CMMC Level 2: Aligning with NIST SP 800-171 for Advanced Security

Military contractors that work with sensitive information need to prove their security chops through NIST and CMMC compliance. If a contract requires CMMC Level 2, you’ll need to implement the entirety of NIST SP 800-171, including 110 unique cybersecurity practices.

Is your organization ready for CMMC Level 2 compliance? Request a consultation to find out!

 

Achieving CMMC 2.0 Level 2 and NIST Compliance

Organizations working with the Department of Defense (DoD) need to prove that their data processing is secure before they work with sensitive military information. To that effect, they need to implement protections from the National Institute of Standards and Technology (NIST), which are the basis of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program.

In particular, DoD contracts requiring CMMC Level 2 certification require implementing the entirety of NIST’s Special Publication (SP) 800-171. To do that, you need to understand:

• The regulatory context of how CMMC relates to NIST
• The implementation requirements of CMMC Level 2
• The assessment requirements for certification at Level 2

Working with a compliance advisory partner to scope and implement controls and then plan for and conduct your assessment will make it easier and faster to be a preferred DoD contractor.

 

How CMMC 2.0 Relates to NIST DoD Standards

CMMC is a relatively new framework, but the standards that it’s built upon are not. The CMMC program is a way to integrate NIST SP 800-171 and other security practices uniformly across the defense industrial base (DIB). Sooner rather than later, all DoD contracts will require some level of CMMC compliance. Those that deal primarily in lower-stakes sensitive data, such as Federal Contract Information (FCI), will need CMMC Level 1. But those that involve Controlled Unclassified Information (CUI) need CMMC Level 2, which corresponds to all of SP 800-171.

Additionally, some organizations that process large quantities of CUI or are subject to more dangerous risk environments may need CMMC Level 3. This highest level includes all 110 of SP 800-171’s controls, along with 24 from the supplementary framework NIST SP 800-172.

 

Implementation Requirements at CMMC Level 2

If your organization needs to achieve CMMC Level 2 certification, you’ll need to implement the 15 requirements of Level 1 and then upgrade to the full suite of 110 for Level 2. In other words, this includes all of SP 800-171’s requirements. After all controls are installed, you can prepare for an assessment (see below).

Note that the CMMC 2.0 levels differ slightly from earlier versions of the framework. If you were targeting CMMC Level 3 in version 1, you may need to achieve Level 2 in the new schema.

 

 

CMMC Level 1 Prerequisites

CMMC Level 1 comprises 15 controls adapted from NIST SP 800-171. They are fundamental in scope and provide basic safeguarding of FCI. However, they’re not sufficient for CUI protection.

The Level 1 requirements that need to be in place prior to Level 2 implementation are:

• Level 1 Access Control

• • • AC.L1-3.1.1: Authorized access controls for FCI
    • AC.L1-3.1.2: Transaction and function controls for FCI
    • AC.L1-3.1.20: External connection security for FCI
    • AC.L1-3.1.22: Control over publicly accessible FCI

• Level 1 Identification and Authentication

• • • IA.L1-3.5.1: FCI identification
    • IA.L1-3.5.2: FCI authentication

• Level 1 Media Protection

• • • MP.L1-3.8.3i: Secure FCI disposal  

• Level 1 Physical Protection

• • PE.L1-3.10.1i: Limit physical access to FCI
  • PE.L1-3.10.3: Limit visitors and physical access to FCI
  • PE.L1-3.10.4: Physical access logs
  • PE.L1-3.10.5: Manage physical access

• Level 1 System and Communications Protection

• • SC.L1-3.13.1: Boundary protections around FCI
  • SC.L1-3.13.5: System separation for publicly accessible FCI

• Level 1 System and Information Integrity

• • SI.L1-3.14.1: FCI data flaw remediation
  • SI.L1-3.14.2: Malicious code protection in FCI
  • SI.L1-3.15.4: Update FCI malware protections
  • SI.L1-3.14.5: FCI data system and file scanning

More granular information can be found in the DoD’s CMMC Level 1 assessment guide.

 

CMMC Level 2 Requirements

CMMC Level 2 comprises 110 total requirements, building on Level 1’s safeguards and expanding them to account for the scope and stakes of CUI protection. At Level 2, DoD contractors work with more sensitive data and therefore need more robust assurances.

