CMMC LEVEL 2: AN EXPERT GUIDE TO LEVEL 2 REQUIREMENTS
EXECUTIVE BRIEF
Do you need to achieve CMMC Level 2 compliance?
This guide provides a high-level overview of CMMC Level 2 requirements and helps you determine if it applies to your organization.
- Focuses on Contractors Handling CUI: Level 2 applies to defense contractors who handle Controlled Unclassified Information (CUI).
- Securing the Defense Supply Chain: If your prime contractor holds a CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) certification and you will handle CUI under that contract, you will need to be certified at Level 2 (C3PAO) at a minimum.
- Meets All NIST SP 800-171 Requirements: Requires implementation of all 110 security requirements of NIST SP 800-171 Rev 2, assessed against the 320 assessment objectives in NIST SP 800-171A.
Dig deeper and continue reading below.
If you’re a defense contractor gearing up for compliance with the Department of Defense's (DoD) latest Cybersecurity Maturity Model Certification (CMMC), we’re here to help you crack the code. Among the three levels of CMMC 2.0, Level 2 stands out as a critical milestone for most DoD contractors, and understanding its nuances is essential for maintaining competitive advantage.
What Is CMMC Level 2?
CMMC Level 2 focuses on contractors who handle or have to demonstrate the ability to handle Controlled Unclassified Information (CUI). It is expected to apply to roughly 80,000 contractors within the defense supply chain.
Level 2 has two assessment types: Level 2 (Self-Assessment) and Level 2 (C3PAO), the latter assessed by a CMMC Third-Party Assessment Organization. Both require the contractor to meet all 110 requirements of NIST SP 800-171 Rev 2 and the 320 assessment objectives of NIST SP 800-171A. The critical difference between the two is the method of verification: Level 2 (C3PAO) requires an accredited third-party assessor to verify your organization's compliance posture, whereas Level 2 (Self-Assessment) is performed and attested to by the organization itself.
The Difference Between CMMC Level 1 and Level 2
There are three critical differences between CMMC 2.0 Level 1 and Level 2.
CMMC Level 1 | CMMC Level 2
Adherence to the 15 basic safeguarding requirements of FAR 52.204-21 (a subset of NIST SP 800-171) | Adherence to all 110 requirements of NIST SP 800-171 Rev 2, assessed against NIST SP 800-171A
Annual self-assessment with an annual affirmation. | Triennial assessment (Self or C3PAO*) with an annual affirmation.
POA&M** is not permitted. | POA&M** is permitted for conditional certification; the open items must then be closed out in an additional POA&M closeout assessment before final certification.
* If your prime contractor is Level 2 (C3PAO) or Level 3 (DIBCAC) certified and you will handle CUI under that contract, you will need to be Level 2 (C3PAO) certified.
** Plan of Action & Milestones document.
How to Know If You Need to Achieve Level 2 Compliance
During the phased rollout of CMMC, each solicitation will state which CMMC level is required to be awarded the contract. If you want to get ahead of the phased rollout and position your business as an early adopter of CMMC, the three best indicators that you will need Level 2 are:
- Does your organization process, store, or handle CUI?
- Do your current contracts contain a DFARS 7012 clause?
- Will your prime contractors be CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) certified?
If you answer yes to any of these questions, you will likely need to become CMMC Level 2 certified to win new contracts and continue working on current contracts.
What Is CUI?
CUI is information the Government creates or possesses, or that an entity creates or possesses on the Government's behalf, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Documents considered CUI should carry distinct CUI markings. The designating agency determines what qualifies as CUI and is responsible for marking it.
CMMC Level 2 Security Requirements
Level 2 encompasses a comprehensive suite of 110 security requirements grouped into the 14 families of NIST SP 800-171 Rev 2, each vital for a robust cybersecurity posture. These requirements span areas such as:
- Access Control: Limiting information access to authorized users, processes, or devices.
- Incident Response: Establishing protocols for detecting and responding to cybersecurity events.
- Media Protection: Ensuring secure handling, marking, and sanitization or disposal of media containing CUI.
The table below outlines these controls and provides clarity, enabling contractors to focus on specific areas of improvement.
CMMC Level 2 and NIST SP 800-171
All three maturity levels of CMMC 2.0 are tied to NIST SP 800-171. Level 2 in particular standardizes defense contractors' adherence to all 110 requirements of NIST SP 800-171 Rev 2. To be certified at Level 2 (Self-Assessment) or Level 2 (C3PAO), contractors must demonstrate that every requirement, and each of the 320 assessment objectives in NIST SP 800-171A, is met.
The 32 CFR final rule allows a conditional certification if the contractor:
- Fully implements every requirement that the rule does not permit on a POA&M (see "Create Your POA&M" below)
- Achieves a score of at least 88 out of 110 (80%) under the CMMC scoring methodology, in which each unmet requirement deducts 1, 3, or 5 points from 110, and leaves no requirement worth more than one point open on the POA&M (the rule makes one exception for SC.L2-3.13.11, CUI Encryption)
- Records every remaining gap, with a remediation plan and milestones, in a POA&M document
Conditional certification is a temporary status. Upon receiving it, your organization has 180 days to remediate every requirement and objective listed on your POA&M and pass a POA&M closeout assessment; if the closeout is not completed in time, the conditional certification lapses.
