All companies contracting with the US Department of Defense (DoD) make up the Defense Industrial Base (DIB) sector, which is essential to Americans’ security at home and abroad. Protecting the DIB is critical, so companies working with the DoD need to comply with the Cybersecurity Maturity Model Certification (CMMC), a set of requirements that scale upward in maturity across five levels. One element of this maturity is “processes,” which are first assessed at CMMC level 2. This guide explains what that means.
What is the CMMC Level 2 Process Maturity Dimension?
As we’ll detail below, process maturity first becomes a demanding part of CMMC compliance at level 2, not level 1. Level 2 is a transitional stage toward level 3, the first major threshold of the framework, but it is also the first level at which the burden of documentation falls on your company. That is why it matters so much to compliance.
If you want to achieve preferred status and develop a lasting relationship with the DoD, you’ll need to reach certification at level 2 and beyond. So, in the sections below, we’ll break down:
- How focus and process maturity operate at each CMMC level
- How process maturity impacts CMMC level 2 requirements
- How to achieve compliance at level 2 — and beyond
By the time we’re done, you’ll be well prepared to achieve compliance and certification at CMMC level 2. But first, let’s start with an overview of what the whole CMMC framework entails.
Overall CMMC Background, Framework, and Scheme
The CMMC is a relatively new framework: version 1.0 was published on 31 January 2020, and the current version 1.02 followed on 18 March 2020 (this guide describes version 1.02). Its controls, however, are not new at all: the model gathers and consolidates practices from a wide range of existing frameworks and maps them onto a stepwise system of maturity rather than a one-size-fits-all model.
For example, the CMMC protects two main categories of information that other government regulations already require contractors to safeguard:
- Federal contract information (FCI) – Information provided by or generated for the government under a contract and not intended for public release, as defined and protected in Federal Acquisition Regulation (FAR) Clause 52.204-21.
- Controlled unclassified information (CUI) – Information that is unclassified but requires safeguarding or dissemination controls under law, regulation, or government-wide policy; its protection on contractor systems is required by Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
A large portion of the CMMC is based on the protections laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171). Fourteen of the CMMC’s 17 security “domains” correspond to the 14 “requirement families” of SP 800-171; the remaining three (Asset Management, Recovery, and Situational Awareness) are CMMC additions. Together the domains comprise 43 “capabilities” and house 171 cybersecurity “practices.”
Focus and Process Maturity Across All 5 CMMC Levels
Those 171 practices are distributed across five “maturity levels,” each of which also has a “focus” and a “process” requirement. Focus describes the direction or purpose of a level’s practices. Process refers to the degree of institutionalization: the extent to which practices are integrated into the business model and day-to-day operations of a company.
The focuses, practices, and purposes of each level break down as follows:
- CMMC maturity level 1 – The focus of level 1 is safeguarding FCI. Practices constitute “basic cyber hygiene,” and processes are only required to be “performed.” Ad hoc or partial measures are therefore allowed, and no formal documentation is necessary.
- CMMC maturity level 2 – At level 2, the focus is on transitioning from FCI protections toward broader CUI protections. Practices build on level 1, moving into “intermediate cyber hygiene,” and processes must be “documented” (see below).
- CMMC maturity level 3 – Level 3’s focus is on finalizing the protection of CUI, a culmination of what began at levels 1 and 2. Likewise, practices constitute “good cyber hygiene,” and all processes must be documented and actively “managed.”
- CMMC maturity at levels 4 and 5 – Levels 4 and 5 share a focus of continuing to protect CUI while shifting priority to reducing the risk of “advanced persistent threats” (APTs). The process requirement at level 4 is “reviewed,” and practices are “proactive,” whereas level 5’s practices are “advanced/progressive,” and its processes are “optimizing.”
Gradual, stepwise development of maturity sets CMMC apart from frameworks like SP 800-171, where all requirements are expected to be implemented at once. The flip side is that certification at a given level requires every practice and process of that level, and of the levels below it, to be fully in place at assessment time; unlike an SP 800-171 self-attestation, a plan of action and milestones (POA&M) does not substitute for an unimplemented practice under CMMC 1.0.
Now, let’s take a closer look at CMMC level 2 in particular.
Level 2: Documentation, Transition, and Protection
CMMC level 2 is a transitional level in that it sets the stage for level 3’s culmination of cyber hygiene (and full protection of FCI and CUI). However, it is also a threshold in its own right: it is the first level at which cybersecurity maturity is measured in an objective, tangible way.
Since level 1’s process requirement is simply “performed,” process maturity is not measured there; the CMMC model explicitly states that it is “not assessed for Level 1.” In practice, this makes level 1 certification relatively simple, and it carries correspondingly little weight. At level 2, practices and processes are measured, which enables them to be repeated consistently and built upon.
While CMMC level 1 presents its own challenges, they pale beside those introduced at level 2, where the number of practices to implement and document roughly quadruples, from 17 to 72.
Another critical factor to keep in mind is that these process requirements are cumulative; each level adds to the last. For example, at CMMC level 3, organizations do not stop documenting practices in favor of managing them; instead, documentation becomes part of management, which then evolves into review and optimization at levels 4 and 5, respectively.
Breaking Down CMMC Level 2 Requirements
Process requirements refer not only to the abstract idea of institutionalization but also to concrete evidence that the practices of a level are carried out in a defined, repeatable way. In other words, the process goal of a level concerns how practices are established and executed, not just whether they are.
