CMMC Level 2 Certification: What Multi-Location Businesses Handling CUI Need to Know
If your company works on Department of Defense (DoD) contracts, there is a very good chance you are already handling Controlled Unclassified Information — commonly called CUI. That might be technical drawings, design specs, manufacturing data, or contract documents. And if your team prints any of that material across multiple facilities, you are staring down one of the more complex compliance challenges in the defense industrial base right now: CMMC Level 2 certification at scale.
CMMC — the Cybersecurity Maturity Model Certification — is the DoD’s framework for ensuring that contractors are protecting sensitive government information appropriately. As of November 2025, it is no longer optional guidance. It is a contractual requirement. And the stakes are simple: no certification, no DoD contracts.
What Is CMMC Level 2?
CMMC has three levels. Level 1 covers basic cyber hygiene for organizations handling Federal Contract Information (FCI). Level 3 is reserved for companies working with the most highly sensitive programs. Level 2 is where most DoD contractors land — and it is the level required whenever your work involves CUI.
Level 2 is built entirely on NIST Special Publication 800-171, which defines 110 security controls across 14 practice domains. These aren’t suggestions — every single one of them must be implemented and verifiable. The domains cover everything from how you control access to your systems, to how you physically protect your facilities, to how you handle and destroy sensitive printed documents:
- Access Control (AC)
- Awareness & Training (AT)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System & Communications Protection (SC)
- System & Information Integrity (SI)
To achieve certification, an accredited Third-Party Assessment Organization — known as a C3PAO — will assess your organization against all 110 controls and their 320 underlying assessment objectives. Pass everything, and you receive a Final Level 2 certificate valid for three years. Fall short but hit at least 80% (with all critical controls in place), and you can receive a Conditional certificate — but you’ll have exactly 180 days to close the gaps before that certification lapses.
Why Printing CUI Is a Bigger Deal Than Most Executives Realize
Here is a common misconception: CMMC is a cybersecurity program, so it mainly applies to IT systems. In reality, any printed document containing CUI is subject to the same protections as digital CUI — and that is where many manufacturing and defense contractor organizations are the most exposed.
Under CMMC Level 2, hardcopy documents — printed technical drawings, engineering specifications, procurement documents — are treated as “media” in the same category as USB drives or laptops. That means the following requirements apply directly to your printers and the documents they produce:
- Marking: Every printed CUI document must be visibly labeled as “CUI” per DoD guidelines.
- Access control: Only authorized personnel may access CUI printers. Authentication at the device (badge, PIN, or card) is required.
- Physical location: CUI printers should be in controlled, access-restricted areas, not open common spaces.
- Storage: Printed CUI must be stored in locked cabinets or secure rooms when not in use.
- Audit logging: Print jobs must be logged: who printed what, on which device, and when.
- Sanitization: Printer memory and internal hard drives must be purged before maintenance or disposal.
- Destruction: CUI documents must be destroyed via cross-cut shredding (or stronger), with a destruction record maintained.
Paper is not exempt. If it contains CUI, it is in scope — and every printer, filing cabinet, and shredder that touches it needs to be part of your compliance program.
The Multi-Location Challenge
If your organization operates out of a single location, your CMMC compliance scope is relatively contained. But if you have three facilities, five plants, or a headquarters plus regional offices — and CUI flows through each of them — your scope expands significantly, and so does your complexity.
Here is the key principle: your CMMC scope is defined by wherever CUI lives and flows. Every location where CUI is processed, stored, printed, or transmitted is in scope. That means every one of those locations must meet the same standard, and your C3PAO assessors will verify it.
Your System Security Plan (SSP) — the foundational document for your entire CMMC assessment — must account for all locations. It needs to map where CUI is processed, document the controls in place at each facility, and describe how those controls are consistent and enforced. Gaps at a single location can jeopardize your entire certification.
In multi-site environments, assessors look specifically at whether:
- physical security controls (badge readers, visitor logs, secure rooms) are consistent across all facilities
- all CUI printers across every location are inventoried, access-controlled, and logged
- employees at every location have received security awareness training
- CUI document handling, storage, and destruction procedures are standardized rather than just defined at headquarters
- the SSP clearly identifies which controls are centrally managed versus locally implemented at each site
A critical point for budgeting and planning: C3PAO assessors may conduct separate site visits for each location in scope. Multi-site assessments take longer, require more coordination, and cost more. Organizations that start compliance planning at the enterprise level — not one site at a time — see significantly smoother assessments.
The Certification Process: What to Expect
Getting to CMMC Level 2 certification is not a quick project. For most organizations starting from scratch, the realistic timeline from beginning to final certificate is 12 to 24 months. Here is a high-level view of the process:
1. Gap Assessment & Scoping
Before anything else, you need an honest picture of where you stand against all 110 controls — across every location. This is often done through a readiness assessment with a CMMC consultant or your chosen C3PAO. The output is a clear gap analysis tied to each of your facilities.
2. Remediation & Implementation
This is typically the longest phase. Based on your gaps, you will update policies, implement technical controls, establish physical security measures, train staff, and document everything. Multi-location organizations should plan remediation efforts centrally and roll them out consistently across sites.
3. System Security Plan (SSP) Development
Your SSP must describe how every one of the 110 controls is implemented across your organization — including location-specific details. Think of it as the master record of your security program. It also feeds directly into your assessment, so quality matters.
4. C3PAO Assessment
An accredited C3PAO will conduct a formal assessment, reviewing your documentation, interviewing key personnel, observing security practices, and, in the case of multi-site organizations, visiting each location in scope. The assessment itself typically takes one to two weeks, with the final report delivered within two weeks afterward.
5. Certification & Ongoing Compliance
Upon passing, you receive your certificate — valid for three years. You’ll also submit an annual affirmation of continued compliance and remain prepared for re-assessment if significant changes occur at any of your locations.
The Timeline Pressure Is Real
As of November 2025, CMMC Level 2 self-assessments are already a condition of award for many DoD contracts. Third-party assessments by a C3PAO are expected to become required on a broader range of contracts through 2026 and 2027. By November 2027, the requirement extends to existing contracts — not just new ones.
That means organizations that have not started their compliance journey are already behind. And with demand for C3PAO assessors far outpacing supply, scheduling delays are common. The companies getting certified are the ones that started planning 12 to 18 months ago.
Waiting until a contract requires CMMC certification before starting the process is not a viable strategy. The lead time is too long and the competition for assessors is too steep.
Where to Start
If you are operating multiple locations and handling CUI — especially if your teams are printing technical documents, drawings, or specs — the place to start is a clear-eyed gap assessment. You need to know which of your 110 required controls are already in place, which are partially implemented, and which are missing entirely — and you need that picture across every site, not just headquarters.
From there, the path forward is a prioritized remediation plan, a well-documented SSP, and a realistic timeline that accounts for the complexity of your multi-site environment. The organizations that approach this methodically — treating it as an enterprise-wide program rather than an IT project — are the ones that reach certification without surprises.