Let Us Guide You Through Your InfoSec & Compliance Journey.
Learn how to use the Compyl Platform.
Watch all Security Session Episodes
Real-world stories on how we help our customers.
Any organization seeking a contract from the United States Department of Defense that requires handling certain types of sensitive information will need Level 2 Cybersecurity Maturity Model Certification. Learn more about meeting the requirements for CMMC Level 2, making an assessment checklist and implementing a continuous monitoring platform to stay compliant with this model.
Find more information on CMMC Level 1 compliance here.
The first version of CMMC framed Level 2 as an intermediate transition level for organizations working towards compliance with Level 3. In CMMC 2.0, Level 2 corresponds to advanced security measures for handling several types of sensitive information:
Organizations that access, use or store any of these types of information on non-federal systems are subject to Level 2 requirements as a condition of contract award. This level of compliance is also applicable for any contracts that include the Defense Federal Acquisition Regulation Supplement or DFARS 252.204-7012 requirement for safeguarding covered defense information and cyber incident reporting.
In CMMC 1.0, Level 2 was a transitional level that did not cover access and use of controlled information. Contracts involving CUI required Level 3 certification, which covered 130 practices, 3 processes and required third-party assessments. In CMMC 2.0, Level 2 covers advanced security controls for handling CUI.
In the second version of CMMC, Level 2 has 110 requirements that align with the National Institute of Standards and Technology Special Publication 100-171 Rev. 2 for Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The main distinction between Level 2 and Level 3 in CMMC 2.0 is the addition of enhanced security requirements from the NIST SP 800-172 supplement to SP 800-171 for Level 3 certification.
In CMMC 1.0, Level 2 included 72 practices and two maturity processes. An assessment was not required, as this transitional level prepared organizations for Level 3. In the second version of this model, Level 2 includes 14 domains that cover all 110 requirements and 320 objectives from NIST SP 800-171. If your organization is seeking Level 2 certification, you can reference SP 800-171 to learn more about the controls in this level.
Every domain includes more than one practice, but several domains account for the majority of practices. Taken together, these four domains account for 58 practices. This is more than half of the requirements for CMMC Level 2 certification under the second version of this model:
The Configuration Management and Media Protection domains also include nine practices each. The stakeholders of your organization should review all of the requirements for this level of certification. An all-in-one information security platform can be helpful for implementing controls to prepare for an assessment. It’s also helpful for promoting continuous compliance with this model.
Organizations seeking contracts for non-prioritized acquisitions that are not critical to national security can self-certify for Level 2 compliance. At this level, your organization must conduct a self-assessment every three years and submit affirmations on an annual basis. An affirmation is an attestation made by a senior official. It states that an organization will continue to comply with the requirements of an assessment.
A Level 2 organization with a contract for priority acquisitions that are critical to national security must undergo triennial third-party assessments. They should also submit annual affirmations. The type of contract that your organization is seeking and the level of CUI, CDI or other controlled information that this work will involve can determine whether a contract falls under the category of priority or non-priority acquisitions.
An organization pursuing Level 2 certification can make one or more compliance checklists in preparation for a triennial internal or third-party assessment. Here are a few things to consider before, during and after a Level 2 assessment.
Senior management should decide which version of this model to use. This determines CMMC Level 2 requirements for controls and assessments. Under CMMC 2.0, self-assessments are sufficient for most contracts involving non-prioritized acquisitions. Contracts for prioritized acquisitions require an accredited CMMC Third Party Assessment Organization or C3PAO to conduct triennial assessments.
The CMMC Level 2 assessment phase typically starts with a review of the scope, schedule and process for determining compliance. Internal stakeholders or external assessors develop a plan for examining the security posture of an organization. Then they will examine documentation, interview stakeholders, conduct a security walkthrough and test systems.
A review of findings concludes an assessment and internal or external assessors will prepare a Security Assessment Report. At this stage, a checklist could cover any necessary remediation measures. An Level 2 assessment concludes with either a final report and certification recommendation from a C3PAO or the registration of a self-assessment along with an affirmation.
A continuous compliance platform can strengthen the security posture of your organization in preparation for CMMC Level 2 assessments. Using Compyl to monitor internal systems makes it easier to maintain the practices mandated for DoD contracts that involve handling CUI. Request a demo to find out how Compyl can help your organization meet requirements for the most relevant version and level of CMMC.
