CMMC Level 2 Assessment & Compliance Service

CMMC Registered Practitioner

CMMC Level 2 Compliance FAQs

How can a contractor achive CMMC certification for different parts of their network?

To achieve Cybersecurity Maturity Model Certification (CMMC) for different parts of their network, a contractor must approach the process strategically, depending on the types of information they handle in each section of their network.

Handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)

  • Unified Certification Approach: If a contractor processes, stores, or transmits both FCI and CUI across the same domain, they can streamline the process by pursuing a single CMMC certification. This means that when CUI is involved, a minimum of CMMC Level 2 certification is required to meet compliance standards.

  • Separate Certification Approach: In scenarios where CUI and FCI are managed in distinct segments of the network, contractors may opt for separate certifications to align with their specific security needs:

    • FCI Focused Segment: For parts of the network exclusively managing FCI, a CMMC Level 1 self-assessment could suffice. This level covers basic cyber hygiene and is often applicable to broader, enterprise-wide networks.

    • CUI Dedicated Segment: In contrast, sections of the network that handle CUI will require a more robust security protocol. Here, obtaining a CMMC Level 2 certification is advisable, reflecting the greater sensitivity of CUI and ensuring that the necessary safeguards are in place. This often applies to specialized enclaves where sensitive data handling is intensive.

By tailoring their approach according to the data type and network segment, contractors can efficiently achieve the necessary CMMC certifications, ensuring both compliance and optimal security for their operations.

Take our free compliance test to evaluate your readiness. 

Common Scenarios for CMMC Level 2 Compliance

When navigating CMMC Level 2 compliance, the Department of Defense outlines two primary scenarios contractors often encounter. Understanding these scenarios is crucial for ensuring proper certification according to the specific handling of data within a contractor’s network.

  1. Single Network Certification for Both FCI and CUI:

    • If a contractor manages both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the same network scope, they can aim for a single certification.

    • In this case, because CUI is involved, reaching at least CMMC Level 2 is essential. This ensures all necessary safeguards and controls are in place to protect sensitive information.

  2. Dual Assessment Scenarios:

    • When FCI and CUI are managed in distinct network sections, contractors might opt for two separate compliance activities.

    • For handling FCI within one part, like an enterprise network, a CMMC Level 1 self-assessment might suffice. Meanwhile, a distinct enclave dealing with CUI would require a CMMC Level 2 certification.

Breaking these processes into specific scopes allows contractors to address the varied sensitivity and protection needs of different data types efficiently and effectively. Understanding these scenarios helps ensure contractors meet DoD requirements without unnecessary complications.

Take our free compliance test to evaluate your readiness. 

Assessment Schedule for CMMC Level 2

For CMMC Level 2, assessments follow a specific schedule to ensure compliance and security for national-level information.

  • Triennial Third-Party Assessments: Every three years, organizations must undergo evaluations led by independent third-party assessors. These comprehensive assessments ensure that all necessary cybersecurity practices and procedures are implemented effectively to protect sensitive data.

  • Annual Self-Assessments: In addition to the triennial third-party assessments, organizations are required to conduct their own self-assessments every year. This annual practice allows organizations to regularly review and refine their cybersecurity measures, ensuring they maintain compliance continuously between the more extensive third-party evaluations.

This dual-layered assessment process at Level 2 helps balance thorough oversight with consistent, ongoing self-monitoring.

Take our free compliance test to evaluate your readiness. 

Organizations striving to secure Department of Defense (DoD) contracts must navigate a maze of cybersecurity regulations beyond just the Cybersecurity Maturity Model Certification (CMMC). Key regulations alongside CMMC often include:

  • NIST SP 800-171: These guidelines focus on safeguarding controlled unclassified information within non-Federal systems and organizations.

  • Defense Federal Acquisition Regulation Supplement (DFARS): This specifically pertains to safeguarding defense information and cyber incident reporting.

  • International Traffic in Arms Regulations (ITAR): Vital for companies involved in defense-related services and products, controlling the export and import of defense-related articles and services.

Compliance with these regulations is crucial for organizations aiming to not only win but also maintain their contracts with the DoD. Balancing each requirement ensures robust cybersecurity practices and aligns with the stringent expectations of defense contracting.

Take our free compliance test to evaluate your readiness. 

What Distinguishes the Three CMMC Levels?

When examining the three levels of the Cybersecurity Maturity Model Certification (CMMC), you’ll notice four key distinctions:

  1. Volume of Practices Required
    Each level demands a different number of cybersecurity practices, with higher levels encompassing more comprehensive and stringent practices.

