CMMC Level 2 Advanced
What Is CMMC Maturity Level 2
The Cybersecurity Maturity Model Certification (CMMC) Level 2 in CMMC 2.0 replaces Level 3 in CMMC 1.0, which called for processes to be managed and controls qualified as good cyber hygiene. CMMC Level 2 (Advanced) is a requirement for organizations that want to bid on U.S. Department of Defense (DoD) contracts that handle the following types of information.
- Controlled Unclassified Information (CUI)/Controlled Defense Information (CDI)
CUI is a broad category of information the U.S. government or an entity acting on behalf of the government creates or possesses that needs to be safeguarded against misuse or abuse. The term CDI is used, interchangeably, by the DoD to describe CUI.
- Controlled Technical Information (CTI)
CTI is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
- Export-Controlled Information (ECI)
Export-Controlled Information includes information regulated for national security, foreign policy, anti-terrorism, or non-proliferation reasons. This type of data is governed by International Traffic in Arms Regulations (ITAR), and Export Administration Regulations (EAR).
CMMC Level 2 is also mandatory for contracts that include the DFARS 252.204-7012 requirement.
CMMC Level 2 focuses on cyber hygiene and enhanced defenses against cyber threats. The process maturity element is also introduced at CMMC Level 2. To achieve certification for CMMC Level 2, an organization must perform and document extensive cybersecurity capabilities.
Compared to CMMC Level 1, which consists of 15 FAR 52.204-21 requirements, CMMC Level 2 requires organizations to satisfy all 110 security controls from NIST SP 800-171. CMMC Level 2 builds upon the core security practices that are established in Level 1 and is designed to bolster the overall security of the organization. As a result, CMMC Level 2 is a considerable step up from CMMC Level 1 in terms of complexity, timeline, and cost.
CMMC Level 2 Processes
The maturity processes of CMMC measure the degree to which an organization has institutionalized its cybersecurity practices. CMMC Level 2 maturity processes are categorized as Documented. At CMMC Level 2, organizations are required to put policies in place that reflect the objectives and importance of the practices that are included in required domains.
Process documentation for CMMC Level 2 policies should include:
- Definition of the scope of the policy (e.g., enterprise-wide, department-wide, information-system specific)
- Description of the roles and responsibilities of the activities covered by this policy (i.e., the responsibility, authority, and ownership of domain activities)
- Guidance for each of the 17 practice domains
- Message from senior management that:
  - Articulates expectations for planning and performing the activities
  - Communicates those expectations to the broader organization
  - Demonstrates that senior management sponsors and oversees the domain activities
- Procedures to carry out and meet the intent of the policy, including any regulatory guidelines the policy addresses
- Statement of the purpose of the policy
The objectives of CMMC Level 2 process policies are to:
- Achieve expected outcomes
- Enable an organization to execute the CMMC practices in a repeatable manner
- Establish a foundation for continuous improvement
How Many Controls are in CMMC Level 2?
CMMC Level 2 introduces 55 new controls for a total of 72 controls, since it includes 17 controls from Level 1 requirements. For CMMC Level 2, these practices are grouped into 15 different domains.
CMMC Level 2 Access Control (AC)
At CMMC Level 2, the AC domain adds ten controls to the four from Level 1, for a total of 14 AC controls. These focus on isolating key systems and defining authorized session privileges to limit access. At a high level, CMMC Level 2 AC controls direct:
- Establishment of system access requirements
- Limits on data access to authorized users and processes
- Restrictions on internal system access
The 14 CMMC Level 2 AC controls are:
1. AC.1.001: Limit information system access to authorized users and processes acting for authorized users or devices (including other information systems).
2. AC.1.002: Limit information system access to the types of transactions and functions authorized users can execute.
3. AC.1.003: Verify and control/limit connections to and use of external information systems.
4. AC.1.004: Control information posted or processed on publicly accessible information systems.
5. AC.2.005: Provide privacy and security notices consistent with applicable Controlled Unclassified Information (CUI) rules.
