
CMMC Level 2 Essentials

We previously described Cybersecurity Maturity Model Certification (CMMC) level 1 as the foundation for a sound security posture. Level 2 can most accurately be described as a bridge to level 3. Most defense contracts will have either level 1 requirements or jump to level 3. However, there are additional controls that need to be addressed in level 2 before level 3 can be assessed.


What Is CMMC Level 2 And How Does It Compare With Level 1?

CMMC level 2 is an incremental yet important milestone for defense contractors to address. CMMC level 2 focuses on intermediate cyber hygiene, creating a logical but necessary progression for organizations to step from level 1 to 3. In addition to safeguarding Federal Contract Information (FCI), level 2 begins to include protections of Controlled Unclassified Information (CUI). Compared to level 1, the additional sets of practices included in level 2 position the organization to better defend against more dangerous cyber threats.

CMMC level 2 also introduces the process maturity element of the model. At CMMC level 2, an organization is expected to perform and document key cybersecurity functions.


What Are The Requirements Of Level 2?

CMMC level 2 introduces 55 new practices, for a total of 72, since it also includes the level 1 practices. These practices are grouped into 15 different domains. Let’s look at the basics of what level 2 requires:

  • Domain AC: Access Control requirements for level 2 include various ways to limit access. Some examples include employing the principle of least privilege and carefully monitoring remote access sessions.

  • Domain AT: Awareness and Training requires organizations to conduct cybersecurity training for managers, administrators and users who access organization systems.

  • Domain AU: Audit and Accountability covers the need to log system users’ activity and review these logs for monitoring purposes.

  • Domain CA: Security Assessment requires a defense contractor organization to periodically assess its cybersecurity plans and practices to make sure they are working effectively. Where problems are found, the organization should create new action plans to address the deficiencies.

  • Domain CM: Configuration Management calls for establishing configuration settings for all organizational systems, including equipment, software and documents, and enforcing those settings. If you need to change a configuration, you must first consider the security implications.

  • Domain IA: Identification and Authentication limits access in a similar way to Domain AC, but Domain IA is more focused on ensuring that no one who is not an authorized user can pass as one. This means that deliberate password practices, for example, are critical.

  • Domain IR: Incident Response requires your organization to have a plan in place to handle security incidents that could occur in the future and to handle these incidents carefully.

  • Domain MA: Maintenance controls outline the requirements for protecting critical data and services in the event of a computer system failure.

  • Domain MP: Media Protection is aimed at preventing security problems as a result of the use of removable media, such as flash drives. For instance, you must sanitize or destroy any media that includes Federal Contract Information before you release, reuse or dispose of it.

  • Domain PE: Physical Protection says you must consider the physical security of your facility and your data. Practices like escorting visitors and screening personnel can help prevent security breaches.

  • Domain RE: Recovery practices deal with keeping your data reliably backed up and protecting the CUI held in those backups.

  • Domain RM: Risk Management, as the name suggests, is targeted at managing security risks. This means conducting periodic risk assessments and fixing any vulnerabilities you uncover.

  • Domain SC: Systems and Communications Protection governs how information is transmitted and received by your information systems. Your organization should monitor and control these communications.

  • Domain SI: System and Information Integrity says you should monitor for potential attacks and unauthorized access to your systems. When you are made aware of security issues, you should resolve them promptly.
