Technology Checklist for CMMC Level 2



According to the Cybersecurity Maturity Model Certification (CMMC), all contractors and subcontractors must be certified before they can bid and work for the US Department of Defense. The CMMC framework categorizes contractors into five maturity levels based on the complexity of their cybersecurity policies.

What Is CMMC Level 2?

All DoD contractors and subcontractors are required to be at least Level 1 certified. A Level 1 certification is the foundation upon which other levels are built. Level 2 acts as the bridge to Level 3. Most Level 1 contractors will jump straight to Level 3, but they can only do this by addressing the requirements for Level 2.

CMMC Level 2 is centered on intermediate cyber hygiene. This level includes security measures for protecting controlled unclassified information (CUI). Also, Level 2 certified contractors are required to document and perform critical cybersecurity functions to enhance their defenses against cyberthreats.

What Are the CMMC Level 2 Requirements?

Level 2 of the CMMC framework includes 55 new NIST SP 800-171 controls on top of the 17 implemented at Level 1. The Level 2 controls are separated into these 15 different domains:

  1. Access Control

This domain is concerned with limiting system access and includes:

  • Establishing system access requirements
  • Controlling internal system access
  • Controlling remote system access
  • Limiting access to data and processes to authorized users only
  2. Audit and Accountability

This domain covers the need for DoD contractors to log and monitor the system activity of their users. This includes:

  • Defining audit requirements
  • Performing audits
  • Identifying and safeguarding audit information
  • Managing and reviewing audit logs
  3. Awareness and Training

This domain requires contractors to conduct cybersecurity awareness training for system administrators, managers, and users with access to organizational systems and CUI.

  4. Configuration Management

All DoD contractors must create configuration settings for their organization, which entails:

  • Establishing baseline configurations for software, hardware, documentation, and firmware
  • Employing the principle of least functionality by removing unnecessary applications and services
  • Controlling and monitoring software installed by users
  • Tracking, reviewing, approving, and logging changes to organizational systems
  • Enforcing cybersecurity configuration settings in organizational systems
  • Analyzing the effects of security changes prior to implementation
  5. Identification and Authentication

This domain is focused on granting access only to authorized users and involves:

  • Implementing the creation of complex passwords
  • Disallowing reuse of old passwords
  • Changing temporary passwords to permanent ones after system access is granted to authorized users
  • Storing and transmitting encrypted passwords
  6. Incident Response

This domain requires contractors to implement an effective incident response plan, which involves:

  • Detecting and reporting network events such as loss in productivity and breakdown in processes
  • Analyzing network events to develop a quick and efficient solution
  • Creating and enforcing incident responses following predefined procedures
  • Performing post-incident reviews to identify the cause of the incident
  7. Maintenance

This domain outlines the processes involved in maintaining your organizational systems such as:

  • Securing and protecting maintenance tools to avoid introducing bugs or viruses into your network
  • Implementing multifactor authentication for nonlocal maintenance work using an external network connection
  • Supervising the maintenance activities of people without proper authorization
  8. Media Protection

This domain aims to prevent security issues by:

  • Securing digital and paper media containing CUI
  • Limiting user access to CUI on system media
  • Controlling the use of removable media such as external hard drives, DVDs, and USB drives
  9. Personnel Security

All employees accessing systems containing CUI must be screened. These systems must also be protected from employees who are transferred or terminated.

  10. Physical Protection

This domain focuses on the security of your data and facility by limiting physical access to areas and systems containing CUI. This is done by using sensors, alarms, and video cameras, and by deploying security guards.

  11. Recovery

This domain deals with backing up your data regularly so you can recover it in the event of a cyberattack, system failure, or natural disaster. After backing up your data, test it to ensure applications, operating systems, and other files are intact.

  12. Risk Management

This domain is concerned with managing security risks to your company's operations and assets. It entails scanning your applications and organizational systems for weaknesses and developing a remediation plan to fix them.

  13. Security Assessment

This domain requires DoD contractors to create and manage an effective system security plan by:

  • Documenting and updating how security policies and requirements are implemented
  • Reviewing the security controls in place to determine their effectiveness
  14. System and Communications Protection

This domain defines the security requirements for system and communication protection, such as:

  • Disallowing the remote use of collaborative devices and applications (e.g., Slack, Zoom, Teams)
  • Using encrypted sessions to manage network devices
  15. System and Information Integrity

DoD contractors must constantly monitor their systems for signs of a potential attack. They can do this by:

  • Monitoring all inbound and outbound network traffic for signs of a possible attack
  • Reviewing system advisories and alerts to ensure all hardware and software are using the latest patches and firmware

Once you meet all the CMMC Level 2 requirements, a certified third-party assessor organization (C3PAO) will conduct an audit to ensure your company is CMMC compliant.

To help you prepare for the audit, you need the help of a reliable managed IT services provider like Charles IT. We'll conduct a gap assessment to identify potential weaknesses in your infrastructure and provide you with efficient solutions to ensure you pass your CMMC audit. Start your gap assessment now.
