CMMC Level 2
What Is CMMC Level 2?
CMMC Level 2 is a requirement for organizations that want to bid (and win) U.S. Department of Defense (DoD) contracts that include the following types of information:
- Controlled Unclassified Information (CUI)/ Controlled Defense Information (CDI)
CUI is a broad category of information the U.S. government or an entity acting on behalf of the government creates or possesses that needs to be safeguarded against misuse or abuse. The term CDI can be used, interchangeably, by the DoD to describe CUI. - Controlled Technical Information (CTI)
CTI is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. - Export-Controlled Information (ECI)
Export-Controlled Information includes information regulated for national security, foreign policy, anti-terrorism, or non-proliferation reasons. This type of data is governed by International Traffic in Arms Regulations (ITAR), and Export Administration Regulations (EAR).
CMMC Level 2 is also mandatory for contracts that include the DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requirement.
CMMC Level 2 focuses on cyber hygiene and enhanced defense against cyber threats. To achieve certification for CMMC Level 2, an organization must perform and document extensive cybersecurity capabilities.
Compared to CMMC Level 1, which consists of 15 FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) requirements, CMMC Level 2 requires organizations to satisfy all 110 security requirements from NIST SP 800-171 Rev. 2. CMMC Level 2 builds upon the core cybersecurity practices that are established in Level 1 and is designed to bolster the overall security of the organization. As a result, CMMC Level 2 is a considerable step up from CMMC Level 1 in terms of complexity, timeline, and cost.
CMMC Level 2 Processes
CMMC measures the degree to which an organization has institutionalized its cybersecurity practices. CMMC Level 2 maturity processes are categorized as Documented. At CMMC Level 2, organizations are required to put policies in place that reflect CMMC 2.0’s objectives and focus on the practices that are included in its required domains.
Process documentation for CMMC Level 2 policies should include:
- Definition of the scope of the policy (e.g., enterprise-wide, department-wide, information-system specific)
- Description of the roles and responsibilities of the activities covered by the policy (i.e., the responsibility, authority, and ownership of domain activities)
- Guidance for each of the CMMC practice domains
- Ongoing communication from senior management that:
- Articulates expectations for planning and performing the activities
- Communicates those expectations to the broader organization
- Demonstrates that senior management sponsors and oversees the domains’ activities
- Procedures to carry out and meet the intent of the policy, including regulatory guidelines that the policy addresses
- Statement of the purpose of the policy
The objectives of CMMC Level 2 process policies are to:
- Achieve expected cybersecurity outcomes.
- Enable an organization to execute the CMMC practices in a repeatable manner.
- Establish a foundation for continuous improvement.
How Many Requirements are in CMMC Level 2?
CMMC Level 2 includes a total of 110 requirements (also referred to as “controls”). For your convenience, you can find a complete overview of CMMC’s requirements in the CMMC Final Rule documentation from the DoD.
How Can Your Organization Meet CMMC Level 2 Assessment Objectives?
The CMMC Level 2 certification process is conducted by a Certified Third-Party Assessor Organization (C3PAO). Once finalized, an assessment remains valid for three years from assessment certification.
Understanding CMMC Level 2 assessment procedures is critical to meeting the requirements. Assessment procedures consist of an associated set of methods and objects for each assessment objective. C3PAOs evaluate objectives by applying a methodology to each assessment object. In turn, CMMC Level 2 assessment objects identify items within the scope of the objective, including:
- Activities
These are protection-related actions for people who support information systems, such as conducting system backup operations or monitoring network traffic.
- Mechanisms
- These are specific hardware, software, or firmware safeguards used within the organization’s information system.
- Specifications
These are document-based artifacts associated with an information system, such as policies, procedures, plans, and designs.
Assessors will use several assessment methods to evaluate each assessment objective, and they will do the following:
- Examine
Review documents, such as policies, procedures, plans, diagrams, inventory, configurations, rule-sets, and system logs. - Interview
Talk with key individuals to facilitate understanding, achieve clarification, or identify the location(s) of evidence. - Test
Directly work with systems and networks to identify vulnerabilities and measure levels of compliance in areas like configuration/patch management and password policy.
Here’s an outline of the CMMC assessment process:
- The Organization Seeking Certification (OSC) submits documentation to the assessment team.
- Kick-off meeting takes place, to review scope, scheduling, and process.
- Security Assessment Plan is drafted that defines assessment steps and identifies proposed tools and review techniques.
- Rules of Engagement are created to define the proposed steps for the assessment, including outside testing, interview processes, and inspection requirements.
- Security Assessment Plan and Rules of Engagement are approved.
- Assessment is conducted.
- Key personnel are interviewed.
- Processes and security controls are observed in action.
- A security walk-through is conducted.
- Systems are tested with tools that are defined in the Security Assessment Plan.
- Findings are reviewed with the OSC for interpretation and evaluation, in order to remove “false positives” that are externally mitigated.
- Security Assessment Report is drafted.
- Security Assessment Report is reviewed with the OSC for final remediation.
- Certification recommendation is delivered with the Security Assessment Report.
Uplevel Security and Continuously Improve with CMMC Level 2
While CMMC Level 2 is a meticulous undertaking, it remains a mandatory requirement for many organizations that want to maintain their Department of Defense (DoD) books of business. But, CMMC also brings significant cyber-preparedness benefits to organizations that adhere to its requirements- benefits that can extend well beyond their defense-related business lines.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 21st November, 2024