Challenges to Achieving CMMC Level 2
Achieving CMMC Level 2 compliance entails addressing complex challenges that demand strategic planning and resource allocation. Below, we delve deeper into organizations' primary hurdles in this rigorous process, emphasizing the need for a comprehensive and systematic approach.
The Complexity of CMMC Level 2’s Security Control Requirements
CMMC Level 2 introduces a robust framework of 110 security controls distributed across 14 categories. This breadth of requirements necessitates meticulous understanding and implementation, which can prove daunting for many organizations. You must interpret each control accurately and apply each consistently, ensuring compatibility with existing infrastructure and processes. The precise nature of these controls requires organizations to install and continuously manage a wide range of cybersecurity measures, a task often complicated by the ongoing evolution of cybersecurity threats and regulatory standards.
Developing and Maintaining Documentation
Organizations must establish comprehensive documentation that clearly describes how each security requirement is implemented and how residual risk is managed. This includes detailed policies, procedures, audit logs, and a system security plan that accurately reflect operational practice. Maintaining this documentation is resource-intensive and requires ongoing updates and controlled storage to keep pace with changing requirements and assessments. Thorough documentation does more than satisfy certification demands: it lets organizations identify gaps and address them systematically.
Ongoing Monitoring and Maintenance
Organizations must implement continuous monitoring capable of detecting, recording, and responding to threats in near real time. Ongoing maintenance includes regular security audits, vulnerability assessments, and keeping backups and security procedures current and tested, all of which are vital to safeguarding CUI. The demand for continual oversight can strain operational resources, requiring dedicated staff and suitable tooling to maintain a robust security posture efficiently.
Resource Constraints
Balancing CMMC Level 2 demands with existing operational responsibilities can be challenging for many organizations, especially smaller ones. Personnel may need additional training to effectively manage and execute compliance requirements, diverting valuable time from their regular duties. While financial constraints are a concern, it is often the human resource aspect—ensuring that skilled personnel are allocated efficiently—that poses a more significant challenge.
Lack of Cybersecurity Expertise
The intricacy of CMMC Level 2’s requirements underscores the need for specialized cybersecurity knowledge, which is not readily available within all organizations. This gap impedes the ability to effectively interpret, implement, and manage security controls. Organizations may need to seek external expertise or invest in upskilling their workforce, both of which require careful planning and possibly significant financial outlay. Building a proficient in-house cybersecurity team or engaging third-party consultants are viable strategies, each offering distinct advantages and challenges.
Integration of Security Practices
The requirements for new cybersecurity practices can disrupt existing workflows and systems, necessitating adjustments that may affect productivity in the short term. Embedding these security measures into the organizational fabric necessitates a cultural shift, aligning everyone from executives to front-line staff with the new security ethos while maintaining business output. Effective change management strategies are essential to minimize operational disruption and ensure a smooth transition to compliance.
CMMC Level 2 Compliance Costs
Compliance with CMMC Level 2 obligations incurs significant costs, encompassing assessment fees, remediation efforts, and ongoing monitoring. While initial assessment costs vary, they are necessary to ensure comprehensive compliance. Remediation efforts may involve upgrading cybersecurity infrastructure, training staff, or hiring consultants, which further add to expenses.
Despite the costs, these investments are crucial for maintaining an organization's competitive standing, particularly in initiatives involving the DoD. Integrating compliance costs into future proposals can offset some financial pressures, helping organizations adapt to the industry's tighter cybersecurity standards and remain attractive to potential DoD partners. The importance of these investments cannot be overstated, as they lay the foundation for a secure, compliant, and competitive enterprise.
A Checklist to Prepare for CMMC Level 2 Assessment
A structured approach is vital to successful certification. Follow this checklist to streamline your preparation.
Perform a NIST 800-171A Self-Assessment
Perform a self-assessment against NIST SP 800-171A, which defines the assessment objectives and the examine, interview, and test methods used to evaluate each security requirement. The goal is to identify gaps and establish a compliance baseline. Although NIST SP 800-171 and CMMC are complementary, they differ in how conformance is verified: a NIST SP 800-171 assessment can be performed by the organization itself, whereas CMMC Level 2 (C3PAO) requires a third-party assessment for certification. Completing the self-assessment first lets you find the gaps in your current cybersecurity practices before an assessor does.
Establish a System Security Plan
A System Security Plan (SSP) describes the boundary of the system that handles CUI, its security requirements, and how those requirements are met. To stay on track for CMMC, develop your SSP to formally document your organization's cybersecurity practices, policies, and procedures. The SSP should detail how your organization implements each required CMMC practice and control, so that you have a single, comprehensive account of your security posture to present at assessment.
