CMMC Level 2 Requirements for Small Business
CMMC Level 2 requires implementation of all 110 security controls from NIST SP 800-171. It is mandatory for DoD contractors and subcontractors that handle Controlled Unclassified Information (CUI). The controls span 14 security families covering access control, incident response, system integrity, and more. Over 300,000 contractors in the defense industrial base are expected to need CMMC certification, with estimated costs ranging from $20,000 to $100,000 for small businesses.
What Is Controlled Unclassified Information (CUI)?
CUI is government-created or government-owned information that requires safeguarding but is not classified. Examples include technical drawings, engineering data, test results, contract performance reports, personnel records, and export-controlled information. CUI is identified by markings on documents or by the CUI Registry maintained by the National Archives (ISOO).
If your DoD contract includes DFARS clause 252.204-7012, you are handling CUI and will need CMMC Level 2 certification. This clause has been in DoD contracts since 2017, requiring compliance with NIST SP 800-171. CMMC formalizes the verification process that was previously based on self-attestation alone.
The key distinction from CMMC Level 1 is scope. Level 1 covers Federal Contract Information (FCI) with only 17 basic controls and allows self-assessment. Level 2 covers CUI with 110 controls and, for most contracts, requires assessment by a certified third-party assessment organization (C3PAO).
What Are the 14 Control Families in NIST 800-171?
The 110 controls in NIST SP 800-171 (and by extension CMMC Level 2) are organized into 14 families. Each family addresses a distinct area of information security:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Access Control is the largest family with 22 controls, covering areas like least privilege, session management, remote access, and wireless restrictions. Small businesses often find this family, along with Audit and Accountability, to be the most challenging to implement fully.
What Does the Assessment Process Look Like?
CMMC Level 2 assessments come in two forms, depending on the sensitivity of the CUI involved:
- Self-Assessment: For contracts involving less critical CUI, you conduct your own assessment against all 110 controls and submit results to the Supplier Performance Risk System (SPRS). You must achieve a score of 110 (all controls met) or document a Plan of Action and Milestones (POA&M) for any gaps.
- C3PAO Assessment: For contracts involving prioritized CUI, a Certified Third-Party Assessment Organization (C3PAO) conducts an on-site evaluation. The C3PAO reviews your System Security Plan (SSP), interviews staff, examines evidence, and tests controls. The assessment typically takes 3 to 5 days on-site for a small organization.
The scoring methodology assigns 1 point per control for a maximum of 110. You may receive a conditional certification with a POA&M if certain controls are not fully implemented, but POA&M items must be closed within 180 days. Some controls are weighted more heavily and cannot be on a POA&M.
RFI Hawk's CMMC Tracker helps you self-assess against all 110 controls, generate your SSP documentation, and track POA&M items with remediation deadlines, so you can prepare for formal assessment with confidence.
How Much Does CMMC Level 2 Cost for a Small Business?
Cost estimates for CMMC Level 2 certification vary widely based on your current security posture, company size, and IT environment complexity. The DoD's regulatory impact analysis estimated costs of $20,000 to $100,000 for small businesses (source: CMMC Final Rule, 32 CFR Part 170). Key cost components include:
- C3PAO Assessment Fee: $30,000 to $60,000 for small organizations (varies by assessor and scope)
- Technology Implementation: $5,000 to $30,000 for multi-factor authentication, encryption, SIEM, endpoint detection
- Consulting and Gap Assessment: $5,000 to $20,000 for initial readiness evaluation and remediation planning
- Ongoing Compliance: $10,000 to $25,000 annually for monitoring tools, training, and documentation maintenance
Companies that already have a mature NIST 800-171 implementation will spend significantly less. The biggest cost driver for most small businesses is moving from partial compliance to full implementation of all 110 controls, particularly in the Access Control and Audit families.
What Is a POA&M and How Does It Work Under CMMC?
A Plan of Action and Milestones (POA&M) documents security controls that are not yet fully implemented, along with specific remediation steps and target completion dates. Under CMMC Level 2, you may receive a conditional certification with open POA&M items, but several important rules apply:
- All POA&M items must be closed within 180 days of the assessment
- Certain high-priority controls cannot be placed on a POA&M and must be fully implemented at assessment time
- You must achieve a minimum score (not all controls can be deferred)
- A follow-up assessment verifies POA&M closure
The POA&M is not a way to avoid compliance. It is a structured remediation plan for controls that are in progress. Assessors and contracting officers will evaluate the credibility of your POA&M milestones. Realistic timelines and demonstrated progress are essential.
Frequently Asked Questions
How much does CMMC certification cost?
CMMC Level 2 certification costs for small businesses range from $20,000 to $100,000, according to the DoD regulatory impact analysis. This includes the C3PAO assessment fee ($30,000 to $60,000), technology implementation costs, consulting fees, and ongoing compliance maintenance. Companies with existing NIST 800-171 implementations will spend less on remediation.
Do subcontractors need CMMC?
Yes. Subcontractors that handle CUI must achieve the same CMMC level specified in the prime contract. If the prime requires Level 2, any subcontractor processing, storing, or transmitting CUI must also hold Level 2. Subcontractors handling only Federal Contract Information (FCI) may need only Level 1 self-assessment. Prime contractors must verify subcontractor compliance.
When is CMMC required?
CMMC is being phased into DoD contracts over four years starting in 2025. Phase 1 covers self-assessments, Phase 2 adds C3PAO assessments, and Phase 3 introduces Level 3 requirements. By 2028, all applicable DoD contracts are expected to include CMMC clauses. Contractors should start preparing now, as achieving compliance typically takes 12 to 18 months.
Last updated: March 2026