A Guide to CMMC Level 2 Compliance Requirements
The Cybersecurity Maturity Model Certification (CMMC) is an incremental yet important milestone for defense contractors to address. CMMC Level 2 focuses on advanced cyber hygiene, creating a logical but necessary progression for organizations to step from Level 1 to Level 3. In addition to safeguarding federal contract information (FCI), Level 2 includes protection of controlled unclassified information (CUI). Compared to Level 1, the additional sets of practices included in Level 2 position DoD suppliers to better defend against more dangerous cyber threats.
CMMC Level 2 also introduces the process maturity element of the model. At CMMC Level 2, an organization is expected to perform and document key cybersecurity functions. Getting a detailed roadmap in place for CMMC Level 2 compliance is critical for any DoD supplier that exchanges CUI within the DoD supply chain.
Who Needs CMMC Level 2 Compliance?
Contractors and subcontractors currently working with, or planning to work with, the Department of Defense must demonstrate compliance. If those businesses process, handle, or manage information critical to national security, they will need CMMC Level 2 compliance. To achieve CMMC Level 2 compliance, contractors are required to undergo an extensive CMMC Level 2 third-party assessment.
There are 110 controls for CMMC Level 2 that come directly from NIST 800-171. CMMC Level 2 certification is necessary for those who want to bid on DoD contracts that handle the following:
- Controlled unclassified information (CUI)
- Controlled technical information (CTI)
- ITAR or export-controlled data
How Do I Know if I Have CUI?
CUI is a term covering a wide variety of sensitive but unclassified data. This may include personally identifiable information (PII), confidential business information, protected health information (PHI), critical infrastructure and cybersecurity information, and law enforcement information protected under Criminal Justice Information Services (CJIS) rules. The CUI designation ensures that data which is not classified is still protected: it must be handled through a defined process, and access must be limited to those who need it. Everyone who handles CUI must be trained and knowledgeable about protecting it from unauthorized access.
CMMC Security Requirements for Email
CMMC Level 2 compliance focuses on establishing intermediate cyber hygiene practices, including email security to protect CUI. An email protection gateway (EPG) is crucial in securing email communications for CUI, making encryption processes transparent to end-users. Implementing an EPG solution helps organizations meet CMMC Level 2 requirements by providing robust email security features like spam filtering, phishing protection, data loss prevention, and secure email encryption. By adhering to these requirements, organizations can protect their sensitive information, reduce cyber threats, and maintain compliance with the evolving cybersecurity landscape.
What Does It Take to Achieve CMMC Level 2 Compliance?
Achieving CMMC Level 2 compliance requires a comprehensive approach to cybersecurity. It encompasses the implementation of policies and procedures, the use of technical controls, and the establishment of a robust education and training program. For policies and procedures, Level 2 requires organizations to have a system security plan, a media protection policy, a contingency plan, incident response, patch management, and account management procedures in place.
On the technical controls side, organizations must have controls in place for authentication, media labeling, system monitoring, system integrity, virus protection, and auditing. Organizations must also have an approved training and education program in place so that personnel with appropriate clearances adequately understand their role in protecting the environment. Achieving Level 2 compliance requires a well-rounded approach to security that balances proactive technical measures with clear processes and procedures and a comprehensive education and training program.
Getting Ready for CMMC Level 2: A Checklist
Preparing for CMMC Level 2 compliance involves systematically enhancing your organization’s cybersecurity posture. This CMMC Level 2 checklist can guide you through the process:
- Familiarize yourself with CMMC Level 2 requirements, including the 72 security practices across 17 domains.
- Conduct a comprehensive gap analysis to identify areas needing improvement.
- Develop a remediation plan to address identified gaps and implement necessary controls.
- Allocate resources, such as budget and personnel, to support your compliance efforts.
- Train your staff on CMMC requirements and cybersecurity best practices.
- Implement policies, procedures, and documentation to support compliance initiatives.
- Regularly review and update your cybersecurity practices to maintain compliance.
- Engage with CMMC consultants or C3PAOs for guidance and assessment support.
- Perform a self-assessment to gauge readiness before the official CMMC assessment.
- Schedule your CMMC assessment with an accredited C3PAO to verify compliance.