6. AC.2.006: Limit the use of portable storage devices on external systems.
7. AC.2.007: Employ the principle of least privilege, including for specific security functions and privileged accounts.
8. AC.2.008: Use non-privileged accounts or roles when accessing non-security functions.
9. AC.2.009: Limit unsuccessful login attempts.
10. AC.2.010: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
11. AC.2.011: Authorize wireless access before allowing such connections.
12. AC.2.013: Monitor and control remote access sessions.
13. AC.2.015: Route remote access via managed access control points.
14. AC.2.016: Control the flow of CUI in accordance with approved authorizations.
CMMC Level 2 Awareness and Training (AT)
CMMC Level 2 introduces the AT domain with two controls that require organizations to conduct cybersecurity training for managers, administrators, and users who access organization systems.
At this level, AT controls are in place to ensure that individuals can handle their assigned roles for CMMC Level 2 compliance. At a high level, CMMC Level 2 AT controls direct organizations to:
- Mandate security awareness activities
- Require security training
The Two CMMC Level 2 AT controls are:
1. AT.2.056: Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
2. AT.2.057: Ensure personnel are trained to carry out their assigned information security-related duties and responsibilities.
CMMC Level 2 Audit and Accountability (AU)
At CMMC Level 2, the AU domain is introduced with four controls. CMMC Level 2 AU controls address the need to log system users’ activity and review those logs to provide accurate reporting and clear knowledge of their entire system. At a high level, CMMC Level 2 AU controls:
- Define audit requirements
- Detail how to perform auditing
- Direct how to review and manage audit logs
The Four CMMC Level 2 AU controls are:
1. AU.2.041: Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
2. AU.2.042: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3. AU.2.043: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
4. AU.2.044: Continuously monitor and audit logs for common errors.
Configuration Management (CM)
CM controls are added at CMMC Level 2. Six CM controls require the creation and enforcement of configuration settings for all organizational systems, including equipment, software, and documents. The CM controls in CMMC Level 2 ensure that any changes made can be tracked and managed according to cybersecurity best practices. At a high level, CMMC Level 2 CM controls direct how to perform configuration and change management.
The Six CMMC Level 2 CM controls are:
1. CM.2.061: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
2. CM.2.062: Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
3. CM.2.063: Control and monitor user-installed software.
4. CM.2.064: Establish and enforce security configuration settings for information technology products employed in organizational systems.
5. CM.2.065: Track, review, approve or disapprove and log changes to organizational systems.
6. CM.2.066: Analyze the security impact of changes prior to implementation.
Identification and Authentication (IA)
The IA domain for CMMC Level 2 compliance provides five controls for granting system access to authorized users, bringing the total number of controls to seven. CMMC Level 2 IA controls are focused on limiting access similarly to AC controls. At a high level, CMMC Level 2 IA controls:
- Direct the strategic use of passwords and policies for changing or updating those passwords
- Ensure no one is able to pass for an authorized user if they are not one
- Provide guidance on granting access to authenticated entities
The Five CMMC Level 2 IA Controls are:
1. IA.2.078: Enforce a minimum password complexity and change of characters when new passwords are created.
2. IA.2.079: Prohibit password reuse for a specified number of generations.
3. IA.2.080: Allow temporary password use for system logins with an immediate change to a permanent password.
4. IA.2.081: Store and transmit only cryptographically protected passwords.
5. IA.2.082: Obscure feedback of authentication information.
CMMC Level 2 Incident Response (IR)
CMMC Level 2 introduces IR controls that address existing plans or strategies for dealing with potential I.T. security problems. There are five controls in IR that are directly concerned with discovering, reporting on, and resolving incidents. At a high level, CMMC Level 2 IR controls require organizations to:
- Detect and report events
- Develop and implement a response to a declared incident
- Plan incident responses
The Five CMMC Level 2 IR Controls are:
