts implementing the requirements for Level 2 now, you’ll be in strong position to progress to a CMMC Level 3 certification with ease.


Want more cybersecurity insights in your inbox?

Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.