CMMC 2.0 Level 2 (NIST SP 800-171)
Cybersecurity Maturity Model Certification 2.0 Level 2 — the controls (derived from NIST SP 800-171) that U.S. defense contractors must meet to handle Controlled Unclassified Information (CUI). EchelonGraph live-scores the technical practices against your cloud posture so you enter the assessment with evidence, not spreadsheets.
Authorized Access Control
Limit system access to authorized users and processes.
Least Privilege
Employ least privilege, including for privileged accounts.
Monitor & Control Remote Access
Monitor and control remote-access sessions.
System Auditing
Create and retain system audit logs.
Multifactor Authentication
Use MFA for local and network access to privileged accounts.
Data in Transit
Use cryptography to protect CUI in transit.
FIPS-Validated Cryptography
Employ FIPS-validated cryptography to protect CUI.
Data at Rest
Protect the confidentiality of CUI at rest.
Flaw Remediation
Identify, report, and correct system flaws in a timely manner.
System Baselining
Establish and maintain baseline configurations.
Audit Information Protection
Protect audit information from unauthorized modification.
Vulnerability Scanning
Scan for vulnerabilities periodically and on new disclosures.