CMMC Level 2 Requirements
All 110 NIST SP 800-171 Revision 2 security practices required for CMMC Level 2 certification, organized by the 14 security domains.
How Bedrock CMMC Helps
Bedrock CMMC has all 110 NIST 800-171r2 practices built into the platform, organized by these 14 domains. For each practice, you can track your implementation status (MET / NOT MET / N/A), attach evidence artifacts, and generate your SSP — so you always know exactly where you stand.
The 14 Security Domains
Access Control (AC), 22 practices
Limit system access to authorized users, processes acting on behalf of users, and devices. Control the flow of CUI and enforce separation of duties.
Key Practices
- Limit system access to authorized users, processes acting on behalf of authorized users, and devices
- Limit system access to the types of transactions and functions that authorized users are permitted to execute
- Control the flow of CUI in accordance with approved authorizations
- Separate the duties of individuals to reduce the risk of malevolent activity without collusion
- Employ the principle of least privilege, including for specific security functions and privileged accounts
- Use non-privileged accounts or roles when accessing non-security functions
Awareness and Training (AT), 3 practices
Ensure personnel are aware of security risks and trained in their responsibilities for protecting CUI.
Key Practices
- Ensure managers, system administrators, and users are aware of the security risks associated with their activities and of the applicable policies, standards, and procedures
- Ensure personnel are trained to carry out their assigned information-security responsibilities
- Provide security awareness training on recognizing and reporting potential indicators of insider threat
Audit and Accountability (AU), 9 practices
Create, protect, and review system audit logs. Ensure individual accountability through unique user identification.
Key Practices
- Create and retain system audit logs and records to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity
- Ensure the actions of individual users can be uniquely traced to those users so they can be held accountable
- Review, analyze, and correlate audit records to investigate and respond to indications of unauthorized, suspicious, or unusual activity
- Provide audit record reduction and report generation to support on-demand analysis and reporting
- Protect audit information and audit logging tools from unauthorized access, modification, and deletion
- Alert in the event of an audit logging process failure
Configuration Management (CM), 9 practices
Establish and maintain baseline configurations. Track, control, and analyze changes to organizational systems.
Key Practices
- Establish and maintain baseline configurations and inventories of organizational systems (hardware, software, firmware, and documentation) throughout the system development life cycle
- Establish and enforce security configuration settings for the IT products employed in organizational systems
- Track, review, approve or disapprove, and log changes to organizational systems
- Analyze the security impact of changes prior to implementation
- Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems
- Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services
Identification and Authentication (IA), 11 practices
Identify and authenticate users, devices, and processes before granting access to systems and CUI.
Key Practices
- Identify system users, processes acting on behalf of users, and devices, and authenticate their identities as a prerequisite to allowing access
- Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
- Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts
- Prevent reuse of identifiers for a defined period
- Enforce a minimum password complexity and a change of characters when new passwords are created, and prohibit password reuse for a specified number of generations
- Store and transmit only cryptographically protected passwords
Incident Response (IR), 3 practices
Establish an incident handling capability. Detect, report, and respond to cybersecurity incidents.
Key Practices
- Establish an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities
- Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization
- Test the organizational incident response capability
Maintenance (MA), 6 practices
Perform timely maintenance on systems. Control the tools used for maintenance and the personnel performing it.
Key Practices
- Perform maintenance on organizational systems
- Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance
- Ensure equipment removed for off-site maintenance is sanitized of any CUI
- Check media containing diagnostic and test programs for malicious code before the media is used in organizational systems
- Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections, and terminate those connections when maintenance is complete
- Supervise the maintenance activities of personnel who lack the required access authorization
Media Protection (MP), 9 practices
Protect, control, sanitize, and destroy media containing CUI. Mark media with the required CUI markings.
Key Practices
- Protect (physically control and securely store) system media containing CUI, both paper and digital
- Limit access to CUI on system media to authorized users
- Sanitize or destroy system media containing CUI before disposal or release for reuse
- Mark media with the necessary CUI markings and distribution limitations
- Control access to media containing CUI, and maintain accountability for that media, during transport outside of controlled areas
- Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport, unless it is otherwise protected by alternative physical safeguards
Physical Protection (PE), 6 practices
Limit physical access to systems, equipment, and operating environments. Protect and monitor the physical facility.
