Plain-English summary

A careful introduction to CMMC Level 2, CUI, and assessment paths for small contractors. This page is for orientation only. Always verify the official source, contract language, solicitation instructions, and qualified professional advice before making commitments.

Why Level 2 feels different

CMMC Level 2 is tied to the protection of Controlled Unclassified Information (CUI), a broader scope than the Federal Contract Information covered by Level 1. The official CMMC overview describes Level 2 as requiring either a self-assessment or an assessment by an authorized third-party assessment organization (C3PAO) every three years, with the solicitation specifying which path applies, plus an annual affirmation of continued compliance. It also ties Level 2 to the 110 security requirements of NIST SP 800-171 Revision 2. NIST SP 800-171 Revision 3 is the current NIST publication, so contractors should verify which revision their contract and the official program materials actually require rather than assuming the newest one applies.

The information drives the conversation

Level 2 is not just Level 1 with more paperwork. It is generally about systems that process, store, or transmit CUI. CUI is by definition unclassified, so the fact that a file does not "look secret" says nothing about whether it must be protected. If a small contractor receives or produces drawings, specifications, technical data, contract attachments, reports, or other information from or for the government, the key question is how the customer, agency, contract, markings, and applicable rules identify and control that information.

Self or third-party assessment can matter a lot

The assessment path can affect cost, schedule, evidence, documentation, and who is allowed to perform the assessment. A contractor should not assume that a consultant's readiness review or gap analysis is the same thing as an authorized CMMC third-party assessment; only a C3PAO can perform the latter. It should also not assume that a self-assessment is available unless the solicitation or official requirement supports that path.

Small-contractor reality

For a small shop, Level 2 may require stronger documentation (including a System Security Plan that describes the in-scope environment), clearly defined system boundaries, tighter access control, evidence that controls actually operate as described, incident response planning, configuration management, audit logging, training, and oversight of service providers that touch CUI. This site explains the vocabulary, but a business facing a real Level 2 requirement should use qualified legal, contract, security, and IT help before making commitments.

Key takeaways

  • Level 2 is generally associated with CUI protection.
  • CMMC materials currently reference NIST SP 800-171 Rev. 2, even though Rev. 3 is the current NIST publication; verify which revision applies.
  • The solicitation or contract determines important details.
  • Consultants, IT providers, and official assessors have different roles.

Official sources to verify

Use these official sources for current requirements. This page is educational and may not reflect every contract-specific detail.