CMMC Level 2
Without CMMC Level 2 certification, your organisation cannot bid on or retain US Department of Defense contracts involving Controlled Unclassified Information.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the US Department of Defense's framework for protecting Controlled Unclassified Information (CUI) across the defence industrial base. Level 2 aligns directly with the 110 security requirements of NIST SP 800-171 Revision 2.
For UK-based suppliers to the US DoD, CMMC compliance is increasingly a contractual prerequisite. The challenge is significant: the 110 requirements span access control, audit and accountability, configuration management, identification and authentication, incident response, and more.
StremarControl engineers and operates the Microsoft-native controls that CMMC mandates, translating NIST SP 800-171 requirements into Microsoft 365 GCC configurations. For each requirement it implements the satisfying control, produces structured evidence, and maintains compliance through continuous monitoring, so that UK defence suppliers can compete for US DoD contracts.
Why This Matters Now
If your organisation handles Controlled Unclassified Information (CUI) as part of the US defence supply chain - whether as a prime contractor or a Tier 2/3 supplier - CMMC Level 2 certification will be a contractual requirement embedded in DoD solicitations. Without it, you cannot bid on or renew contracts involving CUI. For UK-based defence suppliers, this creates a dual compliance burden: UK Cyber Essentials Plus for MOD contracts and CMMC Level 2 for US DoD work. The appropriate Microsoft cloud depends on the data type, contractual requirements, and export-control scope. GCC High commonly supports CMMC Level 2/3 and ITAR-sensitive scenarios when configured appropriately.
Scope & Applicability
CMMC Level 2 applies to any organisation in the Defence Industrial Base (DIB) that processes, stores, or transmits Controlled Unclassified Information (CUI) as defined by NIST SP 800-171. This includes prime contractors, subcontractors at all tiers, and suppliers who handle CUI even incidentally. The scope encompasses all information systems, network segments, and endpoints that process CUI. For M365 environments, the CUI enclave must be architecturally isolated - typically via M365 GCC or GCC High with dedicated Conditional Access policies, sensitivity labels, and DLP rules scoped to CUI data types.
Core Obligations
Access Control
Limit system access to authorised users, processes, and devices. Control CUI flow, employ least privilege, and enforce separation of duties.
Audit and Accountability
Create, protect, and retain system audit records. Ensure actions can be uniquely traced to individual users.
Identification and Authentication
Identify and authenticate users, devices, and processes. Use multi-factor authentication for network and privileged access.
Media Protection
Protect, control, sanitise, and account for media containing CUI. Encrypt CUI on digital media during transport.
System and Communications Protection
Monitor, control, and protect communications at system boundaries. Employ FIPS-validated cryptography.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
AC.L2-3.1.1 - Authorised Access
Controls: Conditional Access requiring compliant device + MFA. Hardware security keys (YubiKey 5 FIPS) for all CUI-accessing users. Session controls limiting token lifetime.
Evidence: CA policy exports, hardware key registration report, session control configuration.
AU.L2-3.3.1 - Audit Logging
Controls: Unified Audit Log configured for extended retention (where the applicable licences and policies are deployed). Sentinel log aggregation with immutable storage. All admin actions logged with user identity, timestamp, and affected resource.
Evidence: Audit log retention policy, Sentinel data connector status, sample audit query results.
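The evidence named for the two entries above (a Conditional Access policy export with a per-policy MFA and compliant-device assessment, and a Unified Audit Log configuration check with a sample admin-action query) can be collected in one run. The script below is an added example, not StremarControl's or Microsoft's own tooling. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, that the signed-in account holds Policy.Read.All in Graph and an Exchange audit-reader role, and that $EvidencePath is a placeholder for your evidence repository.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, ExchangeOnlineManagement
<#
  Added example, not StremarControl's or Microsoft's own tooling.
  Collects evidence for AC.L2-3.1.1 (Conditional Access) and AU.L2-3.3.1 (Unified Audit Log).
  Assumptions: Graph SDK + ExchangeOnlineManagement installed; caller holds Policy.Read.All
  and an Exchange audit-reader role; $EvidencePath is a placeholder output folder.
#>
param(
    [string]$EvidencePath = '.\cmmc-evidence'   # assumed output folder
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null

# ---- AC.L2-3.1.1: Conditional Access ------------------------------------------------
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Primary artefact: the unmodified policy definitions exactly as Graph returns them.
$policies | ConvertTo-Json -Depth 10 |
    Set-Content -Path (Join-Path $EvidencePath "ca-policies-$stamp.json")

# Per-policy assessment. BuiltInControls holds strings such as 'mfa', 'compliantDevice'
# and 'block'; Operator 'AND' means every listed control must be satisfied.
$assessment = foreach ($p in $policies) {
    $controls = @($p.GrantControls.BuiltInControls)
    [pscustomobject]@{
        DisplayName       = $p.DisplayName
        State             = $p.State
        AppliesToAllUsers = @($p.Conditions.Users.IncludeUsers) -contains 'All'
        ExcludedUsers     = @($p.Conditions.Users.ExcludeUsers).Count
        RequiresMfa       = $controls -contains 'mfa'
        RequiresCompliant = $controls -contains 'compliantDevice'
        Operator          = $p.GrantControls.Operator
    }
}
$assessment | Export-Csv -NoTypeInformation -Path (Join-Path $EvidencePath "ca-assessment-$stamp.csv")

# Gap check: at least one enabled, all-user policy must require MFA and at least one must
# require a compliant device (the same policy may do both). Excluded users still need a
# documented justification, so the exclusion count is surfaced rather than hidden.
$enforced          = $assessment | Where-Object { $_.State -eq 'enabled' -and $_.AppliesToAllUsers }
$mfaCovered        = [bool]($enforced | Where-Object RequiresMfa)
$complianceCovered = [bool]($enforced | Where-Object RequiresCompliant)
if (-not $mfaCovered)        { Write-Warning 'No enabled all-user CA policy requires MFA.' }
if (-not $complianceCovered) { Write-Warning 'No enabled all-user CA policy requires a compliant device.' }

# ---- AU.L2-3.3.1: Unified Audit Log -------------------------------------------------
Connect-ExchangeOnline -ShowBanner:$false

# Ingestion must be enabled, otherwise nothing queried below is being recorded at all.
$auditConfig = Get-AdminAuditLogConfig
$auditConfig | Select-Object UnifiedAuditLogIngestionEnabled |
    Export-Csv -NoTypeInformation -Path (Join-Path $EvidencePath "audit-config-$stamp.csv")
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified Audit Log ingestion is disabled.'
}

# Sample query: directory role membership changes over the last 30 days, demonstrating
# that admin actions are captured with actor, timestamp and affected object.
$end   = Get-Date
$start = $end.AddDays(-30)
$roleEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'Add member to role.', 'Remove member from role.' -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationDate = $_.CreationDate
            Actor        = $_.UserIds
            Operation    = $_.Operations
            Target       = (@($d.Target) | ForEach-Object { $_.ID }) -join ';'
        }
    }
$roleEvents | Export-Csv -NoTypeInformation -Path (Join-Path $EvidencePath "audit-role-changes-$stamp.csv")

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Keep the raw JSON export alongside the CSV assessment: the assessment is the reviewer's convenience, the unmodified export is what an assessor will want to inspect. A policy that requires MFA and compliant device with Operator 'OR' is not equivalent to requiring both, which is why the operator is recorded rather than collapsed into a single pass/fail column.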
MP.L2-3.8.1 - Media Protection
Controls: BitLocker with FIPS 140-2 compliant encryption. 30-day automated key rotation. Endpoint DLP blocking transfer of labelled CUI to removable media.
Evidence: BitLocker compliance report, key rotation logs, DLP policy match report for removable media.
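For the BitLocker compliance report named above, an endpoint-side collector is the usual starting point. The function below is an added example, not StremarControl's or Microsoft's own tooling; it reads each BitLocker volume and the Windows FIPS algorithm policy and marks a volume compliant only when it is fully encrypted, protection is on, the cipher is a FIPS-validated BitLocker method and FIPS mode is enabled. That Compliant rule is this example's assumption about what an assessor will accept, not a test CMMC publishes. It must run in an elevated session because Get-BitLockerVolume requires administrator rights.

```powershell
<#
  Added example, not StremarControl's or Microsoft's own tooling.
  Collects per-volume BitLocker evidence from a Windows endpoint for MP.L2-3.8.1.
  Run elevated. The Compliant rule below is this example's own baseline (an assumption).
#>
function Get-CuiDiskEncryptionEvidence {
    # Windows FIPS algorithm policy: Enabled = 1 constrains Schannel, .NET and BitLocker to
    # FIPS 140 validated algorithms and is the setting assessors usually ask to see.
    $fipsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1

    # BitLocker's AES-CBC and XTS-AES methods are the FIPS-validated ones; the legacy
    # Elephant-diffuser variants (Aes128Diffuser / Aes256Diffuser) are not.
    $validatedMethods = 'Aes128', 'Aes256', 'XtsAes128', 'XtsAes256'

    foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType            # OperatingSystem or Data
            VolumeStatus     = $v.VolumeStatus          # FullyEncrypted expected
            ProtectionStatus = $v.ProtectionStatus      # On expected
            EncryptionMethod = $v.EncryptionMethod
            KeyProtectors    = (@($v.KeyProtector.KeyProtectorType) -join ';')
            FipsModeEnabled  = $fipsEnabled
            Compliant        = ($v.VolumeStatus -eq 'FullyEncrypted' -and
                                $v.ProtectionStatus -eq 'On' -and
                                $v.EncryptionMethod -in $validatedMethods -and
                                $fipsEnabled)
        }
    }
}

# Usage: one CSV per endpoint, date-stamped so repeated runs build a history for the assessor.
$evidence = Get-CuiDiskEncryptionEvidence
$evidence | Format-Table -AutoSize
$evidence | Export-Csv -NoTypeInformation -Path ".\bitlocker-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).csv"
$evidence | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "$($_.MountPoint) on $($_.ComputerName) does not meet the CUI encryption baseline."
}
```

The KeyProtectors column is kept deliberately: a volume whose only protector is a recovery password, with no TPM protector, is encrypted but is not protected the way an operating-system drive in a CUI enclave should be, and the column lets a reviewer spot that without a second query.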
SC.L2-3.13.1 - Boundary Protection
Controls: Defender for Endpoint network protection. Conditional Access blocking access from non-compliant networks. Information barriers preventing CUI cross-contamination between clearance levels.
Evidence: Network protection event logs, CA policy evaluation logs, information barrier status report.
Ready to get CMMC-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against CMMC requirements, close gaps, and produce audit-ready evidence.