Your Essential Guide to Navigating CMMC 2.0 Level 2

The Cybersecurity Maturity Model Certification (CMMC) represents an evolution in the cybersecurity landscape for DoD contractors. This guide aims to overview CMMC 2.0 Level 2, requirements, an assessment guide, and how DoD contractors and organizations can prepare for certification.

Don’t forget to check out our CMMC Level 1 overview and our Ultimate Guide to CMMC 2.0.

An Introduction to CMMC 2.0

Officially released in November of 2021, CMMC 2.0 is a Department of Defense (DoD) program aimed to grow adoption of cybersecurity best practices throughout the DoD’s entire supply chain. Any organization that is part of the DoD supply chain will become more evolved at proactively identifying, responding, and remedying cyber threats as a result of CMMC.

The CMMC 2.0 model categorizes contractors and suppliers into three levels based on the types of information involved in performing the contracts. 

CMMC 2.0 Level 1 is for any contractor or supplier who receives Federal Contract Information (FCI) and is all about safeguarding FCI.

CMMC 2.0 Level 2, the topic of this post, applies to any contractor or supplier who receives or generates Controlled Unclassified Information (CUI). We’ll cover CUI in more detail below.

Lastly, CMMC 2.0 Level 3 will add a subset of expert requirements from NIST SP 800-172, but is only required for large integrators who receive or generate CUI most critical to national security.

Image credit: Office of the Under Secretary of Defense for Acquisition & Sustainment

In this post, we’ll dive into CMMC 2.0 level 2.

What is Controlled Unclassified Information (CUI)?

Before diving into the nuts and bolts of CMMC Level 2, it’s important to understand what CUI is.

Controlled Unclassified Information (CUI) is a designation that refers to unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies. CUI is information the U.S. government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Under the framework of CMMC 2.0 Level 2, the handling of Controlled Unclassified Information (CUI) is a critical aspect that organizations must navigate with diligence. CUI encompasses a range of sensitive information, which can include Federal Contract Information (FCI) and other unclassified data that still necessitates protection under federal laws, regulations, or executive orders. While not classified at a high security level, CUI requires safeguarding due to its sensitive nature and is not permissible for public release. Notably, CUI does not include information classified under Executive Order No 13526 and the Atomic Energy Act, such as data labeled “classified”, “secret”, or “top-secret”. For organizations dealing with CUI on a limited scale, achieving CMMC compliance might be expedited through the establishment of an "Enclave" – a protected, software-defined perimeter segregated from the main network, purpose-built to handle CUI and similar sensitive data. This approach not only aids in effective CUI management but also circumvents the need for extensive system-wide upgrades.

Understanding CMMC 2.0 Level 2

Compared to CMMC 1.0, CMMC 2.0 Level 2 gives DoD contractors a more streamlined and focused path to certification, aiming to reduce complexities and costs while making it more feasible for organizations to achieve compliance.

CMMC 2.0 Level 2 replaces CMMC’s original Level 3, eliminating 20 requirements, aligning directly with NIST 800-171’s 110 requirements. Along with the drop in requirements, another significant change from CMMC 1.0 Level 3 to CMMC 2.0 Level 2 is assessment flexibility. Organizations handling less sensitive information may be eligible for self-assessments, while others will require third-party assessments.

A Complete List of CMMC 2.0 Level 2 Requirements (Organized by Their Parent Domain)

CMMC 2.0 Level 2 compliance comprises 110 requirements spread across 14 domains.

The 14 CMMC Level 2 domains are:

1. Access Control (AC)
2. Awareness Training (AT)
3. Audit and Accountability (AU)
4. Configuration Management (CM)
5. Identification and Authentication (IA)
6. Incident Response (IR)
7. Maintenance (MA)
8. Media Protection (MP)
9. Personnel Security (PS)
10. Physical Protection (PE)
11. Risk Management (RM)
12. Security Assessment (SA)
13. System and Communications Protection (SCP)
14. System and Information Integrity (SII)
    
    

Below is a list of all 110 requirements of CMMC 2.0 Level 2, organized by their parent domains. These requirements align with the NIST SP 800-171 controls.

