CMMC Level 2: Requirements and Solutions for DoD Contractors
What Is CMMC Level 2?
CMMC is the DoD's method for requiring organizations in the DoD supply chain to protect FCI, CUI, and/or ITAR data to the level determined appropriate for the information they handle.
CMMC Level 2 compliance is intended for those handling sensitive data and therefore requires organizations to satisfy all 110 security controls from NIST SP 800-171.
CMMC Level 2 certification is necessary for those who want to bid on DoD contracts that handle the following:
- Controlled Unclassified Information (CUI) / Controlled Defense Information (CDI)
- Controlled Technical Information (CTI)
If the DFARS 252.204-7012 requirement is in your current contracts, you are most likely in the CMMC Level 2 category.
Here are a few types of data requiring different levels from CMMC Level 1 to CMMC Level 3:
What does it take to achieve CMMC Level 2 Compliance?
A Cyber-AB CMMC Third Party Assessment Organization (C3PAO) must attest that you have fully implemented all assessment objectives before you can receive a CMMC certification.
- When ready, you will be responsible for scheduling your assessment with a C3PAO. An assessment will remain valid for 3 years from the assessment certification.
- Every year a senior company official must re-affirm that all 320 assessment objectives are still being met.
- Every 3 years a C3PAO must re-certify the organization.
Expert Insight: Any MSP/MSSP working with the organization must have a Level 2 final certification as well.
How do I know if I have CUI?
When it comes to the CMMC framework, the scope of a CMMC assessment for an Organization Seeking Assessment (OSA) is dictated by the flow of CUI throughout the environment. Properly identifying all the locations where CUI resides within that environment is critical for OSAs who want to successfully pass upcoming CMMC assessments.
Classifying CUI defines the scope of an organization's assessment, so it is critical that it is done properly. The number of CMMC requirements applicable to an asset varies by classification, and the determining factor for asset classification is the way in which the asset interacts with sensitive data.
How do DFARS and CMMC Level 2 overlap?
CMMC and DFARS 7012 collectively consist of three basic requirements:
- Adequate Security: NIST SP 800-171's 110 security controls
- Contractual Flowdown: If the prime contractor has to meet DFARS and CMMC requirements and CDI/CUI is passed down to subcontractors, then the subcontractor is required to meet the same CMMC level.
- Event and Incident Reporting: In response to an incident or cyber event, DFARS 7012 requires your organization to notify the DoD through formal reporting mechanisms. The DoD will need access to your environment - including cloud tenants and other cloud systems handling CUI.
- FedRAMP Compliance for Partners: Since 2016 DFARS clause 252.204-7012 has said that if a contractor puts CUI in the cloud then the contractor needs to require and ensure that the cloud service provider meets security requirements "equivalent" to the FedRAMP Moderate baseline.
On 12/21/23, the DoD released a memo clarifying the stringent requirements of FedRAMP Moderate "equivalency", and it is effective immediately. DoD contractors are now on the hook for their Cloud Service Provider's (CSP) FedRAMP compliance. According to the memo, the DoD demands a great deal from contractors whose defense data is stored, processed, or transmitted by a FedRAMP Equivalent CSP.
A FedRAMP Moderate Authorized CSP requires considerably less effort by the contractor. You can check whether your CSP is Authorized on the FedRAMP Marketplace. If you do have a FedRAMP Moderate "equivalent" CSP, you might consider switching to a FedRAMP-Tailored solution. We recommend either Microsoft GCC or GCC High.
How should I prepare for CMMC Level 2 now?
Aerospace and defense contractors should be taking the following measures right now in order to prepare for CMMC Level 2 assessments:
What solution can get me to CMMC Level 2?
Properly configured, the Microsoft Government suite can satisfy the controls found in CMMC Level 2. Essentially, there are two options for approaching CMMC compliance.
How do I prepare for a CMMC Level 2 assessment?
To pass a CMMC Level 2 assessment, companies are assessed by an authorized Cyber-AB C3PAO on their ability to meet and demonstrate all practices of Levels 1 and 2 combined.
This will include technical architecture and solutions, along with written policies and procedures.
CMMC Events for The DIB
What Is CS2?
CS2, or The Cloud Security and Compliance Series, is an ongoing informational series for contractors in the Defense Industrial Base looking to meet federal compliance mandates. These hybrid events are specifically curated for aerospace and defense contractors and for higher education institutions looking for practical approaches to addressing security threats, investing in a culture of cybersecurity for their organization, and gleaning best practices for their cloud investments.
Areas of focus for CS2 events include, but are not limited to:
- CMMC 2.0
- NIST 800-171
- The DFARS 70 Series (7012, 7019, 7020)
- ITAR regulations
- Handling CUI and FCI