CMMC Level 2

Documented, Intermediate Cyber Hygiene

Designed to be a transition step from Level 1 to Level 3, CMMC Level 2 requires the documentation of cybersecurity practices as well as the implementation of a systems security plan to aid in CMMC adoption efforts. CMMC Level 2’s universally accepted cybersecurity best practices and processes set the groundwork needed for full Level 3 compliance, specifically for companies who create, house or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). 

How many controls fall under CMMC Level 2?
CMMC Level 2 includes the 17 practices from level one in addition to 55 new practices and 2 new processes.

What focus falls under CMMC Level 2?
The primary focus of CMMC Level 2 is to ensure cybersecurity efforts are documented and available for reference.

How do I know if I need to be compliant under CMMC Level 2?
If performing nonsensitive work, contractors will only need to reach CMMC Level 2 in most circumstances.

What is the difference between CMMC Level 2 and 3? 

A key difference between CMMC Level 2 and Level 3 is that while Level 3 requires the on-going management of a systems security plan, CMMC Level 2 only requires the setup and documentation of one. Certain practices and procedures required in CMMC Level 2 serve to establish baseline cybersecurity hygiene and create a solid foundation. They are not involved in the on-going or optimizing of cybersecurity efforts.


CMMC Level 2

Key actions of CMMC Level 2 adoption:

  • Monitor and control remote access sessions for employees.
  • Make managers and administrators aware of cybersecurity risks and appropriate policies.
  • Establish an incident handling capability for organizational systems.
  • Detect and report events.
  • Provide maintenance and supervise maintenance of third-party contractors.
  • Follow proper practices to protect CUI and FCI, both paper and digital.
  • Regularly perform and test data backups.
  • Perform risk assessments on a regular basis.

Learn more about CMMC and explore the other four levels.

What is CMMC?

Learn more about CMMC and explore the other four levels.

What is CMMC?

Frequently Asked Questions

How do I prepare for a CMMC Level 2 audit?


Preparing for a CMMC Level 2 audit starts by taking a hard, thorough look at what cybersecurity measures your business currently performs and whether or not those processes are properly documented. From there, understand what gaps you have — both in terms of practice and documentation — based on what is required for Level 2 certification and begin to remedy those gaps. Once those gaps have been filled and an internal audit performed as a final check, then your business is ready to submit to a third-party auditor.

What processes and practices fall under CMMC Level 2?


Practices that provide for a basic cybersecurity foundation and a systems security plan are the meat of CMMC Level 2. Training personnel on cybersecurity best practices and procedures, creating and maintaining system audit logs, limiting the use of portable storage devices and tracking access back to individual users to create accountability are some of the controls required in Level 2. 

Getting Your Business to CMMC Level 2 and Beyond

Whether CMMC Level 2 is your goal or just a stepping stone onto a higher level of cybersecurity, the experts at Hyper Vigilance are ready to help you prepare for your CMMC audit. Through tailored, time-saving, cost-effective strategies, we’ll create and implement a systems security plan that meets your cybersecurity needs and readies your business for the threats of the modern world. Contact Hyper Vigilance today to get started.

Contact Us