CMMC Level 2 Guide

CMMC Level 2 Compliance

Level 2 is focusing primarily on protecting, storing and transmitting Controlled Unclassified Information (CUI).  If your organization handles both – FCI and CUI – you will have to meet CMMC Level 2 requirements or higher.

This level aims at fleshing out the base security practices established in Level 1 and increasing the overall security of the organization. Level 2 is a considerable step up that impacts both timeline and cost.

Assessment requirements for Level 2 compliance differ based on whether the CUI data handled is considered critical or non-critical to national security. 

• Defense Industrial Base organizations with prioritized acquisitions that handle data critical to national security must pass a higher level third-party assessment, conducted by an authorized CMMC Third-Party Assessment Organizations (C3PAO), every 3 years.
• For non-prioritized acquisitions handling non-critical data to national security, an annual self-assessment is required.

The Department of Defense has stated that roughly 80,000 in the DIB will need to achieve CMMC Level 2 via a C3PAO assessment. 

CMMC Level 2 Controls

Access Control (AC)

At level 2, the AC domain adds ten controls. These are geared toward further isolating key systems and defining authorized session privileges.

• AC.2.005: Communicate security details to users when dealing with CUI
• AC.2.006: Control which storage devices are used and limit portable mediums
• AC.2.007: Give users only the privileges necessary to complete a designated task
• AC.2.008: Use privileged accounts only when necessary
• AC.2.009: Allow only a set number of login attempts for user accounts
• AC.2.010: Lock user sessions when inactive for a certain amount of time
• AC.2.011: Remote connections are validated before they’re allowed
• AC.2.013: Remote connections are monitored in a controlled environment
• AC.2.015: Remote connections are routed to managed nodes
• AC.2.016: CUI is used according to established guidelines

CMMC Level 2 compliance requires strict AC mechanisms to be put in place.

Audit and Accountability (AU)

The AU domain has four additional controls for CMMC Level 2 compliance.

• AU.2.041: Create individual identifiers for each user so activity can be tracked
• AU.2.042: Maintain records of network activity in case of unlawful use or access of material
• AU.2.043: Sync internal clocks with a controlled source for accurate timestamps
• AU.2.044: Continuously monitor and audit logs for common errors

By considering these controls, contractors will have accurate reporting and clear knowledge of their entire system.

Awareness and Training (AT)

There are two additional control practices for meeting the AT domain requirements at Level 2 maturity.

• AT.2.056: All stakeholders know existing risks associated with their roles and understand best practices for dealing with them
• AT.2.057: All stakeholders have received the proper training in IT security practices associated with their position

AT maturity involves training and support so that all individuals can handle their assigned roles for CMMC Level 2 compliance.

Configuration Management (CM)

For those seeking CMMC Level 2 compliance, six control practices have been added to the CM domain.

• CM.2.061: Have a clear picture of existing assets and system configurations throughout the development process
• CM.2.062: Internal systems offer only the needed functionality to users
• CM.2.063: User-level applications and software are tightly controlled
• CM.2.064: Use a strict security policy for essential IT assets
• CM.2.065: Control the approval process for changes made to all internal systems
• CM.2.066: Understand the implications of policy changes before they’re carried out

These controls ensure any changes made can be tracked and managed according to security best practices.

Identification and Authentication (IA)

The IA domain for CMMC Level 2 compliance provides five controls for granting system access to authorized users.

• IA.2.078: Have minimum password requirements and require new passwords to be different than previous ones
• IA.2.079: Restrict passwords from being the same for a set number of changes
• IA.2.080: Allow users to log in with a temporary password before requiring a permanent change
• IA.2.081: Use cryptography to protect passwords during storage or transmission
• IA.2.082: Authentication messages are hidden from users

IA focuses primarily on the strategic use of passwords and policies for changing or updating those passwords.

Incident Response (IR)

IR addresses existing plans or strategies for dealing with potential IT security problems that may arise. There are five controls in IR that are directly concerned with discovering, reporting on, and resolving incidents.