Access Control (AC)

The Access Control domain is essential in managing who has access to specific data within the organization. The controls here aim to limit and monitor access to critical information. The 25 Access Control requirements are:

1. Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems).
2. Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3. Control the flow of CUI in accordance with approved authorizations.
4. Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
5. Employ the principle of least privilege, including for specific security functions and privileged accounts.
6. Use non-privileged accounts or roles when accessing nonsecurity functions.
7. Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
8. Limit unsuccessful logon attempts.
9. Provide privacy and security notices consistent with applicable CUI rules.
10. Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
11. Terminate (automatically) a user session after a defined condition.
12. Monitor and control remote access sessions.
13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
14. Route remote access via managed access control points.
15. Authorize remote execution of privileged commands and remote access to security-relevant information.
16. Authorize wireless access prior to allowing such connections.
17. Protect wireless access using authentication and encryption.
18. Control connection of mobile devices.
19. Encrypt CUI on mobile devices.
20. Verify and control/limit connections to and use of external systems.
21. Limit use of organizational portable storage devices on external systems.
22. Control information posted or processed on publicly accessible systems.
23. Enforce a minimum password complexity and change of characters when new passwords are created.
24. Prohibit password reuse for a specified number of generations.
25. Allow temporary password use for system logons with an immediate change to a permanent password.

Awareness and Training (AT)

The Awareness and Training domain aims to ensure employees are aware of potential security risks associated with their activities. The 3 Awareness and Training requirements are:

1. Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
2. Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
3. Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Audit and Accountability (AU)

Audit and Accountability practices include mechanisms to track actions performed on the system and review them for potential security risks. The 9 Audit and Accountability requirements are:

1. Create, protect, and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
2. Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
3. Review and update audited events.
4. Alert in the event of an audit process failure.
5. Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful or unauthorized system activity.
6. Provide audit reduction and report generation to support on-demand analysis and reporting.
7. Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.
8. Protect audit information and audit tools from unauthorized access, modification, and deletion.
9. Limit management of audit functionality to a subset of privileged users.

Configuration Management (CM)

The Configuration Management domain focuses on maintaining the integrity and security of system configurations. The 9 Configuration Management requirements are:

1. Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
2. Establish and enforce security configuration settings for information technology products employed in organizational systems.
3. Track, review, approve or disapprove, and audit changes to organizational systems.
4. Analyze the security impact of changes prior to implementation.
5. Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
6. Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
7. Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
8. Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
9. Control and monitor user-installed software.

Identification and Authentication (IA)

The Identification and Authentication domain ensures the secure verification of user identities. The 11 Identification and Authentication requirements are:

1. Identify system users, processes acting on behalf of users, and devices.
2. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems.
3. Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
4. Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
5. Prevent reuse of identifiers for a defined period.
6. Disable identifiers after a defined period of inactivity.
7. Enforce a minimum password complexity and change of characters when new passwords are created.
8. Prohibit password reuse for a specified number of generations.
9. Allow temporary password use for system logons with an immediate change to a permanent password.
10. Store and transmit only cryptographically-protected passwords.
11. Obscure feedback of authentication information.

Incident Response (IR)

The Incident Response domain is focused on preparing for, detecting, and responding to cybersecurity incidents. The 3 Incident Response requirements are:

1. Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
2. Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
3. Test the organizational incident response capability.

Maintenance (MA)

The Maintenance domain aims to keep all systems in optimal condition. The 6 Maintenance requirements are:

1. Perform maintenance on organizational systems.
2. Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
3. Ensure equipment removed for off-site maintenance is sanitized of any CUI.
4. Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
5. Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
6. Supervise the maintenance activities of maintenance personnel without required access authorization.

Media Protection (MP)

The Media Protection domain aims to ensure the secure storage and access of media containing CUI. The 7 Media Protection requirements are:

1. Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
2. Limit access to CUI on system media to authorized users.
3. Sanitize or destroy system media containing CUI before disposal or release for reuse.
4. Mark media with necessary CUI markings and distribution limitations.
5. Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
6. Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
7. Control the use of removable media on system components.

Personnel Security (PS)

The Personnel Security domain is focused on ensuring that individuals who are provided access to organizational systems containing CUI are properly screened. The 2 Personnel Security requirements are:

1. Screen individuals prior to authorizing access to organizational systems containing CUI.
2. Ensure that CUI and systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Physical Protection (PE)

The Physical Protection domain is focused on securing the physical environment where the organization's information systems are located. The 5 Physical Protection requirements are:

1. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
2. Protect and monitor the physical facility and support infrastructure for organizational systems.
3. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
4. Enforce safeguarding measures for CUI at alternate work sites.
5. Employ security controls to protect the confidentiality of CUI at alternate work sites.