1. IR.2.092: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
2. IR.2.093: Detect and report events.
3. IR.2.094: Analyze and triage events to support event resolution and incident declaration.
4. IR.2.095: Develop and implement responses to declared incidents according to predefined procedures.
5. IR.2.097: Perform root cause analysis on incidents to determine underlying causes.
CMMC Level 2 Maintenance (MA)
CMMC Level 2 brings four controls under the MA domain. These controls outline the requirements for protecting critical data and services in case of a computer system failure, and they provide steps to secure systems when malfunctions or other unexpected incidents occur. At a high level, CMMC Level 2 MA controls require organizations to:
- Be prepared for incidents
- Manage maintenance
The Four CMMC Level 2 MA Controls are:
1. MA.2.111: Perform maintenance on organizational systems.
2. MA.2.112: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
3. MA.2.113: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
4. MA.2.114: Supervise the maintenance activities of personnel without required access authorization.
CMMC Level 2 Media Protection (MP)
For the MP domain, CMMC Level 2 adds three controls for a total of four. The MP controls at CMMC Level 2 are associated with protecting and properly disposing of media content. MP at CMMC Level 2 aims to prevent security problems related to using removable media, such as USB drives and external hard drives. At a high level, CMMC Level 2 MP controls ensure that organizations:
- Protect and control media
- Sanitize media
The Four CMMC Level 2 MP Controls are:
1. MP.1.118: Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.
2. MP.2.119: Protect (e.g., physically control and securely store) system media containing Federal Contract Information, both paper and digital.
3. MP.2.120: Limit access to CUI on system media to authorized users.
4. MP.2.121: Control the use of removable media on system components.
CMMC Level 2 Personnel Security (PS)
Introduced at CMMC Level 2, PS controls deal with protecting CUI during transitions in employee status to ensure that critical CUI is not compromised due to changes in H.R. At a high level, CMMC Level 2 PS directs organizations to:
- Protect FCI and CUI during personnel actions
- Screen personnel
The Two CMMC Level 2 PS Controls are:
1. PS.2.127: Screen individuals before authorizing access to organizational systems containing CUI.
2. PS.2.128: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
CMMC Level 2 Physical Protection (PE)
One control is added to the PE domain at CMMC Level 2. PE controls aim to protect physical infrastructure with an added layer of protection against potential security breaches. At a high level, CMMC Level 2 PE directs organizations to limit physical access to information systems.
The Five CMMC Level 2 PE Controls are:
1. PE.1.131: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
2. PE.1.132: Escort visitors and monitor visitor activity.
3. PE.1.133: Maintain audit logs of physical access.
4. PE.1.134: Control and manage physical access devices.
5. PE.2.135: Protect and monitor the physical facility and support infrastructure for organizational systems.
CMMC Level 2 Recovery (RE)
RE is introduced at CMMC Level 2, directing recovery practices to ensure that CUI is reliably backed up and that the backup is adequately protected. At a high level, CMMC RE Level 2 focuses on the details of data back-up.
The CMMC Level 2 RE controls are:
1. RE.2.137: Regularly perform and test data back-ups.
2. RE.2.138: Protect the confidentiality of backup CUI at storage locations.
CMMC Level 2 Risk Management (RM)
CMMC Level 2 introduces RM controls that are primarily concerned with mitigating security threats that could cause data to be compromised. There are three RM controls at CMMC Level 2 that cover managing risk by conducting periodic risk assessments and fixing vulnerabilities.
At a high level, CMMC Level 2 RM directs organizations to:
- Identify and evaluate risk
- Manage risk
The Three CMMC Level 2 RM Controls are:
1. RM.2.141: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
2. RM.2.142: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3. RM.2.143: Remediate vulnerabilities in accordance with risk assessments.
CMMC Level 2 Security Assessment (CA)
The CA domain introduces three security assessment controls at CMMC Level 2. These CMMC Level 2 controls are defined by the ability of an organization to develop a cohesive system security plan and related mechanisms. They also require organizations to periodically assess their cybersecurity plans and practices to ensure they are working effectively and make necessary updates to remedy deficiencies. At a high level, CMMC Level 2 CA directs organizations to:
- Develop and manage a system security plan
- Define and manage controls
The Three CMMC Level 2 CA Controls are:
1. CA.2.157: Develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
2. CA.2.158: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3. CA.2.159: Develop and implement plans of action (e.g., POA&M) designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
CMMC Level 2 System and Communications Protection (SC)
Two SC controls carry over to CMMC Level 2 from Level 1. These require I.T. directors and security professionals to clarify their security policies for communication inside and outside the system. The SC controls at CMMC Level 2 focus on user devices and sessions and involve how information should be transmitted or received by informational systems. At a high level, CMMC Level 2 SC directs organizations to:
- Control and monitor the network communications that are essential for meeting CMMC Level 2 compliance
- Define security requirements for systems and communications
The Two CMMC Level 2 SC Controls are:
1. SC.2.178: Prohibit remote activation of collaborative computing devices and provide an indication of devices in use to users present at the device.