• IR.2.092: Be prepared to respond to incidents with well-defined management capabilities
• IR.2.093: Actively discover issues and do reporting
• IR.2.094: Resolve incidents with real-time monitoring and detection strategies
• IR.2.095: Outline procedures that will be used for specific incidents
• IR.2.097: Assess the underlying cause of incidents and target the real issue

IR is necessary for CMMC Level 2 compliance because it gives contractors a way to respond to incidents before these incidents cause further harm to existing IT infrastructure.

Maintenance (MA)

CMMC Level 2 compliance offers four controls within the MA domain.

• MA.2.111: Perform regular maintenance on systems
• MA.2.112: Maintain control over procedures and processes associated with system maintenance
• MA.2.113: Require multi-factor authentication for remote maintenance sessions and close sessions when complete
• MA.2.114: Maintain physical supervision over individuals who lack the necessary authorization credentials

The MA domain provides steps to secure systems when malfunctions or other unexpected incidents occur.

Media Protection (MP)

For the MP domain, CMMC Level 2 compliance has added three controls associated with protecting and properly disposing of media content.

• MP.2.119: Physical and digital media containing CUI is secured and properly stored
• MP.2.120: Only authorized users have access to media containing CUI
• MP.2.121: Limited use of removable drives on authorized equipment

Good media protection practices allow users to safeguard CUI on all organizational systems.

Personnel Security (PS)

The PS domain for CMMC Level 2 compliance deals with protecting CUI during transitions in employee status. There are two controls associated with PS.

• PS.2.127: Personnel are screened before being given access to CUI
• PS.2.128: Systems are thoroughly assessed when personnel are transferred or fired

These controls ensure that critical CUI won’t be compromised due to changes in HR.

Physical Protection (PE)

Protecting physical infrastructure is the primary purpose of PE. It adds a single control for CMMC Level 2 compliance.

• PE.2.135: All essential facilities are protected and monitored to maintain the integrity of IT systems

This control provides an added layer of protection against potential security breaches.

Recovery (RE)

RE is a key domain for CMMC Level 2 compliance. There are two controls associated with managing backups.

• RE.2.137: Backups are done on a regular basis and tested for validity
• RE.2.138: Backups remain confidential while in storage

Regularly backing up and storing CUI will ensure you maintain operational requirements for contracts with the DoD.

Risk Management (RM)

RM is primarily concerned with mitigating security threats that could cause data to be compromised. RM offers three controls for CMMC Level 2 compliance.

• RM.2.141: Assess dangers posed by ongoing operations associated with CUI
• RM.2.142: Do ongoing scanning for potential vulnerabilities
• RM.2.143: Fix discovered vulnerabilities promptly according to specified rules outlined by the company

Managing security risks quickly is essential for IT directors and security professionals who want to mitigate potential problems down the road.

Security Assessment (CA)

The CA domain is defined by the ability of an organization to develop a cohesive system security plan and related mechanisms. There are three controls that have to be accounted for.

• CA.2.157: Outline security strategies with clear boundaries that define the operational content and associated requirements
• CA.2.158: Regularly evaluate security management capabilities
• CA.2.159: Create a plan of action for finding vulnerabilities and deploying solutions

With the CA controls in place, companies can remedy deficiencies and get their security infrastructure ready for CMMC Level 2 compliance.

System and Communications Protection (SC)   

Adhering to the SC domain allows IT directors and security professionals to clarify their security policies for communication inside and outside the system. SC contains two controls dealing with user devices and sessions.

• SC.2.178: Restrict access to collaborative computing systems so that only those physically present are authorized
• SC.2.179: Protect network devices with encrypted sessions

Control and monitoring of communications across the network are essential for meeting CMMC Level 2 compliance.

System and Information Integrity (SI)

For SI compliance, contractors must be able to find and mitigate potential security flaws while monitoring the network. There are three controls for attaining CMMC Level 2 compliance.

• SI.2.214: Respond to security events and alerts by taking the necessary actions
• SI.2.216: Assess network communications in real-time for ongoing threats or attacks
• SI.2.217: Discover unauthorized users and purge them from the system

Level 2 SI compliance means preventing data theft, spying, and other illegal activities that may pose a threat to CUI.