Circuit hologram against a closeup of a man working on a laptop

CMMC Level 2: 110 Controls and Why You Need a Partner

June 16th, 2026 by admin

A person working at a clean wooden office desk, using a laptop trackpad with one hand and a wireless keyboard with the other.

CMMC Level 2 Is 110 Controls. Here Is Why Most Companies Cannot Get There Alone.

CMMC Level 2 certification is not a checklist you hand to your IT department on a Friday afternoon. It is 110 security controls derived from NIST SP 800-171, a third-party assessment conducted by a certified C3PAO, and a compliance posture that has to be maintained every single day after you earn the certification. Miss any of it, and your DoD contract is at risk.

What CMMC Level 2 Actually Requires

The 110 controls span 14 domains: access control, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Each domain contains multiple controls, and each control requires specific technical implementations, documented policies, and verifiable evidence.

This is not a matter of installing a few tools and checking boxes. Access control alone requires you to limit system access to authorized users, control the flow of Controlled Unclassified Information, enforce separation of duties, employ the principle of least privilege, and restrict access to specific system functions. Each of those requirements translates into specific configurations across your identity provider, your file shares, your SaaS applications, your network infrastructure, and your endpoint management platform.

Then multiply that across all 14 domains. You begin to understand why companies that attempt CMMC without a dedicated compliance partner frequently find themselves six months behind schedule, over budget, and no closer to ready than when they started.

Why Mid-Market Companies Underestimate CMMC

Most companies that attempt this journey underestimate it badly. They read the requirements, assume their existing MSP can handle the technical lift, and discover months later that they are nowhere close to ready. The documentation alone fills binders. The technical controls require architectural changes to how data flows through your environment. And the assessment itself will expose every shortcut and workaround your team has accumulated over the years.

The underestimation happens because the requirements read as straightforward on paper. Limit system access to authorized users. Sounds simple. Until you realize that means conducting a full access review across every system in your environment, documenting who has access to what and why, implementing role-based access controls, configuring conditional access policies, deploying privileged access management, and then maintaining all of it with regular reviews and attestations. That is one control. You have 109 more.

The Structural Gaps That Block Certification

Here is what makes CMMC particularly challenging for businesses between 10 and 500 employees. You do not have a dedicated compliance officer. You do not have a security operations center. You may not even have a clear picture of where Controlled Unclassified Information lives in your environment right now. These are not small gaps. They are structural.

Most companies at this size also lack the documentation infrastructure that CMMC demands. You need a System Security Plan that describes your entire technology environment, how each control is implemented, and where responsibilities are assigned. You need a Plan of Action and Milestones for any controls that are not yet fully implemented. You need evidence artifacts for every control: screenshots, configuration exports, policy documents, training records, testing logs. The documentation burden alone requires dedicated resources that most mid-market companies do not have.

What a Full-Lifecycle CMMC Partner Delivers

The companies that succeed at CMMC share one thing in common: they chose a partner who owns the entire lifecycle. Not a consultant who writes a report and disappears. Not an MSP who can handle the technology but has never touched compliance documentation. A single partner who maps the gaps, builds the compliant infrastructure, prepares your team for the assessment, and then operates as your CMMC-compliant managed service provider on the other side.

A full-lifecycle partner starts with a gap assessment that maps your current environment against all 110 controls. They identify exactly where you stand, where the gaps are, and what it will take to close them. They build a prioritized roadmap that accounts for your timeline, your budget, and what your contract actually requires.

Then they build the compliant infrastructure. Not overbuild it. Right-size it. Every solution is matched to your organization, your timeline, and the specific controls you need to satisfy. They implement the technical controls, draft the documentation, train your team, and prepare your evidence artifacts so that when the C3PAO arrives for your assessment, nothing surprises you.

Certification Is the Starting Line, Not the Finish

That last piece matters more than most companies realize. Certification is not the finish line. It is the starting line. Your compliance posture has to be maintained continuously. Controls drift. Employees change. Technology evolves. Configurations get modified during troubleshooting and never get reverted. New applications get deployed without a compliance review. Without a partner who lives under CMMC compliance every day, your hard-won certification starts eroding the moment the auditor walks out the door.

This is why the ongoing managed service relationship is the most valuable part of the partnership. A CMMC-compliant MSP does not just maintain your systems. They maintain your compliance posture. They catch the configuration drift before it becomes a finding. They update your documentation when your environment changes. They keep your evidence artifacts current. They make sure that when your next assessment comes around, you are ready without a last-minute scramble.

Your Deadline Is Not Moving

Your assessment date is not moving. The 110 controls are not optional. And the difference between passing and losing your contract comes down to whether your partner has done this before or is learning alongside you.

Choose the partner who has built the roadmap. Who knows where the gaps hide? Who can get you to certification at a cost that makes sense for your business? And who will still be there maintaining your posture long after the certificate is framed on the wall?

From the first assessment to certified and protected. That is the only journey that matters.

Start your CMMC journey with a free gap assessment

Posted in: Solutions