Navigating the Road to CMMC Level 2 Compliance: Insights and Tips From an Expert

On November 4, 2021, the U.S. Department of Defense (DoD) unveiled the updated version of its Cybersecurity Maturity Model Certification (CMMC) 2.0. This new version incorporates a tiered system of CMMC certification levels that is designed to assist suppliers in the Defense Industrial Base (DIB) in evaluating and enhancing their cybersecurity posture. It aims to ensure that all DoD contractors are utilizing suitable cybersecurity measures and protocols to safeguard controlled unclassified information (CUI) and federal contract information (FCI).

CMMC Level 2 is a crucial milestone for defense contractors. Under CMMC 2.0 it is the "Advanced" level, the logical progression for organizations stepping up from Level 1, and its 110 practices are aligned one-for-one with the security requirements of NIST SP 800-171. In addition to safeguarding federal contract information (FCI), Level 2 adds protections for controlled unclassified information (CUI), positioning organizations to defend against more severe cyber threats than those addressed at Level 1. The two levels are also assessed differently: Level 1 requires only an annual self-assessment and affirmation, whereas Level 2 assessment depends on the contract. Some Level 2 programs permit an annual self-assessment, while those involving CUI that DoD deems critical to national security require a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO).

CMMC 2.0 Level 2 Compliance: a Primer

But what does CMMC 2.0 Level 2 compliance entail? What are its domains, processes, and practices? And, most importantly, how can your organization attain this compliance?

This tier in CMMC 2.0 marks the shift from the basic cyber hygiene of Level 1 to the advanced safeguards needed for CUI. It requires organizations not only to implement technical controls but to establish and document the policies, standard operating procedures, and plans (such as a system security plan and plans of action) that govern how sensitive information is handled.

CMMC 2.0 Level 2 covers 14 domains, mirroring the 14 requirement families of NIST SP 800-171: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. (The Asset Management, Recovery, and Situational Awareness domains of CMMC 1.0 were dropped in 2.0.) Each domain is broken down into individual practices, together forming a detailed and layered defense strategy.

Achieving CMMC 2.0 Level 2 Compliance

The path to achieving CMMC 2.0 Level 2 compliance begins with understanding the specific requirements of this certification level, including which systems and people fall within the CUI scope. It then moves to performing a gap analysis against NIST SP 800-171 to identify weak areas in your current cybersecurity practices that need improvement. Next, remediation actions should be taken to address these weaknesses and enhance your cybersecurity posture, with the resulting evidence captured as you go. Ideally, work with experienced cybersecurity professionals who can guide your organization through the process.

Preparing for CMMC 2.0 Level 2 Compliance

Preparation is key when aiming for CMMC 2.0 Level 2 compliance. This involves improving cybersecurity training for employees, reinforcing cybersecurity policies, and establishing a proactive cyber threat detection and response capability. Moreover, it is crucial to document all processes and practices, since assessors will expect evidence that each practice is implemented, not just a statement that it is.

In a recent Kitecast episode, Michael Redman, a Senior Associate with Schellman and CMMC trainer and expert, maps out a successful roadmap to CMMC Level 2 compliance that DoD contractors and subcontractors can leverage and reveals insights and tips that can accelerate the certification process.

Is the Defense Industrial Base Taking CMMC Level 2 Compliance Seriously?

How seriously the Defense Industrial Base (DIB) is taking CMMC Level 2 is a multifaceted question. The answer depends largely on the type of participant and their level of engagement. Redman reveals that while most DIB participants are taking CMMC 2.0 very seriously, some are lagging in building a roadmap to certification. This creates potential risks in the DoD supply chain.

Redman notes that large, mid-sized, and small companies alike that serve as contractors or subcontractors for the DoD are taking the necessary steps to become CMMC compliant. Many started even before CMMC was formally codified in federal regulation. Level 1 requires an annual self-assessment only, while Level 2 requires either a self-assessment or, for contracts involving more sensitive CUI, a certification assessment by an authorized C3PAO.

For Level 2 CMMC certification, DoD supply chain participants are approaching the regulation with varied levels of engagement. Some are waiting to see “where the wind blows,” while others are taking their lead from the DoD’s Office of the CIO and the Justice Department, which are actively promoting CMMC.

Sadly, some participants remain in the dark on the importance of CMMC compliance. These participants require the most education, as they have been inundated with a smorgasbord of different opinions and advice, leaving them confused and unmotivated. For those in the DIB feeling overwhelmed, it is important to remember that CMMC is here to stay and is being codified in federal regulation. As such, it is essential to find the right consultants and C3PAOs to guide them in the right direction.

CMMC is a long-term investment that provides numerous benefits to the DIB. From increased ROI to higher security standards and better assessment capabilities, the potential gains are immense. The challenge is to encourage participants to understand the importance of the program and to take the necessary steps, regardless of the size and type of their business, to ensure compliance.

The Challenge of CMMC Self-assessment

The DoD requires its suppliers to implement CMMC. At both Level 1 and Level 2, suppliers must assess the maturity of their cybersecurity practices against the controls specified for that level; the Level 2 self-assessment is scored using the NIST SP 800-171 DoD Assessment Methodology and the score is reported to the Supplier Performance Risk System (SPRS). For Level 2 contracts involving more sensitive CUI, the self-assessment is replaced by a certification assessment conducted by a C3PAO.

