What is CMMC: A CISO’s Guide to Level 2 Controls & Scoping

The Cybersecurity Maturity Model Certification (CMMC) is getting closer to its official implementation. The mandate should be released from rulemaking in the first quarter of 2024, with full implementation scheduled by November 10, 2025. Security leaders in the Defense Industrial Base (DIB) should understand this vital framework that verifies whether contractors have implemented cybersecurity practices to protect controlled unclassified information (CUI) and Federal Contract Information (FCI).

CMMC Level 2 applies to companies handling CUI and follows NIST SP 800-171 requirements. Companies at this level must fully implement all 110 security controls, which are evaluated against 320 assessment objectives. If CMMC scoping isn’t done right, organizations waste valuable time securing systems that don’t require protection while missing the ones that actually hold sensitive information. A CMMC Third-Party Assessment Organization (C3PAO) must assess companies handling CUI every three years. The difference between passing and failing your certification audit often comes down to one step: scoping. This piece walks you through CMMC compliance, with a special focus on Level 2 controls and the scoping process that makes certification achievable.

Step-by-Step Scoping Process for CMMC Level 2 Compliance

Image Source: Peak InfoSec

“Level 2 applies to organizations handling Controlled Unclassified Information (CUI), which the DoD considers sensitive but not classified.” — StrikeGraph Security Team, Cybersecurity Compliance and Assessment Firm

Your CMMC Level 2 compliance efforts need accurate scoping to identify CUI locations in your organization and set up proper protection boundaries. Inaccurate scoping might lead to costly security controls for systems that don’t need them. It could also leave sensitive information exposed. The right scoping will make your CMMC assessment more achievable and cost-effective.

Identify and Classify CUI and FCI Using NARA and DoD Registries

Understanding what counts as Federal Contract Information (FCI) and what counts as Controlled Unclassified Information (CUI) is the first vital step in CMMC Level 2 scoping. This distinction is the foundation of your compliance strategy.

FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” The government’s public information and simple transactional details like payment processing don’t fall under this definition.

CUI needs much more protection than FCI. It is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls”. Every piece of CUI a government contractor has counts as FCI, but FCI doesn’t always qualify as CUI.

The National Archives and Records Administration (NARA) CUI Registry and DoD CUI Registry help you find CUI accurately. These trusted sources group different CUI types and tell you how to mark them. The NARA Registry has 20 major categories, with defense-related information being one of them.

CUI has two subcategories that change how you handle it:

  1. CUI Basic: Information that needs protection but doesn’t have specific controls from the governing authority.
  2. CUI Specified: Information where the authority gives specific controls you must use for protection.

Contractors who handle CUI under NARA’s Defense Organizational Index Grouping need C3PAO certification instead of self-assessment for CMMC compliance. That’s why you need to know exactly what type of CUI your organization handles.

Start by working with your contracts team to check all DoD contracts for FAR 52.204-21 (FCI) or DFARS 252.204-7012 (CUI) clauses. You should also talk to project managers and business units that work on government contracts to find where CUI might exist.

Map CUI Data Flows: Entry, Storage, and Exit Points

After finding CUI in your environment, create a detailed Data Flow Diagram (DFD) that tracks how this information moves through your organization. DFDs support CMMC compliance by giving you a clear visual map of data movement through your systems.

Your DFD should show the complete CUI lifecycle, including:

  • Entry Points: Look at your network diagram to find where CUI comes into your environment. Internet gateways, email servers, file transfer systems, and customer portals are common entry points. List each way the DoD or prime contractors send CUI to you.
  • Processing Locations: Show every system part that uses CUI. This includes where people access, enter, edit, generate, manipulate, or print it. List specific applications, databases, and file servers that work with CUI.
  • Storage Locations: Note where CUI stays at rest. This includes electronic media, system component memory, and physical formats like paper documents. Make sure you list every storage location.
  • Exit Points: Show all ways CUI leaves your network. This could be through approved transfers to subcontractors, external reporting systems, or data export processes.

Here’s how to create your DFD:

  1. Use your current network diagram as a starting point
  2. Add the CUI entry points you found during discovery
  3. Show how CUI flows through various systems and processes
  4. Mark where CUI leaves your environment

This visual map helps you place security controls and confirms your assessment scope. DFDs also help you pass CMMC audits by giving auditors clear proof of how you handle CUI according to standards.

A full DFD helps you define your CUI enclave and set up proper protection boundaries. Without this map, you might protect too many systems or miss protecting important ones that handle CUI.

Define the CUI Enclave and Network Segmentation Strategy

Now that you know your CUI data flows, it’s time to set up a CUI enclave – a secure space designed just for Controlled Unclassified Information. This enclave is a physically or logically isolated part of your IT environment that holds all systems that store, process, or send CUI.

CUI enclaves make CMMC compliance easier. This “CUI island” approach reduces your compliance footprint, makes assessment simpler, and might lower your costs. You should only include systems and users that need to handle CUI, which keeps your CMMC assessment focused.

A good CUI enclave needs:

  • Isolation from host networks: Keep the enclave strictly separate from your main corporate environment using firewalls, VLANs, or other network separation tools.
  • Strong user authentication: Everyone accessing the enclave needs multi-factor authentication and should only get the access they need for their job.
  • Encryption: Encrypt CUI both at rest and in transit so it stays protected even if someone gains unauthorized access to the storage or the network path.
  • Detailed logging and monitoring: Track and monitor all activities in the enclave for security events.

You can choose between two main ways to separate your enclave:

  1. Logical separation: Systems stay physically connected but software settings prevent unauthorized data movement. Firewalls and VLANs are examples.
  2. Physical separation: Systems are completely disconnected with no network connection between the enclave and other environments. Data moves between environments through controlled methods.

Your separation choice affects which assets fall within your CMMC assessment scope. Good separation lets you mark certain systems as “out-of-scope assets” – ones that can’t process, store, or send CUI because they’re physically or logically separated from CUI assets.

Organizations with little CUI benefit most from the enclave approach. It lets them keep their CUI footprint small instead of spreading compliance requirements across everything. This focused strategy helps maintain productivity in your commercial environment without needing the same strict controls required for CUI protection.

Document Asset Inventory and System Security Plan (SSP)

After defining your CUI enclave, list all assets within your assessment scope. The CMMC Assessment Scope, as defined in 32 CFR § 170.4, includes “the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements”.

Level 2 assessments need you to put each asset into one of five groups based on its CUI relationship:

  1. CUI Assets: Systems that process, store, or send CUI. These must meet all 110 CMMC Level 2 requirements and will get a full assessment.
  2. Security Protection Assets (SPAs): Systems that provide security functions for your CUI environment, even if they don’t directly handle CUI. This includes firewalls, vulnerability scanners, and EDR solutions. These get assessed based on their security functions.
  3. Contractor Risk Managed Assets (CRMAs): Assets that could handle CUI but aren’t meant to because of security policies. They’re not separated from CUI assets but use risk-based controls.
  4. Specialized Assets (SAs): Systems that might process CUI but have limited security features. This includes IoT devices, operational technology, government-furnished equipment, restricted information systems, and test equipment. These get reviewed based on risk.
  5. Out of Scope Assets: Systems that can’t process, store, or send CUI because they’re separated from CUI assets. These stay outside your assessment boundary.

Level 2 certification requires documenting all assets except out-of-scope ones in your inventory. You also need a network diagram for scoping discussions before assessment.
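As an added example (not code from the article or from any CMMC tool), the following Python check ties the DFD, the separation rule for out-of-scope assets and the five asset categories together: it flags assets that carry CUI but are not inventoried as CUI Assets (or Specialized Assets), flows that touch assets missing from the inventory, and out-of-scope assets that still connect directly to a CUI asset. All asset names, connections and flows are constructed sample data.

```python
"""Scoping consistency check for a CMMC Level 2 asset inventory (added example,
not the article's or any CMMC tool's code). Checks that assets on CUI flows are
inventoried as CUI or Specialized Assets and that out-of-scope assets have no
adjacency to CUI assets. All names and data below are constructed."""
from dataclasses import dataclass, field

CUI, SPA, CRMA, SA, OOS = (
    "CUI Asset", "Security Protection Asset", "Contractor Risk Managed Asset",
    "Specialized Asset", "Out of Scope Asset",
)
MAY_CARRY_CUI = {CUI, SA}  # categories allowed to appear as endpoints of a CUI data flow


@dataclass
class Asset:
    name: str
    category: str
    connects_to: set = field(default_factory=set)  # adjacency taken from the network diagram


def scoping_findings(assets: dict, cui_flows: list) -> list:
    """Return findings as strings; an empty list means inventory and DFD agree."""
    findings = []
    touched = {endpoint for flow in cui_flows for endpoint in flow}  # every point CUI touches
    for name in sorted(touched):
        asset = assets.get(name)
        if asset is None:
            findings.append(f"{name}: appears in a CUI flow but is missing from the inventory")
        elif asset.category not in MAY_CARRY_CUI:
            findings.append(f"{name}: carries CUI but is inventoried as '{asset.category}'")
    cui_assets = {a.name for a in assets.values() if a.category == CUI}
    for asset in assets.values():
        if asset.category == OOS:
            # Out-of-scope status rests on separation from CUI assets, so any
            # direct connection to one contradicts the label.
            for peer in sorted(asset.connects_to & cui_assets):
                findings.append(f"{asset.name}: labelled out of scope but connects to CUI asset {peer}")
    return findings


def inventory_by_category(assets: dict) -> dict:
    """Group asset names by the five categories, ready for the SSP inventory."""
    grouped = {category: [] for category in (CUI, SPA, CRMA, SA, OOS)}
    for asset in assets.values():
        grouped[asset.category].append(asset.name)
    return {category: sorted(names) for category, names in grouped.items()}


# Constructed sample inventory and DFD for a small engineering enclave.
SAMPLE_ASSETS = {
    "cui-fileserver": Asset("cui-fileserver", CUI, {"enclave-fw", "eng-workstation-01"}),
    "eng-workstation-01": Asset("eng-workstation-01", CUI, {"cui-fileserver", "enclave-fw"}),
    "enclave-fw": Asset("enclave-fw", SPA, {"cui-fileserver", "eng-workstation-01", "corp-mail"}),
    "corp-mail": Asset("corp-mail", OOS, {"enclave-fw", "cui-fileserver"}),  # receives CUI: mislabelled
    "hr-printer": Asset("hr-printer", OOS, {"corp-lan"}),
    "cnc-machine": Asset("cnc-machine", SA, {"eng-workstation-01"}),
}
SAMPLE_FLOWS = [
    ("corp-mail", "cui-fileserver"),           # entry point: prime contractor e-mails drawings
    ("cui-fileserver", "eng-workstation-01"),  # processing inside the enclave
    ("eng-workstation-01", "cnc-machine"),     # exit to shop-floor OT
    ("eng-workstation-01", "sftp-gateway"),    # exit point never added to the inventory
]
```

Running `scoping_findings(SAMPLE_ASSETS, SAMPLE_FLOWS)` on the sample data returns three findings; relabelling corp-mail as a CUI Asset and inventorying sftp-gateway clears them.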

The System Security Plan (SSP) is the cornerstone of your CMMC compliance work. It documents how you implement security controls and how you keep monitoring them. Your SSP should include:

  1. A full asset inventory grouped by the five classes above
  2. Network diagrams showing the authorization boundary
  3. Data flow documentation
  4. Security control implementations for each CMMC requirement
  5. Risk assessment summaries and fixes
  6. Details about any third-party providers who handle CUI

Group systems with similar traits when setting your SSP authorization boundary:

  • Systems under the same direct management
  • Systems supporting the same mission functions
  • Systems with similar operating traits and security needs
  • Systems processing similar information types
  • Systems in the same operational environment

The authorization boundary shows where security requirements apply. Mark it clearly with a prominent border in your Authorization Boundary Diagram (ABD). This helps assessors understand your CMMC certification scope and makes sure they review all relevant systems.

Evaluate Third-Party Providers for FedRAMP or CMMC Alignment

The last key part of CMMC scoping is checking any External Service Providers (ESPs) or Cloud Service Providers (CSPs) that work with your CUI environment. These third parties can affect your compliance status and must meet specific requirements.

CMMC separates service providers into two types:

  1. External Service Providers (ESPs): These are “external people, technology, or facilities that an organization utilizes for provision and management of detailed IT and/or cybersecurity services”. This includes Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs).
  2. Cloud Service Providers (CSPs): Companies that provide platform, infrastructure, applications, and/or storage services.

ESPs (except CSPs) that process, store, or send CUI must have CMMC certification equal to or higher than your target level. For Level 2 certification, your ESP needs either Level 2 or Level 3 certification.

Cloud Service Providers handling CUI have different requirements. According to 32 CFR § 170, they must meet FedRAMP Moderate (or equivalent) requirements. They need to either:

  • Have FedRAMP Moderate or higher authorization listed in the FedRAMP marketplace, or
  • Meet security requirements matching the FedRAMP Moderate baseline

CSPs claiming FedRAMP equivalency must show 100% compliance with FedRAMP Moderate security controls. A recognized Third-Party Assessment Organization (3PAO) must verify this, and they need to provide specific documentation in their Body of Evidence (BoE).

Your SSP should document both service provider types, including:

  • Your relationship with the provider
  • Services they deliver
  • How they affect your CUI environment
  • A customer responsibility matrix (CRM) showing who handles which security requirements

Check potential service providers by:

  • Getting their SPRS score (for ESPs)
  • Checking their FedRAMP authorization status (for CSPs)
  • Looking at their SSP and security documentation
  • Making sure they can report incidents
  • Getting commitment letters about their certification timeline

Cloud service providers storing Security Protection Data (SPD) but not CUI need CMMC Level 2 Certification. This includes services collecting security logs, configuration data, or other information that protects your CUI environment.

Your scoping documentation should clearly show how you work with third-party providers. This helps prevent security control gaps and ensures a complete assessment of your CUI environment.

Third-party provider evaluation matters because you’re responsible for CUI security throughout its lifecycle, even when others handle it. Making sure your service providers meet CMMC and FedRAMP requirements creates a strong security setup that protects sensitive information across your supply chain.

Preparing for a CMMC Level 2 Assessment and Maintaining Compliance

Image Source: Centraleyes

“An entity that has (1) implemented NIST SP 800-171, (2) completed a System Security Plan (SSP) for each relevant system, (3) maintained a POA&M where necessary, (4) performed self-assessments using the 2020 Assessment Methodology, and (5) submitted a score to the SPRS every three years following its self-assessments is in a very good position to obtain certification at CMMC Level 2.” — Department of Defense, U.S. Federal Government – CMMC Regulatory Authority

Your next big step after CMMC scoping is to get ready for assessment and keep up with compliance requirements. You need careful planning and systematic execution to earn your CMMC Level 2 certification. Let’s look at the key steps you’ll need to take from preparation through certification and beyond.

Conduct a Readiness Gap Assessment Against NIST SP 800-171

Organizations should verify their security setup against CMMC requirements before working with a C3PAO for official certification. A complete gap assessment will help you spot security issues that need fixing. This step increases your chances of passing the certification assessment on your first try.

A CMMC gap assessment systematically reviews your organization’s security controls against the 110 practices in NIST SP 800-171. This assessment shows how well your cybersecurity practices, technical controls, and documentation line up with the standards needed for CMMC Level 2 certification.

The assessment process has several key parts:

  1. Document Review: Assessment of existing policies, incident response plans, access controls, and your System Security Plan (SSP).
  2. Personnel Interviews: Talks with cybersecurity staff to verify practices, test awareness, and confirm control operation.
  3. Technical Evaluation: Review of system configurations, network segmentation, logging capabilities, and security control implementation.
  4. Control Mapping: Matching current controls with CMMC practices to find gaps where controls are missing or incomplete.

Most gap assessments take 2-4 weeks, based on your organization’s size and complexity. You should use the NIST SP 800-171A assessment procedures—the same ones C3PAOs use—which provide 320 assessment objectives across the 110 controls. This approach ensures you’re using the same criteria official assessors will use.

Organizations going for CMMC Level 2 will get detailed findings that rank compliance gaps by how serious they are. This report becomes your blueprint for fixing issues and guides your certification prep work.

You must also generate a Supplier Performance Risk System (SPRS) score by evaluating how fully you’ve implemented the requirements. The DoD requires this score, and it highlights the areas where you’re not yet meeting the standard. You need at least 88 out of 110 before you can ask a C3PAO for certification.

You’ll need to fix any issues if your score falls below this minimum before scheduling certification. Make sure to write down why you scored things the way you did in case of future audits.

Conclusion

CMMC Level 2 certification requires careful planning and strategic implementation of cybersecurity controls. This piece has explored the critical components you need to comply successfully, from proper scoping to assessment preparation.

Proper scoping is the cornerstone of CMMC compliance. Your organization should identify CUI accurately, track its flow through systems, and set up appropriate boundaries through enclaves or segmentation. A focused strategy avoids costly controls on systems that don’t need them and prevents dangerous security gaps that could expose sensitive information.

Documentation plays a vital role beyond technical controls. Your System Security Plan, asset inventory, data flow diagrams, and POA&Ms guide implementation and provide evidence for assessors. These documents show your understanding of requirements and steadfast dedication to protection.

A structured process guides you from preparation to certification. Gap assessments spot weaknesses, POA&Ms tackle fixes, and C3PAOs confirm your implementation. Your work continues after certification through internal audits, regular scope checks, and careful monitoring of changes that might require reassessment.

CMMC compliance ultimately protects not just your organization but the nation’s defense industrial base. The 2025 implementation deadline is approaching, and organizations handling CUI must act now. Companies that adopt these practices will be ready for certification and will maintain a reliable security posture that protects critical information assets in the future.

Key Takeaways

CMMC Level 2 certification requires strategic scoping and systematic preparation to protect Controlled Unclassified Information (CUI) while avoiding costly over-compliance across your entire organization.

Accurate scoping is critical: Identify CUI using NARA and DoD registries, map data flows, and create secure enclaves to minimize compliance footprint and reduce assessment costs.

Achieve a minimum SPRS score of 88: Complete a gap assessment against NIST SP 800-171’s 110 controls before engaging C3PAO assessors to increase your likelihood of certification success.

Document everything systematically: Maintain comprehensive System Security Plans, asset inventories, and POA&Ms as both implementation guides and essential evidence for assessors.

Validate third-party providers: Ensure External Service Providers have CMMC Level 2+ certification and Cloud Service Providers meet FedRAMP Moderate requirements.

Plan for ongoing compliance: Establish internal audit programs, track environmental changes, and prepare for 3-year recertification cycles with annual affirmations.

With the November 2025 implementation deadline approaching, organizations handling CUI must begin their CMMC journey immediately. Proper preparation today determines whether you’ll achieve certification efficiently or face costly delays and remediation efforts that could impact your ability to compete for DoD contracts.

FAQs

Q1. What is CMMC Level 2 and who needs to comply with it? CMMC Level 2 is a cybersecurity certification for organizations handling Controlled Unclassified Information (CUI) in the Defense Industrial Base. It requires implementing 110 security practices aligned with NIST SP 800-171 and is mandatory for contractors working with the Department of Defense who process, store, or transmit CUI.

Q2. How do I determine the scope for my CMMC Level 2 assessment? To determine your CMMC Level 2 scope, identify where CUI exists in your organization using NARA and DoD registries, map CUI data flows, define a CUI enclave or network segmentation strategy, document your asset inventory, and evaluate any third-party providers handling CUI. This process helps focus your compliance efforts on systems that actually interact with sensitive information.

Q3. What is the minimum score required for CMMC Level 2 certification? Organizations must achieve a minimum Supplier Performance Risk System (SPRS) score of 88 out of 110 before seeking CMMC Level 2 certification from a C3PAO. This score is based on an evaluation of your implementation of NIST SP 800-171 security controls.

Q4. How long is a CMMC Level 2 certification valid? A CMMC Level 2 certificate is valid for 3 years. However, organizations must perform annual affirmations verifying continued compliance with the 110 security requirements in NIST SP 800-171 Revision 2. Failure to annually affirm will cause the assessment to lapse.

Q5. What triggers the need for a reassessment after obtaining CMMC Level 2 certification? A reassessment is required when there are significant changes to your environment, defined as architectural or boundary changes to the previous CMMC Assessment Scope. This can include major network expansions, mergers and acquisitions, or changes to service providers that affect your CUI environment. Regular internal audits and scope validation help identify when reassessment might be necessary.