CMMC Level 2 Controls List: All 110 Requirements
All 110 CMMC Level 2 security requirements from NIST SP 800-171 Revision 2, grouped by family, with the SPRS point weight each carries under the DoD Assessment Methodology. Requirement IDs use the official CMMC Level 2 format. Verified against 32 CFR Part 170 and the current assessment ecosystem, July 2026.
Access Control (AC)
Limit system access to authorized users, processes, and devices, and limit the types of transactions and functions that authorized users are permitted to execute.
Mac angle: identity is the control plane - IdP-bound accounts, MDM screen-lock and session policies, and per-app VPN stand in for the GPO-era controls.
AC.L2-3.1.1 Authorized Access Control 5 pts
AC.L2-3.1.2 Transaction & Function Control 5 pts
AC.L2-3.1.3 Control CUI Flow 5 pts
AC.L2-3.1.4 Separation of Duties 3 pts
AC.L2-3.1.5 Least Privilege 5 pts
AC.L2-3.1.6 Non-Privileged Account Use 3 pts
AC.L2-3.1.7 Privileged Functions 3 pts
AC.L2-3.1.8 Unsuccessful Logon Attempts 3 pts
AC.L2-3.1.9 Privacy & Security Notices 1 pt
AC.L2-3.1.10 Session Lock 3 pts
AC.L2-3.1.11 Session Termination 3 pts
AC.L2-3.1.12 Control Remote Access 5 pts
AC.L2-3.1.13 Remote Access Confidentiality 5 pts
AC.L2-3.1.14 Remote Access Routing 3 pts
AC.L2-3.1.15 Privileged Remote Access 3 pts
AC.L2-3.1.16 Wireless Access Authorization 3 pts
AC.L2-3.1.17 Wireless Access Protection 3 pts
AC.L2-3.1.18 Mobile Device Connection 3 pts
AC.L2-3.1.19 Encrypt CUI on Mobile Devices 3 pts
AC.L2-3.1.20 External Connections 5 pts
AC.L2-3.1.21 Portable Storage Use 3 pts
AC.L2-3.1.22 Control Public Information 3 pts
Awareness and Training (AT)
Ensure that personnel are aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational systems.
Mac angle: platform-neutral - training records and acknowledgments carry this family regardless of endpoint OS.
AT.L2-3.2.1 Role-Based Risk Awareness 3 pts
AT.L2-3.2.2 Role-Based Training 3 pts
AT.L2-3.2.3 Insider Threat Awareness 1 pt
Audit and Accountability (AU)
Create, protect, and retain information system audit records to enable monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
Mac angle: the unified log plus MDM/EDR forwarding cover generation; retention off-device is the usual Mac gap.
AU.L2-3.3.1 System Auditing 5 pts
AU.L2-3.3.2 User Accountability 5 pts
AU.L2-3.3.3 Event Review 1 pt
AU.L2-3.3.4 Audit Failure Alerting 3 pts
AU.L2-3.3.5 Audit Correlation 3 pts
AU.L2-3.3.6 Reduction & Reporting 3 pts
AU.L2-3.3.7 Authoritative Time Source 1 pt
AU.L2-3.3.8 Audit Protection 3 pts
AU.L2-3.3.9 Audit Management 3 pts
Configuration Management (CM)
Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles.
Mac angle: MDM configuration profiles and mSCP baselines are the enforcement mechanism; declarative management is the audit trail.
CM.L2-3.4.1 System Baselining 5 pts
CM.L2-3.4.2 Security Configuration Enforcement 5 pts
CM.L2-3.4.3 System Change Management 3 pts
CM.L2-3.4.4 Impact Analysis 3 pts
CM.L2-3.4.5 Access Restrictions for Change 3 pts
CM.L2-3.4.6 Least Functionality 3 pts
CM.L2-3.4.7 Nonessential Functionality 3 pts
CM.L2-3.4.8 Application Execution Policy 3 pts
CM.L2-3.4.9 User-Installed Software 3 pts
Identification and Authentication (IA)
Identify information system users, processes acting on behalf of users, or devices and authenticate the identities of those users, processes, or devices as a prerequisite to allowing access.
Mac angle: Platform SSO and IdP-backed MFA retire the old Macs-cant-do-modern-auth objection.
IA.L2-3.5.1 Identification 5 pts
IA.L2-3.5.2 Authentication 5 pts
IA.L2-3.5.3 Multifactor Authentication 5 pts
IA.L2-3.5.4 Replay-Resistant Authentication 3 pts
IA.L2-3.5.5 Identifier Reuse 3 pts
IA.L2-3.5.6 Identifier Handling 3 pts
IA.L2-3.5.7 Password Complexity 3 pts
IA.L2-3.5.8 Password Reuse 3 pts
IA.L2-3.5.9 Temporary Passwords 3 pts
IA.L2-3.5.10 Cryptographically-Protected Passwords 3 pts
IA.L2-3.5.11 Obscure Feedback 3 pts
Incident Response (IR)
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
Mac angle: process-heavy family; macOS EDR telemetry feeds detection and the incident record trail.
