CMMC 2.0 Level 2 Requirements: A Contractor’s Compliance Checklist

The Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 requires defense contractors to implement 110 security controls from NIST SP 800-171 Revision 2. For contractors handling Controlled Unclassified Information (CUI), achieving Level 2 compliance is not optional—it is a prerequisite for competing on Department of War contracts. This comprehensive checklist breaks down the 14 control families and outlines what your organization needs to demonstrate for compliance.

CMMC 2.0 Assessment Pathways

Before diving into the control families, understand the two assessment pathways for Level 2. Self-assessment applies to contracts involving CUI that is not critical to national security. Contractors conduct their own assessment, submit results to the Supplier Performance Risk System (SPRS), and attest to compliance. Third-party assessment (C3PAO) is required for contracts involving CUI critical to national security. An accredited CMMC Third-Party Assessment Organization conducts an independent evaluation of your security controls.

Regardless of the pathway, the technical requirements are identical: full implementation of all 110 NIST 800-171 controls across 14 families.

The 14 NIST 800-171 Control Families

1. Access Control (AC) — 22 Controls

Access Control is the largest family and addresses who can access your systems and data. Key requirements include limiting system access to authorized users and transactions, enforcing approved authorizations for controlling CUI flow, separating duties to reduce risk of malicious activity, employing the principle of least privilege, and controlling remote access sessions. You must implement multi-factor authentication for network access to privileged and non-privileged accounts, encrypt remote access sessions, and control access via wireless and mobile devices.

2. Awareness and Training (AT) — 3 Controls

Ensure all users are trained on security risks associated with their activities. Managers, system administrators, and security personnel must receive role-specific training. Document training records and update training content to reflect evolving threats, particularly social engineering and phishing.

3. Audit and Accountability (AU) — 9 Controls

Create, protect, and retain audit logs sufficient to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Ensure audit logging captures user actions, failed access attempts, and privileged operations. Correlate audit review, analysis, and reporting processes to support investigation. Alert in case of audit process failures and protect audit information from unauthorized access and modification.
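The AU family asks for logs that capture failed access attempts and privileged operations, for review processes that correlate them, for alerting when the audit process itself fails, and for protection of audit records against modification. The following Python is an added example, not code from the page or from Zapata Technology: it reviews a constructed audit log (the line format, event names, five-failures-per-minute threshold and hash-chain seed are all assumptions) and produces the findings an assessor would expect a review process to surface.

```python
"""Added example: review a constructed audit log for the event classes the
AU family asks you to capture and correlate, and hash-chain the log so that
modification of any retained line is detectable.  The line format, event
names and thresholds are assumptions for this example, not a page-specified format."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <EVENT> key=value ..."
SAMPLE_LOG = """\
2024-05-01T08:00:01Z LOGIN_OK user=alice src=10.0.0.5
2024-05-01T08:00:10Z LOGIN_FAIL user=bob src=10.0.0.9
2024-05-01T08:00:12Z LOGIN_FAIL user=bob src=10.0.0.9
2024-05-01T08:00:15Z LOGIN_FAIL user=bob src=10.0.0.9
2024-05-01T08:00:20Z LOGIN_FAIL user=bob src=10.0.0.9
2024-05-01T08:00:25Z LOGIN_FAIL user=bob src=10.0.0.9
2024-05-01T08:01:00Z SUDO user=alice src=10.0.0.5 cmd=/usr/bin/systemctl
2024-05-01T08:02:00Z AUDITD_STOP user=root src=10.0.0.5
2024-05-01T08:02:30Z FILE_READ user=alice src=10.0.0.5 path=/cui/contract.pdf
"""

FAIL_THRESHOLD = 5                    # assumed: five failures for one user ...
FAIL_WINDOW = timedelta(minutes=1)    # ... within a one-minute sliding window
PRIVILEGED_EVENTS = {"SUDO", "PRIV_ESCALATION"}        # assumed event names
AUDIT_FAILURE_EVENTS = {"AUDITD_STOP", "LOG_WRITE_ERROR"}


def parse_line(line):
    """Split one log line into a dict with parsed timestamp and event name."""
    ts, event, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = event
    return rec


def review_audit_log(text):
    """Return (finding, user, detail) tuples in the order they are detected."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent LOGIN_FAIL
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ev = rec["event"]
        if ev in AUDIT_FAILURE_EVENTS:
            # AU requires an alert when the audit process itself fails.
            findings.append(("AUDIT_PROCESS_FAILURE", rec["user"], ev))
        elif ev in PRIVILEGED_EVENTS:
            findings.append(("PRIVILEGED_OPERATION", rec["user"], rec.get("cmd", "")))
        elif ev == "LOGIN_FAIL":
            window = failures[rec["user"]]
            window.append(rec["ts"])
            # Discard failures that fell out of the sliding window.
            while window and rec["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            # Fire exactly once when the threshold is first reached.
            if len(window) == FAIL_THRESHOLD:
                findings.append(("REPEATED_ACCESS_FAILURE", rec["user"], rec["src"]))
    return findings


def hash_chain(text, seed=b"audit-chain-seed"):
    """Tamper-evident chaining: each line's digest also covers the previous digest,
    so altering or deleting any retained line changes every later digest."""
    prev = seed
    digests = []
    for raw in text.splitlines():
        prev = hashlib.sha256(prev + raw.encode()).digest()
        digests.append(prev.hex())
    return digests


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(finding)
    print("chain head:", hash_chain(SAMPLE_LOG)[-1])
```

The chain head is what you would store out of band (or forward to a separate log host) so that a later comparison detects edits to the retained log; the review function is the kind of logic that belongs in your SIEM correlation rules rather than in a one-off script.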

4. Configuration Management (CM) — 9 Controls

Establish and maintain baseline configurations for your IT systems. Track, review, and approve changes. Restrict and document the use of nonessential programs, functions, ports, protocols, and services. Apply deny-by-exception policies to prevent unauthorized software execution. Control and monitor user-installed software.

5. Identification and Authentication (IA) — 11 Controls

Identify and authenticate all users, processes, and devices before granting access. Enforce minimum password complexity and change requirements. Implement multi-factor authentication. Store and transmit only cryptographically-protected passwords. Employ replay-resistant authentication mechanisms and prevent the reuse of identifiers for defined periods.
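Several IA requirements map directly onto concrete mechanisms: a minimum complexity check, a salted password-based key derivation so that only cryptographically-protected passwords are stored, a constant-time comparison on verification, a single-use server nonce so that a captured authentication response cannot be replayed, and a registry that refuses to reassign a retired identifier until a hold period has elapsed. The Python below is an added example written for this checklist, not code from the page or from Zapata Technology; the PBKDF2 iteration count, the 14-character minimum, the one-year identifier hold and the class names are assumptions chosen for illustration.

```python
"""Added example: minimal implementations of IA mechanisms named in the
checklist.  Work factor, length policy and hold period are assumptions."""
import hashlib
import hmac
import os
import secrets
from datetime import date, timedelta

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
MIN_PASSWORD_LENGTH = 14      # assumed organizational policy


def meets_complexity(password):
    """Assumed policy: minimum length plus at least three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


def hash_password(password, salt=None):
    """Store only the salt and PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time to avoid timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class ChallengeAuth:
    """Replay-resistant challenge/response: the server issues a fresh random
    nonce per attempt and discards it on first use, so a recorded response
    cannot be presented a second time."""

    def __init__(self):
        self._outstanding = {}   # user -> nonce awaiting a response

    def issue_challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._outstanding[user] = nonce
        return nonce

    @staticmethod
    def respond(shared_key, nonce):
        """Client side: prove possession of the key by MACing the nonce."""
        return hmac.new(shared_key, nonce, "sha256").digest()

    def verify(self, user, shared_key, response):
        nonce = self._outstanding.pop(user, None)   # single use
        if nonce is None:
            return False
        expected = self.respond(shared_key, nonce)
        return hmac.compare_digest(expected, response)


class IdentifierRegistry:
    """Prevent reuse of retired user identifiers for a defined period."""

    def __init__(self, hold_days=365):   # assumed hold period
        self.hold = timedelta(days=hold_days)
        self._retired = {}               # identifier -> retirement date

    def retire(self, identifier, retired_on):
        self._retired[identifier] = retired_on

    def can_assign(self, identifier, today):
        retired_on = self._retired.get(identifier)
        return retired_on is None or today - retired_on >= self.hold


if __name__ == "__main__":
    salt, digest = hash_password("Correct-Horse-Battery-9")
    print("verify:", verify_password("Correct-Horse-Battery-9", salt, digest))
    auth = ChallengeAuth()
    nonce = auth.issue_challenge("alice")
    resp = ChallengeAuth.respond(digest, nonce)
    print("first use:", auth.verify("alice", digest, resp))
    print("replayed:", auth.verify("alice", digest, resp))
```

In a real deployment the shared key in the challenge exchange would be a key derived from the user's credential or held on a hardware token, and the nonce store would need expiry; the point of the example is that the server never accepts the same nonce twice and never stores a recoverable password.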

6. Incident Response (IR) — 3 Controls

Establish incident response capabilities including preparation, detection, analysis, containment, recovery, and post-incident activities. Track, document, and report incidents to designated officials and authorities. Test your incident response plan regularly and update it based on lessons learned and evolving threat landscapes.

7. Maintenance (MA) — 6 Controls

Perform timely maintenance on organizational systems. Provide controls on maintenance tools, activities, and personnel. Ensure equipment removed for off-site maintenance is sanitized of CUI. Check media containing diagnostic programs for malicious code before use on organizational systems. Require multi-factor authentication for remote maintenance sessions and supervise maintenance activities of personnel without required access.

8. Media Protection (MP) — 9 Controls

Protect, control, and sanitize information system media containing CUI. Mark media with CUI designations and distribution limitations. Control access to media containing CUI. Sanitize or destroy media before disposal or release. Control the use of removable media on system components and encrypt CUI on digital media during transport.

9. Personnel Security (PS) — 2 Controls

Screen personnel prior to granting access to systems containing CUI. Ensure CUI and systems containing CUI are protected during and after personnel actions such as terminations and transfers. Revoke access promptly when employees depart and conduct exit interviews that address information security obligations.

10. Physical Protection (PE) — 6 Controls

Limit physical access to systems, equipment, and operating environments to authorized personnel. Escort visitors, monitor physical access, and maintain audit logs of physical access. Control and manage physical access devices (keys, badges, cards). Protect and monitor the physical facility and support infrastructure.

11. Risk Assessment (RA) — 3 Controls

Periodically assess the risk to organizational operations, assets, and individuals resulting from the processing, storage, and transmission of CUI. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities are identified. Remediate vulnerabilities in accordance with assessed risk.

12. Security Assessment (CA) — 4 Controls

Periodically assess the security controls to determine effectiveness. Develop and implement plans of action to correct deficiencies and reduce vulnerabilities. Monitor security controls on an ongoing basis. Develop, document, and update system security plans that describe boundaries, environments, how controls are implemented, and relationships with other systems.

13. System and Communications Protection (SC) — 16 Controls

Monitor, control, and protect communications at system boundaries. Employ architectural designs, software development techniques, and systems engineering principles that promote information security. Separate user and system management functionality. Prevent unauthorized and unintended transfer of information via shared resources. Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission and at rest.

14. System and Information Integrity (SI) — 7 Controls

Identify, report, and correct system flaws in a timely manner. Implement malicious code protection at appropriate locations. Monitor system security alerts and advisories and take appropriate action. Update malicious code protection mechanisms. Perform periodic and real-time scans of the information system and monitor inbound and outbound communications for anomalies.

Building Your Plan of Action and Milestones (POA&M)

Few organizations achieve perfect compliance on the first assessment. CMMC 2.0 allows limited use of Plans of Action and Milestones (POA&Ms) for controls that are not fully implemented at the time of assessment. However, there are restrictions—certain critical controls cannot be placed on a POA&M, and all POA&M items must be closed within 180 days of assessment.

The key is to start early, document thoroughly, and prioritize the controls that address your highest-risk gaps. A well-structured System Security Plan (SSP) and POA&M demonstrate to assessors that your organization takes compliance seriously and has a clear path to full implementation.

How Zapata Technology Supports CMMC Compliance

Zapata Technology maintains full NIST 800-171 compliance across our own operations and helps defense contractors achieve and maintain their CMMC readiness. Our CMMC compliance services include gap assessments, SSP and POA&M development, security control implementation, and continuous monitoring. With deep experience operating in classified environments for the Department of War, we understand the practical realities of implementing these controls in defense-focused organizations.

Whether you are preparing for a self-assessment or a C3PAO evaluation, the time to begin is now. CMMC requirements are being phased into Department of War contracts, and organizations that delay compliance risk losing access to the defense market entirely.

Frequently Asked Questions

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 requires basic cyber hygiene with 17 practices based on FAR 52.204-21, focused on protecting Federal Contract Information (FCI). Level 2 is significantly more rigorous, requiring implementation of all 110 security controls from NIST SP 800-171 to protect Controlled Unclassified Information (CUI). Level 2 also requires third-party assessment by an accredited C3PAO for critical programs, whereas Level 1 only requires annual self-assessment.

When does CMMC 2.0 go into effect for defense contracts?

The Department of War has begun phasing CMMC requirements into new contract solicitations. The rollout is incremental, with CMMC clauses appearing in select contracts first and expanding over time. Contractors should begin preparing now, as achieving full compliance typically takes 12 to 18 months, and organizations without certification will be ineligible to bid on affected contracts.

Does Zapata Technology provide CMMC assessment services?

Yes. Zapata Technology offers comprehensive CMMC compliance support including gap assessments, remediation planning, SSP development, and preparation for C3PAO assessments. With 18+ years of experience operating in classified Department of War environments and ISO 9001:2015 certification, we help defense contractors navigate every phase of CMMC readiness. Learn more at our CMMC Compliance Services page.

What happens if a contractor fails a CMMC assessment?

If a contractor fails a CMMC assessment, they will not receive certification and will be ineligible for contracts requiring that CMMC level. The contractor can remediate the identified deficiencies and request a reassessment. However, reassessment timelines and costs can be significant, which is why thorough preparation before the initial assessment is critical. Zapata Technology helps organizations identify and close gaps before the formal C3PAO evaluation. Contact our CMMC team to get started.