CMMC 2.0 Level 2 Compliance Requirements
CMMC requirements at Level 2 include 110 controls grouped under 15 domains:
| Domain | Number of controls |
| --- | --- |
| 1. Access Control (AC) | 22 |
| 2. Audit and Accountability (AU) | 9 |
| 3. Awareness and Training (AT) | 3 |
| 4. Configuration Management (CM) | 9 |
| 5. Identification and Authentication (IA) | 11 |
| 6. Incident Response (IR) | 3 |
| 7. Maintenance (MA) | 6 |
| 8. Media Protection (MP) | 9 |
| 9. Personnel Security (PS) | 2 |
| 10. Physical Protection (PE) | 6 |
| 11. Recovery (RE) | 2 |
| 12. Risk Management (RM) | 3 |
| 13. Security Assessment (CA) | 4 |
| 14. System and Communications Protection (SC) | 16 |
| 15. System and Information Integrity (SI) | 7 |
The controls in each of the 15 domains are as follows:
Access Control
This family of requirements is the largest, containing 22 controls. Under Access Control, organizations must monitor all access events in the IT environment and limit access to systems and data. The requirements include:
- Implementing the least-privilege principle
- Authorizing and protecting wireless access by use of encryption and authentication
- Separating duties of individuals to help prevent irregular activities
- Monitoring and controlling remote access
- Controlling and restricting the use of mobile devices
- Controlling the flow of CUI within an organization and encrypting it on mobile devices
Audit and Accountability
This family consists of nine controls. It requires organizations to retain audit records to use in security investigations and to keep users accountable for their actions. Organizations must collect and analyze audit logs to detect any unauthorized activity and respond promptly. Several steps can help implement these controls:
- Protect audit systems from unauthorized access
- Review and update audited events
- Report on failures in the audit process
- Generate reports that support on-demand analysis and provide compliance evidence
Awareness and Training
This family of controls requires businesses to ensure that managers, system administrators, and other users know the security risks associated with their activities. They must be familiar with the organization’s security policies and basic cybersecurity practices to recognize and respond to insider and outsider threats.
Configuration Management
Under Configuration Management, businesses must establish and maintain baseline configurations, which involves controlling and monitoring user-installed software and any changes made to the organization's systems. The compliance requirements under this domain include:
- Blacklisting unauthorized software
- Documenting all events where access was restricted due to changes to IT systems
- Restricting, disabling, or preventing the use of programs, functions, protocols, and services that are not essential
- Employing the principle of least functionality by configuring systems to provide only essential capabilities
Identification and Authentication
The Identification and Authentication family of requirements ensures that only authenticated users can access the organization's network or systems. It has 11 requirements that cover password and authentication procedures and policies, as well as the reliable identification of users. It also requires that the distinction between privileged and non-privileged accounts be reflected in network access.
Incident Response
In this family, organizations must have an incident response strategy that allows a prompt response to any incident that could result in a data breach. An organization can implement capabilities to detect, analyze, and respond to security incidents, report them to the appropriate officials, and regularly test its incident response plan.
Maintenance
Improper system maintenance may result in the disclosure of CUI and so threatens the confidentiality of the information. Businesses are required to perform regular maintenance while following requirements such as:
- Keeping a close watch on individuals and teams that perform maintenance activities
- Ensuring that media containing diagnostic and test programs are free of malicious code
- Ensuring that equipment removed for off-site maintenance does not contain sensitive data
Media Protection
The Media Protection control family requires you to ensure the security of system media containing CUI, including both paper and digital media.
Personnel Security
This is a small family of controls that requires businesses to monitor user activities and ensure that all systems containing CUI are protected during and after personnel actions, such as employee terminations and transfers.
Physical Protection
Physical Protection includes the protection of hardware, software, networks, and data from damage or loss due to physical events. This domain requires organizations to perform several activities to mitigate the risk of physical damage, such as:
- Controlling physical access devices
- Limiting physical access to systems and equipment to authorized users
- Maintaining audit logs of physical access
Recovery
Under Recovery, organizations are required to regularly perform and test data backups, and to protect the confidentiality of backup CUI at storage locations.
Risk Management
Two requirements cover the performance and analysis of regular risk assessments. Organizations are required to regularly scan systems for vulnerabilities and to keep network devices and software updated and secure. Regularly identifying and remediating vulnerabilities improves the security of the entire system.
Security Assessment
An organization must monitor and assess its security controls to determine whether they are effective enough to keep data secure. Organizations need a plan that describes system boundaries, the relationships between systems, and the procedures for implementing security requirements, and they must update that plan periodically.
System and Communications Protection
This is a rather large family of requirements comprising 16 controls for monitoring, controlling, and protecting information transmitted or received by IT systems. It involves several activities, such as:
- Preventing the unauthorized transfer of information
- Implementing cryptographic mechanisms to prevent any unauthorized disclosure of CUI
- Building sub-networks for publicly accessible system components that are separated from internal networks
- Denying network communications traffic by default
System and Information Integrity
This group of controls requires businesses to quickly identify and correct system flaws and protect critical assets from malicious code. This includes tasks such as:
- Monitoring and promptly acting on security alerts indicating unauthorized use of IT systems
- Performing periodic scans of IT systems and scanning files from external sources when they are downloaded or acted on
- Updating malicious code protection mechanisms as soon as the new versions are available
Cost of CMMC Compliance
The cost of achieving CMMC compliance varies depending on an organization’s size, complexity, and the specific level of certification sought.