  2. Nature of Practices Implemented
    The type of practices varies, with each level building upon the complexity and sophistication of security measures needed to adequately protect information.

  3. Assessment Methodologies
    The approach to assessments differs across levels. Some may allow for self-assessments, while others require evaluations by third-party organizations. In certain cases, assessments must be conducted by government agencies to ensure compliance.

  4. Assessment Regularity
    The frequency of assessments is another differentiator. Depending on the level, assessments could be conducted annually or every three years to verify that standards are maintained consistently over time.

  5. Take our free compliance test to evaluate your readiness. 

Understanding the Purpose of the CMMC Program and Its Levels

The Cybersecurity Maturity Model Certification (CMMC) program is an essential framework designed to bolster the cybersecurity posture of organizations handling federal contracts. Its primary goal is to protect sensitive information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), by ensuring that contractors and subcontractors meet specific cybersecurity standards.

CMMC Program Structure

The CMMC model organizes cybersecurity practices into three distinct maturity levels, each representing a step up in complexity and security effectiveness:

  1. Level 1 – Foundational
    At this level, organizations are required to implement basic cybersecurity practices. It’s designed to safeguard FCI and establish a baseline of protection against common threats.

  2. Level 2 – Advanced
    Also known as the “Advanced” level, this stage introduces more robust cybersecurity measures. It focuses on safeguarding both FCI and CUI, requiring companies to build on foundational practices with more sophisticated techniques.

  3. Level 3 – Expert
    The highest maturity tier demands rigorous and comprehensive security controls, aiming to counter advanced persistent threats. This level ensures organizations have the capacity to protect CUI from more sophisticated cybersecurity risks effectively.

Purpose of the CMMC Levels

Each CMMC level lays a foundation to support increasingly stringent cybersecurity requirements. The program aims to enhance the overall security posture across the defense industrial base, mitigating risks associated with sensitive information breaches. By achieving the appropriate CMMC level, organizations not only comply with the Department of Defense (DoD) regulations but also demonstrate their commitment to cybersecurity excellence.

Take our free compliance test to evaluate your readiness. 

How Was the CMMC Program Structure Simplified in CMMC 2.0?

In November 2021, the Cybersecurity Maturity Model Certification (CMMC) underwent significant changes aimed at streamlining its framework. The revamped structure now presents three distinct levels that make it more straightforward.

  1. Level 1 – Foundational: This entry-level stage is designed for businesses with basic cybersecurity needs, focusing on fundamental safeguarding practices.

  2. Level 2 – Advanced: The middle tier caters to organizations that deal with Controlled Unclassified Information (CUI). It requires more comprehensive security protocols compared to the foundational level.

  3. Level 3 – Expert: At the top tier, this level is tailored for entities handling highly sensitive information, demanding rigorous security measures.

These changes reduce complexity by clearly defining requirements at each level, making it easier for organizations to understand and comply with the necessary cybersecurity standards.

Take our free compliance test to evaluate your readiness. 

CMMC Level 2 builds upon Level 1, requiring more advanced cybersecurity practices to protect Controlled Unclassified Information (CUI). Here’s a breakdown of the steps to achieve Level 2 compliance:

Understanding CMMC Level 2

CMMC Level 2, known as the “Advanced” tier, is pivotal for safeguarding both Federal Contract Information (FCI) and CUI. As part of the CMMC 2.0 framework, it streamlines cybersecurity requirements into three levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).

Key Differences Between CMMC Levels

To grasp the significance of Level 2, it’s essential to compare it with the other CMMC tiers. Here are the four main distinctions:

  • Number of Practices:

    • Level 1: Requires 17 practices.
    • Level 2: Encompasses 110 practices, aligned with NIST SP 800-171.
    • Level 3: Incorporates 110+ practices, adhering to NIST SP 800-172.
  • Type of Practices:

    • Level 2 practices are structured around NIST SP 800-171, focusing on confidentiality for CUI, while Level 3 practices extend this with enhanced requirements from NIST SP 800-172.
  • Type of Assessment:

    • Level 2 demands third-party assessments for national security information and self-assessments for select programs.
    • In contrast, Level 1 involves only self-assessments, and Level 3 necessitates government-led assessments.
  • Frequency of Assessments:

    • Level 2 mandates triennial assessments by third parties for national security information and annual self-assessments for specific programs.
    • Level 1 requires annual self-assessments, whereas Level 3 stipulates government-led assessments.

