BAE Networks: What You Need to Know About CMMC Level 2

  • BAE Networks
  • Aug 7, 2025
  • 4 min read

Updated: Jan 14

A Guide for Contractors Handling CUI and Higher

If you’re part of the defense industrial base (“DIB”) and your business handles Controlled Unclassified Information (“CUI”), CMMC Level 2 isn’t optional – it’s essential.


As a reminder, Cybersecurity Maturity Model Certification (“CMMC”) is the Department of Defense’s (“DoD”) framework for ensuring its contractors meet cybersecurity standards. Level 2 is a major step up from Level 1, with more rigorous requirements designed to safeguard sensitive information.


This article will walk you through what CMMC Level 2 means, who it applies to, and how your business can prepare, based directly on the DoD’s official guidance.


What is CMMC Level 2?

CMMC Level 2 is designed for contractors and subcontractors who store, process, or transmit CUI. This includes sensitive technical data, engineering drawings, internal reports, and more.


Level 2 requires implementation of 110 cybersecurity practices, directly mapped to NIST SP 800-171. This level is all about ensuring strong cybersecurity hygiene and protecting CUI from unauthorized access and cyber threats.


TL;DR: If you handle CUI, you need to comply with CMMC Level 2.

What are the Requirements?

CMMC Level 2 requires your organization to:

  • Implement all 110 practices, which extend across 14 control families, including Access Control, Incident Response, Risk Assessment, and System & Communications Protection.

  • Demonstrate a documented and repeatable approach to cybersecurity.

    • This differs from Level 1, which does not require this documentation.

  • Conduct a formal self-assessment or third-party assessment, depending on the conditions of the contract.


Don't worry - we made a chart for a quick visual.

[Chart: CMMC Level 2 requirements]

Who Needs to Comply with Level 2?

You need CMMC Level 2 if:

  • Your organization handles CUI as part of its DoD contracts.

  • You’re a prime contractor or a subcontractor with access to sensitive information.

  • Your contract specifies CMMC Level 2 as a requirement.


There are two types of assessments, depending on the information sensitivity:

  1. Self-Assessment: For contracts without critical national security information. Annual self-assessments are submitted to the Supplier Performance Risk System (“SPRS”).

  2. Third-Party Assessment: For contracts involving more sensitive CUI, a Certified Third-Party Assessment Organization (“C3PAO”) must perform your evaluation once every three years.


The DoD will specify in each contract whether a self-assessment or third-party assessment is required.


How Should You Prepare?

Here’s what your business needs to do to comply with Level 2:


1. Understand the 110 Requirements

Review the CMMC Level 2 Assessment Guide to familiarize yourself with the required practices.


2. Define the Scope

Use the CMMC Level 2 Scoping Guide to determine which parts of your IT environment are in scope for the assessment. You'll categorize:

  • CUI Assets: Systems that process, store, or transmit CUI.

  • Security Protection Assets: Devices and tools that protect CUI assets (e.g., firewalls, endpoint detection).

  • Contractor Risk Managed Assets: Assets that may touch CUI but are managed through risk-based decisions.

  • Specialized Assets: OT, IoT, and government-furnished equipment with unique requirements.


Accurate scoping ensures you focus on the right systems and don't over-comply.


3. Document Policies and Procedures

Unlike Level 1, CMMC Level 2 expects formal documentation of how you implement, manage, and maintain your security practices.


4. Conduct a Gap Assessment

Work with your internal team or a trusted IT partner to assess your current posture against NIST SP 800-171. Identify gaps and build a plan to close them.


5. Prepare for Your Assessment

  • If a self-assessment is allowed, conduct it annually and submit your score to SPRS.

  • If a third-party assessment is required, schedule with a C3PAO and prepare by ensuring evidence is well-organized and documentation is up to date.


Why It Matters

Being CMMC Level 2 compliant isn’t just about checking boxes; it’s about protecting our nation’s defense supply chain. Complying means:

  • You can compete for DoD contracts involving CUI (or higher).

  • You reduce your risk of cyber incidents and data breaches.

  • You establish trust with government agencies and prime contractors.


Where to Go From Here

CMMC Level 2 may feel like a big leap from Level 1, but it’s a necessary one if you’re working with CUI. Start early, document everything, and don’t go it alone. There are tools, partners, and guidance available to help you meet the standard without derailing your business operations.


If you want help navigating your CMMC journey, reach out to the team at BAE Networks. Scheduled to be the first MSP in Michigan that is Level 2 certified, we are experts in every step of the process, and want to help you gain an edge for bidding on government contracts.


RESOURCES:
  1. CMMC 101 Overview (DoD)

  2. CMMC Level 2 Scoping Guide (DoD)

  3. CMMC Level 2 Assessment Guide (DoD)

  4. FCI is any information “provided by or generated for the Government under a contract” that is “not intended for public release”, per FAR 52.204-21.

  5. CUI is defined as information that “an entity creates or possesses for…the Government” that requires the entity to “handle using safeguarding or dissemination controls”, per 32 CFR § 2002.4(h).
