May 1, 2025

CMMC Level 2: Understanding CUI Assessment Requirements


In December 2024, the 48 Code of Federal Regulations (CFR) Rule went into effect. This made CMMC LVL 2 certification a requirement for organizations seeking Department of Defense (DoD) contracts and also started a four-phase rollout plan for certification requirements going forward. During Phase 1 of the rollout plan, solicitations require LVL 1 and LVL 2 self-assessments, where applicable. Phase 2 begins in December 2025 and will require LVL 2 certification. In this article, I want to focus on CMMC LVL 2 certification.

[Figure: Phases of CMMC Implementation]

CMMC Level 2 Certification

CMMC LVL 2 certification is primarily obtained through a third-party assessment by a CMMC Third Party Assessor Organization (C3PAO). An organization can perform a self-assessment if the Controlled Unclassified Information (CUI) it handles falls outside the defense organizational grouping, but it will still need to meet all 110 requirements (320 objectives) and upload the results into the Supplier Performance Risk System (SPRS). Therefore, third-party certification is the typical and recommended route for CMMC LVL 2 certification.

Self-Assessment vs. Third Party Certification

What differentiates self-assessment from third-party certification? The answer lies in the type of CUI your company handles. CUI is split into two types: CUI Basic and CUI Specified. However, the real distinction is based on the organizational index grouping found in the CUI Registry.

Understanding CUI Registry

The CUI Registry groups CUI categories into organizational "buckets". If your company handles CUI in the Defense grouping, including Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, Privileged Safety Information, and Unclassified Controlled Nuclear Information – Defense, then you will need to get your company certified by a C3PAO. If your company handles CUI that falls outside the National Archives CUI Registry Defense organizational grouping, then you can perform a self-assessment for Level 2 compliance, ensuring your company meets 100% of the NIST SP 800-171 Rev. 2 requirements.

Making the Right Choice

Understanding the CUI Registry is essential for determining the appropriate Level 2 path. If you are unsure about CMMC and which level your company needs, consult your local APEX Accelerator or sign up for our free services by emailing empireapex@nystec.com.
