Organizations that work closely with the US Military as contractors or vendors often come into contact with sensitive information. Compliance with the CMMC 2.0 standard is required to ensure all critical data is protected. Careful scoping, implementation, and assessment are essential.
Is your organization prepared for CMMC 2.0 compliance? Book a consultation to find out!
How to Prepare for CMMC 2.0 Compliance
Defense Industrial Base (DIB) organizations that contract with the Department of Defense (DoD) need to achieve Cybersecurity Maturity Model Certification (CMMC). However, CMMC is a large and complex framework that many organizations find challenging to understand, much less implement.
There are three essential components to effective CMMC 2.0 preparation:
- Understanding the regulatory context and applicability of the framework
- Planning and installing controls required for your CMMC 2.0 Level
- Conducting an official self-, third-party-, or government-led assessment
Working with a CMMC advisory partner will streamline all parts of the process.
Understanding the Regulatory Context
The first step to complying with CMMC is understanding whether, and to what extent, it applies to your organization. CMMC applies to DoD contractors and subcontractors that handle certain protected types of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Organizations that process only FCI generally need CMMC 2.0 Level 1, whereas those that process CUI generally need Level 2. Level 3 is reserved for contractors supporting the DoD's highest-priority programs, where CUI is exposed to the most capable adversaries and the highest levels of risk.
The current edition of the framework, CMMC 2.0 (also written CMMC v2), was announced by the DoD in November 2021. It builds on existing government publications, chiefly the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Every CMMC practice at Levels 1 and 2 is drawn from NIST SP 800-171, and Level 2 covers all of SP 800-171's requirements. Level 3 will be based on a different publication, NIST SP 800-172, discussed below.
Planning and Implementing Controls
Next comes planning for and implementing the controls required for your target CMMC 2.0 level. Note that the level a contract requires may change over time as an entity takes on greater data-handling responsibilities: a contract that calls for Level 1 today may require Level 2 on renewal or modification. For this reason, it is worth preparing for full Level 2 implementation even if you only need Level 1 at present.
See below for a complete list of requirements for each level.
Required Controls for CMMC 2.0 Level 1
CMMC 2.0 Level 1 comprises 17 practices. They implement the 15 basic safeguarding requirements of FAR 52.204-21, expressed using the corresponding NIST SP 800-171 (Rev. 2) requirement numbers, and break down by domain as follows:
- Access Control
  - AC.L1-3.1.1: Access control via authorization
  - AC.L1-3.1.2: Control over transaction functions
  - AC.L1-3.1.20: Control over external connections
  - AC.L1-3.1.22: Control over publicly posted information
- Identification and Authentication
  - IA.L1-3.5.1: Identification of users, processes, and devices
  - IA.L1-3.5.2: Authentication of users, processes, and devices
- Media Protection
  - MP.L1-3.8.3: Sanitization or destruction of media before disposal or reuse
- Physical Protection
  - PE.L1-3.10.1: Limitation of physical access
  - PE.L1-3.10.3: Escort and monitoring of visitors
  - PE.L1-3.10.4: Logs of physical access
  - PE.L1-3.10.5: Management of physical access devices
- System and Communications Protection
  - SC.L1-3.13.1: Protection at system boundaries
  - SC.L1-3.13.5: Separation of publicly accessible systems
- System and Information Integrity
  - SI.L1-3.14.1: Timely remediation of flaws
  - SI.L1-3.14.2: Protection from malicious code
  - SI.L1-3.14.4: Updates to malicious code protection
  - SI.L1-3.14.5: Periodic and real-time file and system scanning
Required Controls for CMMC 2.0 Level 2
CMMC 2.0 Level 2 covers all 110 requirements of NIST SP 800-171 (Rev. 2): the 17 Level 1 practices plus 93 more, which add practices to the domains Level 1 already touches and introduce several new domains:
