
CMMC Level 2 Assessment Guide: Updated for the CMMC 2.0 Framework


CMMC Level 2.0 Framework Assessment Checklist

For contractors and subcontractors in the defense sector, CMMC compliance is essential for winning federal contracts. Having the Cybersecurity Maturity Model Certification (CMMC) demonstrates that you meet the US Department of Defense’s high standards for protecting sensitive government information from cyber threats, whether those threats take the form of accidental leaking or malicious exfiltration.

Recently, the cyber compliance game has changed with the introduction of new CMMC 2.0 requirements. The new framework simplifies the CMMC model from five levels of progressively more thorough cybersecurity best practices to three levels and sets new standards for achieving certification.

As the DoD gradually incorporates CMMC 2.0 compliance requirements into its new contracts, contractors and subcontractors face the challenge of preparing for their next assessments and ensuring they can continue meeting these requirements.

With years of experience helping federal contractors and subcontractors align their cybersecurity practices with CMMC requirements, Cask is here to put you on the path to success in the Defense Industrial Base with our updated CMMC 2.0 assessment guide. Read on to learn more about what a CMMC assessment entails, especially for contractors who are required to adhere to CMMC Level 2 standards.

Understanding CMMC Level 2 Compliance

Under the new CMMC 2.0 framework, there are three levels of cyber compliance. Each one builds upon the previous level with more required cybersecurity practices to reflect the need for more thorough protections for more sensitive information.

For example, Level 1: Foundational is for contractors who only handle Federal Contract Information (FCI). This first level includes 17 basic cybersecurity practices, as outlined in Federal Acquisition Regulation (FAR) 52.204-21. Level 2: Advanced is for organizations that handle Controlled Unclassified Information (CUI), such as personally identifiable information, protected health information, or critical information related to defense infrastructure or law enforcement operations. Since this class of information is more sensitive than FCI, CMMC L2 mandates 110 cybersecurity best practices, including the 17 basic practices from L1.

Level 3: Expert requires extra cybersecurity practices on top of those 110 to ensure the protection of even more sensitive data from highly sophisticated Advanced Persistent Threats. Very few contractors are required to meet Level 3 standards. For the vast majority of contractors and subcontractors across the Defense Industrial Base, DoD contracts that involve CUI, Controlled Technical Information (CTI), and ITAR or export-controlled data will require CMMC L2 compliance; L3 is rare and only for the most sensitive and at-risk defense industry data.

What are CMMC 2.0 Level 2 requirements?

The 110 cybersecurity practices included in CMMC L2 are divided into the following fifteen domains:

  1. Access Control: 22 cybersecurity practices intended to monitor access events in your network and limit access to systems and data to authorized personnel only.
  2. Audit and Accountability: Nine best practices for collecting, retaining, and analyzing audit records to ensure that unauthorized activity is detected quickly and responded to swiftly.
  3. Awareness and Training: Three best practices for ensuring that managers, system administrators, and other users know your security policies and can act appropriately in the event of insider or outsider cyber threats.
  4. Configuration Management: Nine cybersecurity practices for controlling, monitoring, and maintaining baseline configurations for software and systems.
  5. Identification and Authentication: Eleven best practices for password and authentication policies to ensure only authorized users can access your network and systems.
  6. Incident Response: Three best practices for creating and maintaining an incident response strategy that allows you to swiftly respond to and mitigate damage from potential data breaches.
  7. Maintenance: Six controls to ensure that your systems are properly and regularly maintained to prevent accidental CUI disclosure.
  8. Media Protection: Nine controls to ensure that both paper and digital media containing CUI
  9. Personnel Security: Two controls to ensure that user activities are properly monitored and that systems containing CUI are protected while employees are onboarded, transferred, or terminated.
  10. Physical Protection: Six practices to protect network hardware containing CUI from physical damage that can lead to data loss.
  11. Recovery: Two best practices for creating and periodically testing data backups and physically securing backup storage locations.
  12. Risk Management: Three best practices for performing risk assessments and remediating cybersecurity vulnerabilities.
  13. Security Assessment: Four best practices for monitoring and assessing your organization’s security controls.
  14. System and Communications Protection: 16 controls for preventing the unauthorized transfer of information and disclosure of CUI by monitoring, controlling, and protecting network communications.
  15. System and Information Integrity: Seven controls to ensure that organizations can quickly identify and correct flaws in their systems and protect CUI from cyber attacks.

To demonstrate adherence to CMMC 2.0 requirements, your organization must show that all 110 of these best practices and controls are being followed. For more details about all 110 controls, you can consult NIST SP 800-171 Rev. 3, the standard from which CMMC L2 requirements were derived. Regular CMMC assessments are required to prove that your organization meets CMMC 2.0 L2 requirements.

How does CMMC L2 assessment work?

