CMMC Level 2: What Municipalities Working with DoD Need to Know

If your municipality contracts with the Department of Defense, CMMC 2.0 compliance is coming. Here's what's actually required and how to prepare without overengineering it.


The Short Version

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is now rolling out. If your city, county, or municipal agency handles Controlled Unclassified Information (CUI) as part of DoD contracts, you'll need to demonstrate Level 2 compliance.

This isn't optional, and it's not going away.

What Level 2 Actually Requires

Level 2 aligns with NIST SP 800-171, which means 110 security controls across 14 families. The big ones that trip up municipal IT departments:

Access Control — Who can access what, and can you prove it? This means documented policies, not just "we know who has admin rights."

Incident Response — You need a plan, and you need to have tested it. An email chain during the last outage doesn't count.

System Integrity — Patching, monitoring, change management. If you're running EOL systems (we know you probably are), you need a documented plan to address them.

Where Municipalities Struggle

Most municipal IT teams we work with have the technical capability. What they lack is documentation and process formalization.

You're probably already doing 70% of what CMMC requires. The challenge is proving it to an assessor.

Practical Steps

Start with a gap assessment. Not a sales pitch from a vendor — an honest look at where you stand against NIST 800-171.

Document what you already do. You have firewall rules. You have user access processes. Write them down in a format an assessor can review.

Prioritize based on contract timelines. If your DoD work renews in 18 months, you have time to be methodical. If it's 6 months, focus on the high-weight controls first.

Getting Help

We've helped several municipal agencies in the Mid-Atlantic region prepare for CMMC assessments. The goal isn't to build a massive compliance program — it's to formalize what you're already doing and fill genuine gaps.

If you're staring at a CMMC requirement and not sure where to start, reach out. We'll give you an honest read on where you stand.