CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2 is the Department of Defense requirement for contractors that handle Controlled Unclassified Information (CUI), and it is being phased into DoD contracts. For Ohio manufacturers and defense contractors in the DoD supply chain, CMMC Level 2 is no longer optional: once it appears in a solicitation, it is a condition of contract award. This guide explains what Level 2 requires, how assessments work, and what Ohio contractors must do now.
CMMC 2.0 Level 2 aligns to the 110 security requirements in NIST SP 800-171 Revision 2. These requirements span 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
Every one of the 110 practices must be implemented and documented. Level 1 is always a self-assessment. Level 2 comes in two forms, and the contract tells you which applies: Level 2 (Self) is an annual self-assessment with results entered in SPRS, while Level 2 (C3PAO) requires an assessment by an authorized third-party assessment organization every three years. Contracts involving the more sensitive categories of CUI use the C3PAO form, and for those you cannot self-certify.
The cornerstone of CMMC Level 2 compliance is the System Security Plan — a written document describing your organization's information systems, the security requirements applicable to each, and how those requirements are implemented. The SSP must cover every system that stores, processes, or transmits CUI. Without a complete SSP, C3PAO assessors cannot evaluate your environment.
Ohio contractor reality check: Most Ohio manufacturers in the DoD supply chain do not have a completed SSP. This is the highest-priority first step for any contractor beginning their CMMC journey.
If any of the 110 NIST 800-171 practices are not yet fully implemented, they must be documented in a Plan of Action & Milestones (POA&M). The POA&M identifies each open finding, the remediation action, the responsible party, and the target completion date. CMMC permits a POA&M at the time of a Level 2 assessment only within limits: the assessment score must be at least 88 of 110, only practices weighted 1 point in the CMMC Scoring Methodology may remain open (SC.L2-3.13.11, CUI encryption, is the one exception when encryption is in place but not FIPS-validated), and five practices (AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5) can never be on a POA&M. The result is a conditional certification, and every POA&M item must be closed out within 180 days or the conditional status lapses.
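To make the POA&M limits concrete, here is an added worked example (not the page's or Securafy's code) that scores a set of practices and reports which open items would block a conditional Level 2 certification. It encodes the 88-of-110 threshold, the 1-point rule with the SC.L2-3.13.11 exception, and the five never-POA&M practices. The point weights attached to the sample practices are constructed for illustration; real weights come from the CMMC Scoring Methodology, and any practice not listed is assumed implemented.

```python
"""POA&M eligibility check for a CMMC Level 2 assessment (illustrative).

Added example, not part of the original page. Rules encoded:
  - score = 110 minus the point weights of unimplemented practices
  - a POA&M is permitted only if score >= 88 (80% of 110)
  - only 1-point practices may stay open, except SC.L2-3.13.11
  - five named practices may never be on a POA&M
Weights in the sample data are constructed, not the official table.
"""
from dataclasses import dataclass

TOTAL_PRACTICES = 110
MIN_SCORE = int(0.8 * TOTAL_PRACTICES)  # 88

# Practices that can never be deferred to a POA&M at assessment time.
NEVER_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
# The one practice weighted above 1 point that may still be on a POA&M
# (when encryption is deployed but not yet FIPS-validated).
WEIGHT_EXCEPTION = {"SC.L2-3.13.11"}


@dataclass(frozen=True)
class Practice:
    pid: str          # CMMC practice identifier, e.g. "AC.L2-3.1.1"
    weight: int       # 1, 3 or 5 per the scoring methodology (constructed here)
    implemented: bool


def score(practices):
    """Assessment score: start at 110 and deduct each open practice's weight."""
    deductions = sum(p.weight for p in practices if not p.implemented)
    return TOTAL_PRACTICES - deductions


def poam_blockers(practices):
    """Open practices that are not allowed to sit on a POA&M."""
    return sorted(
        p.pid for p in practices
        if not p.implemented
        and (p.pid in NEVER_POAM
             or (p.weight > 1 and p.pid not in WEIGHT_EXCEPTION))
    )


def poam_permitted(practices):
    """True if the open items could be carried on a POA&M at assessment."""
    return score(practices) >= MIN_SCORE and not poam_blockers(practices)


# Constructed sample data (weights illustrative, not the official table).
READY = [
    Practice("AC.L2-3.1.1", 5, True),
    Practice("CM.L2-3.4.3", 1, False),    # change tracking still in progress
    Practice("AT.L2-3.2.3", 1, False),    # insider-threat training pending
    Practice("SC.L2-3.13.11", 3, False),  # encryption deployed, not FIPS-validated
]

NOT_READY = READY + [
    Practice("AC.L2-3.1.20", 1, False),   # external connections: never POA&M
    Practice("SI.L2-3.14.2", 5, False),   # weighted 5: cannot be deferred
]


if __name__ == "__main__":
    for name, env in (("READY", READY), ("NOT_READY", NOT_READY)):
        print(name, "score:", score(env),
              "blockers:", poam_blockers(env),
              "POA&M permitted:", poam_permitted(env))
```

Run this against your own gap-assessment output (one Practice per row, real weights filled in) and the blockers list is the set of items that must be remediated before the C3PAO arrives rather than after.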
Securafy's Comply-CARE tier includes all 110 NIST 800-171 practices implemented and documented, SSP development and maintenance, POA&M management, quarterly automated penetration testing, and C3PAO assessment preparation support. We have supported Ohio defense contractors through the full CMMC readiness process — from initial gap assessment through final assessment preparation.
CMMC 2.0 requirements are being phased into DoD contracts, with the rollout starting in 2025 and Level 2 requirements appearing in contracts that involve CUI. Ohio defense contractors should begin their CMMC journey now: readiness work typically takes 6 to 18 months depending on current security posture, the C3PAO assessment itself adds several more months, and contract opportunities require demonstrated compliance.
CMMC Level 1 requires 15 basic safeguarding practices (those in FAR 52.204-21) and allows annual self-assessment. Level 2 requires all 110 NIST SP 800-171 practices and, for contracts involving sensitive CUI, a triennial third-party assessment by an authorized C3PAO, with an annual affirmation of continued compliance in between. Level 2 is significantly more rigorous than Level 1.
A C3PAO (CMMC Third-Party Assessment Organization) is an organization authorized by the Cyber AB, the CMMC accreditation body, to conduct official CMMC Level 2 assessments. You can find authorized C3PAOs through the Cyber AB Marketplace. Securafy can help you prepare your environment for assessment and coordinate with your chosen C3PAO.
The assessment process typically takes 3–6 months from engagement with a C3PAO, depending on the scope of your CUI environment. Preparation — getting your SSP documented, all 110 practices implemented, and your POA&M addressed — typically takes 6–18 months before you are ready for assessment. Starting early is critical.
Start with a free 47-point security and network assessment — no obligation, no upsell.
Book a Free Strategy Call → 📞 (330) 906-8888