CMMC Level 2
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a DoD requirement for all defense contractors and subcontractors handling Controlled Unclassified Information (CUI). Level 2, the most common certification level, aligns directly with NIST SP 800-171 and requires 110 security practices.
Infracast ships 67 automated rules mapped to CMMC Level 2 practices, plus questionnaire-driven attestation workflows (Build 38) for practices that cannot be evaluated by scanning infrastructure alone.
CMMC 2.0 Overview
| Level | Practices | Who Needs It | Assessment |
|---|---|---|---|
| Level 1 | 17 | All DoD contractors | Annual self-assessment |
| Level 2 | 110 | CUI handlers | Triennial 3PAO or self-assessment |
| Level 3 | 110+ | High-priority CUI, critical programs | Government-led assessment |
Most prime contractors and their subcontractors fall under Level 2.
CMMC certification became a contract requirement in 2024. Contracts in the DoD acquisition system now include CMMC clauses (DFARS 252.204-7012, 7019, 7020, 7021).
How Infracast Maps to CMMC Practices
CMMC Level 2's 110 practices map to 14 domains. Infracast provides automated checks across the technically measurable domains:
| Domain | ID | Automated Rules | Description |
|---|---|---|---|
| Access Control | AC | 14 | Least privilege, remote access, CUI access |
| Audit & Accountability | AU | 8 | Logging, audit review, audit protection |
| Configuration Management | CM | 9 | Baseline configs, software restrictions, change control |
| Identification & Authentication | IA | 7 | MFA, password complexity, account management |
| Incident Response | IR | 3 | Incident detection, reporting |
| Maintenance | MA | 2 | Remote maintenance controls |
| Media Protection | MP | 2 | Encryption of media |
| Personnel Security | PS | 0 | Attestation-only |
| Physical Protection | PE | 0 | Attestation-only |
| Risk Assessment | RA | 5 | Vulnerability scanning, risk analysis |
| Security Assessment | CA | 3 | Monitoring, system assessment |
| System & Comms Protection | SC | 10 | Encryption, network boundary, CUI in transit |
| System & Info Integrity | SI | 4 | Malware, patching, alerts |
| Awareness & Training | AT | 0 | Attestation-only |
Sample Automated Rules
| Rule ID | Practice | Description |
|---|---|---|
| CMMC-AC.1.001 | AC.1.001 | Limit system access to authorized users |
| CMMC-AC.2.005 | AC.2.005 | Provide privacy and security notices |
| CMMC-IA.3.083 | IA.3.083 | Require MFA for all accounts |
| CMMC-SC.3.177 | SC.3.177 | Encrypt CUI at rest |
| CMMC-SC.3.183 | SC.3.183 | Deny by default, allow by exception |
| CMMC-SI.2.214 | SI.2.214 | Check for security vulnerabilities in software |
Questionnaire Templates for Non-Automatable Practices (Build 38)
Many CMMC practices require human evidence: personnel security, physical protection, awareness training, and incident response planning. Infracast provides pre-built questionnaire templates for each domain:
Using Questionnaire Templates
```
# List available CMMC templates
GET /api/v1/tenants/{tenantID}/questionnaires/templates?framework=cmmc-l2

# Create a questionnaire from the AT (Awareness & Training) template
POST /api/v1/tenants/{tenantID}/questionnaires/from-template
{
  "template_id": "cmmc-l2-at",
  "title": "CMMC L2 AT Domain Assessment - Q1 2024",
  "assignees": ["training-coordinator@company.com"]
}
```
Pre-Built Templates
| Template | Domain | Practices |
|---|---|---|
| cmmc-l2-at | Awareness & Training | AT.2.056, AT.2.057, AT.3.058 |
| cmmc-l2-pe | Physical Protection | PE.1.131, PE.1.132, PE.2.135 |
| cmmc-l2-ps | Personnel Security | PS.2.127, PS.3.131 |
| cmmc-l2-ir | Incident Response | IR.2.092, IR.2.093, IR.2.097 |
| cmmc-l2-ma | Maintenance | MA.2.111, MA.2.112, MA.3.115 |
Evidence Workflow
```
Questionnaire Created
        │
        ▼
Assigned to Responsible Party
        │
        ▼
Respondent Answers + Uploads Evidence
        │
        ▼
Reviewer Approves / Requests Changes
        │
        ▼
Control Marked Attested (with expiry)
```
Each attested control contributes to your overall CMMC score alongside automated findings.
Assessment Workflow
Full CMMC Level 2 Assessment
- Discovery: Run discovery across your CUI environment (cloud, on-prem via agent/relay)
- Automated scoring: 67 automated rules evaluate your infrastructure posture
- Gap identification: Review the gap report for failing and unattested controls
- Questionnaire completion: Assign domain-specific questionnaires for manual practices
- Evidence collection: Upload policies, training records, physical access logs
- SSP generation: Generate your System Security Plan
```
# Run the audit engine for CMMC
POST /api/v1/tenants/{tenantID}/findings/run
{
  "framework": "cmmc-l2"
}

# Get the gap report
GET /api/v1/tenants/{tenantID}/controls/gaps?framework=cmmc-l2

# Export CMMC compliance report
POST /api/v1/tenants/{tenantID}/reports/generate
{
  "type": "framework",
  "framework": "cmmc-l2",
  "format": "pdf"
}
```
SPRS Score
Infracast calculates your Supplier Performance Risk System (SPRS) score, the value you self-report to DoD, based on your automated and attested control results. The score ranges from -203 (maximum deficiencies) to +110 (all practices met).
```
GET /api/v1/tenants/{tenantID}/compliance/summary?framework=cmmc-l2

# Returns SPRS score alongside control breakdown
{
  "framework": "cmmc-l2",
  "sprs_score": 87,
  "controls_passing": 98,
  "controls_failing": 8,
  "controls_attested": 12,
  "controls_not_assessed": 2
}
```
Self-reported SPRS scores must be submitted to the Supplier Performance Risk System (SPRS) portal at https://www.sprs.csd.disa.mil. Infracast generates the documentation but does not submit on your behalf.
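The summary above combines automated findings with questionnaire attestations, and the Evidence Workflow marks each attested control with an expiry. The following added example (not Infracast's code) shows how those two rules interact when computing the score: it applies the formula the page states (110 minus the weights of practices not shown to be implemented) and drops any attestation whose expiry date has passed. The practice weights, the sample results and the rule that an unassessed or lapsed practice counts as not implemented are assumptions made for the illustration; the official per-practice weights come from the DoD NIST SP 800-171 Assessment Methodology, and unlisted practices are assumed implemented here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Union

# CONSTRUCTED weights for a handful of practices. The DoD assessment
# methodology assigns every practice a weight of 1, 3 or 5; these values are
# placeholders for the illustration, not the official table.
PRACTICE_WEIGHTS: Dict[str, int] = {
    "AC.1.001": 5,
    "AC.2.005": 1,
    "IA.3.083": 5,
    "SC.3.177": 5,
    "SC.3.183": 5,
    "SI.2.214": 5,
    "AT.2.056": 3,
    "PE.1.131": 5,
}


@dataclass(frozen=True)
class PracticeResult:
    practice: str
    status: str                      # "pass", "fail", "attested" or "not_assessed"
    expires_on: Optional[date] = None  # attestation expiry; only used for "attested"


def attestation_is_valid(result: PracticeResult, as_of: date) -> bool:
    """An attestation counts only while its expiry date has not passed."""
    if result.status != "attested":
        return False
    return result.expires_on is None or result.expires_on >= as_of


def sprs_summary(results: List[PracticeResult],
                 weights: Dict[str, int] = PRACTICE_WEIGHTS,
                 as_of: Union[date, str, None] = None,
                 max_score: int = 110) -> dict:
    """Score = max_score minus the weights of every practice not shown to be
    implemented. ASSUMPTION: a practice that was never assessed, or whose
    attestation has lapsed, is treated as not implemented and deducted."""
    if as_of is None:
        as_of = date.today()
    elif isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    by_practice = {r.practice: r for r in results}
    counts = {"controls_passing": 0, "controls_failing": 0,
              "controls_attested": 0, "controls_not_assessed": 0}
    deductions = 0
    for practice, weight in weights.items():
        r = by_practice.get(practice)
        if r is None or r.status == "not_assessed" or (
                r.status == "attested" and not attestation_is_valid(r, as_of)):
            counts["controls_not_assessed"] += 1   # includes lapsed attestations
            deductions += weight
        elif r.status == "pass":
            counts["controls_passing"] += 1
        elif r.status == "attested":
            counts["controls_attested"] += 1       # valid, unexpired attestation
        elif r.status == "fail":
            counts["controls_failing"] += 1
            deductions += weight
        else:
            raise ValueError(f"unknown status {r.status!r} for {practice}")
    return {"framework": "cmmc-l2", "sprs_score": max_score - deductions, **counts}


# CONSTRUCTED sample: automated findings plus two questionnaire attestations.
SAMPLE_RESULTS = [
    PracticeResult("AC.1.001", "pass"),
    PracticeResult("AC.2.005", "fail"),
    PracticeResult("IA.3.083", "pass"),
    PracticeResult("SC.3.177", "fail"),
    PracticeResult("SC.3.183", "pass"),
    PracticeResult("SI.2.214", "attested", date(2024, 12, 31)),
    PracticeResult("AT.2.056", "attested", date(2024, 3, 31)),
    # PE.1.131 has no result at all: never assessed, so its weight is deducted.
]


def sample_summary(as_of: Union[date, str]) -> dict:
    """Score the constructed sample as of a given date (ISO string or date)."""
    return sprs_summary(SAMPLE_RESULTS, as_of=as_of)


if __name__ == "__main__":
    print(sample_summary("2024-06-30"))  # AT attestation has lapsed
    print(sample_summary("2024-03-01"))  # AT attestation still valid
```

Run with two dates to see the effect of expiry: the same questionnaire answer counts as attested on 2024-03-01 but falls into `controls_not_assessed` on 2024-06-30, and the score drops by that practice's weight. This is why attestation expiry dates deserve a renewal reminder well before a triennial assessment.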
CUI Environment Scoping
CMMC only applies to systems that store, process, or transmit CUI. Use Infracast's application layer to define your CUI boundary:
```
# Create an application representing your CUI boundary
POST /api/v1/tenants/{tenantID}/applications
{
  "name": "CUI Enclave",
  "description": "Systems in scope for CMMC assessment",
  "tags": ["cmmc-in-scope", "cui"]
}

# Map resources to the CUI enclave
POST /api/v1/tenants/{tenantID}/applications/{appID}/resources
{
  "resource_ids": [
    "aws:us-east-1:aws.ec2.instance:web-prod-01",
    "aws:us-east-1:aws.rds.db_instance:cui-db"
  ]
}
```
Compliance scoring and evidence collection can then be scoped to your CUI application boundary.
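As an added example (not Infracast's code), the script below shows how a team might derive the CUI boundary from tagged inventory and then keep only the findings that belong inside it, so that a failing rule on an out-of-scope asset does not count against the CMMC score. The in-scope tags are the two the page uses on the "CUI Enclave" application; the `data_classification` metadata key, the inventory, the resource ids other than the two on the page, and the finding records are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Tags the page attaches to the CUI Enclave application; a resource carrying
# either is treated as in scope. The metadata key is an ASSUMED convention.
IN_SCOPE_TAGS = frozenset({"cmmc-in-scope", "cui"})
CLASSIFICATION_KEY = "data_classification"


@dataclass(frozen=True)
class Resource:
    resource_id: str                          # provider:region:type:name, as on the page
    tags: FrozenSet[str] = frozenset()
    metadata: Dict[str, str] = field(default_factory=dict)


def is_in_scope(res: Resource) -> bool:
    """Inside the CUI boundary if tagged for it, or if node metadata
    classifies it as CUI (the metadata rule is the assumed part)."""
    if res.tags & IN_SCOPE_TAGS:
        return True
    return res.metadata.get(CLASSIFICATION_KEY, "").upper() == "CUI"


def enclave_payload(inventory: List[Resource]) -> dict:
    """Body for POST .../applications/{appID}/resources: every in-scope
    resource id exactly once, sorted so repeated runs diff cleanly."""
    ids = sorted({r.resource_id for r in inventory if is_in_scope(r)})
    return {"resource_ids": ids}


def scope_findings(findings: List[dict], inventory: List[Resource]) -> dict:
    """Split findings into those on in-scope resources (they count toward the
    CMMC score) and those that fall outside the boundary."""
    in_scope_ids = set(enclave_payload(inventory)["resource_ids"])
    inside: List[dict] = []
    outside: List[dict] = []
    for f in findings:
        (inside if f["resource_id"] in in_scope_ids else outside).append(f)
    return {"in_scope": inside, "out_of_scope": outside}


# CONSTRUCTED inventory: two ids from the page plus two invented ones.
SAMPLE_INVENTORY = [
    Resource("aws:us-east-1:aws.ec2.instance:web-prod-01", frozenset({"cui"})),
    Resource("aws:us-east-1:aws.rds.db_instance:cui-db", frozenset({"cmmc-in-scope"})),
    Resource("aws:us-east-1:aws.s3.bucket:contract-docs",
             metadata={"data_classification": "CUI"}),   # untagged, caught by metadata
    Resource("aws:us-west-2:aws.ec2.instance:marketing-site", frozenset({"public"})),
]

# CONSTRUCTED findings in the shape of rule-per-resource results.
SAMPLE_FINDINGS = [
    {"rule_id": "CMMC-SC.3.177", "resource_id": "aws:us-east-1:aws.rds.db_instance:cui-db", "status": "fail"},
    {"rule_id": "CMMC-IA.3.083", "resource_id": "aws:us-east-1:aws.ec2.instance:web-prod-01", "status": "pass"},
    {"rule_id": "CMMC-SC.3.177", "resource_id": "aws:us-east-1:aws.s3.bucket:contract-docs", "status": "fail"},
    {"rule_id": "CMMC-SC.3.183", "resource_id": "aws:us-west-2:aws.ec2.instance:marketing-site", "status": "fail"},
]


def sample_scoped() -> dict:
    return scope_findings(SAMPLE_FINDINGS, SAMPLE_INVENTORY)


if __name__ == "__main__":
    print(enclave_payload(SAMPLE_INVENTORY))
    print(sample_scoped()["out_of_scope"])
```

The untagged bucket is the case to watch: relying on tags alone would leave a CUI-bearing asset outside the enclave, so the scoping rule also reads the classification metadata and the resulting payload is what gets mapped to the application. The marketing host's failing deny-by-default finding is still worth fixing, but it does not belong in the CMMC gap report.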
CMMC Assessment Report
Infracast generates a complete CMMC 2.0 Level 2 assessment report from your discovered infrastructure and NIST 800-171 / CMMC rule pack findings.
What's included:
- 14-domain practice assessment (AC, AT, AU, CM, IA, IR, MA, MP, PE, PS, RA, CA, SC, SI)
- SPRS score auto-calculated (110 minus unimplemented practice weights)
- CUI asset inventory auto-detected from topology tags and node metadata
- Gap analysis with remediation priorities
- Plan of Action outline
Generate via UI: Documents > Generate > CMMC Assessment Report
DocType: cmmc_report
Required questionnaire fields: Organization name, CUI description, enclave boundaries, SPRS target score, assessment date.
Next Steps
- NIST 800-53 Guide: CMMC L2 is aligned to NIST 800-171/800-53
- FedRAMP Guide: for cloud services supporting federal contracts
- API: Findings: query CMMC findings programmatically