Welcome to our comprehensive guide on Security Assessment for CMMC Level 2. This guide is tailored for small to midsize businesses with DoD contracts. We will guide you with straightforward steps to help you implement CMMC security controls effectively. From assessing your current security measures to establishing a CMMC System Security Plan (SSP), we cover essential actions for safeguarding Controlled Unclassified Information (CUI) and achieving CMMC level 2 compliance.
Security Assessment Control is vital for meeting CMMC standards, ensuring your organization maintains robust security and CUI protection. This guide also emphasizes CMMC security monitoring as a proactive measure to keep your systems secure.
If you need personalized support with CMMC compliance, including security assessments or setting up an SSP, schedule a free consultation with us. We’re here to make CMMC Level 2 compliance achievable and effective for your business.
“Periodically assess the CMMC security controls in organizational systems to determine if the controls are effective in their application.”
Level Of Effort: High
This control involves periodically checking the security controls in your computer systems to confirm they are working as intended. The aim is to find and fix any security issues early.
For instance, if you use encryption on your computers as required by SC.L2-3.13.11 – CUI ENCRYPTION, you need a way to check if someone forgets to encrypt a new computer.
Most CMMC controls require some verification to confirm your systems are working and are configured correctly. Here are a few ways to do this:
Remember, whichever methods you choose, maintaining documentation and evidence is crucial.
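As an added example (not code from the original guide), here is one way to automate the encryption check described above for Windows endpoints and save the evidence an assessor will ask for. It assumes the built-in BitLocker PowerShell module, an elevated session, and an evidence folder path (`$EvidencePath`) that you would choose yourself.

```powershell
# Added example, not from the original guide: verify that every fixed drive on
# this Windows endpoint is BitLocker-encrypted with protection enforced, and
# write a dated CSV as assessment evidence. $EvidencePath is an assumed location.
#Requires -RunAsAdministrator
$EvidencePath = "C:\CMMC\Evidence\bitlocker-$(Get-Date -Format yyyyMMdd).csv"

function Test-CuiDiskEncryption {
    # Only fixed drives with a letter; removable media is handled by other controls.
    $fixedLetters = Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }

    Get-BitLockerVolume | Where-Object { $_.MountPoint -in $fixedLetters } | ForEach-Object {
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            Checked          = (Get-Date).ToString('s')
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus = $_.ProtectionStatus  # 'On' means the key protectors are enforced
            Method           = $_.EncryptionMethod  # e.g. XtsAes256; record it for the FIPS discussion
            KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ';')
            # A volume that is encrypted but has protection suspended still exposes CUI,
            # so both conditions are required for a pass.
            Compliant        = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
        }
    }
}

$results = Test-CuiDiskEncryption
New-Item -ItemType Directory -Path (Split-Path $EvidencePath) -Force | Out-Null
$results | Export-Csv -Path $EvidencePath -NoTypeInformation
$results | Format-Table MountPoint, VolumeStatus, ProtectionStatus, Method, Compliant -AutoSize

$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) volume(s) on $env:COMPUTERNAME are not fully protected; open a POAM item."
    exit 1   # a non-zero exit lets a scheduled task or RMM tool flag the host
}
```

Run it on a schedule (for example as a scheduled task pushed by your device management tool) so a newly added computer that was never encrypted shows up in the next evidence file rather than at assessment time.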
“Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.”
Level Of Effort: High
Having a solid plan to handle security problems and stop hackers from getting into your company's computer systems is essential for CMMC 2.0. This plan should tell you what to do when security checks find issues, helping keep your systems safe.
Create a Plan of Action and Milestones (POAM): A detailed plan to address security flaws. You can use a spreadsheet or project management software for this. Make sure to include:
Here’s an example of how you can organize your POAM:
CMMC Control | Action | Milestones | Due Date | Owner | Status |
---|---|---|---|---|---|
3.1.17 | Protect wireless access using authentication and encryption. | Upgrade to FIPS-validated equipment | 9/15/24 | Alice | In progress |
3.1.18 | Control connection of mobile devices. | Implement a new device management protocol | 10/1/24 | Mike | In progress |
3.1.19 | Encrypt CUI on mobile devices. | Device mgmt settings | 10/15/24 | Alice | Not started |
3.1.20 | Verify and control/limit connections to external systems. | Complete external connection audit | 12/1/24 | Mike | Not started |
Important Note: You cannot qualify for CMMC certification while items remain open on your POAM; every POAM item must be addressed before you can qualify.
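As an added example (not from the original guide), here is a small status check for a POAM kept as a spreadsheet exported to CSV in the column layout shown above. The rows are the table's own entries embedded as constructed sample data; in practice you would replace the here-string with `Import-Csv` on your own file.

```powershell
# Added example, not from the original guide: flag open and overdue POAM items
# and report whether the POAM is clear, using the column layout from the table above.
# The CSV below is constructed sample data copied from that table.
$poamCsv = @'
CMMC Control,Action,Milestones,Due Date,Owner,Status
3.1.17,Protect wireless access using authentication and encryption.,Upgrade to FIPS-validated equipment,9/15/24,Alice,In progress
3.1.18,Control connection of mobile devices.,Implement a new device management protocol,10/1/24,Mike,In progress
3.1.19,Encrypt CUI on mobile devices.,Device mgmt settings,10/15/24,Alice,Not started
3.1.20,Verify and control/limit connections to external systems.,Complete external connection audit,12/1/24,Mike,Not started
'@

function Get-PoamStatus {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [datetime]$AsOf = (Get-Date)
    )
    $open = foreach ($row in $Rows) {
        if ($row.Status -eq 'Complete') { continue }
        # Dates in the table are M/d/yy; parse them culture-independently.
        $due = [datetime]::ParseExact($row.'Due Date', 'M/d/yy', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            Control  = $row.'CMMC Control'
            Owner    = $row.Owner
            Status   = $row.Status
            DueDate  = $due.ToString('yyyy-MM-dd')
            DaysLeft = ($due.Date - $AsOf.Date).Days   # negative means overdue
            Overdue  = ($due.Date -lt $AsOf.Date)
        }
    }
    [pscustomobject]@{
        OpenItems          = @($open).Count
        OverdueItems       = @($open | Where-Object { $_.Overdue }).Count
        # The guide's rule: no open POAM items at assessment time.
        ReadyForAssessment = (@($open).Count -eq 0)
        Items              = @($open | Sort-Object DueDate)
    }
}

$rows   = $poamCsv | ConvertFrom-Csv
$report = Get-PoamStatus -Rows $rows -AsOf (Get-Date '2024-10-20')
$report.Items | Format-Table Control, Owner, Status, DueDate, DaysLeft, Overdue -AutoSize
"Open: $($report.OpenItems)  Overdue: $($report.OverdueItems)  Ready for assessment: $($report.ReadyForAssessment)"
```

With the sample data and an as-of date of 2024-10-20, all four items are open, three are overdue, and the POAM is not clear for assessment.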
“Monitor CMMC security controls on an ongoing basis to ensure the continued effectiveness of the controls.”
Level Of Effort: None
Always monitor your computer security to ensure it's working well. Imagine it like a security camera that's always recording, helping you stay safe.
This is important if you follow all the advice in AU.L2-3.3.1 – SYSTEM AUDITING.
“Develop, document, and periodically update CMMC System Security Plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”
Level Of Effort: High
This control focuses on creating and maintaining a detailed plan. It should describe your system's boundaries, how it operates, its security features, and its connections to other systems. It's like a playbook that guides you through your security strategies.
While there's no 'official' SSP template, you can find many free and paid ones online. However, a paid template may not be worth it: they can be costly and only get you started.
You can either:
If you choose to write the SSP, here's what to do:
For example, let's look at AC.L2-3.1.18 – MOBILE DEVICE CONNECTION.
The NIST template only asks for the following:
To write an acceptable SSP, you could write details like the following:
For work-related tasks like handling emails or documents, mobile devices need to be set up to keep CUI (Controlled Unclassified Information) safe.
We use a tool called Mobile Application Management in Microsoft 365 GCC High to manage these devices. This tool lets them be used only for accessing CUI through email, OneDrive, or SharePoint.
Here's how we've set up the Mobile Application Management:
What you put in your plan depends on what you’ll implement.
Here's a helpful tip: It's good to decide early on how you'll handle the SSP in your project, but it's best to write the document near the end of your CMMC work. Trying to write it while you are still making changes can be tough.