
A Guide to CMMC Level 2 Compliance


Cybersecurity Maturity Model Certification (CMMC) is a tiered model with three levels, ascending from basic to advanced security requirements.

While some Defense Industrial Base (DIB) companies only need to stay at Level 1 and others must climb to Level 3, most need to comply with Level 2. According to Department of Defense (DoD) estimates, roughly 8,350 large and medium-sized organizations need to undergo a CMMC Level 2 certification assessment to be eligible for DoD contract work.

Regardless of business size, there are many controls to understand and implement to achieve CMMC Level 2. Use this guide to start your path to compliance.

What Is CMMC Level 2?

CMMC Level 2 is designed to help DIB contractors and subcontractors protect Controlled Unclassified Information (CUI) from cyberattacks. Unlike Level 1, which requires adherence to 15 basic security requirements* listed in Federal Acquisition Regulation (FAR) clause 52.204-21, Level 2 demands more advanced cybersecurity measures. CMMC Level 2 requirements include:

* Previously 17 requirements, three of which the DoD then merged into a single clause. 

110 NIST SP 800-171 Controls

DIBs needing to achieve Level 2 certification must comply with the 110 security controls of the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).

NIST SP 800-171 covers critical cybersecurity requirements categorized into 17 families, including Access Control, Incident Response, and Risk Assessment. It helps contractors develop a robust defense against cyberattacks that could threaten national security. From a business perspective, CMMC Level 2 controls allow organizations to bid on or renew DoD contracts and grow in the defense field. Implementing them also reduces the risk of joining the list of companies that have had to publicly disclose a breach.

C3PAO Assessment

Unlike Level 1, which requires a self-assessment, Level 2 typically demands an official assessment conducted by an authorized CMMC Third Party Assessment Organization (C3PAO).

Qualified C3PAOs are certified by The Cyber AB, the official accreditation body of CMMC and a DoD nongovernmental partner. If a DIB contractor demonstrates it meets all NIST SP 800-171 requirements during a Level 2 assessment, the C3PAO will issue certification and enter the results into the Enterprise Mission Assurance Support Service (eMASS) system, which the DoD can access. The DIB contractor will then be eligible for contracts requiring Level 2 certification.

Any of the 110 security controls not met during a Level 2 assessment are placed on a Plan of Action and Milestones (POA&M), and the contractor receives a “conditional” CMMC status. During conditional status, DIBs can still bid on contracts. However, they must remediate POA&Ms within 180 days of receiving the conditional status. POA&Ms are closed out during a reassessment.

Organizations that achieve CMMC Level 2 must affirm compliance annually in the Supplier Performance Risk System (SPRS) and undergo a C3PAO assessment every three years. It’s important to note that the Level 2 assessment process typically takes several months or longer, depending on an organization’s needs and goals, so starting the journey promptly is recommended. 


DIB contractors eligible to self-assess at Level 2 must do so annually and upload their assessment results to the SPRS. They also have 180 days to close out POA&Ms if needed, and the security requirements for Level 2 self-assessments are the same as C3PAO assessments. 

Who Needs CMMC Level 2 Certification?

Any DIB contractor or subcontractor using a non-federal system to process, transmit, or store CUI must comply with CMMC Level 2 to be eligible for contract awards. Prime contractors are responsible for flowing down CMMC requirements to subcontractors handling CUI and ensuring they meet Level 2 controls before awarding contracts to them.

If a subcontractor handles limited sensitive information, it may not need to comply with CMMC Level 2, even if the prime contractor must comply. CMMC Level 1 may be adequate for the subcontractor depending on the type of information it handles.

What Does CUI Include?

CUI includes various types of DoD information that require safeguarding, such as Controlled Technical Information (CTI) like engineering drawings and specifications. Other defense CUI categories include Privileged Safety Information (PSI) and DoD Unclassified Controlled Nuclear Information (DCNI).

The CMMC Scoping Guide provides specific details on assets in scope for a CMMC Level 2 assessment. They include any asset that handles CUI, such as software, servers, networks, and mobile devices. Assets physically or logically separate from CUI are considered out of scope. Organizations must be prepared to explain to CMMC assessors why certain assets are out of scope.

How Do You Prepare for CMMC Level 2 Certification?

Use the following checklist to prepare for a CMMC Level 2 certification assessment:

  • Know your CMMC level: Determine whether your organization handles CUI or Federal Contract Information (FCI). If it handles highly sensitive CUI, you may need a Level 3 assessment. Review the contract you currently hold or are bidding on — it should say which level you need.
  • Review NIST SP 800-171 requirements: If you determine your organization needs to comply with CMMC Level 2, familiarize yourself with NIST SP 800-171. That way, you’ll know what your business must do to prepare for an assessment. You can review NIST SP 800-171 requirements here.
  • Perform assessment scoping: You must identify in-scope assets before your assessment. You must also document these assets in a System Security Plan (SSP). An SSP provides a high-level overview of the security controls your organization has implemented or plans to implement to safeguard in-scope assets. 
  • Conduct a gap analysis: A gap analysis assesses your existing cybersecurity framework against NIST SP 800-171 requirements to identify deficiencies. Consider partnering with an experienced CMMC consultant to perform a gap analysis and ensure you’re prepared for an official assessment.
  • Remediate gaps: Address the vulnerabilities you’ve uncovered during the gap analysis, which may include implementing new software or tools. A consultant can help you develop and implement a practical and effective remediation plan.
  • Perform a readiness assessment: After closing cybersecurity gaps, consider performing a readiness assessment to ensure all vulnerabilities were adequately addressed. A readiness assessment can help your company save time and resources during the actual CMMC assessment process.
  • Hire a reliable C3PAO: Once you’re ready for an official assessment, it’s time to partner with an authorized C3PAO. Your C3PAO cannot be the same organization that provided your CMMC consulting services, due to conflict-of-interest rules. You can search for authorized C3PAOs through The Cyber AB’s marketplace.

Why Trust Business Transformation Institute?

If anyone knows CMMC, it’s the team at Business Transformation Institute, Inc. (BTI). We’ve been involved with CMMC Level 2 certification since the DoD initially launched the program, and some of our team members have written critical components of the model.

We understand the complexities of CMMC compliance on all levels for organizations of all sizes. We also bring real-world expertise in cybersecurity controls and process improvement methodologies to our approach. 


Contact BTI for CMMC Level 2 Certification Services

While it’s important for protecting CUI, achieving CMMC Level 2 compliance can quickly overwhelm a DIB organization. Comprehending NIST SP 800-171 requirements is one thing — implementing them is another. We understand CMMC compliance is a lot to take on, and we’re here to help.

As an official C3PAO and Approved Training Provider, we are qualified to consult, train, or assess DIB businesses needing to comply with CMMC Level 2. Unlike our competitors, our team is authorized to work with information at the highest levels of security, qualifying us to support intelligence community contractors.

No matter where you are on your CMMC journey, we can help your organization reach compliance efficiently, practically, and cost-effectively. Contact us today.
