With a looming target date for CMMC Level 2 compliance among DoD contractors, the urgency cannot be overstated.
For businesses that have yet to embark on this critical journey, time is of the essence, as the path to compliance can span up to three years for certain organizations.
In this article, we provide clarity, direction, and actionable insights for meeting each of the 110 controls in NIST 800-171 and CMMC 2.
This guidance provides a comprehensive approach that is essential for any company, especially small to midsize businesses, handling Controlled Unclassified Information (CUI).
We aim to offer clarity, direction, and actionable insights so that you can start your compliance journey today, safeguarding your role in the defense contracting landscape.
CMMC is a complex regulation and may undergo changes in the future.
The following document is meant for informational purposes only. It is not meant to serve as definitive CMMC guidance.
You should always follow the official CMMC Assessment Guide.
CMMC Level 2 represents a significant leap in cybersecurity readiness for organizations working with the U.S. Department of Defense (DoD).
This intermediate level strikes a crucial balance between basic safeguarding (Level 1) and the more complex security requirements of Level 3.
At its core, CMMC Level 2 is all about enhancing your cybersecurity practices to protect Controlled Unclassified Information (CUI) without overwhelming your organization with complexity.
To best answer this, you’re going to want to either review your client contracts or talk to the purchasing managers at your customers.
If you handle or receive Controlled Unclassified Information (CUI), then you’ll need to be Level 2. If not, then you can likely aim for Level 1. Your client purchasing managers should be able to tell you what level you’ll need.
Level 3 places a higher emphasis on protecting Controlled Unclassified Information (CUI), and is unlikely to apply to the small and mid-sized businesses that this resource guide aims to help.
CMMC Level 2 isn't optional for contracts that include the DFARS 252.204-7012 requirement.
Compared to Level 1, which consists of 15 basic requirements, Level 2 demands compliance with all 110 security controls from NIST SP 800-171.
This resource guide is focused on complying with Level 2.
No, the Cybersecurity Maturity Model Certification (CMMC) is not yet a final regulation from the Department of Defense (DoD) as of 2024.
The proposed rule for CMMC, unveiled on December 26, 2023, outlines a plan to gradually implement CMMC requirements over three years, with complete adoption targeted by October 1, 2026.
Following its announcement, the rule awaits finalization after a public commentary period ending on February 24, 2024. Until the rule becomes official, DoD program managers have the discretion to include CMMC requirements in contracts, setting the stage for a phased integration of these standards into contracts involving controlled unclassified information (CUI) or federal contracting information.
This entire regulation has been built to safeguard Controlled Unclassified Information (CUI). CUI is a broad term that the Department of Defense (DoD) uses to identify information that is sensitive enough that we don’t want it to fall into an enemy’s hands, but is not classified.
This is an important question because CMMC only applies to systems that contain CUI, and the systems that protect and support them.
The easiest way to tell if you have CUI is to search for any of the following keywords in your environment:
A qualified IT or cybersecurity firm should be able to help you search your cloud systems and local computers for files that contain these keywords.
In the future, the DoD will be more consistently labeling documents with CUI and will be explicitly saying in each contract what CUI you will be given. Until then, this requires a bit of an educated guess.
Also, please keep in mind that your company may be creating CUI, which will also need to follow the standards outlined below.
If you send CUI to subcontractors, then they are also required to comply with CMMC (and have been required to comply with NIST 800-171 since 2017).
It is also likely (though not guaranteed) that the I.T. managed service providers that work with CMMC-compliant firms will also need to be CMMC-compliant themselves.
You should be taking steps to confirm that they are working on their CMMC compliance.
This will become easier once CMMC audits are fully implemented. In the meantime, here are some tips:
This is tough to answer without doing some analysis, so here are some general principles:
This is tough to answer without doing an analysis. Highly motivated companies have finished the process (other than the audit) in 6-9 months with outside help. Some companies, who are having a tough time deciding on large changes, have been working on this for three years and still have a ways to go.
Companies that must comply with CMMC will need to pass an audit every three years.
To get the audit done, companies will need to:
Level 2 is primarily dedicated to safeguarding Controlled Unclassified Information (CUI) and encompasses the 110 security requirements outlined in NIST SP 800-171 Rev 2, which are further divided into 14 control families.
Involves the management of information access to ensure only authorized users and devices interact with sensitive data. It includes encryption, monitoring remote access, session termination due to inactivity, and login attempt limits. Its core purpose is to protect data confidentiality and integrity by regulating access.
Involves educating personnel about security risks and explaining the policies and procedures in place to manage them. It empowers individuals to make informed decisions and enhances overall security awareness.
Entails preserving secure information system audit records that track system usage. These records trace actions back to specific users for accountability when needed, supporting effective incident investigations and security management.
