If your organization handles sensitive information and aims to work with the Department of Defense (DoD), you must meet the Cybersecurity Maturity Model Certification (CMMC) requirements. These standards protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) from cyberthreats.
This guide covers the CMMC Level 2 requirements and why they matter for DoD contractors: what each CMMC level means, which security controls Level 2 demands, and how to prepare for certification step by step.
What Is CMMC Compliance, and What’s Level 2?
The CMMC framework is the DoD’s response to changing cybersecurity needs. It has three levels, and Level 2 is the intermediate one. It requires implementing the 110 security controls outlined in NIST SP 800-171 to protect CUI or export-controlled data from unauthorized access. Level 2 applies to DoD contractors and subcontractors who transmit or store such sensitive information.
To comply with CMMC Level 2, you need to undergo an official accreditation by a CMMC Third-Party Assessor Organization (C3PAO). The process also includes a self-evaluation, continuous monitoring, and team training, which we’ll discuss below.
Overview of CMMC Certification Levels
Each of the CMMC framework’s three levels builds upon the previous one. They’re designed to help you gradually enhance your organization's cybersecurity, depending on the type and sensitivity of the information you manage.
CMMC Level 1
At Level 1, the focus is on minimum safeguarding practices for FCI. You must implement 17 controls and practices to establish basic cyber hygiene, like managing passwords and limiting access to physical areas.
This level primarily involves annual self-assessment to ensure compliance, with results reported to the DoD’s Supplier Performance Risk System (SPRS). It’s a starting point for businesses handling less sensitive information.
CMMC Level 2
CMMC Level 2 is where things get more robust, especially if you deal with CUI. This level introduces intermediate cyber hygiene measures, expanding Level 1 by adding controls based on NIST SP 800-171. The goal is to protect CUI more thoroughly by implementing access control, incident response, and system monitoring safeguards.
To verify compliance, you conduct self-assessments or work with a CMMC C3PAO every three years, depending on the specific contract requirements. If you’re aiming to handle contracts that involve CUI, meeting Level 2 is non-negotiable.
CMMC Level 3
Level 3 targets businesses that must defend against Advanced Persistent Threats (APTs). It includes the controls from Level 2 and adds more from NIST SP 800-172.
At this stage, your organization must demonstrate the capability to defend against advanced threats, including continuous monitoring and more sophisticated defense mechanisms. If your business handles high-value data critical to national security, this is the level of compliance you need.
CMMC Level 2 Compliance Requirements
Achieving CMMC Level 2 compliance is a significant step in enhancing cybersecurity. It involves implementing security controls across 15 domains, which the DoD developed to better organize its standards. These build upon each other to ensure a strong security foundation.
Here’s a brief overview of what you need to accomplish in each domain:
1. Access Control (AC)
Limit access to sensitive data to only authorized users, enforce the least privilege principle, and control remote access and portable storage.
2. Audit and Accountability (AU)
Track user activity with audit logs and monitor them to identify unauthorized actions.
3. Awareness and Training (AT)
Train your team on cybersecurity best practices to make sure everyone understands their role in protecting CUI.
4. Configuration Management (CM)
Document and control changes to system configurations to avoid introducing vulnerabilities.
5. Identification and Authentication (IA)
Enforce strong passwords, multi-factor authentication (MFA), and encryption to secure user credentials.
6. Incident Response (IR)
Have a documented plan for detecting, responding to, and reporting incidents, and test it regularly to stay prepared.
7. Maintenance (MA)
Secure all maintenance activities, especially remote access, with controls like MFA.
8. Media Protection (MP)
Secure digital and physical media containing CUI, limit access, and safely dispose of sensitive information.
9. Personnel Security (PS)
Screen personnel before granting CUI access, and revoke access promptly during employee transitions.
10. Physical Protection (PE)
Control physical access to facilities housing sensitive systems or information and monitor these areas.
11. Recovery (RE)
Regularly back up CUI securely and test backups to make sure data recovery is possible during incidents.
