CMMC 2.0 Level 2 Requirements: A Checklist for Connecticut Defense Manufacturers

April 10, 2026

What Is CMMC 2.0 Level 2 and Why Does It Matter for Connecticut Defense Manufacturers?

If your Connecticut business works with the U.S. Department of Defense (DoD), CMMC 2.0 compliance is no longer optional. The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a federal requirement that ensures defense contractors properly protect Controlled Unclassified Information (CUI).

Connecticut is home to one of the most active defense manufacturing sectors in the country. Companies across Hartford, New Haven, Bridgeport, and the entire state supply parts, systems, and services to the DoD. If your business handles CUI, you must meet CMMC 2.0 Level 2 requirements to continue working on federal contracts.

At Pronto System Solutions, we help Connecticut defense manufacturers understand, prepare for, and achieve CMMC 2.0 Level 2 compliance, so your business stays eligible for DoD contracts without disruption.

Who Needs CMMC 2.0 Level 2 Certification?

CMMC 2.0 has three levels. Level 1 covers basic cyber hygiene. Level 3 is for the most sensitive programs. Level 2 sits in the middle and applies to most defense contractors that handle CUI.

You likely need Level 2 certification if your Connecticut business manufactures or supplies components for defense systems; processes technical data or engineering drawings from the DoD; provides IT, logistics, or professional services to prime contractors; or is a subcontractor in the defense supply chain that receives or stores CUI.

The DoD has made it clear that CMMC requirements will be included in contracts across the defense industrial base. Failing to comply means losing contract eligibility.

CMMC 2.0 Level 2: The Core Framework

CMMC 2.0 Level 2 is based on NIST SP 800-171, which contains 110 security controls organized across 14 domains. Every one of these controls must be implemented or have an active plan of action to work toward implementation.

Here is a clear breakdown of each domain and what Connecticut manufacturers need to do.

CMMC 2.0 Level 2 Checklist for Connecticut Defense Manufacturers

1. Access Control (AC)

Limit access to your systems and CUI to only authorized users. This means setting up user accounts with the least privilege necessary, enforcing multi-factor authentication (MFA), controlling remote access, and logging who accesses what and when.

Checklist action: Review all user accounts, remove unused ones, and enforce MFA for all remote access connections.

2. Awareness and Training (AT)

Your employees are often the first line of defense. CMMC Level 2 requires that all staff who handle CUI understand cybersecurity risks and their responsibilities.

Checklist action: Implement annual cybersecurity awareness training for all employees. Document training completion records.

3. Audit and Accountability (AU)

You must log system activity, review those logs regularly, and protect them from tampering. This allows you to detect suspicious behavior and trace security incidents.

Checklist action: Enable audit logging on all systems that store or process CUI. Set up alerts for unusual activity and retain logs for at least 90 days.

4. Configuration Management (CM)

All systems must have a documented baseline configuration. Unauthorized software or changes to system settings must be prevented or flagged.

Checklist action: Create and maintain a configuration baseline for all workstations and servers. Use endpoint management tools to enforce those settings.

5. Identification and Authentication (IA)

Every user and device must be uniquely identified before accessing CUI. Passwords must meet complexity requirements, and MFA is required for privileged accounts.

Checklist action: Enforce strong password policies and deploy MFA across all accounts, especially admin and remote access accounts.

6. Incident Response (IR)

You must have a documented plan for responding to cybersecurity incidents. This includes detection, containment, recovery, and reporting to the DoD when required.

Checklist action: Write and test an incident response plan. Make sure your team knows their roles during a security event.

7. Maintenance (MA)

Any maintenance performed on your systems, especially remotely, must be controlled and documented. Maintenance tools must be authorized and tracked.

Checklist action: Keep a log of all maintenance activities. Ensure remote maintenance sessions are monitored and secured.

8. Media Protection (MP)

CUI stored on physical media such as USB drives, hard drives, or printed documents must be protected, labeled, and securely disposed of when no longer needed.

Checklist action: Inventory all removable media, restrict USB use where possible, and document a media sanitization process.

9. Personnel Security (PS)

Screen individuals before granting access to systems that hold CUI. Establish processes for revoking access when employees leave or change roles.

Checklist action: Implement pre-employment screening practices and an offboarding checklist that includes immediate account deactivation.

10. Physical Protection (PE)

Physical access to systems that store CUI must be restricted to authorized personnel. This includes server rooms, workstations, and any location where CUI is processed.

Checklist action: Install access controls such as key card systems or locks on server rooms. Log physical access to sensitive areas.

11. Risk Assessment (RA)

Conduct regular risk assessments to identify vulnerabilities in your environment. Scan for known vulnerabilities and address them promptly.

Checklist action: Schedule quarterly vulnerability scans and document a risk assessment at least once per year.

12. Security Assessment (CA)

Periodically evaluate your security controls to make sure they are working as intended. Document any gaps and create a Plan of Action and Milestones (POA&M) to address them.

Checklist action: Conduct an internal security assessment or engage a third-party assessor. Maintain your POA&M with realistic remediation timelines.

13. System and Communications Protection (SC)

Protect CUI as it moves across your network and the internet. Use encryption for data in transit, segment your network, and monitor communications for threats.

Checklist action: Deploy TLS encryption for email and web traffic. Segment your internal network to isolate CUI systems from general business systems.

14. System and Information Integrity (SI)

Keep your systems clean of malware and up to date with security patches. Monitor systems for unauthorized changes and respond quickly to threats.

Checklist action: Deploy endpoint detection and response (EDR) tools, enable automatic patching where possible, and monitor for malware activity daily.


Do Connecticut Defense Manufacturers Need a Third-Party Assessment?

CMMC 2.0 Level 2 allows some contractors to self-attest, meaning you confirm your own compliance. However, DoD contracts that involve higher-priority programs may require a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).

Understanding which path applies to your Connecticut business is critical. Pronto System Solutions can help you determine your specific assessment requirements and prepare your documentation so you are ready for either scenario.

How Pronto System Solutions Helps Connecticut Manufacturers Achieve CMMC Compliance

Pronto System Solutions is a trusted IT and cybersecurity partner serving defense manufacturers across Connecticut. We understand the unique challenges facing small and mid-sized manufacturers in the state’s defense supply chain.

Our CMMC compliance services include gap assessments against all 110 NIST SP 800-171 controls, system security plan (SSP) development, POA&M creation and management, employee cybersecurity training, and ongoing managed security services to maintain compliance over time.

We work with manufacturers in Hartford County, New Haven County, Fairfield County, and throughout Connecticut to implement practical, cost-effective solutions that meet DoD requirements without disrupting your operations.

Start Your CMMC 2.0 Compliance Journey Today

Connecticut defense manufacturers cannot afford to wait on CMMC compliance. DoD contracts are increasingly requiring certification, and the process takes time to complete properly.

Contact Pronto System Solutions today to schedule a free CMMC readiness consultation. We will assess your current posture, identify gaps, and give you a clear roadmap to Level 2 certification.

Visit us at prontosystemsolutions.com or call us to speak directly with a Connecticut cybersecurity expert.
