CMMC Level 2 Checklist and Guide

Companies that operate with government data must ensure their cybersecurity capabilities meet specific requirements. Controlled unclassified information (CUI) must be carefully protected to safeguard against misuse or abuse.

Standardized security practices for better protection of CUI are outlined in the Cybersecurity Maturity Model Certification (CMMC).

The Cybersecurity Maturity Model

The CMMC was designed to ensure companies have a clear understanding of the digital safety requirements for becoming government contractors.

In the 2.0 revision, CMMC certification offers three levels of maturity — Foundational, Advanced, and Expert. At Level 2 — Advanced — companies are expected to have an intermediate knowledge of cyber hygiene.

CMMC Level 2 Checklist

CMMC Level 2 compliance consists of 72 controls over 15 domains. Maintaining each control is vital to ensuring CUI isn’t mishandled.

Access Control (AC)

At level 2, the AC domain adds ten controls. These are geared toward further isolating key systems and defining authorized session privileges.

  • AC.2.005: Communicate security details to users when dealing with CUI
  • AC.2.006: Control which storage devices are used and limit portable mediums
  • AC.2.007: Give users only the privileges necessary to complete a designated task
  • AC.2.008: Use privileged accounts only when necessary
  • AC.2.009: Allow only a set number of login attempts for user accounts
  • AC.2.010: Lock user sessions when inactive for a certain amount of time
  • AC.2.011: Remote connections are validated before they’re allowed
  • AC.2.013: Remote connections are monitored in a controlled environment
  • AC.2.015: Remote connections are routed to managed nodes
  • AC.2.016: CUI is used according to established guidelines

CMMC Level 2 compliance requires strict AC mechanisms to be put in place.

Audit and Accountability (AU)

The AU domain has four additional controls for CMMC Level 2 compliance.


  • AU.2.041: Create individual identifiers for each user so activity can be tracked
  • AU.2.042: Maintain records of network activity in case of unlawful use or access of material
  • AU.2.043: Sync internal clocks with a controlled source for accurate timestamps
  • AU.2.044: Continuously monitor and audit logs for common errors

By considering these controls, contractors will have accurate reporting and clear knowledge of their entire system.

Awareness and Training (AT)

There are two additional control practices for meeting the AT domain requirements at Level 2 maturity.

  • AT.2.056: All stakeholders know existing risks associated with their roles and understand best practices for dealing with them
  • AT.2.057: All stakeholders have received the proper training in IT security practices associated with their position

AT maturity involves training and support so that all individuals can handle their assigned roles for CMMC Level 2 compliance.

Configuration Management (CM)

For those seeking CMMC Level 2 compliance, six control practices have been added to the CM domain.

  • CM.2.061: Have a clear picture of existing assets and system configurations throughout the development process
  • CM.2.062: Internal systems offer only the needed functionality to users
  • CM.2.063: User-level applications and software are tightly controlled
  • CM.2.064: Use a strict security policy for essential IT assets
  • CM.2.065: Control the approval process for changes made to all internal systems
  • CM.2.066: Understand the implications of policy changes before they’re carried out

These controls ensure any changes made can be tracked and managed according to security best practices.

Identification and Authentication (IA)

The IA domain for CMMC Level 2 compliance provides five controls for granting system access to authorized users.

  • IA.2.078: Have minimum password requirements and require new passwords to be different than previous ones
  • IA.2.079: Restrict passwords from being the same for a set number of changes
  • IA.2.080: Allow users to log in with a temporary password before requiring a permanent change
  • IA.2.081: Use cryptography to protect passwords during storage or transmission
  • IA.2.082: Authentication messages are hidden from users

IA focuses primarily on the strategic use of passwords and policies for changing or updating those passwords.

Incident Response (IR)

IR addresses existing plans or strategies for dealing with potential IT security problems that may arise. There are five controls in IR that are directly concerned with discovering, reporting on, and resolving incidents.

  • IR.2.092: Be prepared to respond to incidents with well-defined management capabilities
  • IR.2.093: Actively discover issues and do reporting
  • IR.2.094: Resolve incidents with real-time monitoring and detection strategies
  • IR.2.095: Outline procedures that will be used for specific incidents
  • IR.2.097: Assess the underlying cause of incidents and target the real issue

IR is necessary for CMMC Level 2 compliance because it gives contractors a way to respond to incidents before these incidents cause further harm to existing IT infrastructure.

