
CMMC Level 2 Guide

September 03, 2024

CMMC consists of three (3) levels ranging from Foundational to Expert. These levels measure an organization’s degree of cyber maturity via an established set of processes, practices and focus areas.

Level 2 (Advanced) is for companies working with CUI. The requirements mirror NIST SP 800-171, and align with the 14 domains and 110 security controls developed to protect CUI.


CMMC Level 2 Compliance

Level 2 focuses primarily on protecting Controlled Unclassified Information (CUI) wherever it is processed, stored or transmitted. If your organization handles both FCI and CUI, you will have to meet CMMC Level 2 requirements or higher.

This level aims at fleshing out the base security practices established in Level 1 and increasing the overall security of the organization. Level 2 is a considerable step up that impacts both timeline and cost.

Assessment requirements for Level 2 differ based on whether the CUI handled is considered critical to national security.

  • Defense Industrial Base organizations with prioritized acquisitions that handle information critical to national security must pass a third-party assessment, conducted by an authorized CMMC Third-Party Assessment Organization (C3PAO), every 3 years.
  • For non-prioritized acquisitions handling information that is not critical to national security, an annual self-assessment is required.

The Department of Defense has stated that roughly 80,000 organizations in the DIB will need to achieve CMMC Level 2 via a C3PAO assessment.

CMMC Level 2 Requirements

Level 2 requires organizations to implement all 110 security requirements of NIST SP 800-171. Within CMMC 2.0, Level 2 is the necessary step between Level 1 and Level 3: in addition to safeguarding Federal Contract Information (FCI), it extends protection to Controlled Unclassified Information (CUI).

Based on Existing Regulations

Based on the 110 controls found in NIST 800-171.

Controlled Unclassified Information (CUI)

Required for any contractor that handles CUI, including Controlled Technical Information (CTI) and ITAR-controlled technical data.

Official Assessment

In most cases, requires a third-party assessment by an authorized C3PAO.

CMMC Level 2 Controls

The practice identifiers used in this section (AC.2.005, AU.2.041 and so on) are the CMMC 1.0 numbering for the practices that model added at Level 2; under CMMC 2.0, each Level 2 practice is identified by its NIST SP 800-171 requirement number (for example AC.L2-3.1.1), the CMMC-unique practices and the Recovery (RE) domain were dropped, and the full Level 2 set is all 110 NIST SP 800-171 requirements. The practices listed here remain a useful summary of what the domains cover.

At Level 2, the AC domain adds ten practices. These are geared toward further isolating key systems and defining authorized session privileges.

  • AC.2.005: Communicate security details to users when dealing with CUI
  • AC.2.006: Control which storage devices are used and limit portable mediums
  • AC.2.007: Give users only the privileges necessary to complete a designated task
  • AC.2.008: Use privileged accounts only when necessary
  • AC.2.009: Allow only a set number of login attempts for user accounts
  • AC.2.010: Lock user sessions when inactive for a certain amount of time
  • AC.2.011: Wireless connections are authorized before they’re allowed
  • AC.2.013: Remote connections are monitored in a controlled environment
  • AC.2.015: Remote connections are routed to managed nodes
  • AC.2.016: CUI is used according to established guidelines

CMMC Level 2 compliance requires strict AC mechanisms to be put in place.

The AU domain has four additional controls for CMMC Level 2 compliance.

  • AU.2.041: Create individual identifiers for each user so activity can be tracked
  • AU.2.042: Maintain records of network activity in case of unlawful use or access of material
  • AU.2.043: Sync internal clocks with a controlled source for accurate timestamps
  • AU.2.044: Review audit logs on a regular basis

By considering these controls, contractors will have accurate reporting and clear knowledge of their entire system.

There are two additional control practices for meeting the AT domain requirements at Level 2 maturity.

  • AT.2.056: All stakeholders know existing risks associated with their roles and understand best practices for dealing with them
  • AT.2.057: All stakeholders have received the proper training in IT security practices associated with their position

AT maturity involves training and support so that all individuals can handle their assigned roles for CMMC Level 2 compliance.

For those seeking CMMC Level 2 compliance, six control practices have been added to the CM domain.

  • CM.2.061: Have a clear picture of existing assets and system configurations throughout the development process
  • CM.2.062: Internal systems offer only the needed functionality to users
  • CM.2.063: User-level applications and software are tightly controlled
  • CM.2.064: Use a strict security policy for essential IT assets
  • CM.2.065: Control the approval process for changes made to all internal systems
  • CM.2.066: Analyze the security impact of changes before they’re carried out

These controls ensure any changes made can be tracked and managed according to security best practices.

The IA domain for CMMC Level 2 compliance provides five controls for granting system access to authorized users.

  • IA.2.078: Have minimum password requirements and require new passwords to be different than previous ones
  • IA.2.079: Restrict passwords from being the same for a set number of changes
  • IA.2.080: Allow users to log in with a temporary password before requiring a permanent change
  • IA.2.081: Use cryptography to protect passwords during storage or transmission
  • IA.2.082: Authentication messages are hidden from users

IA focuses primarily on the strategic use of passwords and policies for changing or updating those passwords.
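The five IA practices above describe a password policy without showing how one is enforced. The following is an added example, not code from the original page or from any CMMC publication: an in-memory password store that applies minimum complexity and a "change of characters" rule (IA.2.078), prohibits reuse across a configurable number of generations (IA.2.079), issues temporary passwords that can only be used to set a permanent one (IA.2.080), stores nothing but a salted scrypt digest (IA.2.081) and returns the same generic result for an unknown user and a wrong password (IA.2.082). The thresholds (14 characters, 4 changed characters, 24 generations) and the scrypt parameters are assumptions for illustration, not DoD-published values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Policy values are assumptions for this example, not DoD-published thresholds.
MIN_LENGTH = 14           # IA.2.078 minimum length
MIN_CHANGED_CHARS = 4     # IA.2.078 "change of characters" between old and new
HISTORY_GENERATIONS = 24  # IA.2.079 reuse prohibited for this many generations
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # memory-hard KDF, 16 MiB


def _digest(password, salt):
    # Only this salted, memory-hard digest is ever stored (IA.2.081).
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)  # (salt, digest) of prior passwords
    must_change: bool = False                    # True while a temporary password is active


# Used to hash against when the user does not exist, so timing does not reveal
# whether an account name is valid (supports IA.2.082).
_DUMMY = Account(b"\x00" * 16, _digest("no-such-user", b"\x00" * 16))


def complexity_ok(password):
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def changed_chars(old, new):
    # Position-wise differences plus any length change.
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


class PasswordStore:
    def __init__(self):
        self._accounts = {}

    def _verify(self, acct, password):
        return hmac.compare_digest(_digest(password, acct.salt), acct.digest)

    def issue_temporary(self, user):
        # IA.2.080: temporary password that may only be used to set a permanent one.
        temp = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._accounts[user] = Account(salt, _digest(temp, salt), must_change=True)
        return temp

    def authenticate(self, user, password):
        # IA.2.082: one generic result for unknown user and wrong password alike.
        acct = self._accounts.get(user)
        if not (self._verify(acct or _DUMMY, password) and acct is not None):
            return "denied"
        return "must_change" if acct.must_change else "ok"

    def change_password(self, user, old, new):
        acct = self._accounts.get(user)
        if not (self._verify(acct or _DUMMY, old) and acct is not None):
            return "denied"
        if not complexity_ok(new):
            return "rejected: complexity"
        if changed_chars(old, new) < MIN_CHANGED_CHARS:
            return "rejected: too similar"
        # IA.2.079: re-hash the candidate under each stored salt and compare.
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            if hmac.compare_digest(_digest(new, salt), digest):
                return "rejected: reused"
        acct.history.insert(0, (acct.salt, acct.digest))
        del acct.history[HISTORY_GENERATIONS - 1:]   # current + prior = N generations
        acct.salt = secrets.token_bytes(16)
        acct.digest = _digest(new, acct.salt)
        acct.must_change = False
        return "ok"
```

The reuse check works without ever keeping old plaintext: the candidate password is re-hashed under each retained salt and compared against the retained digest, which is also why history entries carry their own salt.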

IR addresses existing plans or strategies for dealing with potential IT security problems that may arise. There are five controls in IR that are directly concerned with discovering, reporting on, and resolving incidents.

  • IR.2.092: Be prepared to respond to incidents with well-defined management capabilities
  • IR.2.093: Detect and report security events
  • IR.2.094: Analyze and triage events to support resolution and incident declaration
  • IR.2.095: Outline procedures that will be used for specific incidents
  • IR.2.097: Assess the underlying cause of incidents and target the real issue

IR is necessary for CMMC Level 2 compliance because it gives contractors a way to respond to incidents before these incidents cause further harm to existing IT infrastructure.

CMMC Level 2 compliance offers four controls within the MA domain.

  • MA.2.111: Perform regular maintenance on systems
  • MA.2.112: Maintain control over procedures and processes associated with system maintenance
  • MA.2.113: Require multi-factor authentication for remote maintenance sessions and close sessions when complete
  • MA.2.114: Maintain physical supervision over individuals who lack the necessary authorization credentials

The MA domain provides steps to secure systems when malfunctions or other unexpected incidents occur.

For the MP domain, CMMC Level 2 compliance has added three controls associated with protecting and properly disposing of media content.

  • MP.2.119: Physical and digital media containing CUI is secured and properly stored
  • MP.2.120: Only authorized users have access to media containing CUI
  • MP.2.121: Limited use of removable drives on authorized equipment

Good media protection practices allow users to safeguard CUI on all organizational systems.

The PS domain for CMMC Level 2 compliance deals with protecting CUI during transitions in employee status. There are two controls associated with PS.

  • PS.2.127: Personnel are screened before being given access to CUI
  • PS.2.128: Systems containing CUI are protected during and after personnel actions such as transfers and terminations

These controls ensure that critical CUI won’t be compromised due to changes in HR.

Protecting physical infrastructure is the primary purpose of PE. It adds a single control for CMMC Level 2 compliance.

  • PE.2.135: All essential facilities are protected and monitored to maintain the integrity of IT systems

This control provides an added layer of protection against potential security breaches.

RE is a key domain for CMMC Level 2 compliance. There are two controls associated with managing backups.

  • RE.2.137: Backups are done on a regular basis and tested for validity
  • RE.2.138: Backups remain confidential while in storage

Regularly backing up and storing CUI will ensure you maintain operational requirements for contracts with the DoD.

RM is primarily concerned with mitigating security threats that could cause data to be compromised. RM offers three controls for CMMC Level 2 compliance.

  • RM.2.141: Assess dangers posed by ongoing operations associated with CUI
  • RM.2.142: Do ongoing scanning for potential vulnerabilities
  • RM.2.143: Remediate discovered vulnerabilities in accordance with the organization’s risk assessments

Managing security risks quickly is essential for IT directors and security professionals who want to mitigate potential problems down the road.

The CA domain is defined by the ability of an organization to develop a cohesive system security plan and related mechanisms. There are three controls that have to be accounted for.

  • CA.2.157: Outline security strategies with clear boundaries that define the operational content and associated requirements
  • CA.2.158: Regularly evaluate security management capabilities
  • CA.2.159: Create a plan of action for finding vulnerabilities and deploying solutions

With the CA controls in place, companies can remedy deficiencies and get their security infrastructure ready for CMMC Level 2 compliance.

Adhering to the SC domain allows IT directors and security professionals to clarify their security policies for communication inside and outside the system. SC contains two controls dealing with user devices and sessions.

  • SC.2.178: Prohibit remote activation of collaborative computing devices (cameras, microphones) and indicate to users present when such a device is in use
  • SC.2.179: Protect network devices with encrypted sessions

Control and monitoring of communications across the network are essential for meeting CMMC Level 2 compliance.

For SI compliance, contractors must be able to find and mitigate potential security flaws while monitoring the network. There are three controls for attaining CMMC Level 2 compliance.

  • SI.2.214: Respond to security events and alerts by taking the necessary actions
  • SI.2.216: Assess network communications in real-time for ongoing threats or attacks
  • SI.2.217: Identify unauthorized use of organizational systems

Level 2 SI compliance means preventing data theft, spying, and other illegal activities that may pose a threat to CUI.

CMMC Level 2 Checklist

  • Step 1 – Document where CUI lives in your environment.
  • Step 2 – Identify and document CUI Assets, Security Protection Assets (SPA), Contractor Risk Managed Assets (CRMA), Specialized Assets (SA) and Out-of-Scope Assets.
  • Step 3 – Use an understanding of CUI dataflows and assets to consider ways to reduce the footprint.
  • Step 4 – Identify tools/methods and stakeholders necessary to track and manage compliance with controls.
  • Step 5 – Review contracts and agreements with 3rd party vendors to ensure their control environments are compliant.
  • Step 6 – Ensure an internal stakeholder has the authority to manage the cultural change.
  • Step 7 – Quickly check compliance for each of the 110 controls and 320 assessment objectives against your identified CUI boundary.
  • Step 8 – Create plans of actions and milestones (POAMs) for anything not compliant.
  • Step 9 – Assign authoritative stakeholders to remediate the easiest gaps with timelines.
  • Step 10 – Develop timelines and budgets for addressing more complex gaps such as replacing non-compliant 3rd party vendors.

CMMC Level 2 FAQs

A CMMC Level 2 assessment is conducted by an accredited C3PAO to certify that a DoD contractor or subcontractor in possession of Controlled Unclassified Information (CUI) is compliant with the mandated security standard established in the CMMC regulation. Currently, the CMMC Level 2 standard is based on NIST 800-171r2. Contractors are also required to flow down those requirements to any subcontractors that will process or manage CUI.

CMMC Level 2 consists of the 110 security controls specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which pertains to protecting Controlled Unclassified Information (CUI). Contractors must demonstrate compliance with both Level 1 and Level 2 practices to achieve CMMC Level 2 certification.

Contractors requiring CMMC Level 2 certification must have a CMMC Level 2 assessment conducted by an Authorized CMMC Third-Party Assessment Organization (C3PAO).

Before conducting a CMMC assessment, the contractor must specify the CMMC Assessment Scope, which informs which assets within the contractor’s environment will be assessed and the details of the assessment. Assets are categorized into five groups: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. Each category must be carefully considered as described in the CMMC Scoping Guide.

In a CMMC Level 2 assessment, the findings can be categorized as “MET,” “NOT MET,” or “NOT APPLICABLE (N/A)” for each practice. To achieve a specific CMMC level, the contractor needs a “MET” or “N/A” finding on all CMMC practices required for that level as well as for all lower levels.

The assessment methods defined in the CMMC Assessment Guide are examine, interview, and test. In practice this means reviewing policies, procedures, system security plans and configuration records (examine), interviewing the personnel responsible for a practice (interview), and having key personnel demonstrate that a control operates as documented (test).

Detailed information on each CMMC Level 2 practice, including assessment objectives, methods, objects, discussions, and further explanations, can be found in the CMMC Assessment Guide – Level 2, which is organized by domain, level, and practices. It provides comprehensive guidance for assessing each practice.

Yes, all CMMC levels, including Level 2, are achievable by contractors of various sizes. The CMMC assessment methodology is designed to apply the practices equally, regardless of the contractor’s size, constraints, or complexity.

Organizations can improve compliance by establishing clear policies and procedures, conducting regular assessments, implementing secure technologies, and providing training to their personnel. Continuous monitoring and adjustment of security measures are also key to compliance.

References for CMMC Level 2 assessment include the FAR Clause 52.204-21 (for Level 1) and NIST SP 800-171 Rev 2. These documents provide additional information and requirements related to CMMC assessment practices. The DoD provides comprehensive documentation on CMMC Assessment requirements.