If your current DoD contracts, or future contracts you bid for, require CMMC L2 compliance, you are required to have your organization assessed by a third-party organization. Third-party assessment provides the federal government with an objective and unbiased perspective on how well-positioned your organization is to protect CUI, CTI, and ITAR or export-controlled data. To that end, assessments must be carried out by an authorized CMMC Third-Party Assessor Organization (C3PAO).

C3PAOs receive their authorization from The Cyber AB, a not-for-profit corporation solely responsible for providing CMMC licensing and certification. In addition to training and authorizing C3PAOs, The Cyber AB also licenses and certifies CMMC training providers, instructors, and assessors who assist organizations in evaluating their CMMC readiness and preparing for their assessments.

Every three years, an authorized C3PAO takes a magnifying glass to your organization’s security practices to evaluate your compliance with CMMC 2.0 requirements. If they see fit to certify your CMMC compliance, you can use your certification for the next three years to demonstrate to the DoD that you meet the requirements laid out in the contracts you bid for.

The Costs and Benefits of CMMC 2.0 Compliance

Implementing such a wide range of specific, exacting cybersecurity policies and procedures across your entire organization can demand significant upfront investments of time, labor, and potentially even upgraded hardware or software if you have legacy systems that contain significant vulnerabilities to modern cyber threats.

However, if you do contracting or subcontracting work within the defense sector, whether it comes in the form of working directly with US defense agencies or performing services for defense contractors who do, noncompliance can lock you out of a significant amount of business with the government and other contractors and limit your ability to access new revenue streams. After all, the federal government and other defense sector businesses cannot expect you to securely handle CUI if you cannot demonstrate CMMC L2 compliance.

CMMC 2.0 requirements aren’t just for businesses in the defense sector anymore, either. As universities conduct more and more research in partnership with the DoD and other federal agencies such as the Department of Health and Human Services that handle sensitive information, they too are under increasing pressure to meet CMMC L2 standards.

While ensuring compliance may involve significant investments in time, labor, and capital, in the long term, it enables you to do more varied and high-value business with the Defense Industrial Base.

What happens if you fail a CMMC L2 assessment?

If you do not pass your CMMC L2 assessment but have existing federal contracts, or contracts you are currently bidding on, that require compliance with CMMC 2.0 L2 requirements, your organization will not automatically lose the contract. Rather than stop work immediately, you will have the opportunity to present the DoD with a Plan of Action and Milestones (POA&M). A POA&M is a document that identifies where your current security practices fall short, lists the resources you need to reach CMMC 2.0 compliance, and sets a timeline for achieving compliance.

Five Steps to Prepare for a CMMC L2 Assessment

With the help of our CMMC L2 assessment guidance, you can streamline your assessment process and maximize your chances of achieving and maintaining your CMMC L2 certification. To prepare for your third-party assessment:

  1. Review NIST SP 800-171 Rev. 3 in depth to familiarize yourself with the 110 cybersecurity controls that comprise the CMMC L2 requirements.
  2. Perform an internal audit to assess how many of the 110 best practices and controls your organization currently observes. You can also hire a third-party CMMC consultant to audit your cybersecurity practices for you, as long as the consultant is not the same third party responsible for performing your CMMC L2 assessment.
  3. If an audit shows any gaps in your cybersecurity practices, take steps to fill them and make sure your efforts are fully documented. If you cannot shore up these vulnerabilities in time for your assessment, documentation of your efforts can help you develop a POA&M.
  4. Ensure your IT staff are prepared to answer any questions they may be asked by your auditor during the assessment.
  5. Conduct an internal review ahead of the assessment to ensure your cybersecurity controls are active, documented, and effective.

This may be a lot of work to accomplish on your own. Experienced CMMC consultants can help you by providing pre-assessment consulting services, which may include analyzing the gaps in your security posture for any CMMC 2.0 requirements you do not meet, documenting your security controls, drafting a POA&M, or performing mock assessments to prepare you for the real thing.

Should You Get a Mock CMMC L2 Assessment?

One of the most effective ways to prepare for a CMMC assessment is to undergo a mock assessment. A mock assessment is carried out by expert CMMC consultants, and while it does not carry the same weight as a formal assessment, it emulates the rigor and scope of a formal assessment, allowing your staff to familiarize themselves with the assessment process ahead of time.

Mock assessments can also identify any issues that might stand in the way of compliance so you can have time ahead of your formal assessment to rectify them. Cask’s CMMC Readiness Program leverages our experienced team of CMMC assessors to familiarize you with the assessment process and provide you with the best opportunity to achieve a flawless score on your formal assessment with no POA&Ms.

We hope this CMMC Level 2 assessment guide has provided you with the insight you need to start preparing for your formal assessment. For support from our team of CMMC experts to make your next formal assessment a success, contact us today to schedule a CMMC readiness consultation.