Achieving CMMC Level 2 Compliance

To achieve CMMC Level 2 compliance, organizations must thoroughly align their practices with the 110 requirements detailed in NIST SP 800-171. This involves preparing for both third-party and self-assessments, ensuring consistent adherence to cybersecurity standards tailored to protect sensitive information effectively.

By understanding these elements, organizations can better navigate the complexities of CMMC Level 2 and its role in enhancing cybersecurity posture within the framework.

Take our free compliance test to evaluate your readiness. 

CMMC Level 2 builds upon Level 1, requiring more advanced cybersecurity practices to protect Controlled Unclassified Information (CUI). CMMC Level 2 practices are aligned with NIST SP 800-171, a set of recommended requirements specifically designed to protect the confidentiality of CUI. In contrast, CMMC Level 3 practices are aligned with NIST SP 800-172, which includes enhanced security requirements that build upon the foundational practices of NIST SP 800-171.

Here’s a breakdown of the steps to achieve Level 2 compliance:

  1. Understand the Requirements:

    • Familiarize yourself with CMMC Level 2: Review the CMMC Model and assessment guides to understand the 110 practices across 14 domains required for Level 2. These practices are derived from NIST SP 800-171.
    • Identify CUI: Accurately determine what information within your organization qualifies as Controlled Unclassified Information. This is essential for scoping your compliance efforts.
  2. Implement Advanced Security Practices:

    • Access Control: Implement more granular access controls, including role-based access control (RBAC). Strengthen authentication with multi-factor authentication and least privilege principles.
    • Audit and Accountability: Enable audit logging and review logs regularly to monitor system activity and detect anomalies.
    • Awareness and Training: Conduct regular cybersecurity awareness training for employees to educate them about threats, vulnerabilities, and best practices.
    • Configuration Management: Establish and maintain secure configurations for systems and devices. Implement change management processes to control modifications.
    • Identification and Authentication: Utilize stronger authentication mechanisms and implement identity management solutions.
    • Incident Response: Develop and implement an incident response plan to handle cybersecurity incidents effectively.
    • Maintenance: Perform regular system maintenance, including patching and vulnerability remediation.
    • Media Protection: Implement stricter controls for handling and storing media containing CUI.
    • Personnel Security: Conduct background checks and provide security awareness training to personnel handling CUI.
    • Physical Protection: Enhance physical security measures to protect areas where CUI is stored or processed.
    • Recovery: Develop and test disaster recovery and business continuity plans to ensure resilience.
    • Risk Assessment: Conduct regular risk assessments to identify and mitigate cybersecurity risks.
    • Security Assessment: Perform periodic security assessments, including vulnerability scanning and penetration testing.
    • System and Communications Protection: Implement advanced network security controls, such as intrusion prevention systems and encryption.
    • System and Information Integrity: Implement measures to ensure data integrity, such as data loss prevention (DLP) and backups.
  3. Document Your Efforts:

    • Develop and maintain a System Security Plan (SSP): Document all your security practices and how you meet the CMMC Level 2 requirements.
    • Create and maintain policies and procedures: Document detailed policies and procedures related to all your security practices.
    • Maintain a Plan of Action & Milestones (POA&M): Document any gaps in your compliance and your plan to address them.
  4. Prepare for Assessment:

    • Regularly review and update: CMMC compliance is an ongoing process. Continuously monitor your systems, update security practices, and adapt to evolving threats.

In summary, while CMMC Level 2 focuses on the foundational security practices outlined in NIST SP 800-171, Level 3 escalates these requirements by aligning with NIST SP 800-172, which introduces additional layers of security to protect CUI more comprehensively. Understanding these differences is crucial for organizations aiming to achieve compliance at both levels.

Take our free compliance test to evaluate your readiness. 

Review the CMMC Model and assessment guides to understand the 110 practices across 14 domains required for Level 2.

To provide a clearer picture, consider the full scope of practices across different CMMC levels:

  • CMMC Level 1 (Foundational): This level requires just 17 practices, focusing on basic safeguarding measures.

  • CMMC Level 2: As mentioned, this level involves 110 practices aligned with NIST SP 800-171, ensuring a more comprehensive security posture.

  • CMMC Level 3 (Expert): This advanced level features 110+ practices, incorporating additional measures aligned with NIST SP 800-172 for enhanced protection.

Understanding these requirements helps gauge the increasing complexity and security needs as you progress from Level 1 to Level 3.

Take our free compliance test to evaluate your readiness. 

