Get to Know CMMC Level 2 Requirements Before Final Rule

Learn what CMMC Level 2 requirements mean for DoD contractors and subcontractors, what readiness looks like, and why early preparation matters

Credit: Theodor Horydczak

DoD contractors have spent years hearing about CMMC. The timeline is becoming much more real as we approach the end of Phase 1, which runs November 10, 2025 through November 9, 2026. That first phase of the three-year rollout has provided for discretionary inclusion in contracts, mainly based on CMMC Level 1 and 2 self-assessments.

However, as of November 10, 2026, Level 2 (Advanced) Third-Party Certifications will become mandatory in applicable contracts. For a large portion of the Defense Industrial Base (DIB), the final rule for CMMC compliance this November will directly impact eligibility for future contract work.

If your organization handles Controlled Unclassified Information (CUI), take time now to understand CMMC Level 2 requirements and prep for certification. It’s no longer something you can put off until next year, and many of the organizations that help contractors become compliant are already booked up for months.

To earn certification, companies essentially need to accomplish three things:

  • Identify the Data: Perform an inventory of all systems and networks handling Federal Contract Information (FCI) or CUI.

  • Conduct a Gap Assessment: Measure existing security controls against the CMMC requirements for the targeted certification level.

  • Register and Report: Upload your assessment scores and affirmations of compliance to the DoD's Supplier Performance Risk System (SPRS).

Dive in to get to know CMMC Level 2 Requirements before the final rule.

Why is CMMC Level 2 Certification Becoming Mandatory?

The purpose of CMMC Level 2 is to protect Controlled Unclassified Information (CUI) throughout the defense supply chain.

The framework is built around the security requirements found in NIST SP 800-171, a publication developed by the National Institute of Standards and Technology. Organizations that handle CUI are expected to implement safeguards that reduce the risk of common issues (unauthorized access, theft, disclosure, and so forth). You can review the official NIST 800-171 publication through NIST's website.

CMMC compliance requirements are best viewed not as a checklist of technical controls, but as a living system for protecting sensitive information as it moves between contractors, subcontractors, suppliers, and government agencies.

Overview of CMMC Level 2 Requirements

There are many finer details to explore, but in general, CMMC requirements for small businesses in the DoD space can be grouped into a few major areas.

Access Control

Your access controls are how you manage who has access to sensitive data and the systems or applications that contain it. Organizations will be required to limit user access to the CUI that’s necessary for their job responsibilities. Strong authentication and account management procedures fall into this category.

System Monitoring

Organizations use security monitoring tools to identify suspicious activity before any CUI is compromised or exposed. You might use solutions like activity logging and other forms of ongoing system oversight to monitor and detect threats, then respond quickly if something unusual occurs.

Training and Awareness

Technology alone will not prevent all incidents. In fact, most of the cybersecurity risks faced by organizations are the product of human actions and error. Data shows that 74% of cyber incidents include some human element (e.g. clicking on a phishing link or other inadvertent errors).

Because employees play a huge part in the security of sensitive information, awareness training should be a top priority for all DoD organizations. Regular training sessions from a trusted cybersecurity expert help users to recognize threats and avoid mistakes that could expose CUI.

Incident Response

No organization can assume attacks will never happen. CMMC 2.0 requirements expect organizations to establish incident response procedures so teams know how to identify, contain, investigate, and recover from security events. It’s important to have a documented plan, but also to practice and test its efficacy through things like hands-on cybersecurity training exercises.

How Will I Know We’re "Ready" For a CMMC Certification Audit?

There’s a common misconception among small business contractors that CMMC readiness is primarily a documentation exercise. Yes, documentation matters, but auditors will be looking for evidence that policies are being followed in practice.

A written policy that few are aware of (or follow) does not improve security. Likewise, a security tool that employees do not understand will not satisfy CMMC 2.0 compliance requirements on its own.

Organizations are only truly prepared when they’ve got alignment between:

  • Security policies

  • Technical controls

  • Employee behavior

  • Operational processes

Readiness is an ongoing preparation process. Seek the guidance of a CMMC expert on how you can improve and demonstrate that your security practices are functioning well throughout the organization.

The Audit Bottleneck Is Real

Many contractors are already waiting longer than they expected or wanted to for their CMMC Level 2 assessments because availability is filling up quickly in advance of the final rule.

There are a limited number of Certified Third-Party Assessment Organizations (C3PAOs) available to conduct formal assessments. At the same time, thousands of organizations throughout the defense supply chain will eventually need certification.

As a result, many assessment providers already have significant scheduling backlogs, with some organizations facing waits measured in months.

Adding to that pressure is the inevitable march towards the November implementation timeline. Contractors who delay preparations now may find themselves competing for very limited assessment availability at the same time as everyone else.

Start ASAP on CMMC Level 2 Requirements

If you’re pursuing CMMC compliance in the coming months, there are generally two types of providers available to help you, and they’re mutually exclusive — one partner cannot serve in both roles:

  • CMMC Prep: Some providers help organizations prepare for assessment readiness through mock assessments, gap analysis, and remediation guidance.

  • CMMC Audit: Other providers conduct the formal audit itself. Due to conflict-of-interest requirements, the same organization typically cannot both prepare a company for certification and perform its official assessment.

The required separation exacerbates the bottleneck: the small pool of available expert partners (many of whom could handle either task) cannot both help you prepare for the audit and then conduct the audit itself. Plan ahead, because you’ll need to find a separate partner for each role.

Are you currently evaluating CMMC Level 2 requirements for the first time? Preparing for an upcoming assessment? The best time to begin is immediately. Preparation takes time, assessment availability is limited, and waiting rarely makes the process easier. Contact Erudio to get started on your path toward CMMC Level 2 compliance.
