CMMC Level 2 Readiness (NIST 800-171)

CMMC Level 2 tends to feel overwhelming because it touches more than technology. It touches process, documentation, and the reality that people and vendors change. The contractor environments that succeed are the ones built around repeatable systems: identity that is enforced, devices that are visible, configurations that are standardized, and a documentation routine that stays current.

The fastest way to waste money is to treat Level 2 like a shopping list. Buying tools without scoping first often leads to unnecessary complexity, uncontrolled access, and “compliance theater” where policies exist but aren’t tied to real behavior.

CUI scoping: where Level 2 wins or loses

Level 2 is usually about Controlled Unclassified Information (CUI). That means the work starts by drawing a boundary around CUI systems and users. If you define scope too broadly, remediation becomes slow and expensive. If you define it too narrowly, you will miss key data paths (shared mailboxes, file shares, vendor portals) and discover gaps late.

We typically map CUI in three layers: storage locations (email, file shares, SaaS), transfer paths (who sends it and how), and access paths (remote access, vendor access, personal devices). Once you can map those, you can design a baseline that matches the real business.

The 4 pillars we focus on first

• Scope: define where CUI lives and which systems are truly in scope
• Identity + access: MFA, least privilege, admin separation, and tight external access
• Device + configuration baseline: known devices, hardened configurations, patching routines
• Evidence: the ability to show what is real, repeatable, and maintained

Evidence that actually helps you

For Level 2, “evidence” is not a binder. It is the ability to answer questions quickly: who has access, how devices are managed, what changed, and what your team does when something goes wrong. The easiest way to make evidence sustainable is to align it with daily operations: onboarding checklists, ticketing, access reviews, patch reporting, and backup/restore logs.

When evidence is operational, it stays current. When evidence is a separate “compliance project,” it decays.

Use this checklist as a practical guide to prioritize work. The goal is not to fix everything at once. The goal is to reduce risk and increase clarity fast.

Scope + boundaries

• Define where CUI is stored and who can access it
• Identify which devices and users are in scope for CUI handling
• Document vendor access paths and tighten them

Identity + access controls

• MFA + conditional access where appropriate
• Least privilege and admin separation
• Shared accounts removed or tightly controlled

Endpoint + configuration baseline

• Known inventory + managed configuration baselines
• Patch reporting + accelerated critical updates
• Secure remote access with logging

Operations + evidence

• Ticketing for changes and incidents (so proof is automatic)
• Backup scope defined + restore tests scheduled
• Access reviews and vendor reviews on a predictable cadence

If you want the fastest starting point, request a risk review. We’ll help you figure out scope and the first remediation phase.