Cybersecurity Maturity Model Certification (CMMC) is a tiered model with three levels, ascending from basic to advanced security requirements.
While some Defense Industrial Base (DIB) companies only need to stay at Level 1 and others must climb to Level 3, most need to comply with Level 2. According to Department of Defense (DoD) estimates, roughly 8,350 large and medium-sized organizations need to undergo a CMMC Level 2 certification assessment to be eligible for DoD contract work.
Regardless of business size, there are many controls to understand and implement to achieve CMMC Level 2. Use this guide to start your path to compliance.
CMMC Level 2 is designed to help DIB contractors and subcontractors protect Controlled Unclassified Information (CUI) from cyberattacks. Unlike Level 1, which requires adherence to 15 basic security requirements* listed in Federal Acquisition Regulation (FAR) clause 52.204-21, Level 2 demands more advanced cybersecurity measures. CMMC Level 2 requirements include the following:
DIBs needing to achieve Level 2 certification must comply with the 110 security controls of the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).
* Previously 17 requirements, three of which the DoD then merged into a single clause.
NIST SP 800-171 covers critical cybersecurity requirements categorized into 17 families, including Access Control, Incident Response, and Risk Assessment. It helps contractors develop a robust defense against cyberattacks that could threaten national security. From a business perspective, CMMC Level 2 controls allow organizations to bid on or renew DoD contracts and grow in the defense field. Compliance also reduces the risk of joining the list of companies that have had to publicly disclose that they have been hacked.
Unlike Level 1, which requires a self-assessment, Level 2 typically demands an official assessment conducted by an authorized CMMC Third Party Assessment Organization (C3PAO).
Qualified C3PAOs are certified by The Cyber AB, the official accreditation body of CMMC and a DoD nongovernmental partner. If a DIB contractor demonstrates it meets all NIST SP 800-171 requirements during a Level 2 assessment, the C3PAO will issue certification and enter the results into the Enterprise Mission Assurance Support Service (eMASS) system, which the DoD can access. The DIB contractor is then eligible for contracts requiring Level 2 certification.
Any of the 110 security controls not met during a Level 2 assessment are placed on a Plan of Action and Milestones (POA&M), and the contractor receives a “conditional” CMMC status. During conditional status, DIBs can still bid on contracts. However, they must remediate POA&M items within 180 days of receiving the conditional status. POA&M items are closed out during a reassessment.
Organizations that achieve CMMC Level 2 must affirm compliance annually in the Supplier Performance Risk System (SPRS) and undergo a C3PAO assessment every three years. It’s important to note that the Level 2 assessment process typically takes several months or longer, depending on an organization’s needs and goals, so starting the journey promptly is recommended.
DIB contractors eligible to self-assess at Level 2 must do so annually and upload their assessment results to the SPRS. They also have 180 days to close out POA&M items if needed, and the security requirements for Level 2 self-assessments are the same as those for C3PAO assessments.
Any DIB contractor or subcontractor using a non-federal system to process, transmit, or store CUI must comply with CMMC Level 2 to be eligible for contract awards. Prime contractors are responsible for flowing down CMMC requirements to subcontractors handling CUI and ensuring they meet Level 2 controls before awarding contracts to them.
If a subcontractor handles limited sensitive information, it may not need to comply with CMMC Level 2, even if the prime contractor must comply. CMMC Level 1 may be adequate for the subcontractor depending on the type of information it handles.
CUI includes various types of DoD information that require safeguarding, such as Controlled Technical Information (CTI) like engineering drawings and specifications. Other defense CUI categories include Privileged Safety Information (PSI) and Unclassified Controlled Nuclear Information (DCNI).
The CMMC Scoping Guide provides specific details on assets in scope for a CMMC Level 2 assessment. They include any asset that handles CUI, such as software, servers, networks, and mobile devices. Assets physically or logically separate from CUI are considered out of scope. Organizations must be prepared to explain to CMMC assessors why certain assets are out of scope.
Use the following checklist to prepare for a CMMC Level 2 certification assessment:
If anyone knows CMMC, it’s the team at Business Transformation Institute, Inc. (BTI). We’ve been involved with CMMC Level 2 certification since the DoD initially launched the program, and some of our team members have written critical components of the model.
We understand the complexities of CMMC compliance on all levels for organizations of all sizes. We also bring real-world expertise in cybersecurity controls and process improvement methodologies to our approach.
While it’s important for protecting CUI, achieving CMMC Level 2 compliance can quickly overwhelm a DIB organization. Comprehending NIST SP 800-171 requirements is one thing — implementing them is another. We understand CMMC compliance is a lot to take on, and we’re here to help.
As an official C3PAO and Approved Training Provider, we are qualified to consult, train, or assess DIB businesses needing to comply with CMMC Level 2. Unlike our competitors, our team is authorized to work with information at the highest levels of security, qualifying us to support intelligence committee contractors.
No matter where you are on your CMMC journey, we can help your organization reach compliance efficiently, practically, and cost-effectively. Contact us today.