CMMC Level 2

The newly implemented Cybersecurity Maturity Model Certification (CMMC) framework affects every business seeking contracts with the U.S. Department of Defense (DoD). Companies can no longer self-report their cybersecurity practices. Instead, a certified third-party assessor organization (C3PAO) must conduct an audit to determine a business’s preparedness and confirm that it complies with the guidelines. The CMMC framework is a tiered system of five certification levels. The requirements and processes for each level are cumulative and range from basic to highly advanced cybersecurity maturity requirements and hygiene practices.

What Are the CMMC Level 2 Requirements?

While CMMC Level 1 provides a solid foundation for basic cybersecurity applications, Level 2 focuses on implementing intermediate cyber hygiene practices. Instead of limiting the protection requirements to Federal Contract Information (FCI), Level 2 begins to emphasize safeguarding Controlled Unclassified Information (CUI). Consequently, this step serves as a bridge to Level 3.

Additionally, Level 2 requires organizations to provide more documentation on how they implement CMMC practices and policies. While Level 1 lists a set of mandatory cybersecurity practices, Level 2 goes further by requiring companies to document the processes they use to carry them out.

Level 2 also adds nine domains to the six covered by the preceding level. These are:

  • Configuration Management
  • Maintenance
  • Security Assessment
  • Audit and Accountability
  • Recovery
  • Awareness and Training
  • Risk Management
  • Incident Response
  • Personnel Security

The mandated Level 2 processes include:

Establishing Policies Addressing the Domains

To demonstrate that they have implemented sufficient CMMC Level 2 controls, organizations must create policies that cover all 15 domains. They do not need to write a separate policy for each domain. Instead, they can issue a high-level statement from senior management that documents the requirements for specific activities. They must also communicate their expectations for planning and executing the processes throughout the organization.

Each policy should:

  • State the policy’s purpose
  • Define the policy’s scope
  • Describe the roles and responsibilities for the activities the policy covers
  • Establish a set of procedures to execute the policy and fulfill its intent

Documenting the Implementation of CMMC Level 2 Practices

Level 2 also requires contractors to document the practices used to implement each domain. Each listed practice must show that it meets the intent of the policy and detail the specific activities used to fulfill the requirements.

The documented practices must also be repeatable, so that performing the activities again produces consistent results. Both formal and informal methodologies can satisfy the documentation requirements.

Coalfire Federal Can Help You Protect the Mission

Does your organization need to comply with Level 2 or any of the other CMMC levels? Coalfire Federal offers a suite of comprehensive advisory services that provide a pathway to certification. We’ll conduct a thorough assessment to determine your degree of preparedness and identify opportunities for improvement. We can also offer training that helps you get where you need to be.

Contact us online for more information.