CMMC Level 2

CMMC Level 2

Processes: Documented
Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.

Level 2 Required Processes:
ML.2.999: Establish a policy that includes [DOMAIN NAME].
o Reference: CERT RMM v1.2 GG2.GP1 subpractice 2
o Publicly Available Resources (Templates/Guides/Examples/etc.)

ML.2.998: Document the CMMC practices to implement the [DOMAIN NAME] policy.
o Reference: CERT RMM v1.2 GG2.GP2 subpractice 2
o Publicly Available Resources (Templates/Guides/Examples/etc.)

Practices: Intermediate Cyber Hygiene
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices reference the protection of CUI.

Achieving CMMC Level 2 requires the implementation of the practices listed below plus CMMC Level 1 Practices