CMMC 2.0 will require contractors at Level 2 (its middle grade) to meet 110 security practices to handle Controlled Unclassified Information, but the GAO reports that Defense Department’s own CUI systems were compliant with only 78 percent of these requirements. The Marine Corps and Navy performed marginally better, with the Army, Air Force, Defense Health Agency, and others doing marginally worse.
Source:
