CMMC 2.0 Level 2 for CUI: What SMBs Need to Know 

If your company works with the U.S. Department of Defense (DoD), chances are you’ve encountered the term Controlled Unclassified Information (CUI). But what many small and mid-sized businesses (SMBs) don’t realize is that simply handling CUI brings a host of cybersecurity and compliance responsibilities—especially under the Department of Defense’s Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) framework.

CMMC 2.0 is not just another cybersecurity standard. It’s a contractual obligation tied directly to your ability to win and retain DoD contracts. And when CUI is involved, the stakes are even higher. Knowing what level of CMMC compliance is required isn’t just about checking a box—it’s about protecting your business from audits, penalties, and missed opportunities.

This article breaks down exactly what level of CMMC 2.0 is required for handling CUI, why Level 2 is the key compliance threshold, and what your organization needs to do to get there. We’ll also explain the implications of failing to meet this requirement and how to build a compliance roadmap that aligns with your business goals.

Let’s dive into what Level 2 really means—and why it’s essential for contractors and subcontractors working with CUI. 

What Is CUI, and Why Does It Matter? 

Controlled Unclassified Information (CUI) refers to sensitive data that is not classified, but still requires protection under federal law, regulation, or government-wide policy. 

Why CUI Triggers Compliance 

CUI is often created, stored, or transmitted during the course of executing defense contracts. Even if the data seems routine or internal, it may require protection and formal handling procedures defined by the Department of Defense. From a compliance standpoint, handling CUI automatically puts your organization into the CMMC 2.0 Level 2 category. 

Compliance Isn’t Just IT’s Problem 

This obligation extends beyond your IT department. It requires company-wide participation—from HR to operations—because CUI can touch any system or employee workflow. 

CMMC 2.0 Overview: Understanding the Three Levels 

The Cybersecurity Maturity Model Certification (CMMC) was designed to unify and elevate cybersecurity standards across the defense industrial base (DIB). With the release of CMMC 2.0, the Department of Defense streamlined the original five-level model into a more focused three-tiered structure. Each level corresponds to the sensitivity of the information your business handles—and the cybersecurity controls required to protect it. 

Level 1: Foundational 

This level applies to companies that handle only Federal Contract Information (FCI)—data provided by or generated for the government that is not intended for public release. Level 1 includes 17 basic safeguarding requirements pulled directly from FAR 52.204-21. These controls include limiting access to authorized users, protecting physical systems, and ensuring secure information disposal.

Importantly, Level 1 is not sufficient for businesses that handle CUI. If your organization processes CUI in any capacity, even as a subcontractor, Level 1 does not meet DoD expectations. 

Level 2: Advanced 

This is where Controlled Unclassified Information (CUI) comes into play. CMMC 2.0 Level 2 for CUI is based on NIST SP 800-171 and includes 110 security controls organized across 14 families, such as access control, incident response, audit and accountability, and system integrity. Level 2 aligns with the security requirements already written into DoD contracts via DFARS 252.204-7012.

There are two key paths within Level 2:
– Triennial Third-Party Assessments: For companies handling high-priority CUI, a formal CMMC certification from an authorized C3PAO (Certified Third Party Assessor Organization) is required.
– Annual Self-Assessments: For organizations working with low-priority CUI, a self-assessment may be permitted, depending on contract terms. 

Level 3: Expert 

Reserved for contractors that handle Classified Information or support critical DoD programs, Level 3 builds on NIST 800-171 and includes additional practices from NIST SP 800-172. This level is not applicable to most small or mid-sized businesses unless they support intelligence, advanced weapons systems, or critical infrastructure programs. 

The 110 NIST SP 800-171 Controls Required at Level 2 

At the heart of CMMC 2.0 Level 2 for CUI is the full implementation of NIST Special Publication 800-171, which defines 110 cybersecurity controls grouped into 14 control families. These practices are designed to safeguard Controlled Unclassified Information (CUI) within non-federal systems—particularly those used by government contractors.

Unlike Level 1’s basic safeguards, Level 2 compliance requires your organization to demonstrate a systematic, documented, and auditable approach to information security. These are not abstract policies—they’re specific technical and procedural measures that must be actively enforced across your environment. 

Overview of Control Families 

The 14 NIST 800-171 Control Families:
1. Access Control (AC)
2. Awareness and Training (AT)
3. Audit and Accountability (AU)
4. Configuration Management (CM)
5. Identification and Authentication (IA)
6. Incident Response (IR)
7. Maintenance (MA)
8. Media Protection (MP)
9. Personnel Security (PS)
10. Physical Protection (PE)
11. Risk Assessment (RA)
12. Security Assessment (CA)
13. System and Communications Protection (SC)
14. System and Information Integrity (SI) 

Documentation is Non-Negotiable 

For each of these 110 practices, you must be able to provide:
– Policies outlining intent and responsibility
– Procedures detailing how controls are implemented
– Technical evidence such as configurations, screenshots, audit logs, or monitoring tools
– A Plan of Action & Milestones (POA&M) for any gaps that exist prior to full remediation

Under CMMC 2.0, self-attestation is no longer sufficient for most contractors handling prioritized CUI. The DoD is now enforcing these requirements through third-party audits, with assessors evaluating not just your documentation—but also your operational reality. 

Self-Assessment vs. Third-Party Certification: What Applies to You? 

Under CMMC 2.0, not all Level 2 compliance paths are the same. While every organization handling CUI must implement the full set of NIST SP 800-171 controls, the way you prove that compliance depends on how the Department of Defense categorizes the sensitivity of the CUI you touch. 

What Triggers a Third-Party Audit? 

If your contract involves high-value or mission-critical CUI, the DoD requires that your organization undergo an official CMMC Level 2 assessment by a Certified Third-Party Assessment Organization (C3PAO). These assessors are authorized by the Cyber AB and will conduct a full audit of your cybersecurity posture, documentation, implementation, and evidence. 

When Is Self-Assessment Allowed? 

For less sensitive contracts, the DoD may allow organizations to conduct an annual self-assessment. This requires scoring your environment using the NIST 800-171 DoD Assessment Methodology, uploading that score to the Supplier Performance Risk System (SPRS), and maintaining supporting documentation. 
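The scoring step described above, as an added example (not code from the article or from RHTG): a small Python calculator that applies the DoD Assessment Methodology's arithmetic, starting at 110 and subtracting each unimplemented requirement's weight of 5, 3 or 1, with the partial-credit cases for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). The sample control list and the weights attached to it are constructed for illustration; the authoritative weight of each requirement is in the methodology's annex, and any requirement not listed in the sample is assumed implemented.

```python
from dataclasses import dataclass

STARTING_SCORE = 110   # all 110 requirements implemented
MIN_SCORE = -203       # floor when every requirement is unimplemented


@dataclass
class Requirement:
    control_id: str        # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int            # 5, 3 or 1 per the methodology (illustrative here)
    implemented: bool
    partial: bool = False  # only meaningful for 3.5.3 and 3.13.11


def deduction(req: Requirement) -> int:
    """Points subtracted for one requirement.

    The methodology gives partial credit for exactly two requirements:
    3.5.3 when MFA covers some but not all required access, and 3.13.11
    when encryption is in place but not FIPS-validated. Both subtract 3
    instead of the full 5. A 'partial' flag on any other control is
    ignored and the full weight is deducted.
    """
    if req.implemented:
        return 0
    if req.partial and req.control_id in ("3.5.3", "3.13.11"):
        return 3
    return req.weight


def sprs_score(reqs) -> int:
    """Score to report in SPRS; unlisted requirements count as implemented."""
    score = STARTING_SCORE - sum(deduction(r) for r in reqs)
    return max(score, MIN_SCORE)


def not_implemented(reqs) -> list:
    """Requirements that must appear on the POA&M with remediation dates."""
    return [r.control_id for r in reqs if not r.implemented]


# Constructed sample: weights are illustrative, not taken from the annex.
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.1.20", 1, False),
    Requirement("3.5.3", 5, False, partial=True),     # MFA on some access only
    Requirement("3.13.11", 5, False, partial=True),   # encryption, not FIPS
    Requirement("3.14.1", 5, False),
    Requirement("3.3.5", 1, False),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))          # 110 - (1+3+3+5+1) = 97
    print("POA&M items:", not_implemented(SAMPLE))
```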

How to Prepare for Level 2: Building Your Compliance Plan 

Preparing for CMMC 2.0 Level 2 for CUI is not a one-time IT upgrade—it’s a business-wide transformation. To successfully meet Level 2 requirements, your organization must implement a structured, repeatable, and well-documented cybersecurity program aligned with NIST SP 800-171. 

Step 1: Conduct a Gap Assessment 

Start by identifying where your organization currently stands relative to the 110 required controls. Review technical safeguards, policies, user practices, and existing documentation to uncover gaps. 

Step 2: Build a System Security Plan (SSP) 

An SSP documents how your organization implements each of the 110 controls, including technologies in use, responsible roles, and current implementation status. It must be current, realistic, and aligned with your network architecture. 

Step 3: Create a POA&M 

POA&Ms outline control gaps, planned remediation steps, and target dates. They’re essential for tracking progress—but for certification, all critical controls must be fully implemented. 

Step 4: Implement Technical Controls 

This typically includes MFA, endpoint protection, SIEM, encryption, user access controls, and secure backups. An experienced MSP or MSSP can help you implement these tools strategically and affordably. 

Step 5: Train and Monitor Continuously 

CMMC Level 2 requires user training, incident response testing, and continuous monitoring. You must also document all training activity, audit findings, and security events to stay audit-ready. 

Consequences of Noncompliance: More Than Lost Contracts 

More Than Just Lost Contracts 

At the most basic level, failure to meet Level 2 requirements disqualifies your organization from bidding on or continuing work under any DoD contract involving CUI. 

Legal Exposure Is Real 

In recent years, the U.S. Department of Justice has used the False Claims Act to hold contractors accountable for falsely asserting cybersecurity compliance. Penalties can include civil fines, treble damages, or even debarment from federal contracts. 

Why SMBs Must Act Now—Even if Enforcement Isn’t Immediate 

DFARS Clauses Apply Today 

CMMC 2.0 formal enforcement may not arrive until late 2025 or 2026, but the DFARS clauses it’s built on are already enforceable. Prime contractors are also tightening compliance requirements. 

Compliance Takes Time 

Implementing 110 security controls is a multi-month effort. Starting now ensures your team can plan, remediate, and prepare for audits without scrambling or overspending. 

Conclusion: CMMC 2.0 Level 2 Is a Strategic Requirement for CUI 

For any small or mid-sized business working with the U.S. Department of Defense, the message is clear: handling CUI means meeting CMMC 2.0 Level 2 requirements. This is not a future obligation—it’s a present and pressing requirement tied to national security and contract eligibility.

Unlike general IT frameworks, CMMC 2.0 is enforceable, audit-ready, and increasingly essential for winning and retaining DoD contracts. The good news? You don’t have to do it alone. With expert guidance, your organization can approach Level 2 readiness confidently and competitively. 

✅ Download the CMMC Roadmap Guide → https://hs.rhtg.net/cmmc-roadmap
✅ Request a Proposal and Get Expert Help → https://www.righthandtechnologygroup.com/request-a-proposal

RHTG’s cybersecurity experts help SMBs prepare for Level 2 compliance and beyond. Whether you need a gap assessment, SSP development, or full remediation support, we’re here to help you protect CUI and succeed in the defense marketplace. 

Frequently Asked Questions (FAQ) 

1. What is the difference between CUI and FCI in the context of CMMC?

Controlled Unclassified Information (CUI) is more sensitive than Federal Contract Information (FCI). CUI requires Level 2 compliance, while FCI falls under Level 1. 

2. Can my company self-assess for CMMC 2.0 Level 2 compliance?

Yes, but only for contracts with low-priority CUI. Most organizations will need a third-party assessment if their CUI is deemed high-priority. 

3. Are the 110 NIST SP 800-171 controls mandatory for all Level 2 companies?

Yes. All 110 controls are required, whether self-assessing or undergoing a third-party audit. 

4. What happens if I fail to comply with CMMC Level 2 while handling CUI?

You could lose contracts, face Department of Justice penalties under the False Claims Act, or suffer a damaging cyber incident. 

5. How long does it take to become CMMC Level 2 compliant?

Most SMBs need 4–12 months depending on existing maturity, staffing, and technology environment. 

6. How can I find out what CUI my organization is handling?

Review your contract documents and talk to your primes. If any sensitive DoD data is being shared, you’re likely handling CUI. 
