Skip to content

CMMC 2.0 Level 2


Hello, and welcome back to this next TomCast from Iron Bow Technologies; we are a leading global IT solution provider dedicated to innovation with integrity. We successfully transform today's technology challenges into business opportunities, helping our clients meet their missions while gaining a competitive edge. 

Today we’re going to continue the discussion on the Cybersecurity Maturity Model Certification, otherwise known as CMMC version 2.0, and what is required for level 2 certification.

As mentioned during the last TomCast, there are three levels of certification within CMMC version 2.0, and Level 2 is the Advanced level. Level 2 (advanced) contains 110 security control requirements and requires both annual self-assessments and triennial third-party assessments to specific subsets of acquisitions that involve critical information to national security. What does this mean in more depth?

The following information was pulled directly off of the Department of Defense website regarding CMMC, and that site URL is

“Overview of Assessments

CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Upon implementation of CMMC 2.0: Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards. Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments. The highest priority, most critical defense programs (Level 3) will require government-led assessments.

Third-Party Assessments

Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC Level 2 assessment for a subset of acquisitions that involve information critical to national security.

The CMMC Accreditation Body (The Cyber AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace. The Defense Industrial Base (DIB) company will be fully responsible for obtaining the needed assessment and certification, to include coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will upload the assessment report into CMMC EMASS, which DoD can access.

As part of the CMMC 2.0 implementation, the DoD will approve all Cyber AB conflict of interest related policies that apply to the CMMC ecosystem. Additionally, the Cyber AB must achieve compliance with the ISO/IEC 17011 standard prior to accrediting C3PAOs and a CAICO. Separately, C3PAOs will be required to comply with ISO/IEC 17020 and the CAICO will be required to comply with ISO/IEC 17024 requirements.”

So, organizations that meet the criteria necessitating third-party-assessments are going to be assessed against clearly articulated cybersecurity standards. But wait, what are those standards? Those standards are found also on that same site, the site (search for CMMC 2.0 level 2). Now, as of the composition of this TomCast (I say that because the entire CMMC process is currently being reviewed and changes could be made), level 2 requires passing assessments that span across all fourteen of the NIST 800-171 security control families.  Those security control families are:

  • AC, or Access Control
  • AT, or Awareness and Training
  • AU, or Audit and Accountability
  • CM, or Configuration Management
  • IA, or Identification and Authentication
  • IR, or Incident Response
  • MA, or Maintenance
  • MP, or Media Protection
  • PS, or Personnel Security
  • PE, or Physical Protection
  • RA, or Risk Assessment
  • CA, or Security Assessment
  • SC, or Systems and Communication Protection, and
  • SI, or Systems and Information Integrity

Level 2 also breaks out the assets of the organization seeking certification into 5 specific categories. Those categories are:

  • Controlled Unclassified Information (CUI) assets
  • Security Protection assets
  • Contractor Risk-Managed assets
  • Specialized assets
  • Out-Of-Scope assets

Each category of assets contains their own assessment requirements, and those requirements can be found on the Department of Defense website . Open the link to the CMMC level 2 scoping guidance to learn more.

So, as you have heard, CMMC version 2.0 level 2 certification will require annual self-assessments and triennial assessor-led assessments on the controls laid out in the fourteen  specified control families in the NIST Special Publication 800-171. Use your web browser of choice, fire up your search engine of choice, and type in CMMC version 2.0 level 2 certification. There are quite a few results that will pop up, for the definitive information you will need look for the Department of Defense sites to get clear information on what you will need.

If you have any questions surrounding CMMC, reach out to us over here at Iron Bow Technologies. We have the expertise to help you understand the requirements of the Department of Defense and how CMMC will benefit you and your organization. We’re also here to help any way we can to ensure your organization remains as secure as possible.

We here at Iron Bow thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on Or, if you would like more information on what Iron Bow can do for you, head on over to and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!