CMMC Level 2 Controls List: All 110 Requirements

Reference

All 110 CMMC Level 2 security requirements from NIST SP 800-171 Revision 2, grouped by family, with the SPRS point weight each carries under the DoD Assessment Methodology. Requirement IDs use the official CMMC Level 2 format. Verified against 32 CFR Part 170 and the current assessment ecosystem, July 2026.

Companion references: the acronym glossary, the key dates timeline, the ecosystem map, and the DFARS clause guide - or browse the full reference shelf. For how each family translates to Apple hardware, start with CMMC for macOS.

Access Control (AC)

Limit system access to authorized users, processes, and devices, and limit the types of transactions and functions that authorized users are permitted to execute.

Mac angle: identity is the control plane - IdP-bound accounts, MDM screen-lock and session policies, and per-app VPN stand in for the GPO-era controls.

AC.L2-3.1.1 Authorized Access Control 5 pts

AC.L2-3.1.2 Transaction & Function Control 5 pts

AC.L2-3.1.3 Control CUI Flow 5 pts

AC.L2-3.1.4 Separation of Duties 3 pts

AC.L2-3.1.5 Least Privilege 5 pts

AC.L2-3.1.6 Non-Privileged Account Use 3 pts

AC.L2-3.1.7 Privileged Functions 3 pts

AC.L2-3.1.8 Unsuccessful Logon Attempts 3 pts

AC.L2-3.1.9 Privacy & Security Notices 1 pt

AC.L2-3.1.10 Session Lock 3 pts

AC.L2-3.1.11 Session Termination 3 pts

AC.L2-3.1.12 Control Remote Access 5 pts

AC.L2-3.1.13 Remote Access Confidentiality 5 pts

AC.L2-3.1.14 Remote Access Routing 3 pts

AC.L2-3.1.15 Privileged Remote Access 3 pts

AC.L2-3.1.16 Wireless Access Authorization 3 pts

AC.L2-3.1.17 Wireless Access Protection 3 pts

AC.L2-3.1.18 Mobile Device Connection 3 pts

AC.L2-3.1.19 Encrypt CUI on Mobile Devices 3 pts

AC.L2-3.1.20 External Connections 5 pts

AC.L2-3.1.21 Portable Storage Use 3 pts

AC.L2-3.1.22 Control Public Information 3 pts

Awareness and Training (AT)

Ensure that personnel are aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational systems.

Mac angle: platform-neutral - training records and acknowledgments carry this family regardless of endpoint OS.

AT.L2-3.2.1 Role-Based Risk Awareness 3 pts

AT.L2-3.2.2 Role-Based Training 3 pts

AT.L2-3.2.3 Insider Threat Awareness 1 pt

Audit and Accountability (AU)

Create, protect, and retain information system audit records to enable monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.

Mac angle: the unified log plus MDM/EDR forwarding cover generation; retention off-device is the usual Mac gap.

AU.L2-3.3.1 System Auditing 5 pts

AU.L2-3.3.2 User Accountability 5 pts

AU.L2-3.3.3 Event Review 1 pt

AU.L2-3.3.4 Audit Failure Alerting 3 pts

AU.L2-3.3.5 Audit Correlation 3 pts

AU.L2-3.3.6 Reduction & Reporting 3 pts

AU.L2-3.3.7 Authoritative Time Source 1 pt

AU.L2-3.3.8 Audit Protection 3 pts

AU.L2-3.3.9 Audit Management 3 pts

Configuration Management (CM)

Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles.

Mac angle: MDM configuration profiles and mSCP baselines are the enforcement mechanism; declarative management is the audit trail.

CM.L2-3.4.1 System Baselining 5 pts

CM.L2-3.4.2 Security Configuration Enforcement 5 pts

CM.L2-3.4.3 System Change Management 3 pts

CM.L2-3.4.4 Impact Analysis 3 pts

CM.L2-3.4.5 Access Restrictions for Change 3 pts

CM.L2-3.4.6 Least Functionality 3 pts

CM.L2-3.4.7 Nonessential Functionality 3 pts

CM.L2-3.4.8 Application Execution Policy 3 pts

CM.L2-3.4.9 User-Installed Software 3 pts

Identification and Authentication (IA)

Identify information system users, processes acting on behalf of users, or devices and authenticate the identities of those users, processes, or devices as a prerequisite to allowing access.

Mac angle: Platform SSO and IdP-backed MFA retire the old Macs-cant-do-modern-auth objection.

IA.L2-3.5.1 Identification 5 pts

IA.L2-3.5.2 Authentication 5 pts

IA.L2-3.5.3 Multifactor Authentication 5 pts

IA.L2-3.5.4 Replay-Resistant Authentication 3 pts

IA.L2-3.5.5 Identifier Reuse 3 pts

IA.L2-3.5.6 Identifier Handling 3 pts

IA.L2-3.5.7 Password Complexity 3 pts

IA.L2-3.5.8 Password Reuse 3 pts

IA.L2-3.5.9 Temporary Passwords 3 pts

IA.L2-3.5.10 Cryptographically-Protected Passwords 3 pts

IA.L2-3.5.11 Obscure Feedback 3 pts

Incident Response (IR)

Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

Mac angle: process-heavy family; macOS EDR telemetry feeds detection and the incident record trail.

