CMMC Level 2 Certification Checklist
CMMC Level 2 certification requires contractors to implement 110 NIST SP 800-171 requirements and complete a third-party conformity assessment
The Cybersecurity Maturity Model Certification (CMMC) is an important milestone for defense contractors, measuring cybersecurity maturity at three levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
CMMC Level 1 and Level 2 are not separate tracks; Level 1 is a subset of Level 2. CMMC Level 1 is exclusively focused on protecting Federal Contract Information (FCI) and covers the 15 basic safeguarding requirements of FAR 52.204-21. CMMC Level 2 shifts its focus to protecting Controlled Unclassified Information (CUI) and requires organizations to implement all 110 security requirements of NIST SP 800-171, which already include those 15 Level 1 requirements. As a result, CMMC Level 2 builds on the basic security practices established in Level 1 and is considerably more demanding, requiring more time and resources to achieve.
Delve deeper into the CMMC Level 2 compliance requirements with our CMMC Level 2 checklist:
- What is CMMC Level 2
- What is the Difference Between CMMC Level 2 and NIST 800-171?
- CMMC 2.0 Level 2 Control Requirements
- CMMC Level 2 Assessment and Certification
- CMMC Level 2 Compliance Checklist
What is CMMC Level 2?
CMMC Level 2 is the advanced level of CMMC certification. It applies to current and bidding DoD contractors whose contracts carry the DFARS 252.204-7012 requirements and that handle CUI, including the Controlled Technical Information and export-controlled categories:
- Controlled Unclassified Information (CUI) is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.
Read more about CUI protection requirements for DoD Contractors
- Controlled Technical Information (CTI) is technical information with military or space applications that requires controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
- Export-controlled information (ECI) is information regulated for national security, foreign policy, anti-terrorism, or non-proliferation reasons (for example under ITAR or the EAR).
CMMC Level 2 consists of the 110 security requirements of NIST SP 800-171 Revision 2, which that revision groups into 14 families. The 17 families listed on this page follow the structure of NIST SP 800-171 Revision 3, which added Planning, System and Services Acquisition, and Supply Chain Risk Management as separate families (and consolidated the set to 97 requirements). The CMMC final rule assesses Level 2 against Revision 2, so the 110 Revision 2 requirements are what is scored.
Read how to determine your CMMC level.
What is the Difference Between CMMC Level 2 and NIST 800-171?
The main difference is that NIST SP 800-171 is a security standard published by the National Institute of Standards and Technology (NIST) for protecting CUI in nonfederal systems, while CMMC is the DoD's certification program for verifying that the NIST SP 800-171 requirements have actually been met.
CMMC 2.0 Level 2 maps one-to-one to the 110 requirements of NIST SP 800-171; the extra practices and process-maturity elements of CMMC 1.0 were dropped in CMMC 2.0. Level 2 is assessed against the NIST SP 800-171A assessment objectives, so every requirement must be backed by documented policies and procedures plus objective evidence that it is implemented, not merely claimed. CMMC Level 2 certification requires a third-party assessment by an accredited CMMC Third-Party Assessor Organization (C3PAO); a self-assessment variant, Level 2 (Self), exists for the subset of contracts that permit it.
NIST SP 800-171 itself defines the 110 technical and operational requirements; it has no certification or third-party audit component.
CMMC 2.0 Level 2 Control Requirements
CMMC Level 2 requirements include 110 controls, grouped below under 17 domains:
Access Control
Access Control is the largest family in NIST SP 800-171. It requires organizations to govern all access to their systems and information, limiting it to authorized users, processes, and devices. Key requirements include:
- Account management (creating, modifying, disabling, and removing system accounts)
- Controlling the flow of CUI within and between the organization's systems
- Enforcing the principle of least privilege
- Enforcing strong authentication and authorization, and encrypting CUI on mobile devices and over remote access sessions
- Controlling remote access and terminating sessions when they are no longer needed
- Managing and limiting the use of mobile devices
Awareness and Training
Provide security literacy training to managers, system administrators, and other users as part of initial training, when required by system changes, and periodically thereafter, including how to recognize and report indicators of insider threat, social engineering, and social mining. Provide role-based security training to personnel with assigned security responsibilities, and regularly update the training content.
Audit and Accountability
Audit and Accountability controls revolve around creating and retaining audit logs and records so that users can be held accountable for their actions. Organizations must keep audit logs sufficient to detect unauthorized activity by:
- Reviewing and updating the set of events that are logged
- Alerting on failures in the audit logging process
- Generating reports that support on-demand analysis and provide compliance evidence
Configuration Management
Configuration Management requires organizations to establish and maintain baseline configurations and inventories of their systems, control user-installed software, identify deviations from approved configuration settings, and track and approve changes to organizational systems. The requirements include:
- Restricting user-installed software (shadow IT installed without IT approval), for example by allowlisting permitted software
- Documenting suspicious access attempts and unauthorized configuration changes
- Configuring systems to provide only essential capabilities (least functionality)
Identification and Authentication
The Identification and Authentication family requires organizations to verify the identity of users, processes, and devices before granting access to resources in the IT environment, so that only authorized individuals and entities reach sensitive systems, data, and applications. Best practices under this family include:
- Implementing multi-factor authentication (MFA) for privileged access and for all network access to CUI systems, using replay-resistant mechanisms
- Following sound password hygiene: minimum complexity, no reuse, and storing and transmitting passwords only in cryptographically protected (hashed) form
- Deploying a password management system that securely creates, stores, and rotates credentials
- Changing credentials immediately when a breach or suspicious activity is detected. NIST SP 800-171 Rev 2 does not mandate a fixed rotation interval such as every 90 days, and current NIST guidance (SP 800-63B, reflected in Rev 3) discourages forced periodic changes in favour of rotation on evidence of compromise.
Incident Response
This control family obligates organizations to maintain an up-to-date incident response capability that ensures incidents are detected, responded to, communicated, and resolved in a timely and effective way. In particular, organizations must:
- Implement capabilities to prepare for, detect and analyze, contain, eradicate, and recover from incidents.
- Develop and implement an incident response plan.
- Track and document system security incidents.
- Report incidents to the internal team and to external bodies (for DoD contractors, cyber incidents affecting CUI must be reported to DoD under DFARS 252.204-7012).
- Regularly test the incident response capability.
- Provide incident response training to system users.
Maintenance
Organizations must implement effective system maintenance practices to safeguard CUI and other sensitive information from compromise. Among the activities organizations must perform as part of system maintenance are:
- Control and monitor how maintenance tools are used and by whom.
- Check media containing diagnostic and test programs for malicious code before use.
- Approve nonlocal maintenance and diagnostic activities, require multi-factor authentication with replay resistance for those sessions, and terminate the sessions when maintenance is complete.
Media Protection
Under the Media Protection family, organizations must ensure the security of system media containing CUI. Specific activities include, but are not limited to:
- Ensure physical control and securely store system media that contain CUI.
- Restrict access to CUI on system media to authorized personnel or roles.
- Sanitize system media that contain CUI prior to disposal, release out of organizational control, or release for reuse.
- Protect and control media that contain CUI during transportation.
- Protect the confidentiality of backup information.
Personnel Security
This is a small family of controls that requires organizations to manage personnel changes such as hiring, transfers, and offboarding securely. This includes screening individuals before granting access to CUI systems, ensuring the necessary agreements and identity verifications are in place, and revoking access promptly on termination or transfer.
Physical Protection
Physical Protection involves safeguarding hardware, software, networks, and data from damage or loss caused by physical events and from unauthorized physical access. This domain requires organizations to take various actions to reduce the risk of physical harm, such as:
- Control and manage physical access devices (keys, badges, locks).
- Limit physical access to systems and equipment to authorized individuals only, and escort and monitor visitors.
- Maintain audit logs of physical access.
Risk Assessment
Two major requirements cover the performance of regular risk assessments:
- Regularly assess the risk of unauthorized disclosure resulting from the processing, storage, or transmission of CUI.
- Scan the system for vulnerabilities on a regular basis and whenever new vulnerabilities affecting the system are identified, and remediate the findings.
Organizations must do both to meet this family.
Security Assessment
Organizations must monitor and assess their security controls to determine whether they are effective at keeping CUI secure. Under this family, organizations are required to:
- Develop and regularly update a plan of action and milestones for the system to document the planned remediation actions to correct weaknesses and/or reduce or eliminate known system vulnerabilities.
- Develop and implement a system-level continuous monitoring strategy that includes ongoing monitoring and security assessments.
System and Communications Protection
This is a broad set of 16 requirements (3.13.1 through 3.13.16 in NIST SP 800-171 Rev 2) aimed at monitoring, controlling, and securing information transmitted or received by IT systems. Key activities include:
- Preventing unauthorized information transfer
- Using cryptographic methods to safeguard CUI from unauthorized disclosure
- Creating sub-networks for publicly accessible components, isolated from internal networks
- Blocking network traffic by default unless explicitly allowed
System and Information Integrity
This set of controls requires organizations to swiftly detect and fix system vulnerabilities while protecting critical assets from malicious code. Key tasks include:
- Monitoring and quickly responding to security alerts about unauthorized system use
- Regularly scanning IT systems and scanning external files when downloaded or accessed
- Updating malware protection mechanisms as soon as new versions become available
Planning
This control family addresses policies and procedures for the protection of CUI and includes the requirements to:
- Develop, document, disseminate, and regularly update policies and procedures needed to satisfy the security requirements for the protection of CUI.
- Develop a system security plan that includes other relevant information necessary for the protection of CUI such as system components, information types processed, stored, and transmitted by the system, threats to the system, etc.
- Establish rules that describe the responsibilities and expected behavior for system usage and CUI protection.
System and Service Acquisition
Organizations should apply systems security engineering principles to system development and modification, and must:
- Replace system components when support for them is no longer available from the developer, vendor, or manufacturer.
- Provide risk-mitigation options or alternative sources of continued support for unsupported components that cannot be replaced.
Supply Chain Risk Management
This control family requires organizations to develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, its components, and its services. In addition, organizations must:
- Review and update the supply chain risk management plan.
- Protect the supply chain risk management plan from unauthorized disclosure.
- Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and mitigate supply chain risks.
CMMC Level 2 Assessment and Certification
CMMC Level 2 Self-Assessment and Affirmation Requirements
Every organization with the DFARS 252.204-7021 clause and a Level 2 requirement in its contracts is obligated to:
- Conduct a CMMC Level 2 self-assessment (where the contract permits Level 2 (Self); the rule sets a three-year cycle for it) to determine its conformity with the CUI protection requirements, and enter the result in the Supplier Performance Risk System (SPRS).
- Submit an annual affirmation of continuing compliance with the NIST SP 800-171 security requirements to SPRS, as required by 32 CFR §170.22 (Affirmation).
NOTE: If the organization's FCI and CUI assets fall within the same assessment scope, the Level 2 assessment and affirmation also satisfy the Level 1 requirement. Unlike Level 1, CMMC Level 2 allows a conditional status with a limited set of open items carried on a Plan of Action and Milestones (POA&M).
CMMC Level 2 Third-Party Certification Requirements
Where the contract requires Level 2 (C3PAO), organizations must undergo a third-party CMMC certification assessment once every three years, with the annual affirmation in between. Only C3PAOs accredited by the Cyber AB are authorized to conduct these assessments. To obtain Level 2 certification, an organization must either meet all 110 security requirements (Final Level 2 status) or meet the POA&M threshold with the remaining items carried on a POA&M (Conditional Level 2 status), per 32 CFR §170.17.
CMMC Level 2 Plans of Action & Milestones (POA&M)
A POA&M is a formal document used by organizations to identify and manage gaps in their cybersecurity practices. It lists the specific actions, owners, and milestone dates for remediating each deficiency or weakness found during an assessment, such as a NOT MET CMMC requirement. CMMC POA&Ms are governed by 32 CFR §170.21(a)(2).
Organizations are expected to maintain a POA&M for every action needed to reach and stay in compliance. During a certification assessment, you should be able to show the assessor both the POA&M and the evidence that its completed items were actually remediated.
The POA&M rules determine whether an organization is eligible for certification and, if so, of what kind. Under CMMC Level 2 there are three possible states:
- Uncertified: the organization has not yet passed a C3PAO certification assessment, or its open items exceed the POA&M criteria.
- Conditionally Certified: the assessment met the POA&M criteria (the remaining NOT MET items are POA&M-eligible and the score is above the minimum); the POA&M must be closed out, and verified by a closeout assessment, within 180 days or the conditional status expires.
- Certified: the organization passed a C3PAO assessment with every requirement MET (a score of 110), or closed out its POA&M within the 180-day window.
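As an added example (not part of the original checklist), the following Python script turns the three certification states above into a POA&M eligibility check over a constructed list of assessment findings. It assumes the CMMC Scoring Methodology (32 CFR §170.24: start at 110 and deduct 1, 3 or 5 points per NOT MET requirement, with the per-requirement point values supplied by the assessor; the values in the sample are illustrative, not an authoritative table) and the POA&M limits in §170.21(a)(2) (minimum score of 88, no open requirement worth more than 1 point except SC.L2-3.13.11 when it is partially implemented, and five 1-point access and physical requirements that can never be deferred). Check those details against the current rule text before relying on the output.

```python
"""
POA&M eligibility check for a CMMC Level 2 assessment.

Added example, not from the original page. Assumptions (see lead-in):
  * Score = 110 minus 1/3/5 points per NOT MET requirement; the point value
    of each requirement is assessor-supplied input (sample values are
    illustrative).
  * POA&M limits per 32 CFR 170.21(a)(2): score >= 88; nothing worth more
    than 1 point left open except SC.L2-3.13.11 when partially implemented
    (3 points); five 1-point requirements may never be on a POA&M.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_POAM_SCORE = 88            # 0.8 * 110, rounded up
POAM_CLOSEOUT_DAYS = 180

# 1-point requirements that can never be deferred to a POA&M
NEVER_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
# The single exception to the "no open item worth more than 1 point" rule:
# FIPS-validated cryptography, when encryption is in place but not validated.
FIPS_EXCEPTION = "SC.L2-3.13.11"
FIPS_EXCEPTION_ALLOWED_POINTS = {1, 3}


@dataclass(frozen=True)
class Finding:
    requirement: str   # CMMC practice ID, e.g. "AC.L2-3.1.1"
    points: int        # 1, 3 or 5 under the scoring methodology
    met: bool          # assessor's MET / NOT MET determination


def score(findings):
    """Assessment score: 110 minus the points of every NOT MET requirement.
    Requirements absent from the list are treated as MET (no deduction)."""
    for f in findings:
        if f.points not in (1, 3, 5):
            raise ValueError(f"{f.requirement}: point value must be 1, 3 or 5")
    return MAX_SCORE - sum(f.points for f in findings if not f.met)


def poam_violations(findings):
    """Reasons the open items cannot be carried on a POA&M (empty == eligible)."""
    reasons = []
    s = score(findings)
    if s < MIN_POAM_SCORE:
        reasons.append(f"score {s} is below the {MIN_POAM_SCORE}-point minimum")
    for f in findings:
        if f.met:
            continue
        if f.requirement in NEVER_POAM:
            reasons.append(f"{f.requirement} may never be placed on a POA&M")
        elif f.requirement == FIPS_EXCEPTION:
            if f.points not in FIPS_EXCEPTION_ALLOWED_POINTS:
                reasons.append(f"{f.requirement} is POA&M-eligible only when partially implemented")
        elif f.points > 1:
            reasons.append(f"{f.requirement} is worth {f.points} points and cannot stay open")
    return reasons


def certification_state(findings):
    """Map a set of findings to the three states described on the page."""
    if all(f.met for f in findings):
        return "Certified"                 # score 110, Final Level 2
    if not poam_violations(findings):
        return "Conditionally Certified"   # POA&M must close within 180 days
    return "Uncertified"


# Constructed sample: everything MET except one 1-point item and a
# partially implemented FIPS requirement. Point values are illustrative.
SAMPLE_FINDINGS = [
    Finding("AC.L2-3.1.1", 5, True),
    Finding("AC.L2-3.1.20", 1, True),
    Finding("CM.L2-3.4.9", 1, False),      # user-installed software not yet controlled
    Finding("IA.L2-3.5.3", 5, True),
    Finding("SC.L2-3.13.11", 3, False),    # encryption in place, not FIPS-validated
    Finding("SI.L2-3.14.7", 3, True),
]

if __name__ == "__main__":
    print("score:", score(SAMPLE_FINDINGS))
    print("state:", certification_state(SAMPLE_FINDINGS))
    for reason in poam_violations(SAMPLE_FINDINGS):
        print("blocker:", reason)
```

Running the script on the sample prints a score of 106 and "Conditionally Certified"; flipping AC.L2-3.1.20 or any 5-point requirement to NOT MET drops the state to "Uncertified", which is the check a practitioner should run on the self-assessment before booking a C3PAO.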
CMMC Level 2 Compliance Checklist
Summing up, here's a concise checklist to help you achieve CMMC Level 2 compliance:
Scope your environment. Determine the types of information your organization handles (e.g., FCI, CUI). Establish which systems, networks, and processes will be included in the assessment. Evaluate any third-party vendors or partners that may impact your compliance.
Understand your requirements. Familiarize yourself with CMMC Level 2 requirements, focusing on the NIST SP 800-171 controls (110 total).
Conduct a gap analysis. Assess your current cybersecurity practices against the NIST SP 800-171 controls to identify gaps where your organization is not meeting the requirements.
Develop a Plan of Action & Milestones (POA&M). Create a document outlining how to address gaps including timelines and responsible personnel for remediation.
Reassess and affirm annually. The formal Level 2 self-assessment runs on a three-year cycle, but review your implementation against the NIST SP 800-171 controls at least once a year before submitting the required annual affirmation. Document findings and continuously improve practices.
Prepare for external assessments. Prepare for third-party assessments by choosing a C3PAO that is fully authorized by the Cyber AB (CMMC Accreditation body). Gather all documentation, policies, and evidence of compliance for the assessor.
Undergo the third-party certification assessment. Provide the assessor with your POA&M and the evidence of completed remediation for earlier deficiencies, and become conditionally or fully CMMC certified.
Planet 9 services for CMMC Level 2 Compliance
To reduce your organization’s burden with CMMC 2.0 compliance efforts, engage third-party security and compliance services, such as Planet 9. For CMMC Level 2, Planet 9 can support your organization with the following services:
- Scope your environment;
- Understand requirements;
- Conduct CMMC Level 2 readiness assessment;
- Conduct gap analysis;
- Help address gaps;
- Conduct self-assessment;
- Prepare for a third-party CMMC Conformity assessment.
Book a free consultation to learn more or contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!