The full suite of controls aligning CMMC Level 2 and NIST breaks down as follows: 

• Level 2 Access Control

• • • AC.L2-3.1.1: Authorized access controls for CUI
    • AC.L2-3.1.2: Transaction and function controls
    • AC.L2-3.1.3: Controls for the flow of CUI
    • AC.L2-3.1.4: Separation of duties
    • AC.L2-3.1.5: Least privilege principle for access
    • AC.L2-3.1.6: Non-privileged account controls
    • AC.L2-3.1.7: Control over privileged functions
    • AC.L2-3.1.8: Limited unsuccessful login attempts
    • AC.L2-3.1.9: Privacy and security notices
    • AC.L2-3.1.10: Session lockout controls
    • AC.L2-3.1.11: Session termination protocols
    • AC.L2-3.1.12: Control over remote access
    • AC.L2-3.1.13: Remote access confidentiality
    • AC.L2-3.1.14: Secure routing for remote access
    • AC.L2-3.1.15: Privileged remote access controls
    • AC.L2-3.1.16: Wireless access authorization
    • AC.L2-3.1.17: Wireless access protections
    • AC.L2-3.1.18: Secure mobile device connections
    • AC.L2-3.1.19: CUI encryption on mobile devices
    • AC.L2-3.1.20: External connection security for CUI
    • AC.L2-3.1.21: Secure use of portable storage
    • AC.L2-3.1.22: Control over publicly accessible CUI

• Level 2 Awareness and Training

• • • AT.L2-3.2.1: Role-based risk awareness
    • AT.L2-3.2.2: Role-based training exercises
    • AT.L2-3.2.3: Insider threat awareness

• Level 2 Audit and Accountability

• • • AU.L2-3.3.1: System-wide auditing
    • AU.L2-3.3.2: User accountability
    • AU.L2-3.3.3: Security event review
    • AU.L2-3.3.4: Audit failure alerts
    • AU.L2-3.3.5: Audit correlation tracking
    • AU.L2-3.3.6: Harm reduction and reporting
    • AU.L2-3.3.7: Authoritative time source
    • AU.L2-3.3.8: Audit protection controls
    • AU.L2-3.3.9: Audit management systems

• Level 2 Configuration Management

• • • CM.L2-3.4.1: Secure system baseline
    • CM.L2-3.4.2: Security configuration enforcement
    • CM.L2-3.4.3: System-wide change management
    • CM.L2-3.4.4: Security incident impact analysis
    • CM.L2-3.4.5: Access restrictions on changes
    • CM.L2-3.4.6: Least functionality principle
    • CM.L2-3.4.7: Nonessential functionality minimization
    • CM.L2-3.4.8: Application execution policies
    • CM.L2-3.4.9: User-installed software security

• Level 2 Identification and Authentication

• • • IA.L2-3.5.1: Secure identification for CUI
    • IA.L2-3.5.2: Secure authentication for CUI
    • IA.L2-3.5.3: Multifactor authentication (MFA)
    • IA.L2-3.5.4: Replay-resistant authentication
    • IA.L2-3.5.5: Limits on identifier reuse
    • IA.L2-3.5.6: Secure identifier handling
    • IA.L2-3.5.7: Minimum password complexity
    • IA.L2-3.5.8: Limits on password reuse
    • IA.L2-3.5.9: Temporary passwords
    • IA.L2-3.5.10: Encrypted passwords
    • IA.L2-3.5.11: Obscured auth feedback

• Level 2 Incident Response

• • • IR.L2-3.6.1: Secure incident handling
    • IR.L2-3.6.2: Secure incident reporting
    • IR.L2-3.6.3: Incident response testing

• Level 2 Maintenance

• • • MA.L2-3.7.1: Regular maintenance activities
    • MA.L2-3.7.2: System maintenance controls
    • MA.L2-3.7.3: Equipment sanitization protocols
    • MA.L2-3.7.4: Regular media inspection
    • MA.L2-3.7.5: Secure nonlocal maintenance
    • MA.L2-3.7.6: Maintenance security personnel

• Level 2 Media Protection

• • • MP.L2-3.8.1: Media Protection practices
    • MP.L2-3.8.2: Media access controls
    • MP.L2-3.8.3: Secure CUI media disposal
    • MP.L2-3.8.4: Consistent media markings
    • MP.L2-3.8.5: Media accountability assurance
    • MP.L2-3.8.6: Encryption for portable storage
    • MP.L2-3.8.7: Secure removable media
    • MP.L2-3.8.8: Secure shared media
    • MP.L2-3.8.9: Protected backups

