If you’re a manufacturer in Charlotte, Greenville, or anywhere across the Carolinas, CMMC is no longer something you can wait on.
We’re seeing it show up in contracts, supplier requirements, and cyber insurance conversations. And most teams are approaching it the same way at first:
They treat the 110 controls like a checklist.
That approach doesn’t hold up.
CMMC Level 2 is about whether your environment operates securely on a daily basis, not whether you can point to tools or policies.
CMMC Level 2 Maps Directly to NIST SP 800-171
At its core, CMMC Level 2 is built on NIST SP 800-171.
That means:
- The requirements are already defined
- The structure is already known
- The expectations are not flexible
What changes with CMMC is enforcement.
Auditors are not asking what you intend to do.
They are asking what is consistently happening in your environment and whether you can prove it.
For manufacturers across North Carolina and South Carolina, especially those tied to defense or aerospace supply chains, that shift matters.
It turns security from a technical discussion into an operational one.
The 14 Control Families Are Interconnected
The 110 controls are grouped into 14 families, including:
- Access Control
- Audit and Accountability
- Incident Response
- Identification and Authentication
- System and Communications Protection
On paper, that looks manageable.
In reality, these areas depend on each other.
You cannot meet incident response requirements without reliable logging.
You cannot enforce least privilege without strong identity management.
You cannot validate encryption without consistent configuration control.
This is where most organizations in the Carolinas run into trouble.
They try to implement controls one at a time.
Auditors evaluate whether those controls function together.
Where We See Organizations Struggle
Across Charlotte, Columbia, and Greenville, the patterns are consistent.
Controls exist but are not provable
Most companies have already invested in security tools.
They have MFA enabled in some places. Endpoint protection is deployed. Backups are running.
But when it comes time to demonstrate:
- Where controls are enforced
- How they are monitored
- Who is accountable
The answers are incomplete, and that gap is what causes failed assessments.
Logging is collected but not operationalized
Logs are often turned on, but here is what’s missing:
- Centralized visibility
- Defined review processes
- Alerting tied to real risk
In manufacturing environments with ERP, MES, and plant systems, this becomes more complex, but it is also where auditors focus.
Incident response is not tested
Most organizations have a written plan, but very few have:
- Walked through a real scenario
- Defined roles under pressure
- Aligned IT and operations
A security event is not just an IT issue. It can impact uptime, delivery schedules, and customer commitments.
Access control has drifted
Permissions tend to expand over time.
Former employees retain access.
Administrative rights are granted and not reviewed.
Shared accounts are used for convenience.
In growing organizations across the Carolinas, this happens gradually and often goes unnoticed until an audit forces a review.
The Technical Requirements That Carry the Most Weight
Not all controls have equal impact. A few areas tend to determine whether an environment holds up under assessment.
Multi-Factor Authentication
MFA is expected across:
- Remote access
- Privileged accounts
- Critical systems
The issue is not enabling MFA. It is ensuring there are no gaps, especially with legacy systems or service accounts.
Logging and Monitoring
You need:
- Centralized log collection
- Defined retention
- Evidence of review
For manufacturers, the challenge is doing this without disrupting production systems. That requires planning, not just enabling features.
Incident Response
Requirements include:
- A documented plan
- Assigned responsibilities
- Evidence of testing
Auditors will expect to see that your team has practiced response scenarios and understands how to act.
Encryption
Data must be protected in transit and at rest.
The challenge is understanding where sensitive data exists and how it moves through your environment.
Without that visibility, encryption becomes inconsistent.
Least Privilege
Users should only have access to what they need.
In practice, access expands over time unless it is actively managed.
This requires:
- Role-based access controls
- Regular reviews
- Clear documentation of exceptions
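A sketch of what a repeatable access review can look like, covering the drift conditions described under "Access control has drifted", the MFA gaps on privileged and service accounts, and the exception documentation listed above. This is an added example, not part of the original article; the export columns, account names, roster and 90-day review window are all assumed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an account export and an HR roster of active staff.
# Column names and values are hypothetical, not from any specific product.
ACCOUNT_EXPORT = """account,owner,kind,admin,mfa,last_review,exception
jsmith,jsmith,user,no,yes,2024-05-01,
bjones,bjones,user,yes,yes,2023-01-15,
kdavis,kdavis,user,no,yes,2024-04-20,
shopfloor,,shared,no,no,,
labelprint,,shared,no,no,,EX-001
svc-backup,mlee,service,yes,no,2024-05-10,
"""
ACTIVE_STAFF = {"jsmith", "bjones", "mlee"}
MAX_REVIEW_AGE_DAYS = 90  # assumed review interval; set by your own policy


def review_accounts(export_text, active_staff, today):
    """Return (account, finding) pairs for drift and MFA gaps."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["account"]
        admin = row["admin"] == "yes"
        # Former employees retaining access: owner no longer on the roster.
        if row["kind"] == "user" and row["owner"] not in active_staff:
            findings.append((name, "owner not in active roster"))
        # Shared accounts are flagged unless an exception is documented.
        if row["kind"] == "shared" and not row["exception"]:
            findings.append((name, "shared account without documented exception"))
        if admin:
            # Administrative rights need a recent review on record.
            reviewed = row["last_review"]
            age = (today - date.fromisoformat(reviewed)).days if reviewed else None
            if age is None or age > MAX_REVIEW_AGE_DAYS:
                findings.append((name, "admin rights not reviewed in window"))
            # MFA gap on privileged accounts, service accounts included.
            if row["mfa"] != "yes":
                findings.append((name, "privileged account without MFA"))
    return findings


if __name__ == "__main__":
    for account, finding in review_accounts(ACCOUNT_EXPORT, ACTIVE_STAFF, date(2024, 6, 1)):
        print(f"{account}: {finding}")
```

Keeping each run's dated output alongside the export it was produced from gives a record that the review happened and what it found.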
Why This Is Hitting the Carolinas Now
Manufacturing across the Carolinas is growing. New contracts, new systems, and new compliance requirements are coming in quickly.
Security maturity does not always keep pace with that growth.
That creates a gap between:
- Operational demands
- Compliance expectations
CMMC Level 2 is designed to close that gap.
What Actually Works
From what we see, success does not come from adding more tools.
It comes from alignment:
- Clear ownership of controls
- Systems that enforce policies consistently
- Documentation that reflects what is actually happening
This is also where most traditional IT models fall short. They manage tools, but they do not manage outcomes or accountability.
What now?
If you are preparing for CMMC Level 2 in Charlotte or anywhere in the Carolinas, focus on this:
The goal is not to implement 110 controls. The goal is to build an environment that can be explained, validated, and repeated under pressure. When that is in place, the audit becomes straightforward. And if you need help figuring all of this out, reach out to someone who has experience building these environments.