A Guide to CMMC Level 2
What does it take to achieve CMMC Level 2 Compliance?
CMMC Level 2 compliance requires organizations to satisfy all 110 security requirements of NIST SP 800-171. CMMC Level 2 certification is necessary for those who want to bid on DoD contracts that handle the following:
Controlled Unclassified Information (CUI) / Covered Defense Information (CDI)
Controlled Technical Information (CTI)
If the DFARS 252.204-7012 clause is in your current contracts, you are most likely in the CMMC Level 2 category.
The CMMC Level 2 certification assessment is conducted by a Cyber AB-authorized CMMC Third-Party Assessment Organization (C3PAO). When ready, you are responsible for scheduling your assessment with a C3PAO. A Level 2 certification remains valid for three years from the date of certification.
For a small subset of programs, the DoD allows an annual Level 2 self-assessment instead of a C3PAO assessment.
Here are the domains within CMMC Level 2 (Level 1 included):
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
How do I know if I have CUI?
When it comes to the CMMC framework, the scope of a CMMC assessment for an Organization Seeking Certification (OSC) is dictated by the flow of CUI through the environment. Properly identifying every location where CUI is stored, processed or transmitted within that environment is critical for OSCs who want to pass upcoming CMMC assessments.
Classifying assets by how they interact with CUI defines the scope of an organization's assessment, so it is critical that it is done properly. The number of CMMC requirements applicable to an asset varies by classification, and the determining factor for an asset's classification is the way in which it interacts with sensitive data.
How do DFARS and CMMC Level 2 overlap?
CMMC and DFARS 7012 collectively consist of three basic requirements:
- Adequate Security: NIST SP 800-171's 110 security controls
- Contractual Flowdown: If the prime contractor must meet DFARS and CMMC requirements and CDI/CUI is passed down to subcontractors, each subcontractor that receives that data must meet the same CMMC level.
- Event and Incident Reporting: DFARS 7012 requires your organization to rapidly report cyber incidents to the DoD (within 72 hours of discovery) through its formal reporting mechanism, to preserve images of affected systems and relevant monitoring data, and to give the DoD access to the affected environment for forensic analysis on request - including cloud tenants and other cloud systems handling CUI.
How should I prepare for CMMC Level 2 now?
Aerospace and defense contractors should be taking the following measures now in order to prepare for CMMC Level 2 assessments:
What solution can get me to CMMC Level 2?
Properly configured, the Microsoft Government suite can satisfy 77 of the 110 requirements found in CMMC Level 2 and NIST SP 800-171.
Technical implementation covers only around 70% of the DoD-defined requirements; the remainder are met through documentation, policies and procedures. Even so, the technical work is typically the biggest expense and the largest time commitment for companies preparing for CMMC assessments.
The deployment of the Summit 7 CMMC Level 2 solution enables organizations to achieve their technical compliance goals while executing their business deliverables. Implementation of the Summit 7 CMMC 2.0 Level 2 Solution can include, but is not limited to:
- Baselining your Microsoft 365 GCC or GCC High tenant
- Configuring Microsoft Security products to meet CMMC / NIST 800-171 technical requirements
- Securing in scope endpoints with Microsoft Intune
- Configuring Identity and Access Management, to include MFA using Azure Active Directory
- Implementing Microsoft Purview Information Protection (MPIP)
- Deploying Microsoft Defender suite products and services to protect endpoints, third-party cloud applications and platforms, data, and external connections
- Other duties as identified
How do I prepare for a CMMC Level 2 assessment?
To pass a CMMC Level 2 assessment, companies are assessed by an authorized Cyber AB C3PAO on their ability to meet and demonstrate all Level 1 and Level 2 practices in aggregate.
This includes the technical architecture and solutions, along with written policies and procedures.
CMMC Events for The DIB
What Is CS2?
CS2, or The Cloud Security and Compliance Series, is an ongoing informational series for contractors in the Defense Industrial Base looking to meet federal compliance mandates. These hybrid events are curated for aerospace and defense contractors, and for higher education institutions, looking for practical approaches to address security threats, invest in a culture of cybersecurity for their organization, and glean best practices for their cloud investments.
Areas of focus for CS2 events include, but are not limited to:
- CMMC 2.0
- NIST 800-171
- The DFARS 70 Series (7012, 7019, 7020)
- ITAR regulations
- Handling CUI and FCI
What Is CMMC?
CMMC 2.0 is the DoD's method for requiring organizations in the DoD supply chain to protect FCI, CUI, and/or ITAR-controlled technical data to the appropriate level determined by the contract.
Here are a few types of data requiring different levels from CMMC Level 1 to CMMC Level 3: