CMMC

Josef Kamara, CPA, CISSP, CISA · Updated May 2, 2026 · 1 minute read

CMMC Level 2

The CMMC tier required for any defense contractor that processes, stores, or transmits Controlled Unclassified Information. Level 2 requires implementation of all 110 controls in NIST SP 800-171 Revision 2, an assessment by a Certified Third-Party Assessment Organization, and a passing score against 320 individual assessment objectives. Reciprocity is allowed for FedRAMP Moderate cloud services hosting CUI.

From the library

The full analysis on CMMC Level 2.

The article is where the term meets the practitioner. Read how this concept actually shows up in audit, in remediation, and in the boardroom.

Read the analysis →
The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.