Create Your POA&M
As mentioned above, CMMC Level 2 allows your organization to achieve conditional certification with a POA&M document. However, the 32 CFR rule does not allow the following six requirements to be placed on a POA&M at all (in addition, as noted above, no requirement worth more than one point may be deferred, with SC.L2-3.13.11 CUI Encryption as the one exception):
- AC.L2-3.1.20 External Connections (CUI Data)
- AC.L2-3.1.22 Control Public Information (CUI Data)
- CA.L2-3.12.4 System Security Plan
- PE.L2-3.10.3 Escort Visitors (CUI Data)
- PE.L2-3.10.4 Physical Access Logs (CUI Data)
- PE.L2-3.10.5 Manage Physical Access (CUI Data)
Your organization will then have 180 days to remediate any gaps in your compliance posturing and pass a POA&M closeout assessment before achieving Final Level 2 certification.
Review DoD Assessment and Scoping Guides
Thoroughly examine the DoD's CMMC Assessment Guide and Scoping Guide. These documents provide an authoritative blueprint for understanding the evaluation criteria and scoping boundaries that define the assessment process. Ensure your team comprehensively reviews these guides to pinpoint the specific controls applicable to your organization.
How ISI Helps You Achieve CMMC Level 2 Compliance
At ISI, we are dedicated to guiding defense contractors in the Defense Industrial Base (DIB) through CMMC Level 2 compliance complexities. Our expert team provides tailored solutions, ensuring you remain competitive and compliant. Contact us today for comprehensive support in navigating this critical certification process.
FAQs about CMMC Level 2
Is CMMC only for DoD contractors?
Yes, as of now, CMMC only applies to DoD contractors and subcontractors.
If I only handle FCI, do I still need to meet CMMC Level 2?
No. However, prime contractors can flow additional cybersecurity requirements down to their subcontractors. Review your current contracts for the DFARS 252.204-7012 clause: its presence is a good indication of what your current primes will be looking for in the future.
Do I need a System Security Plan for CMMC Level 2?
Yes! Not only is an SSP required for Level 2 certification, but it is also one of the six key cyber security requirements not allowed on the POA&M document. Having a well-documented SSP is critically vital to your CMMC assessment.
What is the difference between CMMC Level 2 and Level 3?
There are three key differences between CMMC Level 2 and Level 3:
- CMMC Level 3 primarily applies to prime contractors, as the DoD only expects 600 companies to fall into the Level 3 category
- In addition to satisfying all 110 requirements and 320 objectives of NIST SP 800-171 Rev 2 and NIST SP 800-171A, Level 3 requires contractors to implement 24 additional requirements selected from NIST SP 800-172.
- Level 3 assessments are conducted by the government (DIBCAC) rather than by the third-party assessment organizations used for Level 2.
As mentioned, Level 3 is mainly for prime contractors—most defense contractors will fall into either Level 1 or 2 of the CMMC Program.
How long is CMMC Level 2 certification good for?
CMMC Level 2 certification is valid for three years. However, during those three years, an Affirming Official from your organization must provide a yearly affirmation of continuing compliance with the specified security assessment requirements.
The 32 CFR final rule defines the Affirming Official as "the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA's compliance with the CMMC Program requirements and has the authority to affirm the OSA's continuing compliance with the specified security requirements for their respective organizations."
What are the consequences of failing a CMMC Level 2 assessment?
The most immediate consequence of failing a CMMC Level 2 assessment is that your organization will be unable to accept the award of a defense contract that requires it, losing out on that business. Under the phased rollout, Level 2 (Self-Assessment) contract requirements begin in Phase 1, and Level 2 (C3PAO) contract requirements begin in Phase 2 (one year after the start of Phase 1). However, the DoD reserves the right to require a higher level earlier for contracts involving particularly sensitive information, so Level 2 requirements, for both Self-Assessment and C3PAO, could appear in contracts as early as Q2 2025.
Failing your assessment can also hurt your organization’s reputation with prime contractors. Compliance is much more than a box-checking exercise; CMMC makes compliance a vital component of a contractor’s overall business goals.
While CMMC contract requirements are approaching, our best advice is to take your time and be intentional about identifying and addressing any gaps in your cybersecurity program before going through an audit.
How to find a C3PAO for your CMMC assessment?
C3PAOs are accredited by The Cyber AB, the CMMC Accreditation Body. All accredited C3PAOs are listed on its website (cyberab.org).
Two things to note about C3PAOs:
- Give yourself time to interview at least three C3PAOs. Finding a C3PAO with whom you can build rapport and communicate effectively is important. The audit can be a long process, and having a C3PAO with whom you can work will be worth the time you spend researching.
- A C3PAO's role is not to pass or fail your organization. Assessors are there to verify that your cybersecurity practices meet the CMMC requirements and that what is actually done matches your documented policies and procedures. The assessment is not punitive in nature, but it is crucial to prepare and have your evidence in order.
Schedule a call with an advisor to learn how ISI can support your organization’s compliance journey.