
CMMC Level 2: the 110 controls, plotted onto your existing security stack

By Laurens Vanhaecke. Jun 18, 2026. 11 min read. Reviewed by Laurens Vanhaecke.

Most defense contractors chasing CMMC Level 2 already have 60–70% of the required controls deployed — they just can't prove it. That gap between deployed and documented is exactly what assessors exploit, and it's why companies with mature security stacks still fail C3PAO audits.

This article maps all 110 CMMC L2 controls against a realistic SMB stack, identifies where your existing tools already satisfy requirements, and names the specific controls most likely to sink your assessment.

What CMMC L2 actually requires (110 controls, NIST 800-171 mapping)

CMMC Level 2 is a direct implementation of NIST SP 800-171 Rev 2. No more, no less. The 110 practices map one-to-one to the 110 security requirements in 800-171 — there are no CMMC-unique additions at Level 2. If you've been working against a NIST 800-171 self-assessment for DFARS 252.204-7012, you already have the right control catalog. The difference under CMMC 2.0 is enforcement: a third-party C3PAO (Certified Third-Party Assessment Organization) validates your implementation for most contracts, not just your own attestation.

The controls are organized into 14 domains, each containing between 2 and 24 practices. Every practice has an associated NIST source requirement, which links directly to the assessment procedures in NIST SP 800-171A. When a C3PAO shows up, they're working through 800-171A. That document is your actual assessment script.

Two numbers matter before you start mapping: your current SPRS score and your POA&M posture. The Supplier Performance Risk System score is calculated by subtracting point values from 110 for each unimplemented control. Under DFARS, you need to have submitted that score. Under CMMC, a C3PAO validates whether the score you submitted reflects reality. Organizations that submitted inflated SPRS scores are in a worse position than those who never submitted at all — assessors will compare your claimed score against their findings.
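The scoring arithmetic above is simple, but the useful artifact is a gap list that also tells you which open items an assessor will not accept on a POA&M. The script below is an added example, not code from the article or from any assessment tool: it starts at 110, subtracts the weight of every unimplemented requirement, and flags gaps that either lack a POA&M remediation date or are not POA&M-eligible at all (the article notes later that MFA, IA.3.083, must be fully implemented at assessment time). The `Weight` values in the sample rows are placeholders; the real per-requirement values come from the DoD Assessment Methodology scoring table. `Get-SprsScore`, the column names, and the sample rows are this example's assumptions.

```powershell
# Added example, not from the article: score a gap list the way SPRS does (110 minus the
# weight of each unimplemented requirement) and flag what blocks an assessment.
# Weight values are PLACEHOLDERS; take the real ones from the DoD Assessment Methodology.

function Get-SprsScore {
    param(
        # Gap-list rows with Id, Weight, Implemented, PoamDate (assumed column names)
        [Parameter(Mandatory)] [object[]]$Gaps,
        # Controls that cannot be carried on a POA&M; MFA per the article's note
        [string[]]$NotPoamEligible = @('IA.3.083')
    )
    $open = @($Gaps | Where-Object { -not $_.Implemented })
    $deduction = ($open | Measure-Object -Property Weight -Sum).Sum
    if ($null -eq $deduction) { $deduction = 0 }

    # Open gaps that are not POA&M-eligible stop the assessment outright
    $blockers = @($open | Where-Object { $NotPoamEligible -contains $_.Id })
    # Every other open gap needs a POA&M entry with a realistic remediation date
    $noPoam = @($open | Where-Object { ($NotPoamEligible -notcontains $_.Id) -and (-not $_.PoamDate) })

    [pscustomobject]@{
        Score              = 110 - $deduction      # 110 means every requirement is implemented
        OpenControls       = $open.Count
        AssessmentBlockers = @($blockers | ForEach-Object { $_.Id })
        OpenWithoutPoam    = @($noPoam   | ForEach-Object { $_.Id })
        ReadyForC3PAO      = (($blockers.Count -eq 0) -and ($noPoam.Count -eq 0))
    }
}

# Constructed sample gap list (not real assessment data); weights are placeholders
$gapList = @(
    [pscustomobject]@{ Id = 'IA.3.083'; Weight = 5; Implemented = $false; PoamDate = $null }
    [pscustomobject]@{ Id = 'AC.2.005'; Weight = 1; Implemented = $false; PoamDate = '2026-08-15' }
    [pscustomobject]@{ Id = 'IR.2.093'; Weight = 1; Implemented = $false; PoamDate = $null }
    [pscustomobject]@{ Id = 'AU.2.041'; Weight = 5; Implemented = $true;  PoamDate = $null }
)

Get-SprsScore -Gaps $gapList | Format-List
```

Feed it the same gap list you maintain for CA.2.157 so the score you upload to SPRS and the score your own assessment supports are derived from one record; the `ReadyForC3PAO` flag is the "do not invite the assessor yet" signal.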

The 110 controls break into roughly three tiers of implementation complexity:

  • Configuration-based controls (~40): Satisfied by enabling specific settings in existing tools — Conditional Access policies in Microsoft Entra ID, Defender for Endpoint baselines, BitLocker enforcement.
  • Process-based controls (~45): Require documented procedures, defined roles, and evidence of execution — incident response plans, media sanitization logs, access review records.
  • Architecture-based controls (~25): Require deliberate design decisions — network segmentation, CUI boundary definition, controlled system interfaces.

Most SMBs are strong on configuration, weak on process documentation, and inconsistent on architecture.

The 14 domains and which 4 carry the most assessor attention

The 14 NIST 800-171 / CMMC L2 domains are: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI).

All 14 domains matter. Four generate disproportionate findings.

Access Control (AC) — 22 practices. The largest domain. Assessors spend significant time here because failures are both common and high-impact. The CUI boundary is tested through AC controls — if you can't demonstrate that access to CUI-bearing systems is limited to authorized users with least-privilege roles, you fail here regardless of your MFA posture. Microsoft Entra ID Conditional Access, Privileged Identity Management, and role-based access control in Microsoft 365 address a large portion of AC, but only if they're configured correctly and the configuration is documented as meeting specific control requirements.

Identification and Authentication (IA) — 11 practices. Multi-factor authentication is the headline requirement (IA.3.083), but assessors dig into service accounts, shared credentials, and authenticator management. Organizations running legacy applications with shared admin accounts, or using password-only service principals in Azure, regularly fail IA even when end-user MFA is solid. Duo Security or Microsoft Authenticator covering only the human workforce leaves a gap if privileged automation accounts aren't addressed.

Audit and Accountability (AU) — 9 practices. You need logs. You need to review them. You need to retain them. You need to protect them. CrowdStrike Falcon's event data sits in the vendor's cloud — assessors want to know whether you can query it, retain it for the required period (3 years under DFARS), and demonstrate that someone actually reviews alerts. Shipping logs to a SIEM like Microsoft Sentinel or Elastic satisfies the architectural requirement; showing monthly review records satisfies the process requirement. Many organizations have the former and lack the latter.

System and Information Integrity (SI) — 7 practices. Malware protection, security alerts, patch management. This is where endpoint detection and response (EDR) tools like CrowdStrike Falcon or Microsoft Defender for Endpoint earn their keep — but only if patch cadence is documented and malware protection configurations are hardened against user modification. NinjaOne's patch management module, for example, generates the patch compliance reports that satisfy SI.1.210 evidence requirements directly. Assessors ask for patch reports covering the prior 90 days. If you can't produce them, the EDR license doesn't help you.

Plotting the controls onto common SMB stacks (M365 + EDR + MFA + backup)

A typical defense contractor SMB stack running Microsoft 365 Business Premium, CrowdStrike Falcon Go or Microsoft Defender for Endpoint, Duo Security or Entra MFA, and a backup solution like Veeam or Acronis actually satisfies roughly 65 of the 110 controls — provided the tools are properly configured and that configuration is evidenced. Here's how the mapping breaks down across the major technology layers.

Microsoft 365 / Entra ID covers the majority of AC, IA, and portions of AU:

  • AC.1.001 (authorized access control) → Entra ID RBAC + Conditional Access
  • AC.2.006 (control CUI on mobile) → Intune MAM/MDM policies
  • IA.3.083 (MFA) → Entra MFA or Conditional Access requiring phishing-resistant MFA
  • AU.2.041 (user activity audit logs) → Unified Audit Log in Microsoft Purview
  • AU.3.045 (review audit logs) → This requires a process, not just the tool

The critical gap in M365 deployments: Purview audit logging defaults to 90-day retention on E3 licenses. DFARS requires 3-year retention. You either need Microsoft 365 E5 or Purview Compliance, or you need to ship logs out to Azure Monitor or a third-party SIEM immediately.
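The two M365 artifacts an assessor usually asks for first are the Conditional Access policies that actually enforce MFA (IA.3.083) and the unified audit log's ingestion and retention settings (AU.2.041). The script below is an added example, not code from the article or from Microsoft: it reads both through the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module and writes dated JSON files into an evidence folder. The evidence folder, file names, and the warning thresholds are this example's assumptions; the cmdlets and property names are the modules' own.

```powershell
# Added example, not from the article: export Conditional Access MFA evidence (IA.3.083)
# and unified audit log retention evidence (AU.2.041) from a Microsoft 365 tenant.
# Requires Microsoft.Graph and ExchangeOnlineManagement; paths are assumptions.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module ExchangeOnlineManagement

$EvidenceRoot = 'C:\CMMC\Evidence'                 # assumed evidence library root
$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Force -Path $EvidenceRoot | Out-Null

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false          # for Get-AdminAuditLogConfig
Connect-IPPSSession                                # for Get-UnifiedAuditLogRetentionPolicy

# --- IA.3.083: which enabled policies require MFA, and for which users and apps ---
$mfaPolicies = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $gc = $p.GrantControls
    # Either the classic 'mfa' grant control or an authentication-strength policy
    $requiresMfa = ($gc.BuiltInControls -contains 'mfa') -or ($null -ne $gc.AuthenticationStrength.Id)
    if ($p.State -eq 'enabled' -and $requiresMfa) {
        [pscustomobject]@{
            Control  = 'IA.3.083'
            Policy   = $p.DisplayName
            Users    = ($p.Conditions.Users.IncludeUsers -join ',')            # 'All' is the goal
            Apps     = ($p.Conditions.Applications.IncludeApplications -join ',')
            Strength = $gc.AuthenticationStrength.DisplayName                    # $null for plain 'mfa'
            Captured = (Get-Date).ToString('o')
        }
    }
}
if (-not $mfaPolicies) { Write-Warning 'IA.3.083: no enabled Conditional Access policy requires MFA' }
$mfaPolicies | ConvertTo-Json -Depth 4 |
    Set-Content (Join-Path $EvidenceRoot "IA.3.083-ConditionalAccess-$Stamp.json")

# --- AU.2.041: is the unified audit log ingesting, and how long does the tenant keep it? ---
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'AU.2.041: unified audit log ingestion is disabled'
}
$retention = Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RetentionDuration, RecordTypes, Priority
# Tenant-side RetentionDuration is ThreeMonths..TwelveMonths, or TenYears with the add-on.
# Anything short of the 3-year DFARS period means the logs must also go to a SIEM.
if (-not ($retention | Where-Object RetentionDuration -eq 'TenYears')) {
    Write-Warning 'AU.2.041: no tenant retention policy covers 3 years; evidence the SIEM export'
}
[pscustomobject]@{
    Control           = 'AU.2.041'
    IngestionEnabled  = $auditConfig.UnifiedAuditLogIngestionEnabled
    RetentionPolicies = $retention
    Captured          = (Get-Date).ToString('o')
} | ConvertTo-Json -Depth 4 |
    Set-Content (Join-Path $EvidenceRoot "AU.2.041-AuditRetention-$Stamp.json")
```

Run it once when you baseline and again the week before the assessment; two dated exports with identical settings are stronger evidence than one screenshot, and a policy whose `Users` column is anything other than `All` is exactly the service-account gap the IA section warns about.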

CrowdStrike Falcon / Microsoft Defender for Endpoint covers SI and portions of CM:

  • SI.1.210 (malware protection) → Falcon's prevention policies or Defender AV
  • SI.2.214 (security alerts) → Falcon Insight detections
  • CM.2.061 (baseline configurations) → Defender's attack surface reduction rules, CIS benchmarks applied through Intune
  • CM.3.068 (least functionality) → Application control via Defender or Falcon's application blocking

Gap: Neither CrowdStrike nor Defender generates the vulnerability scan reports required by RA.2.141. You need a separate vulnerability scanner — Tenable Nessus, Qualys, or even Microsoft Defender Vulnerability Management (included in Defender for Endpoint Plan 2) — to close this.

Backup (Veeam, Acronis, Azure Backup) covers portions of IR and SC:

  • IR.2.092 (incident response capability) → Partial; backup is one component of IR, but you still need a documented IR plan
  • SC.3.177 (cryptographic protection) → Azure Backup encrypts at rest using AES-256; Veeam requires explicit configuration of backup encryption

Gap: Backup alone doesn't satisfy IR. You need a written incident response plan, defined roles, and evidence of at least one tabletop exercise per year. Every IR failure in assessments is a documentation failure, not a technology failure.

Cloudflare (used by many SMBs for DNS, Zero Trust, and DDoS protection) addresses SC domain controls around boundary protection and remote access:

  • SC.1.175 (communications protection) → Cloudflare Zero Trust for remote access replaces VPN and satisfies controlled system interfaces
  • SC.3.187 (cryptographic key management) → Cloudflare manages TLS certificates; you still own key management for data at rest

NinjaOne or equivalent RMM covers CM and portions of MA:

  • CM.2.062 (configuration management) → NinjaOne's configuration policies and drift detection
  • MA.2.111 (maintenance controls) → Remote maintenance session logs from NinjaOne satisfy this with proper configuration
  • SI.1.210 patch evidence → NinjaOne patch compliance reports are audit-ready if exported and retained

The controls that fail most assessments (5 specific ones)

These five controls appear repeatedly in C3PAO findings. None of them require expensive tools. All of them require discipline.

1. AC.2.005 — Provide privacy and security notices. System banners. Login warnings. Every CUI-bearing system needs a banner stating authorized use, monitoring, and consent. It sounds trivial. Assessors check every system individually — workstations, VPNs, remote desktop gateways, admin consoles. Organizations that have banners on Windows login but not on their Cisco firewall management interface or their NAS admin panel fail this control on those systems.

2. AC.2.013 — Monitor and control remote access sessions. You need to log remote sessions, terminate idle sessions, and demonstrate control. A Cloudflare Zero Trust or Zscaler Private Access deployment satisfies this architecturally. An always-on VPN without session logging and idle timeout policies does not. Assessors ask for remote access policy documentation and then verify the technical controls enforce what the policy says.

3. MP.2.120 — Control access to CUI on portable storage. USB control. USB ports must be disabled or controlled on CUI systems. Microsoft Intune's device control policies or CrowdStrike's USB device blocking handles this technically. The failure mode is scope: organizations block USB on managed workstations but leave printers, copiers, and conference room machines unaddressed. If those systems process, store, or transmit CUI, they're in scope.

4. CA.2.157 — Conduct periodic assessments of security controls. You need to assess your own controls periodically and document the results. An annual internal audit with findings and remediation tracking satisfies this. Most organizations either skip the assessment entirely or conduct one but don't retain the evidence. This control is also the legal and contractual anchor for why inflated SPRS scores create liability — your CA.2.157 assessment is supposed to be the basis for that score.

5. IR.2.093 — Test the incident response capability. Tabletop exercise, documented results, lessons learned, plan updates. Once per year minimum. This is pure process — no tool satisfies it. Assessors ask for the exercise agenda, participant list, scenario used, findings, and evidence that the IR plan was updated based on lessons learned. Organizations that have IR plans but have never tested them fail this every time.
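Three of the five controls above are checked per system, and the failure mode is almost always a system nobody looked at. The script below is an added example, not code from the article or from any vendor: run as an administrator on a Windows CUI workstation, it reads the standard policy locations for the logon banner (AC.2.005), idle remote-session termination (AC.2.013), and USB mass storage (MP.2.120), adds the BitLocker encryption-at-rest check the 90-day plan treats as a hard requirement, and writes one dated CSV row per control for the evidence library. The registry paths and value names are the standard Windows policy locations; the 15-minute idle threshold, the function names, and the evidence path are this example's assumptions.

```powershell
# Added example, not from the article: per-host evidence for AC.2.005, AC.2.013, MP.2.120
# and encryption at rest on a Windows CUI workstation. Run elevated.
# The idle threshold and the evidence path are assumptions, not article values.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    [pscustomobject]@{
        Control  = $Control
        Host     = $env:COMPUTERNAME
        Status   = $Status
        Detail   = $Detail
        Captured = (Get-Date).ToString('o')
    }
}

function Test-CmmcEndpointControls {
    param([int]$MaxIdleMinutes = 15)   # assumed org-defined idle limit for remote sessions
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $findings = @()

    # AC.2.005: a logon banner needs both a caption and body text to be present
    $caption = Get-RegValue $sys 'LegalNoticeCaption'
    $text    = Get-RegValue $sys 'LegalNoticeText'
    $status  = if ($caption -and $text) { 'Pass' } else { 'Fail' }
    $findings += New-Finding 'AC.2.005' $status "LegalNoticeCaption='$caption'"

    # AC.2.013: idle RDP sessions must be terminated. If RDP is disabled host-wide the
    # control is not applicable to this interface; otherwise MaxIdleTime (ms) must be set.
    $rdpOff = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections') -eq 1
    $idleMs = Get-RegValue $ts 'MaxIdleTime'
    if ($rdpOff) {
        $findings += New-Finding 'AC.2.013' 'NotApplicable' 'RDP disabled on this host'
    } elseif ($idleMs -and $idleMs -le ($MaxIdleMinutes * 60000)) {
        $findings += New-Finding 'AC.2.013' 'Pass' "MaxIdleTime=$idleMs ms"
    } else {
        $findings += New-Finding 'AC.2.013' 'Fail' "MaxIdleTime=$idleMs (unset or above $MaxIdleMinutes min)"
    }

    # MP.2.120: USBSTOR Start=4 disables the mass-storage driver. Device control applied by
    # Intune or the EDR console will not show here and must be exported from that console.
    $usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $status   = if ($usbStart -eq 4) { 'Pass' } else { 'Fail' }
    $findings += New-Finding 'MP.2.120' $status "USBSTOR Start=$usbStart"

    # Encryption at rest: the article calls it a hard requirement without naming a control
    # id; map this row to the control your SSP uses for CUI at rest.
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $status = if ("$($bl.ProtectionStatus)" -eq 'On') { 'Pass' } else { 'Fail' }
        $findings += New-Finding 'EncryptionAtRest' $status "ProtectionStatus=$($bl.ProtectionStatus) VolumeStatus=$($bl.VolumeStatus)"
    } catch {
        $findings += New-Finding 'EncryptionAtRest' 'Fail' "BitLocker not available: $_"
    }
    return $findings
}

$EvidenceRoot = 'C:\CMMC\Evidence'   # assumed evidence library root
New-Item -ItemType Directory -Force -Path $EvidenceRoot | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$results = Test-CmmcEndpointControls
$results | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceRoot "Endpoint-$($env:COMPUTERNAME)-$stamp.csv")
```

Push it through your RMM to every in-scope host, not only the managed workstations: the conference-room machine and the NAS admin panel the AC.2.005 item describes are the systems this kind of sweep catches, and a `NotApplicable` row is still evidence that you checked.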

Self-assessment vs C3PAO — when which applies

CMMC 2.0 created three paths to compliance based on contract requirements:

Annual self-assessment with senior official affirmation applies to contracts where the DoD program office has determined Level 2 self-assessment is sufficient. This is a minority of L2 contracts. You complete your own assessment against all 110 controls, calculate your SPRS score, upload it to SPRS, and have a senior official (C-suite level) affirm the accuracy. False affirmations carry False Claims Act liability — that's not theoretical, it's been prosecuted.

C3PAO third-party assessment is required for contracts involving critical national security programs, which in practice means most contracts where the government specifically cares about CUI protection. The C3PAO must be accredited by the Cyber AB (formerly CMMC Accreditation Body). As of mid-2026, there are fewer than 80 active C3PAOs. Lead times for assessments run 3–6 months. Plan accordingly.

Government-led assessment applies to companies operating under a Federal Contract Information or CUI agreement directly with certain agencies. Rare for SMB subcontractors.

If your contract solicitation references DFARS 252.204-7021 with a Level 2 C3PAO requirement, self-assessment doesn't satisfy it. Period. If it references 252.204-7012 only, you're still in the pre-CMMC enforcement world with SPRS self-assessment. Check the specific DFARS clauses in your contract — don't guess.

For primes flowing down requirements to subcontractors: you are contractually obligated under 252.204-7012 to ensure your subs handle CUI appropriately. That means knowing their SPRS score and, once CMMC enforcement is in full effect, their certification status. Primes that ignore sub compliance are themselves non-compliant.

90-day prep sprint

Ninety days is enough time to close most gaps if you already have a reasonable stack deployed. It's not enough time to deploy new tooling, document everything, and remediate architectural issues simultaneously. Prioritize ruthlessly.

Days 1–15: Boundary and inventory. Define your CUI boundary with precision. Which systems process, store, or transmit CUI? Draw the network diagram. List every system in scope. This drives everything else — controls only apply to in-scope systems. Shrinking scope by isolating CUI to a defined enclave is the single highest-leverage action you can take before an assessment. Use Microsoft Purview Information Protection or manual classification to identify where CUI actually lives.

Days 16–30: Configuration baseline. Run a NIST 800-171 gap assessment using your existing tools. Microsoft Secure Score provides a starting point for M365 posture. CrowdStrike's configuration assessment module covers endpoint baselines. Export results, map them to 800-171 control numbers, and build your gap list. Every gap needs an owner and a remediation date.

Days 31–60: Documentation sprint. Write or update the System Security Plan (SSP) — required by CA.2.158 and the primary artifact a C3PAO reviews before on-site work begins. Write the IR plan, the configuration management plan, the media protection policy, and the user access review procedure. These documents don't need to be long. They need to be accurate and specific to your environment. Generic templates downloaded from the internet that don't match your actual systems are a liability, not an asset.

Days 61–75: Evidence collection. For every configuration-based control, capture screenshots or configuration exports with dates. For every process-based control, collect the most recent execution evidence — last access review record, last patch report, last vulnerability scan. Build an evidence library organized by control number. This is what a C3PAO will request in their evidence request list (ERL) before the assessment begins.

Days 76–90: Internal mock assessment. Walk through the 800-171A assessment procedures for your highest-risk controls — the five listed above, plus your AC and IA controls. Identify remaining gaps. File POA&M entries for anything not remediated. A POA&M with realistic remediation dates is acceptable under CMMC; undisclosed gaps found by an assessor are not.

One tactical note on POA&Ms: under CMMC 2.0 final rules, certain controls are not POA&M-eligible. MFA (IA.3.083) must be fully implemented at time of assessment. No exceptions, no credit for partial implementation. Treat MFA, encryption of CUI at rest, and audit logging as hard requirements that must be green before you invite a C3PAO through the door.


The companies that pass C3PAO assessments on the first attempt aren't necessarily the most technically sophisticated — they're the ones who mapped their existing stack to specific control requirements and built evidence before the assessor arrived. Your tools are probably closer to compliant than you think. Your documentation almost certainly isn't.
