CybrIQ for government · CMMC 2.0 Level 2
Last reviewed: 2026-05-12. CMMC 2.0 rule, C3PAO program updates, and DFARS clause changes are tracked continuously.
CMMC 2.0 · Level 2 — for defense contractors

CMMC Level 2 assessments are live, and hardware-inventory completeness is where contractors fail the first walkthrough.

The Cybersecurity Maturity Model Certification 2.0 final rule went into effect December 2024. Defense contractors handling Controlled Unclassified Information are being assessed against the 110 NIST SP 800-171 Rev. 2 controls. The recurring early-finding pattern: contractors can produce policy documents and configuration baselines, but cannot produce current evidence that the hardware inventory matches what's actually on the network.

Figure: CMMC 2.0 Level 2 controls map showing eight NIST SP 800-171 r2 controls across three families where CybrIQ supplies inventory-side evidence for the C3PAO assessment.

Configuration Management family:

  • CM.L2-3.4.1, establish and maintain baseline configurations and inventories (primary control, CybrIQ is the direct source): continuous per-device inventory with vendor, model, MAC, port, VLAN, last-seen; signed CSV / JSON export with SHA-256 hash.
  • CM.L2-3.4.2, establish and enforce security configurations: device-class identification feeds baseline definition.
  • CM.L2-3.4.7, restrict and disable nonessential ports: device-to-port mapping; unauthorized-device events trigger NAC quarantine workflow.
  • CM.L2-3.4.8, deny-by-exception whitelisting: authorization-list policy; deviation events for any device not on the list.
  • CM.L2-3.4.6, least functionality: adjacent, inventory enables assessor review.

Identification and Authentication family:

  • IA.L2-3.5.1, identify devices on the network (primary control): Device DNA Layer-1 identification against the 750-million-device library.
  • IA.L2-3.5.2, authenticate or verify device identity: supports NAC policy decision; identification is from physical-layer signal sets that software cannot easily forge.

Access Control family:

  • AC.L2-3.1.18, control connection of mobile devices: identification of mobile / BYOD on production VLANs they are not authorized for.
  • AC.L2-3.1.16, authorize wireless access: adjacent.

Deliverable for the C3PAO: signed CSV / JSON inventory export plus deviation log plus audit trail, the same artifact set the assessor expects under DFARS 252.204-7012 and -7020 obligations.

The two controls hardware completeness lives under

CMMC 2.0 Level 2 inherits the 110 practices of NIST SP 800-171 Rev. 2. Two of them are where device-discovery evidence matters most for first-time assessments:

CM.L2-3.4.1 — Authorized Hardware. Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. The assessment objective requires that hardware currently in the system be reflected in the inventory.

CM.L2-3.4.2 — Baseline Configuration. Establish and enforce security configuration settings for information technology products employed in organizational systems. The control depends on knowing what hardware is in scope; if the inventory is incomplete, the baseline cannot be enforced.

Assessors are not asking for a perfect inventory in the abstract. They are asking for evidence that the inventory matches what is connected to the CUI environment today. The two ways contractors fail this in a first walkthrough are (a) a stale CMDB that doesn't reflect recent moves, adds, and changes, and (b) hardware in the CUI environment that was never inventoried because it was provisioned by a contractor, an integrator, or a building-systems vendor outside the IT acquisition path.

How CybrIQ supports CMMC Level 2 evidence

Switch-derived inventory matched against the contractor's baseline

CybrIQ provides a continuously updated inventory of every device connected to the managed switches in the CUI enclave. Identification comes from switch-side signals matched against a 750-million-device reference library. The output is structured to align with the contractor's existing baseline:

  • Per-device record: identifier, vendor, model class, MAC, switch port, VLAN, last-seen timestamp, confidence score.
  • Deviation alerts when a device appears that is not on the authorized-hardware list (CM.L2-3.4.1 objective).
  • Audit-trail export: every detected device, every change to its state, every authorization-list deviation, exportable for the C3PAO walkthrough.
  • Integration via syslog (RFC 5424) and REST with the contractor's existing SIEM, eMASS, or compliance evidence platform.
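The reconciliation that the two first-walkthrough failure modes and the deviation alerts above come down to, as an added example (not CybrIQ's code or export schema). The column names, the sample rows and the 24-hour freshness window are assumptions made for illustration.

```python
import csv, hashlib, io
from datetime import datetime, timedelta, timezone

# Constructed sample data. Column names are hypothetical, not a vendor schema.
DISCOVERED_CSV = """mac,vendor,model_class,switch_port,vlan,last_seen
00:11:22:33:44:55,ExampleCo,workstation,Gi1/0/1,110,2026-05-12T08:00:00+00:00
00:11:22:33:44:66,ExampleCo,printer,Gi1/0/7,110,2026-05-12T07:55:00+00:00
AA-BB-CC-DD-EE-01,UnknownVendor,ip-camera,Gi1/0/23,110,2026-05-12T07:58:00+00:00
"""
AUTHORIZED_CSV = """mac,asset_tag
00:11:22:33:44:55,WS-0001
00:11:22:33:44:66,PR-0004
00:11:22:33:44:77,WS-0009
"""

def norm_mac(mac):
    """Normalize MAC notation so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load(text):
    """Index CSV rows by normalized MAC address."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(discovered_text, authorized_text, now, max_age=timedelta(hours=24)):
    """Compare the switch-derived inventory with the authorized-hardware list."""
    seen, allowed = load(discovered_text), load(authorized_text)
    # Devices observed within the freshness window count as currently connected.
    fresh = {m for m, r in seen.items()
             if now - datetime.fromisoformat(r["last_seen"]) <= max_age}
    return {
        # Connected but never inventoried (failure mode b).
        "unauthorized": sorted(set(seen) - set(allowed)),
        # Listed but not recently observed: a stale baseline entry (failure mode a).
        "not_observed": sorted(set(allowed) - fresh),
        # Digest of the exact export reviewed, recorded next to the findings.
        "evidence_sha256": hashlib.sha256(discovered_text.encode()).hexdigest(),
    }

if __name__ == "__main__":
    now = datetime(2026, 5, 12, 9, 0, tzinfo=timezone.utc)
    for key, value in reconcile(DISCOVERED_CSV, AUTHORIZED_CSV, now).items():
        print(key, value)
```

Recording the digest alongside the findings ties each deviation to the specific export file that was reviewed.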

CMMC 2.0 controls CybrIQ supports compliance with

  • CM.L2-3.4.1 — Authorized Hardware (NIST 800-171 3.4.1).
  • CM.L2-3.4.2 — Baseline Configuration (NIST 800-171 3.4.2). Input data for the baseline.
  • CM.L2-3.4.3 — Track, Review, Approve/Disapprove, and Audit Changes (NIST 800-171 3.4.3).
  • SI.L2-3.14.6 — Monitor Communications for Attacks (NIST 800-171 3.14.6). Device-level signal contribution.
  • SC.L2-3.13.6 — Network Communications by Exception. Visibility input for deny-by-default.
  • DFARS 252.204-7012 — Safeguarding Covered Defense Information. Evidence layer for the safeguarding requirements.

Deployment posture for C3PAO walkthrough

  • Customer-installed: Contractor-owned hardware. RoomIQ and SpacesIQ are software, not vendor appliances introduced into the CUI enclave.
  • Read-only switch access: SNMP read-only permissions only. No SNMP write. No SPAN, no mirror, no inline tap, no packet inspection.
  • No agents: No endpoint software on CUI-handling systems, lab gear, or OT devices.
  • Air-gap capable: Deploy on-premise, in an authorized cloud, or in a fully disconnected CUI enclave. Reference library updates ship as signed offline packages.

CybrIQ is not a CMMC 2.0 Level 2 substitute. It supplies one of the evidence layers a contractor's System Security Plan (SSP) cites for hardware inventory and authorized-hardware control. The contractor maintains the SSP, the POA&M, and the C3PAO relationship; CybrIQ provides the device-discovery data the controls reference.

Forwardable

Sample audit-trail export (CSV) — the shape an SSP-attached evidence file actually takes. Per-device row format with CM.L2-3.4.1 / CM.L2-3.4.2 references, signed SHA-256 hash. Forward to your SSP author or C3PAO walkthrough lead.


Schedule a CMMC L2 briefing

A 30-minute session: we walk the authorized-hardware control objectives against your CUI enclave, the C3PAO assessment patterns we're seeing, and the gap your SSP cannot currently close.
