Level 2

CMMC Level 2 is considered a steppingstone to get from Level 1 to Level 3. No RFPs will be issued with CMMC Level 2 certification requirements.

CMMC Level 2 builds from the 17 practices (controls) in Level 1 and adds an additional 55 practices. In addition, Level 2 requires two process – that each of the 72 practices is documented and that an overall cybersecurity policy be written that includes all cybersecurity activities. In other words, you will begin building a quality management system (QMS) for your cybersecurity program to achieve a consistent, quality result.

NOTE: CMMC Level 1 in a Box includes steps to help build a QMS for your cybersecurity program.


1. Since no RFPs will be issued with CMMC Level 2 certification requirements, it does not make financial sense to request a Level 2 audit from a C3PAO – there would be no return on your investment.
2. CMMC Level 1 in a Box can be used as a model for continuing on to Level 2.
3. When determining where to begin in terms of practices, start with the easiest and least costly practices first.
4. If you are considering engaging a cybersecurity consultant, you might want to include Level 3 practices rather than pay a company to assist with Level 2 compliance, then have to engage them again to assist with Level 3 compliance. For a list of cybersecurity consultants to consider, please Click Here.