CMMC Level 2 and NIST SP 800-171: Protecting CUI the Right Way

by NOXMON Risk Team, Cybersecurity & Risk Management Experts

For defense contractors that handle Controlled Unclassified Information (CUI), CMMC Level 2 is the threshold that matters. Where Level 1 covers 17 basic practices for Federal Contract Information, Level 2 aligns to all 110 security requirements of NIST SP 800-171 and, for most contracts, requires a third-party assessment by a C3PAO. The jump in rigor is substantial—and so is the business at stake.

NOXMON helps contractors clear that bar with the RISKMON platform.

The Scale of Level 2

Dimension         CMMC Level 1                CMMC Level 2
Protects          FCI                         CUI
Control source    17 FAR practices            110 NIST SP 800-171 controls
Assessment        Annual self-assessment      C3PAO third-party (every 3 years)
Scoring           Pass/fail                   SPRS score, max 110

Risk-Prioritized Implementation

Trying to implement 110 controls evenly is how programs stall. NOXMON uses RISKMON to map your CUI data flows, model the threats against them, and prioritize the controls that remove the most risk first. That sequencing keeps momentum and gets your SPRS score climbing quickly.

Top tip

Not all 110 controls carry equal weight in the SPRS scoring model—some deduct 5 points if unmet. RISKMON aligns risk-based prioritization with SPRS impact, so your roadmap improves both your security and your score at the same time.

Scoping CUI Precisely

Level 2 assessments hinge on correctly identifying where CUI lives and how it moves. Over-scope and you'll secure systems that never touch CUI; under-scope and you'll fail. NOXMON's RISKMON-driven asset categorization separates CUI assets, security protection assets, and out-of-scope systems with documented justification.

NIST SP 800-171 controls assessed at Level 2: 110
C3PAO assessment cycle: 3 years
Maximum SPRS score: 110

The Bottom Line

CMMC Level 2 is demanding, but it's achievable with the right sequencing and evidence. NOXMON combines defense-sector experience with the RISKMON platform to protect CUI, maximize your SPRS score, and walk into a C3PAO assessment ready.

Prepare for CMMC Level 2 with NOXMON and RISKMON.
