Reference · Phase 2 enforcement 10 Nov 2026
Every CMMC Level 2 requirement, plain English.
110 controls. 14 families. The questions assessors actually ask, the gaps that fail companies, and the fixes that work. No padding, no marketing pretending to be guidance.
Where to start
Three ways in. Pick the one that matches where you are.
Most readers fall into one of three buckets. Every section of this site is built around one of them.
I'm new to CMMC.
Start here if you don't yet know what CMMC is, what level you need, what CUI is, or why this is suddenly on your plate. Foundations explains the framework before it asks you to implement any of it.
I'm hunting a specific control.
Search by name (FIPS, MFA, POA&M) or jump straight to the family. Every requirement page has the same eight sections — no cross-referencing, no "see also."
I'm preparing for assessment.
The C3PAO date is on the calendar. You need to know what the four phases look like, what evidence the assessor will examine, and what a finding-free assessment day actually requires.
Anatomy of a requirement page
One page per requirement. No cross-referencing.
Every one of the 110 requirement pages follows the same eight-section structure. Once you've read one, you can scan any of them in under two minutes.
The One-Liner
Instant pass/fail gut check. If you can't say yes to this, the rest of the page tells you why.
What It Actually Means
The requirement in plain English. No jargon, no quoting NIST verbatim and calling it explained.
Pass or Fail
The yes/no checklist your assessor walks through. If any answer is "no," you fail the requirement.
What to Have Ready
The documents, people, and live demos the assessor will ask for. Build the binder against this list.
The Assessor's Playbook
The actual questions — verbatim. Have the answers ready before the C3PAO walks in the door.
Where Companies Trip Up
Named failure patterns and the fixes that work. Most findings cluster around the same five mistakes.
How to Talk About It
CEO/Board version and Engineering version. Same control, two audiences, two registers.
Implementation
Cloud platform steps for AWS, Azure, GCP, and Microsoft 365. Client access only.
The 14 families
All 110 controls, by family.
NIST 800-171 Rev 2 organises the 110 requirements into 14 security families. Click any family to browse its requirement pages. A sage dot marks families with at least one Level 1 control (also applicable to FCI).
Companion tools
When you need to do, not just read.
This site is the reference. The implementation work — configuring controls in your tenant, writing the CRM, running the gap assessment — happens on ancitus.com.
Shared Responsibility Matrix.
All 110 requirements mapped against AWS GovCloud, Azure Government, GCP Assured, and Microsoft 365 GCC High. Inherited / Shared / Customer / N/A status per control. Downloadable XLSX.
Open the matrix
Readiness Assessor.
Score yourself against the 110 controls before a C3PAO does it for you. Identifies the gaps that fail companies most often and produces an SPRS-style score with no email gate.
Run the self-assessment
CMMC Grants Finder.
State and federal funding for assessment and remediation costs. 12 states with active programmes, plus FAR Part 31 cost recovery for federal contractors. Verified quarterly.
Find funding
Get the controls configured.
We configure customer-side controls inside your tenant — Conditional Access, audit, DLP, identity — and write the CRM your assessor will ask for. 30-minute scoping call to start.
Book a discovery call