CMMC Level 2 in plain English: what a small defense contractor actually needs

June 26, 2026

If you handle Controlled Unclassified Information (CUI) on a Department of Defense contract, CMMC Level 2 is the bar you’ll need to clear. Here’s what that actually means — without the acronym soup.

Why CMMC exists

The defense supply chain was leaking sensitive information. CMMC — the Cybersecurity Maturity Model Certification — is the DoD’s way of requiring contractors to prove they protect that information, rather than just promising they do.

The three levels (and where you fit)

  • Level 1 (Foundational) — protects Federal Contract Information (FCI). 17 basic practices, annual self-assessment.
  • Level 2 (Advanced) — protects CUI. Built directly on NIST SP 800-171 and its 110 security controls. This is where most defense contractors live.
  • Level 3 (Expert) — for the highest-risk programs; adds controls from NIST SP 800-172 and a government-led assessment.

FCI vs. CUI in one line: FCI is information not meant for public release; CUI is more sensitive government information that requires specific safeguarding. If your contract involves CUI, plan for Level 2.

How you’ll be assessed

Depending on the contract and the sensitivity of the CUI, Level 2 is met by either:

  • a self-assessment, or
  • a third-party assessment by a C3PAO (a Certified Third-Party Assessment Organization), typically on a three-year cycle.

Either way, you report a score to SPRS (the Supplier Performance Risk System): a number that starts at 110 and reflects how many of the 800-171 controls you have fully implemented. Each gap subtracts points, so the score can go negative.
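A worked example of how that score behaves, added here and not part of the guide: the scoring rules follow the DoD Assessment Methodology for NIST SP 800-171 (each unimplemented requirement costs a fixed number of points, two requirements earn partial credit, and the floor is -203). The gap list is a constructed sample, and the per-requirement weights in it are illustrative; the real weight for each requirement comes from the methodology's own table.

```python
"""Added example: computing an SPRS-style NIST SP 800-171 score from a gap list.

Rules used (DoD Assessment Methodology for NIST SP 800-171):
  * start at 110; subtract each unimplemented requirement's weight
  * 3.5.3 (MFA) and 3.13.11 (FIPS crypto) cost 3 instead of 5 when partly done
  * the lowest possible score is -203 (110 minus the 313 points all
    requirements carry together)
The sample gaps and their weights below are constructed for illustration.
"""
from typing import Iterable, List, Tuple

MAX_SCORE = 110
MIN_SCORE = -203

# Requirements that earn partial credit when partly implemented.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA in place for remote/privileged access, not yet for general users
    "3.13.11": 3,  # encryption in place, but not FIPS-validated
}

# (requirement id, weight, partially_implemented) for requirements NOT fully met.
Gap = Tuple[str, int, bool]

# Constructed sample; weights here are illustrative, not taken from the methodology.
SAMPLE_GAPS: List[Gap] = [
    ("3.1.1", 5, False),    # access to the CUI file share not limited to authorized users
    ("3.3.1", 5, False),    # audit logging not enabled on CUI systems
    ("3.5.3", 5, True),     # MFA only for VPN and admins so far -> partial credit
    ("3.13.11", 5, True),   # disk encryption on, but not a FIPS-validated module
    ("3.8.9", 1, False),    # backup copies of CUI not protected
]


def deduction(req_id: str, weight: int, partial: bool) -> int:
    """Points lost for one gap; partial credit applies only to the two listed requirements."""
    if partial:
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id} has no partial-credit rule; treat it as unimplemented")
        return PARTIAL_CREDIT[req_id]
    return weight


def sprs_score(gaps: Iterable[Gap]) -> int:
    """110 minus the total deduction, never below the methodology's floor of -203."""
    total = sum(deduction(r, w, p) for r, w, p in gaps)
    return max(MIN_SCORE, MAX_SCORE - total)


def remediation_order(gaps: Iterable[Gap]) -> List[Tuple[str, int]]:
    """Gaps sorted by points recovered when closed, most valuable first (stable sort)."""
    costed = [(r, deduction(r, w, p)) for r, w, p in gaps]
    return sorted(costed, key=lambda item: -item[1])


if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_GAPS))          # 110 - (5+5+3+3+1) = 93
    for req, pts in remediation_order(SAMPLE_GAPS):
        print(f"close {req}: +{pts} points")
```

Closing the two 5-point gaps first recovers more score per fix than the partial-credit or 1-point items, which is the practical reason to rank a gap list by weight before planning remediation.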

The realistic path for a small contractor

  1. Scope it. Identify exactly where CUI lives — which systems, people, and cloud services touch it. A smaller, well-defined boundary is cheaper to secure.
  2. Write your SSP. A System Security Plan documents how you meet each control. (See the companion guide on the SSP and POA&M.)
  3. Run a gap assessment. Compare reality against all 110 controls.
  4. Remediate. Close the gaps — technical fixes, policies, and evidence.
  5. Assess and report. Self-assess or bring in a C3PAO, then post your score.

The honest truth about cost

Compliance does take real work — but the biggest waste of money comes from over-scoping (trying to secure your entire company instead of just the systems that touch CUI) and from buying tools you don’t need. A tight scope and a clear plan are what keep this affordable. That’s exactly where focused, experienced help pays for itself.