At level 2, the CMMC model expresses this as two process requirements that apply within each domain:
- ML.2.999 – Establish a policy that includes the activities of that domain.
- ML.2.998 – Document the CMMC practices used to implement that domain’s policy.
Just as with processes, practices are cumulative across all five levels. Maturing process requirements therefore apply retroactively to every practice up to and including those introduced at a given level. Even though level 1 practices need not be documented at level 1, they must be at level 2.
To fully understand the process requirements at CMMC level 2, then, you need to know all of the practices required at level 2, including those carried over from level 1.
CMMC Level 2 Controls (Practices) by Domain
All in all, CMMC level 2 adds 55 new practices to the 17 “basic cyber hygiene” practices introduced at level 1, for a total of 72. These practices are distributed across 15 of the 17 security domains (Asset Management and Situational Awareness have no level 1 or level 2 practices), as follows:
- Access Control (AC) – Limiting access to sensitive data to only authorized users, per 4 capabilities. Level 2 adds 10 AC practices to the four from level 1 for a total of 14.
- Audit and Accountability (AU) – Generating, protecting, and reviewing system audit logs so that actions can be traced to individual users, per 4 capabilities. Level 2 introduces the first 4 AU practices.
- Awareness and Training (AT) – Specifying the need for and defining particular personnel training qualities, per 2 capabilities. Level 2 introduces the first 2 AT practices.
- Configuration Management (CM) – Defining baseline security settings required across all software and hardware, per 2 capabilities. Level 2 introduces the first 6 CM practices.
- Identification and Authentication (IA) – Identifying users, processes, and devices and authenticating them before granting access (including password and authenticator requirements), per 1 capability. Level 2 adds 5 IA practices to the two from level 1 for a total of 7.
- Incident Response (IR) – Detailing requirements for a systematic approach for responding to incidents, per 5 capabilities. Level 2 introduces the first 5 IR practices.
- Maintenance (MA) – Specifying frequency of and other protocols for both routine and special case maintenance, per 1 capability. Level 2 introduces the first 4 MA practices.
- Media Protection (MP) – Detailing protections for all media containing CUI and FCI, per 4 capabilities. Level 2 adds 3 MP practices to the one from level 1 for a total of 4.
- Personnel Security (PS) – Requiring particular screening and other measures to prevent insider threats, per 2 capabilities. Level 2 introduces the first 2 PS practices.
- Physical Protection (PE) – Restricting physical access to FCI and CUI systems, per 1 capability. Level 2 adds 1 PE practice to the four from level 1 for a total of 5.
- Recovery (RE) – Detailing the protocols required for a successful recovery after an attack or security event, per 2 capabilities. Level 2 introduces the first 2 RE practices.
- Risk Management (RM) – Specifying requirements and protocols for the company’s approach to risk mitigation, per 3 capabilities. Level 2 introduces the first 3 RM practices.
- Security Assessment (CA) – Developing a system security plan, periodically assessing controls, and tracking deficiencies in plans of action, per 3 capabilities. Level 2 introduces the first 3 CA practices.
- Systems and Communications Protection (SC) – Defining security requirements for systems and protecting communications at system boundaries, per 2 capabilities. Level 2 adds 2 SC practices to the two from level 1 for a total of 4.
- System and Information Integrity (SI) – Detailing requirements for system integrity, per 4 capabilities. Level 2 adds 3 SI practices to the four from level 1 for a total of 7.
Ultimately, the process maturity goal of CMMC level 2 is full implementation and documentation of all 72 of these practices, constituting “intermediate cyber hygiene” on the way to level 3.
That means each domain must be covered by a policy the company actually follows, and the practices that implement each domain’s policy must be documented, including the evidence an assessor can use to verify that each practice is in place.
Certification at CMMC Level 2 Maturity
As described above, level 2 is the first stage at which certification is contingent on a measure of process maturity. To achieve certification, your organization must not only document all of its practices but also engage a Certified Third Party Assessment Organization (C3PAO) to assess compliance. All C3PAOs are themselves accredited by the CMMC Accreditation Body (CMMC-AB).
The best C3PAOs will come in, assess your readiness, and work with you every step of the way, preparing you for the assessment and helping you complete it. Bear in mind that the CMMC-AB’s conflict-of-interest rules bar the same C3PAO from both advising an organization and performing its formal certification assessment, so preparation and the certification assessment itself may need to be split between providers.
RSI Security is just such a C3PAO. Our suite of CMMC services includes advisory and infrastructure work with your IT department. We will work with your personnel to develop a plan that works for your company, or deliver a complete strategy that we help you implement from start to finish. Once it’s clear you’re ready for assessment at a given level, we will walk you through the certification process and help you maintain compliance over the long term.
Professionalize Compliance and Cybersecurity
Here at RSI Security, our talented team of experts is happy to help you achieve CMMC certification and, ultimately, help the DoD keep all American citizens safe. We know how critical compliance is to that goal, but we also know it’s not the end of your security; it’s just the start.
That’s why we’re also happy to help with all elements of your cyberdefense. Whether you’re just starting up and need help developing and implementing a security architecture, or you’re working on fine-tuning aspects of your cloud security, web filtering, or third-party risk management, our broad suite of managed IT and security services is your best option.
To see just how simple certification and compliance can be, at CMMC level 2 and beyond, as well as with any other cybersecurity frameworks you need, contact RSI Security today!