CMMC Level 2 Guide

At level 2, the AC domain adds ten controls. These are geared toward further isolating key systems and defining authorized session privileges.

• AC.2.005: Communicate security details to users when dealing with CUI
• AC.2.006: Control which storage devices are used and limit portable mediums
• AC.2.007: Give users only the privileges necessary to complete a designated task
• AC.2.008: Use privileged accounts only when necessary
• AC.2.009: Allow only a set number of login attempts for user accounts
• AC.2.010: Lock user sessions when inactive for a certain amount of time
• AC.2.011: Remote connections are validated before they’re allowed
• AC.2.013: Remote connections are monitored in a controlled environment
• AC.2.015: Remote connections are routed to managed nodes
• AC.2.016: CUI is used according to established guidelines

CMMC Level 2 compliance requires strict AC mechanisms to be put in place.

The AU domain has four additional controls for CMMC Level 2 compliance.

• AU.2.041: Create individual identifiers for each user so activity can be tracked
• AU.2.042: Maintain records of network activity in case of unlawful use or access of material
• AU.2.043: Sync internal clocks with a controlled source for accurate timestamps
• AU.2.044: Continuously monitor and audit logs for common errors

By considering these controls, contractors will have accurate reporting and clear knowledge of their entire system.

There are two additional control practices for meeting the AT domain requirements at Level 2 maturity.

• AT.2.056: All stakeholders know existing risks associated with their roles and understand best practices for dealing with them
• AT.2.057: All stakeholders have received the proper training in IT security practices associated with their position

AT maturity involves training and support so that all individuals can handle their assigned roles for CMMC Level 2 compliance.

For those seeking CMMC Level 2 compliance, six control practices have been added to the CM domain.

• CM.2.061: Have a clear picture of existing assets and system configurations throughout the development process
• CM.2.062: Internal systems offer only the needed functionality to users
• CM.2.063: User-level applications and software are tightly controlled
• CM.2.064: Use a strict security policy for essential IT assets
• CM.2.065: Control the approval process for changes made to all internal systems
• CM.2.066: Understand the implications of policy changes before they’re carried out

These controls ensure any changes made can be tracked and managed according to security best practices.

The IA domain for CMMC Level 2 compliance provides five controls for granting system access to authorized users.

• IA.2.078: Have minimum password requirements and require new passwords to be different than previous ones
• IA.2.079: Restrict passwords from being the same for a set number of changes
• IA.2.080: Allow users to log in with a temporary password before requiring a permanent change
• IA.2.081: Use cryptography to protect passwords during storage or transmission
• IA.2.082: Authentication messages are hidden from users

IA focuses primarily on the strategic use of passwords and policies for changing or updating those passwords.

IR addresses existing plans or strategies for dealing with potential IT security problems that may arise. There are five controls in IR that are directly concerned with discovering, reporting on, and resolving incidents.

• IR.2.092: Be prepared to respond to incidents with well-defined management capabilities
• IR.2.093: Actively discover issues and do reporting
• IR.2.094: Resolve incidents with real-time monitoring and detection strategies
• IR.2.095: Outline procedures that will be used for specific incidents
• IR.2.097: Assess the underlying cause of incidents and target the real issue

IR is necessary for CMMC Level 2 compliance because it gives contractors a way to respond to incidents before these incidents cause further harm to existing IT infrastructure.

CMMC Level 2 compliance offers four controls within the MA domain.

• MA.2.111: Perform regular maintenance on systems
• MA.2.112: Maintain control over procedures and processes associated with system maintenance
• MA.2.113: Require multi-factor authentication for remote maintenance sessions and close sessions when complete
• MA.2.114: Maintain physical supervision over individuals who lack the necessary authorization credentials

The MA domain provides steps to secure systems when malfunctions or other unexpected incidents occur.

For the MP domain, CMMC Level 2 compliance has added three controls associated with protecting and properly disposing of media content.

• MP.2.119: Physical and digital media containing CUI is secured and properly stored
• MP.2.120: Only authorized users have access to media containing CUI
• MP.2.121: Limited use of removable drives on authorized equipment

Good media protection practices allow users to safeguard CUI on all organizational systems.

The PS domain for CMMC Level 2 compliance deals with protecting CUI during transitions in employee status. There are two controls associated with PS.

• PS.2.127: Personnel are screened before being given access to CUI
• PS.2.128: Systems are thoroughly assessed when personnel are transferred or fired

These controls ensure that critical CUI won’t be compromised due to changes in HR.

Protecting physical infrastructure is the primary purpose of PE. It adds a single control for CMMC Level 2 compliance.