The challenge of CMMC self-assessment is twofold. First, there is a disconnect between how companies assess themselves and how the DoD assesses them. Redman cites a DoD finding that although 71% of organizations believed they were compliant with the Level 2 practice requirements, only 29% actually were. Organizations are not accurately measuring their own compliance and are therefore unable to prepare adequately for their CMMC assessment.

The second challenge of CMMC self-assessment is the language of the standards. Many of the controls are written in a way that can be interpreted differently by different readers. With this fuzzy language, an organization's CEO may consider a control "implemented" based on their own definition of the word, when the assessment objectives in NIST SP 800-171A require considerably more. This leads organizations to feel overconfident about their level of compliance when in reality they are not compliant, and to substandard results when the DoD assesses them.

It is essential for organizations to take the self-assessment process seriously and to understand the expectations of the DoD in order to be successful in their CMMC assessment. Organizations need to gain clarity on the definitions of the compliance requirements, and be prepared to demonstrate full compliance in order to pass the DoD assessment. It is only through a thorough understanding of the requirements, and accurate self-assessment, that companies will be able to bridge the disconnect between self-assessment and DoD assessment.

Understanding the Phased Implementation of CMMC 2.0

The DoD recently indicated that it would forgo an interim rule in the implementation of CMMC 2.0 and proceed directly toward a final rule. This is a big deal: once the final rule is issued, which Redman expected as early as June, CMMC 2.0 becomes enforceable.

Though the ramp-up period is expected to take at least eight months, organizations that have not yet attained their CMMC certification will still be subject to the existing requirement to implement NIST SP 800-171 under DFARS 252.204-7012. The DoD can and does conduct assessments of contractors to verify that these requirements are met. Companies should understand that the federal government is not playing around with this: organizations found to have misrepresented their compliance may lose contracts and face False Claims Act liability.

The Role of C3PAOs on the CMMC Certification Process

CMMC is designed to protect federal contract information (FCI) and controlled unclassified information (CUI) from cyberattacks. Its introduction also created the CMMC Third-Party Assessment Organizations (C3PAOs), which are authorized and overseen by the CMMC Accreditation Body (CMMC-AB), now known as The Cyber AB.

C3PAOs are responsible for independently assessing whether DoD contractors and subcontractors meet the requirements of CMMC. They conduct the Level 2 certification assessments, examining evidence and interviewing staff to determine whether each practice is implemented, and report the results, which enable the DoD to determine whether a supplier has the necessary security controls in place.

In doing so, C3PAOs give the DoD assurance that a contractor's information system is secure and that the contractor complies with the CMMC practice requirements. Because CMMC Level 2 mirrors NIST SP 800-171, a C3PAO assessment is in effect independent verification that the contractor's cybersecurity practices adhere to the NIST SP 800-171 requirements.

Consider the Cost of CMMC 2.0 Level 2 Compliance

The cost of obtaining CMMC 2.0 Level 2 compliance can appear daunting, especially for small and medium-sized businesses. This investment should not be viewed as an unnecessary expense, however, but as a crucial step toward securing your organization's data. The cost varies significantly with several factors, including the size of your organization, the complexity of your information systems, the size of the CUI scope, and the current state of your cybersecurity program.

The first major cost component of CMMC 2.0 Level 2 compliance relates to preparation. Initially, organizations might need to spend on cybersecurity assessments to identify current vulnerabilities and gaps in their systems. This process, however, helps to provide a clear roadmap for necessary improvements.

The second substantial cost involves implementing the required security controls and solutions. This includes the purchase, installation, and maintenance of necessary hardware and software. It may also demand onboarding of cybersecurity personnel or outsourcing services from cybersecurity firms.

Lastly, the third considerable cost is the certification assessment itself, which involves engaging an authorized C3PAO to assess and confirm your compliance.

Again, the cost of compliance with CMMC 2.0 Level 2 can differ greatly from one organization to another based on their specific circumstances. Therefore, it is advisable to conduct a thorough cost-benefit analysis before embarking on the journey. Nonetheless, the cost is justified considering the potential adverse impacts of non-compliance, which may include ineligibility for DoD contracts, penalties for misrepresenting compliance, and loss of business due to decreased trust from customers and partners.

In total, though achieving CMMC 2.0 Level 2 compliance presents its financial challenges, it is an essential investment in the future cybersecurity health of your organization. By safeguarding your systems and data from potential threats, you are, in turn, protecting your company’s reputation and sustaining its growth in the long run.

Kiteworks Accelerates CMMC 2.0 Level 2 Compliance

The Kiteworks Private Content Network supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box, more than any other sensitive content communications provider in the industry. One reason for Kiteworks' leadership position when it comes to CMMC is that the Private Content Network has held FedRAMP Authorization at the Moderate impact level for consecutive years. It also holds FIPS 140-2 validated cryptography and complies with other industry standards such as ISO 27001, 27017, 27018, and SOC 2.

And with a hardened virtual appliance enveloping the Kiteworks Private Content Network, file and email communications for public and private sector organizations, whether sent internally or to third parties, are kept private and remain confidential.

To understand how Kiteworks can help your organization accelerate CMMC compliance, schedule a custom demo today.