2. SC.2.179: Use encrypted sessions for the management of network devices.
CMMC Level 2 System and Information Integrity (SI)
There are seven SI controls at CMMC Level 2 that require organizations to be able to find and mitigate potential security flaws while monitoring the network. CMMC Level 2 SI controls require organizations to monitor for possible attacks and unauthorized access to systems. In addition, CMMC Level 2 SI requires that when organizations are made aware of security issues, they resolve them promptly. At a high level, CMMC Level 2 SI directs organizations to:
- Identify malicious content
- Identify and manage information system flaws
- Perform network and system monitoring
The Seven CMMC Level 2 SI Controls are:
1. SI.1.210: Identify, report, and correct information and information system flaws in a timely manner.
2. SI.1.211: Provide protection from malicious code at appropriate locations within organizational information systems.
3. SI.1.212: Update malicious code protection mechanisms when new releases are available.
4. SI.1.213: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
5. SI.2.214: Monitor system security alerts and advisories and take action in response.
6. SI.2.216: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
7. SI.2.217: Identify unauthorized use of organizational systems.
How Can Your Organization Meet CMMC Level 2 Assessment Objectives?
The CMMC Level 2 certification process is conducted by a Cyber-AB CMMC Third-Party Assessment Organization (C3PAO). Once finalized, an assessment remains valid for three years from the date of certification.
Understanding CMMC Level 2 assessment procedures is critical to meeting the requirements. Assessment procedures consist of an associated set of methods and objects for each assessment objective. C3PAOs evaluate objectives by applying a method to an assessment object. CMMC Level 2 assessment objects identify items within the scope of the objective, including:
- Activities: protection-related actions for people who support information systems, such as conducting system backup operations and monitoring network traffic.
- Mechanisms: specific hardware, software, or firmware safeguards used within an information system.
- Specifications: document-based artifacts associated with an information system, such as policies, procedures, plans, specifications, and designs.
Assessors will use several assessment methods to evaluate each assessment objective, including requirements to:
- Examine: review documents, such as policies, procedures, plans, diagrams, inventories, configurations, rule sets, and system logs.
- Interview: talk with key individuals to facilitate understanding, achieve clarification, or identify the location of evidence.
- Test: directly work with systems and networks to identify vulnerabilities and measure levels of compliance in areas such as configuration or patch management and password policy.
Following is an outline of the CMMC assessment process at a high level:
- Organization Seeking Certification (OSC) submits documentation to the assessment team
- Kick-off meeting to review scope, schedule, and process
- Security Assessment Plan drafted to define the assessment steps and identify proposed tools and review techniques
- Rules of Engagement created to define the proposed steps for the assessment, including outside testing, interview conduct, and inspection requirements
- Security Assessment Plan and Rules of Engagement approved
- Assessment conducted
- Key personnel interviewed
- Processes and security controls observed in action
- Security walk-through conducted
- Systems tested with tools defined in Security Assessment Plan
- Findings reviewed with the OSC for interpretation and evaluation to remove any “false positives” that are externally mitigated
- Security Assessment Report drafted
- Security Assessment Report reviewed with the OSC for final remediation
- Certification recommendation delivered with the Security Assessment Report
Uplevel Security and Continuously Improve with CMMC Level 2
While CMMC Level 2 is an arduous undertaking, it remains a mandatory hurdle for organizations that want to bid on Department of Defense (DoD) contracts. But it brings significant cyber-preparedness benefits to organizations that adhere to its requirements.
CMMC Level 2 compliance establishes robust controls to prevent data theft, unauthorized system access, and other illegal activities that can harm not just DoD agencies, but the organizations that serve them. With CMMC Level 2 compliance, organizations have assurances that their cybersecurity plan involves continuous monitoring and upgrading to thwart potential cyber-attackers who act with malicious intent.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 12th September, 2023