Key Practices
- Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals
- Protect and monitor the physical facility and support infrastructure for organizational systems
- Escort visitors and monitor visitor activity
- Maintain audit logs of physical access
- Control and manage physical access devices (keys, cards, combinations)
- Enforce safeguarding measures for CUI at alternate work sites
Personnel Security (PS), 2 practices
Screen individuals before granting access. Protect CUI during personnel actions such as terminations and transfers.
Key Practices
- Screen individuals prior to authorizing access to organizational systems containing CUI
- Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers
Risk Assessment (RA), 3 practices
Assess risk to organizational operations, assets, and individuals. Scan for vulnerabilities periodically.
Key Practices
- Periodically assess the risk to organizational operations, assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI
- Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified
- Remediate vulnerabilities in accordance with risk assessments
Security Assessment (CA), 4 practices
Assess security controls periodically. Develop and implement plans of action to address deficiencies.
Key Practices
- Periodically assess the security controls in organizational systems to determine whether the controls are effective in their application
- Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities
- Monitor security controls on an ongoing basis to ensure their continued effectiveness
- Develop, document, and periodically update system security plans (SSPs) that describe system boundaries, environments of operation, how security requirements are implemented, and relationships with or connections to other systems
System and Communications Protection (SC), 16 practices
Monitor, control, and protect communications at system boundaries. Implement cryptographic protections for CUI.
Key Practices
- Monitor, control, and protect communications (information transmitted or received) at the external boundaries and key internal boundaries of organizational systems
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
- Employ FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI
- Prohibit remote activation of collaborative computing devices and provide an indication of devices in use to the users present at the device
- Control and monitor the use of mobile code
- Protect the authenticity of communications sessions
System and Information Integrity (SI), 7 practices
Identify and correct system flaws. Protect against malicious code. Monitor system security alerts.
Key Practices
- Identify, report, and correct system flaws in a timely manner
- Provide protection from malicious code at designated locations within organizational systems
- Update malicious code protection mechanisms when new releases are available
- Perform periodic scans of organizational systems and real-time scans of files from external sources as the files are downloaded, opened, or executed
- Monitor system security alerts and advisories and take action in response
- Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks, and identify unauthorized use of organizational systems
Frequently Asked Questions
How many controls are in CMMC Level 2?
CMMC Level 2 requires implementation of all 110 security practices from NIST SP 800-171 Revision 2, organized across 14 security domains (families). The families vary widely in size: the largest is Access Control (22 practices), followed by System and Communications Protection (16), while the smallest is Personnel Security (2 practices).
What is the hardest CMMC Level 2 domain to implement?
Organizations commonly report System and Communications Protection (SC) and Audit and Accountability (AU) as the most demanding. SC calls for boundary protection, separation of publicly accessible components from internal networks, and FIPS-validated cryptography wherever cryptography is used to protect CUI, which can rule out default or unvalidated crypto modules in existing products. AU requires comprehensive logging with user-level attribution, protection of the logs and logging tools, regular review and correlation of records, and alerting when logging fails. Configuration Management (CM) is also a frequent stumbling block because of its documented baseline, secure configuration setting, and change-control requirements.
Can I get CMMC Level 2 with a POA&M?
Yes. Under the CMMC rule (32 CFR Part 170), a Conditional Level 2 certification can be issued when the assessment scores at least 88 of 110 using the NIST SP 800-171 DoD Assessment Methodology and the unmet practices are placed on a Plan of Action and Milestones (POA&M). Not every practice is eligible: practices weighted more than one point generally cannot be placed on a POA&M (the rule carves out a narrow exception for FIPS-validated cryptography), and a small set of practices is excluded regardless of weight. Every POA&M item must be remediated and verified in a POA&M closeout assessment within 180 days of the conditional certification, or the conditional certification expires. Bedrock CMMC includes a dedicated POA&M tracker that monitors remediation deadlines and status so nothing slips through the cracks.
Continue Learning
Continuous Monitoring
How to maintain compliance after certification with ongoing monitoring and evidence refresh.
ESP Management for CMMC
How to manage External Service Providers, FedRAMP requirements, and control inheritance.
Track All 110 Controls in One Platform
Bedrock CMMC manages every NIST 800-171r2 practice with built-in evidence tracking, gap analysis, and SSP generation. See exactly where you stand across all 14 domains.