Maintenance (MA)

CMMC Level 2 compliance offers four controls within the MA domain.

  • MA.2.111: Perform regular maintenance on systems
  • MA.2.112: Maintain control over procedures and processes associated with system maintenance
  • MA.2.113: Require multi-factor authentication for remote maintenance sessions and close sessions when complete
  • MA.2.114: Maintain physical supervision over individuals who lack the necessary authorization credentials

The MA domain provides steps to secure systems when malfunctions or other unexpected incidents occur.

Media Protection (MP)

For the MP domain, CMMC Level 2 compliance has added three controls associated with protecting and properly disposing of media content.

  • MP.2.119: Physical and digital media containing CUI is secured and properly stored
  • MP.2.120: Only authorized users have access to media containing CUI
  • MP.2.121: Limited use of removable drives on authorized equipment

Good media protection practices allow users to safeguard CUI on all organizational systems.

Personnel Security (PS)

The PS domain for CMMC Level 2 compliance deals with protecting CUI during transitions in employee status. There are two controls associated with PS.

  • PS.2.127: Personnel are screened before being given access to CUI
  • PS.2.128: Systems are thoroughly assessed when personnel are transferred or fired

These controls ensure that critical CUI won’t be compromised due to changes in HR.

Physical Protection (PE)

Protecting physical infrastructure is the primary purpose of PE. It adds a single control for CMMC Level 2 compliance.

  • PE.2.135: All essential facilities are protected and monitored to maintain the integrity of IT systems

This control provides an added layer of protection against potential security breaches.

Recovery (RE)

RE is a key domain for CMMC Level 2 compliance. There are two controls associated with managing backups.

  • RE.2.137: Backups are done on a regular basis and tested for validity
  • RE.2.138: Backups remain confidential while in storage

Regularly backing up and storing CUI will ensure you maintain operational requirements for contracts with the DoD.

Risk Management (RM)

RM is primarily concerned with mitigating security threats that could cause data to be compromised. RM offers three controls for CMMC Level 2 compliance.

  • RM.2.141: Assess dangers posed by ongoing operations associated with CUI
  • RM.2.142: Do ongoing scanning for potential vulnerabilities
  • RM.2.143: Fix discovered vulnerabilities promptly according to specified rules outlined by the company

Managing security risks quickly is essential for IT directors and security professionals who want to mitigate potential problems down the road.

Security Assessment (CA)

The CA domain is defined by the ability of an organization to develop a cohesive system security plan and related mechanisms. There are three controls that have to be accounted for.

  • CA.2.157: Outline security strategies with clear boundaries that define the operational content and associated requirements
  • CA.2.158: Regularly evaluate security management capabilities
  • CA.2.159: Create a plan of action for finding vulnerabilities and deploying solutions

With the CA controls in place, companies can remedy deficiencies and get their security infrastructure ready for CMMC Level 2 compliance.

System and Communications Protection (SC)   

Adhering to the SC domain allows IT directors and security professionals to clarify their security policies for communication inside and outside the system. SC contains two controls dealing with user devices and sessions.

  • SC.2.178: Restrict access to collaborative computing systems so that only those physically present are authorized
  • SC.2.179: Protect network devices with encrypted sessions

Control and monitoring of communications across the network are essential for meeting CMMC Level 2 compliance.

System and Information Integrity (SI)

For SI compliance, contractors must be able to find and mitigate potential security flaws while monitoring the network. There are three controls for attaining CMMC Level 2 compliance.

  • SI.2.214: Respond to security events and alerts by taking the necessary actions
  • SI.2.216: Assess network communications in real-time for ongoing threats or attacks
  • SI.2.217: Discover unauthorized users and purge them from the system

Level 2 SI compliance means preventing data theft, spying, and other illegal activities that may pose a threat to CUI.

Reach CMMC Level 2 compliance with Touchstone Security

Do you need guidance for CMMC Level 2 compliance? At Touchstone Security, we’re experienced in securing digital information. Our CMMC compliance services will ensure you conform to cybersecurity standards.

Touchstone Security is redefining how companies approach cybersecurity. Our tailored solutions to digital threat detection and mitigation will give you the flexibility you need to meet whatever compliance standards you’ve set your sites on. We’ve helped numerous companies meet their CMMC requirements.

Contact Touchstone for a CMMC Assessment today!