CMMC Level 2 (Advanced): This is where costs begin to escalate, as it requires a triennial third-party assessment for most contractors handling Controlled Unclassified Information (CUI).

 
  • Readiness and Remediation: This is the most variable cost for Level 2. Organizations may need to implement the 110 security controls from NIST SP 800-171, which can be a substantial undertaking. Costs can range from $50,000 to over $150,000 for consulting, technology, and training.

  • C3PAO Assessment: The cost for the formal assessment by a CMMC Third-Party Assessment Organization (C3PAO) is estimated to be in the range of $30,000 to $60,000, although this can fluctuate based on the scope and complexity of the assessment. The DoD has provided its own estimates for the triennial assessment, projecting around $105,000 for a small entity and $118,000 for a larger one, which also includes the cost of two annual affirmations.

Our Pledge

CMMC Level 2 Compliance

Take our free compliance test to evaluate your readiness.  CMMC Level 2 builds upon Level 1, requiring more advanced cybersecurity practices to protect Controlled Unclassified Information (CUI). Here’s a breakdown of the steps to achieve Level 2 compliance:

  1. Understand the Requirements:
    • Familiarize yourself with CMMC Level 2: Review the CMMC Model and assessment guides to understand the 110 practices across 14 domains required for Level 2. These practices are derived from NIST SP 800-171.
    • Identify CUI: Accurately determine what information within your organization qualifies as Controlled Unclassified Information. This is essential for scoping your compliance efforts.
  2. Implement Advanced Security Practices:
    • Access Control: Implement more granular access controls, including role-based access control (RBAC). Strengthen authentication with multi-factor authentication and least privilege principles.
    • Audit and Accountability: Enable audit logging and review logs regularly to monitor system activity and detect anomalies.
    • Awareness and Training: Conduct regular cybersecurity awareness training for employees to educate them about threats, vulnerabilities, and best practices.
    • Configuration Management: Establish and maintain secure configurations for systems and devices. Implement change management processes to control modifications.
    • Identification and Authentication: Utilize stronger authentication mechanisms and implement identity management solutions.
    • Incident Response: Develop and implement an incident response plan to handle cybersecurity incidents effectively.
    • Maintenance: Perform regular system maintenance, including patching and vulnerability remediation.
    • Media Protection: Implement stricter controls for handling and storing media containing CUI.
    • Personnel Security: Conduct background checks and provide security awareness training to personnel handling CUI.
    • Physical Protection: Enhance physical security measures to protect areas where CUI is stored or processed.
    • Recovery: Develop and test disaster recovery and business continuity plans to ensure resilience.
    • Risk Assessment: Conduct regular risk assessments to identify and mitigate cybersecurity risks.
    • Security Assessment: Perform periodic security assessments, including vulnerability scanning and penetration testing.
    • System and Communications Protection: Implement advanced network security controls, such as intrusion prevention systems and encryption.
    • System and Information Integrity: Implement measures to ensure data integrity, such as data loss prevention (DLP) and backups.
  3. Document Your Efforts:
    • Develop and maintain a System Security Plan (SSP): Document all your security practices and how you meet the CMMC Level 2 requirements.
    • Create and maintain policies and procedures: Document detailed policies and procedures related to all your security practices.
    • Maintain a Plan of Action & Milestones (POA&M): Document any gaps in your compliance and your plan to address them.
  4. Prepare for Assessment:
    • Regularly review and update: CMMC compliance is an ongoing process. Continuously monitor your systems, update security practices, and adapt to evolving threats.

Important Notes:

  • Level 2 requires C3PAO assessment: Unlike Level 1, achieving CMMC Level 2 requires a formal assessment by a certified third party.
  • Prioritize NIST SP 800-171: Meeting the requirements of NIST SP 800-171 is fundamental to achieving CMMC Level 2.

Who needs CMMC level 2 Compliance? 

Contractors and subcontractors currently working with, or planning on working with, the Department of Defense, must demonstrate compliance. If those businesses process, handle, or manage information critical to national security, they will need CMMC Level 2 compliance. In order to achieve CMMC Level 2 compliance, contractors will be required to undergo an extensive CMMC Level 2 third-party assessment. Understanding compliance requirements is crucial for contractors and subcontractors to ensure they are adequately prepared for the assessment. This includes implementing necessary security measures, maintaining documentation, and training employees on security protocols. Additionally, staying up-to-date with any changes to compliance requirements is essential for maintaining CMMC Level 2 compliance.

Thank you

Your form has been submitted. We will get back to you shortly.