Risk Assessment (RA)

The Risk Assessment domain is focused on identifying and managing potential risks that could harm the organization. The 3 Risk Managements requirements are:

1. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
2. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3. Remediate vulnerabilities in accordance with assessments of risk.

Security Assessment (SA)

The Security Assessment domain is focused on evaluating the effectiveness of the organization's security measures. The 4 Security Assessment requirements are:

1. Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
2. Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
3. Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
4. Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

System and Communications Protection (SCP)

The System and Communications Protection domain is focused on protecting the organization's information systems from external threats. The 16 System and Communications Protection requirements are:

1. Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
2. Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
3. Separate user functionality from system management functionality.
4. Prevent unauthorized and unintended information transfer via shared system resources.
5. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
6. Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
7. Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
8. Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
9. Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
10. Establish and manage cryptographic keys for cryptography employed in organizational systems.
11. Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
12. Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
13. Control and monitor the use of mobile code.
14. Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
15. Protect the authenticity of communications sessions.
16. Protect the confidentiality of CUI at rest.

System and Information Integrity (SII)

The System and Information Integrity domain is focused on ensuring the integrity and accuracy of the organization's information systems. The 7 System and Information Integrity requirements are:

1. Identify, report, and correct system flaws in a timely manner.
2. Provide protection from malicious code at appropriate locations within organizational systems.
3. Monitor system security alerts and advisories and take action in response.
4. Update malicious code protection mechanisms when new releases are available.
5. Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
6. Monitor organizational systems including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
7. Identify unauthorized use of organizational systems.

Steps to CMMC Level 2 Compliance

Understand CMMC Level 2 Requirements

First and foremost, it’s important to familiarize yourself and understand the 110 security requirements we outlined above. For reference, these requirements are aligned with NIST 800-171 controls.

It is also important that you understand where in your organization Controlled Unclassified Information (CUI) is handled.

Conduct Internal CMMC Self Assessment

Once you have a firm grasp on the 110 security requirements, it’s time to perform a thorough self assessment. Your self assessment should ultimately measure your organization’s cyber posture against the CMMC Level 2 requirements. Identify and document gaps and areas where your organization has opportunity to better conform to each requirement.

Remediate Gaps

After identifying the gaps between your current cyber posture and the CMMC Level 2 requirements, you need to prioritize remediation. This involves developing and implementing a strategy to address deficiencies, which could range from simple process tweaks to more complex technological deployments. Continuous monitoring and improvement are key, as the cyber threat landscape is always evolving.

Implement Required CMMC Controls

Following your organization’s self assessment, it’s time to implement any controls, which again, are primarily focused on protecting CUI which we covered earlier. This often includes the deployment of technology, processes, and practices. During implementation, it’s important to ensure that the measures deployed aren’t simply viewed as “add-ons” but rather integrated parts of your organizational processes.

Document Policies and Practices

With CMMC compliance, documentation – specifically, documented policies and practices – is a must. Creating a System Security Plan (SSP) which is documentation outlining your organization’s cybersecurity strategy and how it’s managed will be important. Additionally, a Plan of Action and Milestones (POA&M) will outline and address how your organization manages any gaps identified during your self assessment.

Employee Training and Awareness

When it comes to employee training and awareness, organizations should look at it as an ongoing process, never a one-time event for the sake of certification. As humans are often at the center of cyberattacks, it’s important to ensure all employees receive regular training, updated regularly to reflect the latest in cyberthreats, attacks, and best practices. Reference materials like Zog’s small business cybersecurity guide, updated frequently to include actionable insights.

Select a C3PAO

Selecting a CMMC Third-Party Assessment Organization (C3PAO) is a crucial step in achieving CMMC Level 2 compliance. Select a C3PAO accredited by the CMMC Accreditation Body (CMMC-AB) with expertise in your particular industry. They’ll ultimately evaluate your compliance with CMMC requirements.

Schedule and Undergo Assessment

Now that you have your C3PAO selected, it’s time to schedule your assessment which will involve a thorough evaluation of your organization’s compliance with the 110 security requirements we reviewed earlier. The C3PAO will require access to your facilities, systems, and documentation needed to verify the required controls are in place and operating as they should be. We’ll dive deeper into the assessment process in the following section.