12. Risk Management (RM)
Identify and mitigate security risks proactively with regular assessments and corrective actions.
13. Security Assessment (CA)
Regularly assess your security measures, create a system security plan (SSP), and address gaps.
14. System and Communications Protection (SC)
Use encryption and secure communication protocols to protect data during transmission.
15. System and Information Integrity (SI)
Monitor networks and communications, and address security threats (like unauthorized users) promptly.
Steps To Achieve CMMC Level 2 Compliance
Achieving compliance is easier when you break the process down into clear, actionable steps. Below is a CMMC Level 2 checklist to help you navigate each stage, from assessing your current security to passing the official audit.
1. Perform a Gap Analysis
Perform a gap analysis to see where your current cybersecurity practices stand compared to the CMMC requirements. This involves reviewing the controls outlined in NIST SP 800-171 and identifying where you fall short.
A thorough gap analysis gives you a roadmap for which areas need the most attention, allowing you to prioritize your compliance efforts effectively.
2. Create a Remediation Plan
Once you’ve identified the gaps, the next step is to develop a remediation plan—often formalized in a Plan of Action and Milestones (POA&M). This plan outlines your organization's specific actions to improve, sets a timeline for each action, and assigns responsibilities.
3. Implement Necessary Controls
Use the insights from your gap analysis to implement the necessary security controls. This step is about translating plans into action—securely configuring systems, enhancing access control measures, and ensuring your infrastructure meets CMMC Level 2 standards. Focus on both technical measures and administrative policies to cover all bases.
4. Conduct Regular Security Assessments
Regular security assessments are key to maintaining a high level of cybersecurity readiness. Revisit your practices periodically and conduct tests to evaluate your implemented security controls’ effectiveness. It’s also a good idea to bring in a third party for an unbiased review before your formal C3PAO assessment.
5. Develop an SSP
The system security plan (SSP) details your current security practices, tools, and procedures for protecting CUI. Assessors will review the SSP, so it’s important that it accurately reflects your processes and compliance efforts.
6. Continue Employee Training and Awareness
Your organization’s security posture is only as strong as your team’s awareness. Make sure everyone, from IT staff to general employees, understands their role in protecting CUI. Training sessions should cover the basics of cybersecurity, threat awareness, and the specifics of your internal policies.
7. Get a Third-Party Assessment (C3PAO)
Most organizations aiming for CMMC Level 2 compliance need a formal assessment by a C3PAO. This external evaluation verifies that all required controls are in place and functioning as intended. The assessor will review your SSP, interview key personnel, and make sure all cybersecurity practices align with the CMMC framework.
8. Address Findings and Finalize Compliance
If the assessment uncovers shortcomings, use your POA&M to address them swiftly. You have 180 days to correct any issues and achieve full compliance. Document all actions to remediate gaps and work closely with assessors to confirm progress.
Preparing for CMMC Level 2
Proper preparation helps you meet the controls from NIST SP 800-171 and reduces the risk of setbacks and surprises during the formal third-party assessment.
Here are some steps to help you get ready:
- Familiarize yourself with the assessment framework, including the standards, criteria, and objectives of CMMC Level 2.
- Make sure all necessary documentation and evidence of compliance, such as your SSP, are current and easily accessible for review.
- Plan the assessment carefully by allocating enough time and resources, including staff dedicated to preparing and facilitating the process.
- Conduct a comprehensive gap analysis to identify improvement areas and develop a remediation plan.
- Train your team on cybersecurity best practices and CMMC-specific requirements to ensure everyone is on the same page.
Let Legit Security Guide Your CMMC Compliance
By implementing the correct security controls, your organization can strengthen its cybersecurity posture and unlock new opportunities.
At Legit Security, we provide the tools to streamline your journey to compliance. Our expertise in compliance automation and continuous monitoring ensures that you stay ahead of the evolving requirements, helping you achieve and maintain CMMC compliance at any level. We make the complex manageable so you can focus on delivering value to federal clients.
Want to see how Legit Security can help with your journey? Contact us today to learn more.