For small and medium-sized businesses (SMBs), the cost of compliance can be significant. Initial investments may include implementing security controls, hiring or training staff to manage cybersecurity, and procuring tools to support these efforts. Organizations might also need to allocate resources for maintaining compliance, such as regular security audits, software updates, and employee training.
CMMC Level 1 compliance, which focuses on basic cyber hygiene practices, typically requires a lower investment than higher levels. As organizations aim for CMMC Level 2 or CMMC Level 3, the costs escalate due to the need for more advanced controls, documentation, and continuous monitoring.
Organizations must perform a comprehensive risk assessment and gap analysis to identify the required security measures and estimate the associated costs. Engaging a CMMC Third Party Assessor Organization (C3PAO) or a Registered Provider Organization (RPO) can help guide the organization through the process and ensure a smoother transition toward compliance.
How Should My Organization Prepare for a CMMC Level 2 Assessment?
CMMC Level 2 (Advanced) requires triennial third-party assessments for DoD contractors that send, share, receive, and store critical national security information. These third-party assessments are conducted by a CMMC Third Party Assessor Organization (C3PAO) authorized and certified by the CMMC Accreditation Body (CMMC-AB) to conduct assessments of contractors and subcontractors seeking certification to demonstrate compliance with the CMMC standard.
To ensure that the process is successful, it is important to be adequately prepared. The following steps should be taken to ensure successful preparation:
- Understand the assessment framework and requirements, including standards, criteria, and objectives
- Have relevant documents and evidence of compliance readily accessible and up to date
- Properly plan the assessment by scheduling sufficient time and resources to meet requirements
- Allocate personnel to facilitate the assessment, schedule the assessment in a suitable location, and have the right equipment and materials
- Ensure that all relevant stakeholders are adequately prepared through comprehensive training sessions
Achieving CMMC Level 2 Compliance
Achieving CMMC Level 2 compliance involves implementing intermediate cyber hygiene practices that protect controlled unclassified information (CUI) and federal contract information (FCI). Organizations must meet 72 security practices across 17 domains, building upon the basic cyber hygiene established in Level 1. Key steps include conducting a thorough gap analysis, developing a remediation plan, implementing required security controls, and providing staff training. Engaging with CMMC consultants or Third Party Assessor Organizations (C3PAOs) can help organizations navigate the process, ensure proper implementation, and verify compliance, ultimately bolstering their cybersecurity posture.
Who Is Responsible for Full CMMC Assessments?
CMMC Third Party Assessor Organizations (C3PAOs) are responsible for conducting complete CMMC assessments. These organizations are accredited by the CMMC Accreditation Body (CMMC-AB) and consist of certified assessors who evaluate an organization’s cybersecurity practices and controls against the CMMC framework. C3PAOs impartially verify an organization’s compliance with the required CMMC level, ensuring it meets security standards to safeguard sensitive information and maintain contracts within the Department of Defense (DoD) supply chain.
CMMC 2.0 Self-assessment Criteria & Scoring Systems
CMMC 2.0, an updated version of the original CMMC framework, simplifies compliance by allowing organizations to conduct self-assessments. The criteria evaluate an organization’s adherence to essential cybersecurity practices and controls. Based on the degree of implementation, scoring systems provide a quantitative measure of an organization’s cybersecurity maturity. A higher score signifies a better cybersecurity posture. Leveraging self-assessment templates and tools, organizations can identify areas for improvement, develop a plan to address gaps, and track progress toward achieving the desired level of CMMC 2.0 compliance.
How Does a C3PAO Fit Into CMMC 2.0 Level 2 Compliance?
A C3PAO is critical to achieving CMMC 2.0 Level 2 compliance. C3PAO assessors evaluate an organization’s existing policies, processes, and controls against the CMMC requirements. They review existing security documentation, conduct interviews, and perform on-site inspections of systems and physical security. After assessing the organization’s current level of compliance, the C3PAO provides a report on their findings. This report will be submitted to the CMMC Accreditation Body for review, evaluation, and certification.
Kiteworks Accelerates Time to Achieve CMMC 2.0 Compliance for DoD Suppliers
The Kiteworks Private Content Network is FedRAMP Authorized for Moderate Level Impact. Due to its FedRAMP certification, Kiteworks supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box. Technology providers without FedRAMP Authorized certification are unable to achieve this level of compliance. Kiteworks, as a result, accelerates the time it takes DoD suppliers to achieve CMMC Level 2 compliance. Using a content-defined zero-trust approach, Kiteworks protects sensitive communications of CUI and FCI content across numerous communication channels—including email, file sharing, managed file transfer, web forms, and application programming interfaces (APIs).
Schedule a custom demo to see how the Kiteworks Private Content Network enables DoD contractors and subcontractors to accelerate and simplify their CMMC certification process.