• Level 2 Personnel Security

• • • PS.L2-3.9.1: Screening for all individuals
    • PS.L2-3.9.2: Secure personnel actions

• Level 2 Physical Protection

• • • PE.L2-3.10.1: Limit physical access to CUI
    • PE.L2-3.10.2: Monitor facilities housing CUI
    • PE.L2-3.10.3: Escort visitors to CUI environments
    • PE.L2-3.10.4: Log access to CUI environments
    • PE.L2-3.10.5: Manage physical access to CUI
    • PE.L2-3.10.6: Secure alternative work sites

• Level 2 Risk Assessment

• • • RA.L2-3.11.1: Regular risk assessments
    • RA.L2-3.11.2: Periodic vulnerability scans
    • RA.L2-3.11.3: Vulnerability remediation protocols

• Level 2 Security Assessment

• • • CA.L2-3.12.1: Regular security control assessments
    • CA.L2-3.12.2: Formal operational plans for action
    • CA.L2-3.12.3: Ongoing security control monitoring
    • CA.L2-3.12.4: Formal system-wide security plans

• Level 2 System and Communications Protection

• • • SC.L2-3.13.1: Boundary protections for CUI
    • SC.L2-3.13.2: Security engineering practices
    • SC.L2-3.13.3: Separation of roles and responsibilities
    • SC.L2-3.13.4: Control over shared resources
    • SC.L2-3.13.5: Separation of publicly accessible systems
    • SC.L2-3.13.6: Permit network communication by exception
    • SC.L2-3.13.7: Split tunneling for networks containing CUI
    • SC.L2-3.13.8: Protection of CUI data in transit
    • SC.L2-3.13.9: Secure connection termination
    • SC.L2-3.13.10: Secure key management
    • SC.L2-3.13.11: Encryption for CUI data
    • SC.L2-3.13.12: Control over collaborative devices
    • SC.L2-3.13.13: Secure mobile code deployment
    • SC.L2-3.13.14: Secure Voice over Internet Protocol (VoIP)
    • SC.L2-3.13.15: Communication authenticity assurance
    • SC.L2-3.13.16: Protection of CUI data at rest

• Level 2 System and Information Integrity

• • SI.L2-3.14.1: Flaw remediation for CUI data
  • SI.L2-3.14.2: Malicious code protection for CUI
  • SI.L2-3.14.3: Security alerts and advisories
  • SI.L2-3.14.4: Updated malware protection for CUI
  • SI.L2-3.14.5: System and file scanning for CUI
  • SI.L2-3.14.6: Communication attack monitoring
  • SI.L2-3.14.7: Unauthorized use identification

For more granular information, see the DoD’s CMMC Level 2 assessment guide.

 

 

Assessment Requirements at CMMC Level 2

Implementation alone does not confer CMMC certification. Organizations also need to conduct formal assessments to prove that their control deployment is effective. Beyond implementation, the biggest difference when comparing CMMC Level 1 vs Level 2 is the assessment method. The former allows self-assessments, while the latter generally requires certified assessments through a third party. Crucially, while some contractors qualify for self-assessment at Level 2, the vast majority need to work with a Certified Third Party Assessment Organization (C3PAO) vetted by the Cyber AB.

Working with a C3PAO ensures the highest level of scrutiny and fidelity in audit practices. The best C3PAO partners will also help you prepare for the audit to succeed swiftly and efficiently.

 

Optimize Your CMMC Compliance Practices

If your organization needs to achieve CMMC Level 2 compliance for an existing or potential DoD contract, you’ll need to align fully with the NIST SP 800-171 framework. This means first implementing all 110 required controls and then preparing for a rigorous C3PAO assessment.

RSI Security has helped countless organizations prepare for and achieve DoD compliance through NIST and CMMC implementation. We are a C3PAO listed by the Cyber AB, and we assist in all parts of the compliance process. We know that discipline upfront helps unlock greater freedom to grow in the long run, and we’ll help you rethink your security to that effect.

To learn more about our CMMC compliance services, contact RSI Security today!

 

Contact Us Now!