• PE.2.135: All essential facilities are protected and monitored to maintain the integrity of IT systems

This control provides an added layer of protection against potential security breaches.

RE is a key domain for CMMC Level 2 compliance. There are two controls associated with managing backups.

• RE.2.137: Backups are done on a regular basis and tested for validity
• RE.2.138: Backups remain confidential while in storage

Regularly backing up and storing CUI will ensure you maintain operational requirements for contracts with the DoD.

RM is primarily concerned with mitigating security threats that could cause data to be compromised. RM offers three controls for CMMC Level 2 compliance.

• RM.2.141: Assess dangers posed by ongoing operations associated with CUI
• RM.2.142: Do ongoing scanning for potential vulnerabilities
• RM.2.143: Fix discovered vulnerabilities promptly according to specified rules outlined by the company

Managing security risks quickly is essential for IT directors and security professionals who want to mitigate potential problems down the road.

The CA domain is defined by the ability of an organization to develop a cohesive system security plan and related mechanisms. There are three controls that have to be accounted for.

• CA.2.157: Outline security strategies with clear boundaries that define the operational content and associated requirements
• CA.2.158: Regularly evaluate security management capabilities
• CA.2.159: Create a plan of action for finding vulnerabilities and deploying solutions

With the CA controls in place, companies can remedy deficiencies and get their security infrastructure ready for CMMC Level 2 compliance.

Adhering to the SC domain allows IT directors and security professionals to clarify their security policies for communication inside and outside the system. SC contains two controls dealing with user devices and sessions.

• SC.2.178: Restrict access to collaborative computing systems so that only those physically present are authorized
• SC.2.179: Protect network devices with encrypted sessions

Control and monitoring of communications across the network are essential for meeting CMMC Level 2 compliance.

For SI compliance, contractors must be able to find and mitigate potential security flaws while monitoring the network. There are three controls for attaining CMMC Level 2 compliance.

• SI.2.214: Respond to security events and alerts by taking the necessary actions
• SI.2.216: Assess network communications in real-time for ongoing threats or attacks
• SI.2.217: Discover unauthorized users and purge them from the system

Level 2 SI compliance means preventing data theft, spying, and other illegal activities that may pose a threat to CUI.

A CMMC Level 2 assessment is conducted by an accredited C3PAO to certify that a DoD contractor or subcontractor in possession of Controlled Unclassified Information (CUI) is compliant with the mandated security standard established in the CMMC regulation. Currently, the CMMC Level 2 standard is based on NIST 800-171r2. Contractors are also required to flow down those requirements to any subcontractors that will process or manage CUI.

CMMC Level 2 consists of the 110 security controls specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which pertains to protecting Controlled Unclassified Information (CUI). Contractors must demonstrate compliance with both Level 1 and Level 2 practices to achieve CMMC Level 2 certification.

Contractors requiring CMMC Level 2 certification must have a CMMC Level 2 assessment conducted by an Authorized CMMC Third-Party Assessment Organization (C3PAO).

Before conducting a CMMC assessment, the contractor must specify the CMMC Assessment Scope, which informs which assets within the contractor’s environment will be assessed and the details of the assessment. Assets are categorized into five groups: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. Each category must be carefully considered as described in the CMMC Scoping Guide.

In a CMMC Level 2 assessment, the findings can be categorized as “MET,” “NOT MET,” or “NOT APPLICABLE (N/A)” for each practice. To achieve a specific CMMC level, the contractor needs a “MET” or “N/A” finding on all CMMC practices required for that level as well as for all lower levels.

The assessment methods as defined in the CMMC Assessment Guide include examine, interview, and test. These methods involve reviewing access control policies, procedures, system security plans, conducting interviews with personnel responsible for access enforcement and asking key personnel to demonstrate controls.

Detailed information on each CMMC Level 2 practice, including assessment objectives, methods, objects, discussions, and further explanations, can be found in the CMMC Assessment Guide – Level 2, which is organized by domain, level, and practices. It provides comprehensive guidance for assessing each practice.

Yes, all CMMC levels, including Level 2, are achievable by contractors of various sizes. The CMMC assessment methodology is designed to apply the practices equally, regardless of the contractor’s size, constraints, or complexity.

Organizations can improve compliance by establishing clear policies and procedures, conducting regular assessments, implementing secure technologies, and providing training to their personnel. Continuous monitoring and adjustment of security measures are also key to compliance.

References for CMMC Level 2 assessment include the FAR Clause 52.204-21 (for Level 1) and NIST SP 800-171 Rev 2. These documents provide additional information and requirements related to CMMC assessment practices. The DoD provides comprehensive documentation on CMMC Assessment requirements.