- Access Control
  - AC.L2-3.1.3: Control over the flow of CUI
  - AC.L2-3.1.4: Separation of duties
  - AC.L2-3.1.5: Least privilege
  - AC.L2-3.1.6: Non-privileged accounts for non-security functions
  - AC.L2-3.1.7: Restriction and logging of privileged functions
  - AC.L2-3.1.8: Limits on unsuccessful logon attempts
  - AC.L2-3.1.9: Privacy and security notices
  - AC.L2-3.1.10: Session lock after inactivity
  - AC.L2-3.1.11: Automatic session termination
  - AC.L2-3.1.12: Monitoring and control of remote access
  - AC.L2-3.1.13: Cryptographic protection of remote access sessions
  - AC.L2-3.1.14: Routing of remote access through managed access control points
  - AC.L2-3.1.15: Authorization of privileged commands over remote access
  - AC.L2-3.1.16: Authorization of wireless access
  - AC.L2-3.1.17: Authentication and encryption of wireless access
  - AC.L2-3.1.18: Control over mobile device connections
  - AC.L2-3.1.19: Encryption of CUI on mobile devices
  - AC.L2-3.1.21: Control over portable storage devices
- Awareness and Training
  - AT.L2-3.2.1: Role-based risk awareness training
  - AT.L2-3.2.2: Role-based security training
  - AT.L2-3.2.3: Insider threat awareness training
- Audit and Accountability
  - AU.L2-3.3.1: Creation and retention of audit records
  - AU.L2-3.3.2: Traceability of actions to individual users
  - AU.L2-3.3.3: Review and update of logged events
  - AU.L2-3.3.4: Alerts on audit logging failure
  - AU.L2-3.3.5: Correlation of audit records
  - AU.L2-3.3.6: Audit record reduction and report generation
  - AU.L2-3.3.7: Authoritative time source for timestamps
  - AU.L2-3.3.8: Protection of audit information and tools
  - AU.L2-3.3.9: Restriction of audit management to privileged users
- Configuration Management
  - CM.L2-3.4.1: Baseline configurations and system inventories
  - CM.L2-3.4.2: Enforcement of security configuration settings
  - CM.L2-3.4.3: Tracking and approval of system changes
  - CM.L2-3.4.4: Security impact analysis of changes
  - CM.L2-3.4.5: Access restrictions on changes
  - CM.L2-3.4.6: Least functionality
  - CM.L2-3.4.7: Restriction of nonessential programs, ports, and services
  - CM.L2-3.4.8: Application allowlisting or denylisting policy
  - CM.L2-3.4.9: Control over user-installed software
- Identification and Authentication
  - IA.L2-3.5.3: Multifactor authentication (MFA)
  - IA.L2-3.5.4: Replay-resistant authentication
  - IA.L2-3.5.5: Restriction of identifier reuse
  - IA.L2-3.5.6: Disabling of inactive identifiers
  - IA.L2-3.5.7: Minimum password complexity
  - IA.L2-3.5.8: Restriction of password reuse
  - IA.L2-3.5.9: Temporary passwords changed on first use
  - IA.L2-3.5.10: Cryptographic protection of stored and transmitted passwords
  - IA.L2-3.5.11: Obscured authentication feedback
- Incident Response
  - IR.L2-3.6.1: Incident handling capability
  - IR.L2-3.6.2: Incident tracking and reporting
  - IR.L2-3.6.3: Testing of incident response capability
- Maintenance
  - MA.L2-3.7.1: Performance of system maintenance
  - MA.L2-3.7.2: Control over maintenance tools, techniques, and personnel
  - MA.L2-3.7.3: Sanitization of equipment removed for off-site maintenance
  - MA.L2-3.7.4: Inspection of diagnostic and test media for malicious code
  - MA.L2-3.7.5: MFA and session termination for nonlocal maintenance
  - MA.L2-3.7.6: Supervision of maintenance personnel without access authorization
- Media Protection
  - MP.L2-3.8.1: Protection of media containing CUI
  - MP.L2-3.8.2: Limits on access to media containing CUI
  - MP.L2-3.8.3: (Level 1 practice, retained)
  - MP.L2-3.8.4: CUI markings on media
  - MP.L2-3.8.5: Accountability for media during transport
  - MP.L2-3.8.6: Encryption of CUI on digital media in transport
  - MP.L2-3.8.7: Control over removable media
  - MP.L2-3.8.8: Prohibition of portable storage with no identifiable owner
  - MP.L2-3.8.9: Protection of CUI in backups
- Personnel Security
  - PS.L2-3.9.1: Screening of individuals before CUI access
  - PS.L2-3.9.2: Protection of CUI during terminations and transfers
