CMMC Level 2 applies to Controlled Unclassified Information (CUI) in assets that process, store, or transmit CUI.
The DoD requires DIB contractors to perform a self-assessment or engage a C3PAO for an assessment of 110 security practices.
There are 4 phases to the CMMC Assessment Process (CAP).
Level 2 of CMMC draws guidance from NIST SP 800-171r2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
32 CFR 2002 Part IV defines CUI as:
information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.