Involves establishing, maintaining, and enforcing configurations across the entire lifecycle of an information system. This process ensures that the system remains consistently configured and adheres to established standards, enhancing its reliability and security.
Verifying and confirming users' identities is a prerequisite for granting access to organizational information systems. This process is fundamental in ensuring that only authorized individuals gain entry to these systems.
Involves testing and implementing capabilities to prepare for, detect, analyze, contain, recover from, and respond to security incidents. This comprehensive approach ensures organizations are well-equipped to handle and mitigate incidents.
Encompasses the practice of maintaining information systems and implementing necessary controls to verify and oversee the actions of personnel responsible for this maintenance. This ensures that the systems are properly cared for and that maintenance activities adhere to established protocols.
Involves the secure storage of information system media that contains both paper and digital Controlled Unclassified Information (CUI). Additionally, it entails the use of secure procedures to sanitize and properly dispose of CUI.
Requires screening of all individuals who will access information systems containing Controlled Unclassified Information (CUI). Additionally, it mandates the timely revocation of access privileges in cases of transfer or termination.
Entails the restriction of physical access to information systems. It involves the implementation of physical security controls and monitoring to safeguard these systems. This ensures that only authorized personnel can physically access the systems and that they are protected from unauthorized entry or tampering through effective security measures.
Involves the continuous process of evaluating and assessing risks and vulnerabilities in information systems that handle Controlled Unclassified Information (CUI).
Requires the periodic evaluation of security controls to assess their effectiveness. This process involves testing the controls, replacing any that are found to be deficient, and implementing continuous monitoring to ensure that the security measures remain effective over time.
Involves enabling secure communication between information systems. This practice ensures that data and information can be exchanged between systems in a manner that preserves its confidentiality, integrity, and availability, safeguarding it from unauthorized access or interception during transmission.
Learn System and Communications Protection For Level 2 Compliance
Requires continuous monitoring of information systems to safeguard against malicious code, detect and report vulnerabilities or flaws, and respond appropriately to security alerts.
Learn System and Information Integrity For Level 2 Compliance
One of the most important parts of a CMMC project is to accurately identify the scope of the project.
Not only will this save you time and money by reducing the size and complexity of your audit, but it will also increase the likelihood of success during the CMMC audit, as the auditors will have fewer systems to examine.
CMMC only applies to the parts of your business that have CUI.
Figuring out what CUI you have and where it’s stored is the most important part of your CMMC project.
Let me explain why using two examples:
As you work on this project, always ask yourself if there’s a way to restrict access to CUI.
Better yet, figure out how to limit the places where it’s stored and handled, and possibly even redact the parts that make it CUI.
As you delve into the 110 requirements for CMMC compliance, it can be an overwhelming prospect.
Here are the Top 10 sections that will drive much of the cost and complexity of your CMMC project.
We recommend focusing on these initially:
Pro Tip: Working through this Top 10 list is a great way to get started and test how well you’ll be able to manage CMMC compliance using your existing team. If you find this list overwhelming or difficult, it might make sense to hire a CMMC expert (called a Registered Practitioner) to help you with your efforts.
Most companies are already using Microsoft 365.
Unfortunately, according to this Microsoft post, the commercial version of Microsoft 365 cannot be used by companies looking to comply with CMMC.
You will need to migrate to one of two different “Government Community Cloud” (GCC) versions:
GCC and GCC High are more expensive than the normal version of Microsoft 365 (20-100% more per license), and we recommend looking into this as one of the first things that you do in this project.
However, if you plan to build an enclave, there may be a less expensive option. Systems like Preveil offer a more affordable way (~$20-30/user/month) to handle secure email and secure document sharing, but it wouldn’t be appropriate for an entire company. If you are planning to build an enclave, take a look at Preveil, an enclave is a CMMC-compliant repository that segregates CUI from a larger organization.
If you're eager to dive deeper into the world of CMMC Level 2 compliance and explore the 110 security controls, you're in the right place.
Below, you'll find links to our comprehensive guides, each dedicated to helping you master these essential controls, ensuring your organization is well-prepared for the journey ahead.
Are you a DoD contractor grappling with the challenges of securing government contracts?
Compliance complexities, security threats, and budget constraints can weigh you down.
Our team, led by CMMC Registered Practitioner Josh Ablett, specializes in providing expert guidance and hands-on support to help you navigate the intricacies of compliance, so you can focus on what you do best.
Build a Robust SSP: Your System Security Plan (SSP) is the backbone of your compliance efforts. Let us help you create a comprehensive, customized SSP that aligns with CMMC Level 2 requirements.
Manage Your POAM: Plan of Action and Milestones (POAM) can be daunting. Our experts will assist you in developing and managing an effective POAM, ensuring you're always on the right track.
Stay Ahead of the Curve: With Adelia Risk, you'll have the guidance and support you need to continually adapt to evolving cybersecurity standards and emerging technologies.