- Physical Protection
  - PE.L2-3.10.2: Protection and monitoring of facilities
  - PE.L2-3.10.6: Safeguards at alternate work sites
- Risk Assessment
  - RA.L2-3.11.1: Periodic risk assessments
  - RA.L2-3.11.2: Periodic vulnerability scanning
  - RA.L2-3.11.3: Remediation of vulnerabilities
- Security Assessment
  - CA.L2-3.12.1: Periodic assessment of security controls
  - CA.L2-3.12.2: Plans of action to remediate deficiencies
  - CA.L2-3.12.3: Continuous monitoring of security controls
  - CA.L2-3.12.4: System security plan (SSP)
- System and Communications Protection
  - SC.L2-3.13.2: Security engineering principles in system design
  - SC.L2-3.13.3: Separation of user and system management functions
  - SC.L2-3.13.4: Prevention of unauthorized information transfer via shared resources
  - SC.L2-3.13.6: Deny-by-default, permit-by-exception network communications
  - SC.L2-3.13.7: Prevention of split tunneling on remote devices
  - SC.L2-3.13.8: Encryption of CUI in transit
  - SC.L2-3.13.9: Termination of inactive network connections
  - SC.L2-3.13.10: Management of cryptographic keys
  - SC.L2-3.13.11: FIPS-validated cryptography for protecting CUI
  - SC.L2-3.13.12: Control over collaborative computing devices
  - SC.L2-3.13.13: Control over mobile code
  - SC.L2-3.13.14: Voice over Internet Protocol (VoIP) protections
  - SC.L2-3.13.15: Authenticity of communications sessions
  - SC.L2-3.13.16: Protection of CUI at rest
- System and Information Integrity
  - SI.L2-3.14.3: Monitoring of security alerts and advisories
  - SI.L2-3.14.6: Monitoring of communications for attacks
  - SI.L2-3.14.7: Identification of unauthorized system use
Likely Requirements for CMMC Level 3
The specific controls for CMMC 2.0 Level 3 have not yet been finalized. However, the DoD has stated that they will be drawn from NIST SP 800-172, much as Levels 1 and 2 are drawn from NIST SP 800-171. SP 800-172 comprises 35 "enhanced" security requirements that build on the protections of SP 800-171 and are aimed at advanced persistent threats. Any organization that expects to need Level 3 should prepare to implement all 35 rather than wait for the final subset to be announced.
Conducting an Official CMMC Assessment
The final step of CMMC 2.0 preparation is planning for the assessment that actually grants certification. As with implementation, the requirements vary greatly by level.
At CMMC Level 1, organizations self-assess annually against the 17 practices. The DoD provides self-assessment guidance, and Level 1 entities are not required to engage an outside assessor or advisor, although working with one can make the assessment go more smoothly.
At CMMC Level 2, a subset of contracts will allow annual self-assessment, but most Level 2 contracts will require a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO). The DoD publishes Level 2 assessment guidance to prepare with, but for contracts that do not qualify for self-assessment, a C3PAO assessment is the only route to certification. RSI Security is a C3PAO authorized and listed by the Cyber AB and can facilitate your certification process.
At CMMC Level 3, organizations will undergo triennial government-led assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The exact scope of these assessments has not yet been published, but it is expected to mirror Level 2 with the SP 800-172 requirements added.
Streamline Your CMMC 2.0 Prep Today
Ultimately, preparing for CMMC 2.0 compliance starts with understanding what the rules are, whether they apply to you, and how they have changed. Then you need to create and execute an implementation plan. Finally, an assessment, whether self-conducted or performed by a third party or the government, grants certification.
RSI Security helps DIB organizations prepare for long-term DoD compliance. As a C3PAO and advisor, we understand that discipline now will unlock the freedom to grow in the future. And we’re committed to helping you rethink cyberdefenses for seamless, long-term compliance.
To learn more about our CMMC 2.0 DoD compliance services, contact RSI Security today!