Welcome to the second installment of our series on the Cybersecurity Maturity Model Certification (CMMC), a framework required for companies contracting with the US Department of Defense (DoD). In this guide, we’ll break down everything you need to know about CMMC Level 2. For information about the other levels, see our guides to Levels 1, 3, 4, and 5.
Overview of CMMC Level 2 Requirements
The key to complying with CMMC requirements at all levels is understanding exactly what is required. To that end, this blog (and the whole series) is built around descriptions of every practice at each level, sourced directly from CMMC Model Version 1.02, released in March 2020.
As in our article on Level 1, we’ll begin with an overview (or recap) of the CMMC framework and its components, somewhat shorter than the one in the previous installment. The rest of the guide then breaks down as follows:
- Breakdown of Level 2
- Guide to Level 2 compliance
Let’s get started!
Recap on CMMC Framework
The CMMC framework is a robust system of cybersecurity controls that an organization must implement to safeguard its data. Its controls are distributed across a network of 17 domains, 43 capabilities, and 171 practices. Practices distribute across the 5 Maturity Levels, each with its own focus.
To work upward to Level 5, an organization must institutionalize processes and implement practices, gradually increasing the depth and breadth of its cyberdefenses.
The CMMC is aimed at DoD contractors that make up the Defense Industrial Base sector (DIB), or the supply chain on which the DoD relies. The particular forms of information that are unique and critical to the DIB, which the CMMC is designed to protect, include:
- Federal Contract Information (FCI) – Information provided by or generated for the government under a contract to develop or deliver a product or service, and not intended for public release.
- Controlled Unclassified Information (CUI) – Information that is not classified but still requires safeguarding or dissemination controls under law, regulation, or government-wide policy.
Rather than introducing radically new ideas, the CMMC incorporates controls from existing cybersecurity frameworks into one cohesive system. Requirements for CUI come from National Institute of Standards and Technology (NIST) Special Publication 800-171, which Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 already requires contractors handling CUI to implement. FCI requirements come from Federal Acquisition Regulation (FAR) Clause 52.204-21.
The CMMC is a publication of the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). But they didn’t put it together alone; the work is a collaboration between various DoD and DIB stakeholders, including in particular University Affiliated Research Centers (UARCs) and Federally Funded Research and Development Centers (FFRDCs).
Breakdown of CMMC Level 2 Controls
Level 2 is a transitional stage in the cybersecurity maturity and posture of your organization. It builds on the basic safeguards begun at Level 1, which constitute “basic cyber hygiene,” and moves into “intermediate cyber hygiene,” in preparation for Level 3’s “good cyber hygiene.”
Its explicit purpose is to “serve as a transition step” toward full CUI protection, which is reached one level up.
One of the biggest differences between Levels 1 and 2 is that Level 2 is the first stage in the maturity process where processes must be “documented.” It’s no longer enough to perform practices; certification at Level 2 depends on written policies and documented evidence of how each practice is implemented. That means this is the first level at which process maturity itself, not just practice performance, is assessed.
Of the 55 practices introduced at this level, 48 come from NIST SP 800 171, whereas the other 7 come from various disparate sources. Let’s take a look at each practice, organized by domain.
Level 2 Access Control Practices
There are 10 new AC practices added at Level 2:
- AC.2.005 – Provide notices for privacy and security issues related to CUI, per CUI rules.
- AC.2.006 – Limit the use of portable storage devices (USB drives, etc.) on external systems.
- AC.2.007 – Employ the principle of least privilege, including for specific security functions and privileged accounts.
- AC.2.008 – Use non-privileged accounts when accessing assets or functions unrelated to security concerns or that otherwise do not require privileges for security functions.
- AC.2.009 – Limit the number of unsuccessful login attempts that are allowed before locking the account, regardless of privilege level or other specifications.
- AC.2.010 – Use session lock with a pattern-hiding display to prevent access to and viewing of data after a period of inactivity.
- AC.2.011 – Necessitate authorization of wireless access before allowing a connection.
- AC.2.013 – Monitor and exercise granular control over all remote access sessions.
- AC.2.015 – Route remote access through managed access control points.
- AC.2.016 – Control flow of CUI according to authorization and other approved uses.
Level 2 Audit and Accountability Practices
The first 4 AU practices are added at Level 2:
- AU.2.041 – Ensure accountability of particular system users by ensuring that actions performed by a user can be (and are) uniquely traced back to that particular user.
- AU.2.042 – Create and retain system audit logs and records to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity on your systems (including via remote access).
- AU.2.043 – Ensure uniform and accurate timestamps with accurate comparison and synchronization of all internal clocks with authoritative timekeeping sources.
- AU.2.044 – Review audit logs regularly, analyzing, and acting on findings accordingly.
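The AU practices above, together with AC.2.009 from the Access Control list, describe things a log review has to check: every action traces to a user (AU.2.041), timestamps are consistent across hosts (AU.2.043), and failed-logon thresholds are actually enforced (AC.2.009). The script below is an added example, not part of the CMMC model or RSI Security’s own tooling. The log format, the sample lines, the five-failure threshold, the 15-minute window, and the five-minute clock-skew tolerance are all constructed assumptions; substitute your own parser and policy values.

```python
"""Review constructed auth-log lines for AU.2.041, AU.2.043 and AC.2.009 findings.

Added example (not from CMMC or RSI Security). Assumed log format, one event per line:
'<ISO-8601 UTC timestamp> host=<h> user=<u> event=<logon_ok|logon_fail|sudo> src=<ip>'
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; not a real capture. Line 6 is bob's fifth failure,
# line 7 shows a logon succeeding despite that, line 8 comes from a host whose
# clock is 31 minutes behind, and line 9 has no user identity at all.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z host=srv1 user=alice event=logon_ok src=10.0.0.5
2024-05-01T09:01:10Z host=srv1 user=bob event=logon_fail src=10.0.0.9
2024-05-01T09:01:15Z host=srv1 user=bob event=logon_fail src=10.0.0.9
2024-05-01T09:01:20Z host=srv1 user=bob event=logon_fail src=10.0.0.9
2024-05-01T09:01:25Z host=srv1 user=bob event=logon_fail src=10.0.0.9
2024-05-01T09:01:30Z host=srv1 user=bob event=logon_fail src=10.0.0.9
2024-05-01T09:01:35Z host=srv1 user=bob event=logon_ok src=10.0.0.9
2024-05-01T08:30:00Z host=srv2 user=carol event=sudo src=10.0.0.7
2024-05-01T09:05:00Z host=srv1 user= event=sudo src=10.0.0.5
"""

MAX_FAILURES = 5                          # assumed AC.2.009 lockout threshold
WINDOW = timedelta(minutes=15)            # assumed window for counting failures
MAX_CLOCK_SKEW = timedelta(minutes=5)     # assumed AU.2.043 tolerance between hosts


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; 'ts' is a datetime, other keys are strings."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review(log_text: str) -> list:
    """Return (line_number, practice_id, message) findings for the log text."""
    findings = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logons
    latest_ts = None                # highest timestamp seen so far

    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        user = rec.get("user", "")

        # AU.2.041: an action that cannot be traced to a unique user is a gap.
        if not user:
            findings.append((lineno, "AU.2.041", "action recorded without a user identity"))

        # AU.2.043: a record far older than everything before it means an
        # unsynchronized clock (or a replayed/backdated record) on its host.
        if latest_ts is not None and rec["ts"] < latest_ts - MAX_CLOCK_SKEW:
            findings.append((lineno, "AU.2.043",
                             f"host {rec.get('host')} timestamp is behind by "
                             f"{latest_ts - rec['ts']}; check clock synchronization"))
        latest_ts = rec["ts"] if latest_ts is None else max(latest_ts, rec["ts"])

        # AC.2.009: sliding window of failures per user, then check the lockout held.
        if rec.get("event") == "logon_fail":
            recent = failures[user]
            recent.append(rec["ts"])
            while recent and rec["ts"] - recent[0] > WINDOW:
                recent.popleft()
            if len(recent) == MAX_FAILURES:
                findings.append((lineno, "AC.2.009",
                                 f"{user} reached {MAX_FAILURES} failed logons within "
                                 f"{WINDOW}; the account should now be locked"))
        elif rec.get("event") == "logon_ok" and len(failures[user]) >= MAX_FAILURES:
            findings.append((lineno, "AC.2.009",
                             f"{user} logged on after hitting the threshold; lockout not enforced"))
    return findings


if __name__ == "__main__":
    for lineno, practice, message in review(SAMPLE_LOG):
        print(f"line {lineno}: [{practice}] {message}")
```

Run against the sample it reports four findings: bob’s fifth failure, bob’s subsequent successful logon (the lockout did not hold), carol’s host clock running behind, and the sudo event with no user. The same structure drops in behind a real syslog or Windows Security log parser; only `parse_line` and the policy constants change.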
Level 2 Awareness and Training Practices
The first 2 AT practices are added at Level 2:
- AT.2.056 – Ensure that system administrators, managers, and all other users of the organization’s systems are aware of the various security risks involved in their activities, as well as all applicable rules, standards, best practices, etc. related to system security.
- AT.2.057 – Ensure that personnel entrusted with responsibilities or privileges related to protected information are regularly trained and well prepared to maintain security.
Level 2 Configuration Management Practices
The first 6 CM practices are added at Level 2:
- CM.2.061 – Maintain baseline configurations for and inventory of the organization’s systems (software, hardware, firmware, etc.) across all life cycles of systems’ development.
- CM.2.062 – Employ “least functionality” principle; configure all organizational systems to provide only the bare minimum essential capabilities and disallow all other uses.
- CM.2.063 – Restrict, monitor, and otherwise control all user-installed software.
- CM.2.064 – Establish and enforce security configuration settings for the information technology products employed in organizational systems.
- CM.2.065 – Track, review, approve or disapprove, and log changes to organizational systems.
- CM.2.066 – Analyze and understand security impact of changes before implementation.
Level 2 Identification and Authentication Practices
There are 5 new IA practices added at Level 2:
- IA.2.078 – Enforce a minimum password complexity and a change of characters when new passwords are created.
- IA.2.079 – Prohibit password reuse for a specified number of generations (password resets).
- IA.2.080 – Allow temporary passwords for system logon only with an immediate change to a permanent password.
- IA.2.081 – Ensure cryptographical protection for storage and transmission of passwords.
- IA.2.082 – Obscure any and all feedback about authentication information.
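The five IA practices describe a password lifecycle that is easy to get subtly wrong: IA.2.078 and IA.2.079 need a history, IA.2.081 means that history can only contain salted hashes, and IA.2.082 means a logon attempt must learn nothing beyond pass/fail. The class below is an added example, not code from the CMMC model or from RSI Security, showing how those four constraints fit together in one store. The history depth, minimum length, minimum changed characters, character-class rule, and PBKDF2 iteration count are assumed policy values; set them from your own policy. The "changed characters" metric (positions that differ) is likewise an assumed interpretation of IA.2.078.

```python
"""Password store mapping to IA.2.078, IA.2.079, IA.2.081 and IA.2.082.

Added example; not from the CMMC model or RSI Security. All thresholds below are
assumptions standing in for organization-defined policy values.
"""
import hashlib
import hmac
import os
import re
from collections import deque
from typing import Deque, Dict, Optional, Tuple

HISTORY_DEPTH = 24          # IA.2.079: generations that may not be reused (assumed)
MIN_LENGTH = 14             # IA.2.078 minimum length (assumed)
MIN_CHANGED = 4             # IA.2.078 "change of characters" (assumed metric: differing positions)
MIN_CLASSES = 3             # IA.2.078 complexity: classes required out of the four below (assumed)
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
PBKDF2_ITERATIONS = 300_000  # assumed; tune upward for your hardware per current OWASP guidance
SALT_BYTES = 16


class PolicyError(ValueError):
    """Raised only during a password change, never during logon (IA.2.082)."""


def _derive(password: str, salt: bytes) -> bytes:
    # IA.2.081: the only thing ever stored is a salted, slow hash of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def changed_characters(old: str, new: str) -> int:
    """Count positions where old and new differ; extra length counts as changed."""
    longest = max(len(old), len(new))
    return sum(1 for i in range(longest)
               if i >= len(old) or i >= len(new) or old[i] != new[i])


def check_complexity(candidate: str) -> None:
    if len(candidate) < MIN_LENGTH:
        raise PolicyError("password shorter than policy minimum")
    if sum(bool(re.search(cls, candidate)) for cls in CHAR_CLASSES) < MIN_CLASSES:
        raise PolicyError("password lacks required character classes")


class PasswordStore:
    def __init__(self) -> None:
        # user -> (salt, digest) pairs, newest last; plaintext is never retained.
        self._history: Dict[str, Deque[Tuple[bytes, bytes]]] = {}
        self._dummy_salt = os.urandom(SALT_BYTES)

    def set_password(self, user: str, new: str, current: Optional[str] = None) -> None:
        if user in self._history:
            # A change must prove the current password before policy is even evaluated.
            if current is None or not self.verify(user, current):
                raise PolicyError("current password required to change password")
            if changed_characters(current, new) < MIN_CHANGED:
                raise PolicyError("new password too similar to the current one")
        check_complexity(new)
        history = self._history.setdefault(user, deque(maxlen=HISTORY_DEPTH))
        # IA.2.079: with only hashes stored, reuse is detected by re-deriving the
        # candidate under each historical salt and comparing digests.
        for salt, digest in history:
            if hmac.compare_digest(_derive(new, salt), digest):
                raise PolicyError("password reused within the prohibited generations")
        salt = os.urandom(SALT_BYTES)
        history.append((salt, _derive(new, salt)))

    def verify(self, user: str, password: str) -> bool:
        # IA.2.082: the caller learns only True/False. Unknown users still pay the
        # derivation cost so timing does not reveal whether the account exists.
        if user not in self._history:
            _derive(password, self._dummy_salt)
            return False
        salt, digest = self._history[user][-1]
        return hmac.compare_digest(_derive(password, salt), digest)


def change_is_rejected(store: PasswordStore, user: str, new: str,
                       current: Optional[str] = None) -> bool:
    """True if the store's policy rejects the change (convenience for checks/tests)."""
    try:
        store.set_password(user, new, current)
    except PolicyError:
        return True
    return False
```

Two design points worth noting. Reuse checking against a hash-only history costs one key derivation per stored generation, which is the price of honoring IA.2.081 and IA.2.079 at the same time; keep `HISTORY_DEPTH` to what policy actually requires. And `verify` returns nothing but a boolean on purpose: the detailed `PolicyError` messages exist only on the change path, where the user has already authenticated.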
Level 2 Incident Response Practices
The first 5 IR practices are added at Level 2:
- IR.2.092 – Establish one or more incident management capabilities for the organization’s systems, including functionalities of:
- Preparation for incident response
- Detection and analysis of incidents
- Response and recovery protocols
- IR.2.093 – Actively monitor for, detect, and report on events as they occur.
- IR.2.094 – Analyze and triage events to support event resolution and incident declaration.
- IR.2.096 – Develop and implement responses to declared incidents according to predefined procedures.
- IR.2.097 – Perform root-cause analysis (RCA) on incidents after a successful resolution.
Level 2 Maintenance Practices
The first 4 MA practices are added at Level 2:
- MA.2.111 – Perform regular maintenance on all organizational systems.
- MA.2.112 – Specify particular controls and protocols that govern maintenance, including:
- Which tools, techniques, and mechanisms are used
- Which personnel are involved in maintenance procedures
- MA.2.113 – For nonlocal maintenance sessions through external network connections:
- Require multi-factor authentication (MFA) to establish a connection
- Terminate connections and access upon completion of maintenance
- MA.2.114 – Supervise the maintenance activities of personnel who lack the required access authorization, including external technicians granted temporary access.
Level 2 Media Protection Practices
There are 3 new MP practices added at Level 2:
- MP.2.119 – Protect (physically control and securely store) all system media containing CUI, both paper and digital.
- MP.2.120 – Limit access to CUI on system media to authorized users.
- MP.2.121 – Control all use of removable media on any and all system components.
Level 2 Personnel Security Practices
The first 2 PS practices are added at Level 2:
- PS.2.127 – Screen individuals before authorizing their access to organizational systems containing CUI.
- PS.2.128 – Ensure protection of systems containing CUI during important transitional events relative to personnel, including but not limited to transfers and terminations.
Level 2 Physical Protection Practice
There is just 1 new PE practice added at Level 2:
- PE.2.135 – Monitor and protect the physical surroundings of organizational information systems, including any and all relevant facilities and support infrastructure.
Level 2 Recovery Practices
The first 2 RE practices are added at Level 2:
- RE.2.137 – Perform regular backups; regularly test backup functionality.
- RE.2.138 – Protect the confidentiality of backup data, including especially CUI, in storage.
Level 2 Risk Management Practices
The first 3 RM practices are added at Level 2:
- RM.2.141 – Assess periodically the risks that processing, storing, or transporting CUI can have, pertaining to the following individuals and areas:
- Organizational operations (mission, functions, reputation, etc.)
- Individuals, including personnel and other stakeholders
- Other organizational assets, and resources
- RM.2.142 – Scan organizational systems and resources periodically for vulnerabilities, both at regular intervals and when new (potential) vulnerabilities are identified.
- RM.2.143 – Remediate vulnerabilities in accordance with the organization’s risk assessments, prioritizing by the risk each one poses.
Level 2 Security Assessment Practices
The first 3 CA practices are added at Level 2:
- CA.2.157 – Develop and regularly update security plans describing in detail the parameters of systems protected and relevant logistics, including:
- Boundaries of information systems
- Systems’ environments of operation
- Security implementations and requirements
- Relationships and connections between systems
- CA.2.158 – Assess controls across systems periodically, determining efficacy.
- CA.2.159 – Develop and implement plans of action (POA&Ms) to correct deficiencies and reduce or eliminate vulnerabilities identified in organizational systems.
Level 2 System and Communications Protection Practices
There are 2 new SC practices added at Level 2:
- SC.2.178 – Prohibit remote activation of collaborative computing devices (cameras, microphones, and the like), and indicate to users present at a device when it is in use.
- SC.2.179 – Utilize encryption and encrypted sessions for network device management.
Level 2 System and Information Integrity Practices
There are 3 new SI practices added at Level 2:
- SI.2.214 – Monitor any and all alerts related to system security and take immediate, appropriate responsive action, as defined by the organization.
- SI.2.216 – Monitor organizational systems, including but not limited to communications traffic; detect and act upon identified attacks and any indicators of underlying threats.
- SI.2.217 – Identify and act upon any and all unauthorized use of organizational systems.
How to Meet CMMC Level 2 Requirements
As briefly noted above, Level 2’s process requirement is “documented,” meaning you need written policies and clear records of implementation across all 55 new practices, as well as the 17 carried over from Level 1 (72 total). These records contribute to the institutionalization of the CMMC by making practices repeatable over time and across all staff and parts of the organization.
The stakes are raised accordingly.
As with all other levels, Level 2 certification is granted by a Certified Third Party Assessment Organization (C3PAO), which in itself has been certified by the CMMC Accreditation Body.
Your best bet for implementing and documenting all required controls is working with a provider that can walk you through every stage of preparation before a C3PAO assessment. Enter RSI Security. Our suite of CMMC services makes certification at all levels as straightforward as possible.
Get Ready for CUI Protection
RSI Security isn’t just your ideal CMMC partner. We help with everything from web filtering to threat management. Our team of experts has provided cybersecurity services to organizations of all shapes and sizes for over a decade. In that time, we’ve helped countless DoD contractors secure their own information so that they can assist the DoD in securing the rest of America. So, for help with CMMC level 2 and all your cyberdefense needs, contact RSI Security today!