IR.L2-3.6.1 Incident Handling 5 pts
IR.L2-3.6.2 Incident Reporting 5 pts
IR.L2-3.6.3 Incident Response Testing 1 pt
Maintenance (MA)
Perform timely maintenance on organizational systems and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Mac angle: thin on Macs by design - document vendor service, remote-support rules, and sanitization before repair.
MA.L2-3.7.1 Perform Maintenance 5 pts
MA.L2-3.7.2 System Maintenance Control 3 pts
MA.L2-3.7.3 Equipment Sanitization 3 pts
MA.L2-3.7.4 Media Inspection 3 pts
MA.L2-3.7.5 Nonlocal Maintenance 3 pts
MA.L2-3.7.6 Maintenance Personnel 3 pts
Media Protection (MP)
Protect system media containing CUI, both paper and digital, limit access to CUI on system media to authorized users, and sanitize or destroy system media before disposal or reuse.
Mac angle: FileVault at rest, encrypted externals, and MDM policy over AirDrop/USB media.
MP.L2-3.8.1 Media Protection 5 pts
MP.L2-3.8.2 Media Access 3 pts
MP.L2-3.8.3 Media Disposal 3 pts
MP.L2-3.8.4 Media Markings 3 pts
MP.L2-3.8.5 Media Accountability 3 pts
MP.L2-3.8.6 Portable Storage Encryption 3 pts
MP.L2-3.8.7 Removable Media 3 pts
MP.L2-3.8.8 Shared Media 3 pts
MP.L2-3.8.9 Protect Backups 3 pts
Physical Protection (PE)
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
Mac angle: platform-neutral - facility controls, visitor records, and physical media handling.
PE.L2-3.10.1 Limit Physical Access 5 pts
PE.L2-3.10.2 Monitor Physical Facility 1 pt
PE.L2-3.10.3 Escort Visitors 1 pt
PE.L2-3.10.4 Physical Access Logs 1 pt
PE.L2-3.10.5 Manage Physical Access 1 pt
PE.L2-3.10.6 Alternative Work Sites 1 pt
Personnel Security (PS)
Screen individuals prior to authorizing access to organizational systems containing CUI and ensure that such systems are protected during and after personnel actions.
Mac angle: onboarding/offboarding ties directly to ABM assignment and MDM device lifecycle.
PS.L2-3.9.1 Screen Individuals 1 pt
PS.L2-3.9.2 Personnel Actions 1 pt
Risk Assessment (RA)
Periodically assess the risk to organizational operations, organizational assets, and individuals resulting from the operation of organizational systems and the processing, storage, or transmission of CUI.
Mac angle: macOS vulnerability agents exist - document scan cadence and how findings reach the POA&M.
RA.L2-3.11.1 Risk Assessments 5 pts
RA.L2-3.11.2 Vulnerability Scan 1 pt
RA.L2-3.11.3 Vulnerability Remediation 1 pt
Security Assessment (CA)
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application and develop and implement plans of action to correct deficiencies.
Mac angle: the SSP, POA&M, and periodic self-assessment layer - where the whole system gets written down.
CA.L2-3.12.1 Security Control Assessment 5 pts
CA.L2-3.12.2 Plan of Action 1 pt
CA.L2-3.12.3 Security Control Monitoring 1 pt
CA.L2-3.12.4 System Security Plan 1 pt
System and Communications Protection (SC)
Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of organizational systems.
Mac angle: boundary work - per-app VPN, DNS filtering, TLS in transit, FileVault at rest.
SC.L2-3.13.1 Boundary Protection 5 pts
SC.L2-3.13.2 Security Engineering 3 pts
SC.L2-3.13.3 Role-Based Security 3 pts
SC.L2-3.13.4 Shared Resource Control 3 pts
SC.L2-3.13.5 Public-Access System Separation 3 pts
SC.L2-3.13.6 Network Communication by Exception 3 pts
SC.L2-3.13.7 Split Tunneling 3 pts
SC.L2-3.13.8 Data in Transit 5 pts
SC.L2-3.13.9 Network Disconnect 3 pts
SC.L2-3.13.10 Cryptographic Key Management 3 pts
SC.L2-3.13.11 CUI Encryption 5 pts
SC.L2-3.13.12 Collaborative Device Control 3 pts
SC.L2-3.13.13 Mobile Code 3 pts
SC.L2-3.13.14 Voice over Internet Protocol 1 pt
SC.L2-3.13.15 Communications Authenticity 3 pts
SC.L2-3.13.16 Data at Rest 3 pts
System and Information Integrity (SI)
Identify, report, and correct information and information system flaws in a timely manner; provide protection from malicious code; and monitor information system security alerts and advisories.
Mac angle: Gatekeeper, notarization, and XProtect are built in; EDR plus enforced updates complete the family.
SI.L2-3.14.1 Flaw Remediation 5 pts
SI.L2-3.14.2 Malicious Code Protection 5 pts
SI.L2-3.14.3 Security Alerts & Advisories 5 pts
SI.L2-3.14.4 Update Malicious Code Protection 3 pts
SI.L2-3.14.5 System & File Scanning 3 pts
SI.L2-3.14.6 Monitor Communications for Attacks 3 pts
SI.L2-3.14.7 Identify Unauthorized Use 3 pts