CMMC Level 2 Assessment Process

Pre-Assessment

Before your organization’s formal CMMC Level 2 evaluation begins, your C3PAO will undergo a preliminary review of your SSP and other documentation outlining your organization’s cybersecurity framework. This pre-assessment phase is important because it lays the foundation for the remainder of the certification process and typically begins with a meeting to discuss the scope of the assessment and expectations. This is also an ideal time to address any questions your organization might have about the assessment, before the in-depth assessment begins.

Onsite Assessment

The onsite assessment is crucial as it’s the time in which assessors ensure whether or not your organization has the necessary cybersecurity measures in place to align with CMMC standards. To start, your C3PAO will contract a third-party assessor or assessment firm to review your cybersecurity strategy. The effectiveness of your strategies will be determined by way of employee interviews and real-time observation.

Testing Controls

Next, your C3PAO will test the effectiveness of your security controls in protecting from cyberthreats. Through use of automated scanning tools, a meticulous examination process, simulations, and other methods, the goal of testing is to ensure controls operate as intended.

Reporting

Following your assessment, the assessment team will prepare a detailed report, documenting compliance with each CMMC Level 2 requirement. In addition to documenting compliance, the report will also overview any gaps, highlighting a detailed roadmap for remediation.

Post-Assessment

In the event gaps are identified during assessment, you’ll be required to remedy them immediately. Depending on the severity of the gaps identified, a reassessment may be required. Once all issues are resolved, your C3PAO will submit a final assessment report to the CMMC Accreditation Body (CMMC-AB).

Certification

Assuming the CMMC-AB is satisfied with the final report, at this point you’ll be issued your CMMC Level 2 certification. This is your official recognition of your commitment to cybersecurity and is valid for three years. Throughout the three years, your organization is subject to periodic audits to ensure continued compliance.

Cost of Achieving CMMC Level 2

The cost of CMMC Level 2 compliance and certification varies based on size and complexity of the scope of the assessment. It is estimated for cost to range between $18,058 to $482,874.

CMMC Level 2 FAQs

How does CMMC 2.0 Level 2 address the evolving cyber threats faced by the defense industrial base?

CMMC 2.0 Level 2 has been designed to address the evolving cyber threats that the defense industrial base encounters. By examining the progression from Level 1 to Level 2 in the framework, it becomes evident that there's an emphasis on meticulous handling of information, especially when communicating with external organizations.

Are there any recommended tools, software, or platforms that can assist in achieving and maintaining CMMC 2.0 Level 2 compliance?

While the market offers a plethora of tools, it's paramount to choose those that provide compliance tracking capabilities. At Zog, we give preference to tools that can address multiple compliance frameworks, enabling contractors to handle various audits and compliance requirements efficiently.

How frequently will assessments or audits for CMMC 2.0 Level 2 compliance be required for DoD Contractors?

While assessments or audits for CMMC 2.0 Level 2 compliance are generally expected at least annually, certain components might require more frequent updates or different timelines for review.

What training or certifications are recommended for IT Professionals to understand and implement CMMC 2.0 Level 2 requirements effectively?

IT professionals aiming to comprehend and implement CMMC 2.0 Level 2 requirements should consider obtaining certifications such as CSSIP and Ethical Hacker. It's also beneficial to have skilled documenters who are organized. Several organizations, like Zog, specialize in preparing entities for CMMC 2.0, while other firms are authorized to audit such preparations. It's wise to collaborate with a partner matching your organization's scale and having a C3PAO certification. Proper preparation is critical, and companies should initiate this process 12-18 months in advance to ensure all required elements are in place. Implementing enclaves to segregate federal information is paramount; it ensures comprehensive protection while taking into account the specific limitations of the enclave. Microsoft 365's GCC High, for instance, offers enclave support but can be costly. Achieving a DIB CAC Joint Surveillance voluntary assessment, administered by US personnel, positions a company well for CMMC 2.0 readiness. For those handling a significant amount of CUI and anticipating the need for CMMC 2.0 compliance, it's advisable to begin preparations now, even if audit dates are yet to be announced, due to the increasing demand for audit bookings.

Conclusion

Achieving CMMC Level 2 compliance requires an investment in time, resources, and expertise. Having a clear understanding of CMMC Level 2 requirements and a plan to ensure your organization’s cybersecurity practices align to these requirements, it is not by any means an unattainable certification.

For support on your compliance journey, reach out to Zog’s cybersecurity experts. We’re here to help you achieve compliance!