IR.L2-3.6.1 Incident Handling 5 pts

IR.L2-3.6.2 Incident Reporting 5 pts

IR.L2-3.6.3 Incident Response Testing 1 pt

Maintenance (MA)

Perform timely maintenance on organizational systems and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Mac angle: thin on Macs by design - document vendor service, remote-support rules, and sanitization before repair.

MA.L2-3.7.1 Perform Maintenance 5 pts

MA.L2-3.7.2 System Maintenance Control 3 pts

MA.L2-3.7.3 Equipment Sanitization 3 pts

MA.L2-3.7.4 Media Inspection 3 pts

MA.L2-3.7.5 Nonlocal Maintenance 3 pts

MA.L2-3.7.6 Maintenance Personnel 3 pts

Media Protection (MP)

Protect system media containing CUI, both paper and digital, limit access to CUI on system media to authorized users, and sanitize or destroy system media before disposal or reuse.

Mac angle: FileVault at rest, encrypted externals, and MDM policy over AirDrop/USB media.

MP.L2-3.8.1 Media Protection 5 pts

MP.L2-3.8.2 Media Access 3 pts

MP.L2-3.8.3 Media Disposal 3 pts

MP.L2-3.8.4 Media Markings 3 pts

MP.L2-3.8.5 Media Accountability 3 pts

MP.L2-3.8.6 Portable Storage Encryption 3 pts

MP.L2-3.8.7 Removable Media 3 pts

MP.L2-3.8.8 Shared Media 3 pts

MP.L2-3.8.9 Protect Backups 3 pts

Physical Protection (PE)

Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

Mac angle: platform-neutral - facility controls, visitor records, and physical media handling.

PE.L2-3.10.1 Limit Physical Access 5 pts

PE.L2-3.10.2 Monitor Physical Facility 1 pt

PE.L2-3.10.3 Escort Visitors 1 pt

PE.L2-3.10.4 Physical Access Logs 1 pt

PE.L2-3.10.5 Manage Physical Access 1 pt

PE.L2-3.10.6 Alternative Work Sites 1 pt

Personnel Security (PS)

Screen individuals prior to authorizing access to organizational systems containing CUI and ensure that such systems are protected during and after personnel actions.

Mac angle: onboarding/offboarding ties directly to ABM assignment and MDM device lifecycle.

PS.L2-3.9.1 Screen Individuals 1 pt

PS.L2-3.9.2 Personnel Actions 1 pt

Risk Assessment (RA)

Periodically assess the risk to organizational operations, organizational assets, and individuals resulting from the operation of organizational systems and the processing, storage, or transmission of CUI.

Mac angle: macOS vulnerability agents exist - document scan cadence and how findings reach the POA&M.

RA.L2-3.11.1 Risk Assessments 5 pts

RA.L2-3.11.2 Vulnerability Scan 1 pt

RA.L2-3.11.3 Vulnerability Remediation 1 pt

Security Assessment (CA)

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application and develop and implement plans of action to correct deficiencies.

Mac angle: the SSP, POA&M, and periodic self-assessment layer - where the whole system gets written down.

CA.L2-3.12.1 Security Control Assessment 5 pts

CA.L2-3.12.2 Plan of Action 1 pt

CA.L2-3.12.3 Security Control Monitoring 1 pt

CA.L2-3.12.4 System Security Plan 1 pt

System and Communications Protection (SC)

Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of organizational systems.

Mac angle: boundary work - per-app VPN, DNS filtering, TLS in transit, FileVault at rest.

SC.L2-3.13.1 Boundary Protection 5 pts

SC.L2-3.13.2 Security Engineering 3 pts

SC.L2-3.13.3 Role-Based Security 3 pts

SC.L2-3.13.4 Shared Resource Control 3 pts

SC.L2-3.13.5 Public-Access System Separation 3 pts

SC.L2-3.13.6 Network Communication by Exception 3 pts

SC.L2-3.13.7 Split Tunneling 3 pts

SC.L2-3.13.8 Data in Transit 5 pts

SC.L2-3.13.9 Network Disconnect 3 pts

SC.L2-3.13.10 Cryptographic Key Management 3 pts

SC.L2-3.13.11 CUI Encryption 5 pts

SC.L2-3.13.12 Collaborative Device Control 3 pts

SC.L2-3.13.13 Mobile Code 3 pts

SC.L2-3.13.14 Voice over Internet Protocol 1 pt

SC.L2-3.13.15 Communications Authenticity 3 pts

SC.L2-3.13.16 Data at Rest 3 pts

System and Information Integrity (SI)

Identify, report, and correct information and information system flaws in a timely manner; provide protection from malicious code; and monitor information system security alerts and advisories.

Mac angle: Gatekeeper, notarization, and XProtect are built in; EDR plus enforced updates complete the family.

SI.L2-3.14.1 Flaw Remediation 5 pts

SI.L2-3.14.2 Malicious Code Protection 5 pts

SI.L2-3.14.3 Security Alerts & Advisories 5 pts

SI.L2-3.14.4 Update Malicious Code Protection 3 pts

SI.L2-3.14.5 System & File Scanning 3 pts

SI.L2-3.14.6 Monitor Communications for Attacks 3 pts

SI.L2-3.14.7 Identify Unauthorized Use 3 pts

Every requirement above maps to a policy, procedure, or workbook in the CMMC Operator Suite - written Mac-first, cross-referenced by artifact ID. The guides behind each family live in the library.