What’s CMMC Level 2, What It Means for Irys

What Is CMMC Level 2?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) framework for ensuring that contractors safeguard sensitive information across the defense supply chain.

CMMC Level 2 is the critical middle tier, requiring organizations to implement and demonstrate compliance with the 110 practices in NIST SP 800-171. These practices focus on protecting Controlled Unclassified Information (CUI), which includes sensitive but not classified data such as personnel records, mission-critical technical information, and operational details.

Level 2 certification is not optional for most defense contractors—it is a baseline requirement for organizations that handle CUI.

What It Takes to Achieve Level 2

Moving up to Level 2 requires a significant leap in cybersecurity maturity. It involves:

1. Full Implementation of NIST SP 800-171

• Covering 14 domains, including access control, incident response, system integrity, and audit logging.

• Evidence must show practices are not just planned but consistently applied.

2. Formalized Policies and Procedures

• Written policies and documented workflows across the enterprise.

• Training to ensure staff understand and follow these policies.

3. Gap Assessments and Remediation

• Unlike Level 1 (self-assessment), Level 2 requires an independent CMMC Third-Party Assessment Organization (C3PAO) to verify compliance.

4. Culture of Cybersecurity

• Training, awareness, and accountability must be ingrained into day-to-day operations.

Why CMMC Level 2 Is Important in General

• Protecting the DoD Supply Chain: Nation-state actors constantly target contractors. Level 2 ensures sensitive defense data is handled securely.

• Market Access: Starting in 2025, most DoD contracts that involve CUI will require CMMC Level 2 certification. Without it, companies will be excluded from bidding.

• Trust and Credibility: Certification demonstrates maturity, transparency, and commitment to safeguarding national security.

Why CMMC Level 2 Is Critical for Irys

For Irys, CMMC Level 2 is not just a compliance milestone—it’s mission alignment.

1. Supports Our Cyber-Focused Mission

2. Strengthens Irys’ Services and products  

3. Competitive Advantage  

Why It Matters for the Mission

Cybersecurity is national security. For Irys, achieving CMMC Level 2 is more than a regulatory requirement—it’s a commitment to protecting the data, systems, and missions that the warfighter depends on.

By embedding CMMC Level 2 practices across our operations, Irys ensures we can continue to deliver secure, resilient, and innovative solutions to the Department of Defense.