Cybersecurity Maturity Model Certification Level 2
The CMMC is a cybersecurity framework that lets organizations in the defense supply chain assess their cybersecurity maturity and that provides a set of requirements for improving their security posture.
This document outlines assessment guidance for conducting CMMC assessments at Level 2 and Level 3, as well as the cumulative requirements each level adds.
The ultimate goal of the Cybersecurity Maturity Model Certification is to protect two types of information that contractors handle on behalf of the government:
- Federal Contract Information (FCI): information provided by or generated for the government under contract that is not intended for public release.
- Controlled Unclassified Information (CUI): information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy, whether it is held on systems or in physical form such as research files.
CMMC Level 2 Process Maturity and Practices
Processes: Documented
To achieve Level 2, organizations must document the practices and policies by which they implement CMMC. Documenting a practice allows anyone with the appropriate authority to carry it out in a repeatable way, which is the foundation for the managed processes required at higher levels.
Practices: Intermediate Cyber Hygiene
Level 2 is a progression from the basic cyber hygiene of Level 1 toward Level 3. It consists of a subset of the security requirements in NIST SP 800-171 together with practices from other standards and references. Because this level is a transitional stage, only a subset of its practices reference the protection of CUI.
Achieving CMMC Level 2 certification requires implementing the practices listed below in addition to all Level 1 practices.
Cybersecurity Maturity Model Certification Level 2 Purpose and Audience
This document is intended for Certified Assessors, contractors, and information technology and cybersecurity practitioners who secure data and systems, including those responsible for information risk management, system development, security assessment and monitoring, and security implementation or operations. Contractors can use this guide to prepare for a CMMC assessment, including a self-assessment.
Cybersecurity Maturity Model Certification Level 2 Document Organization
This document is organized into the following sections:
- Assessment and Certification: provides an overview of the CMMC assessment and certification process, guidance around contractor size, and the assessment scope.
- Assessment Criteria and Methodology: provides guidance on the criteria and methodology (i.e., interview, examine, and test) Certified Assessors will employ during a CMMC assessment, as well as practice and process findings.
- Practice and Process Descriptions: provides the assessment requirements and specifics for each CMMC certification practice and process.
Cybersecurity Maturity Model Certification Level 2 Assessment and Certification
Certified Assessors use the assessment methods defined in this guide to conduct CMMC Level 2 and Level 3 assessments. They gather information and evidence to independently verify that a contractor meets the stated assessment objectives for all required practices and processes, either across the enterprise or segment by segment, depending on how the assessment is scoped.
- Contractor Size – The CMMC assessment methodology is designed so that contractors of any size, complexity, or resource constraints can achieve and maintain the required level of protection for the information they handle.
- Assessment Scope – Prior to a CMMC assessment, the contractor must define an appropriate scope for the assessment that will represent the boundary on which their certification is valid. Additional guidance can be found in future versions of this guidebook and through working with our experts at your service center.
Cybersecurity Maturity Model Certification Level 2 Assessment Criteria and Methodology
- Criteria – The assessment of a practice begins with its assessment objectives. Objective criteria are provided for each practice and are based on existing standards, chiefly NIST SP 800-171, which is authoritative for assessing the practices derived from it.
- Methodology – CMMC levels are cumulative, so a contractor seeking Level 2 certification must also demonstrate that all Level 1 practices are met, and a Level 3 candidate must likewise demonstrate Level 2; the evidence for those lower-level practices is verified by the Certified Assessor as part of the assessment. Objectives can be met through documentation, through how computers are configured, and through how the network is configured. Certified Assessors follow NIST SP 800-171A when choosing the assessment methods used to determine whether the contractor meets each practice.
Certified Assessors are not constrained to the assessment procedures in this publication when deciding how to perform an assessment. They have the flexibility to choose the methods that provide the desired result, based on budget constraints and the level of assurance needed for the site or object being assessed.
The examination process often includes inspection, observation and analysis of assessment objects. These items can include documents, mechanisms or activities.
For some practices, the Certified Assessor reviews documentation to determine whether the assessment objectives are met. Interviews with contractor staff can identify which documents they use and what evidence is needed. Documents must be in final form; working papers (e.g., drafts) are not eligible as evidence because they could still change before being formally issued. Documents reviewed may include:
- policy, process, and procedure documents
- training materials
- plans and planning documents and
- system-level, network, and data flow diagrams.
The list of documents is not exhaustive. For a truly complete assessment, it’s best to observe how staff are following processes and view hardware or configuration information associated with the safeguards in place.
Testing the implementation lets the assessor find discrepancies between intent and practice. Interviews show how staff believe a practice is performed and documentation records what was intended, but observing the practice in operation confirms that it is actually executed as described. The three methods are therefore complementary rather than competing sources when evaluating an organization's compliance.
Each CMMC practice or process receives one of three findings: MET, NOT MET, or NOT APPLICABLE. To achieve Level 2, every required practice and process must be found MET or NOT APPLICABLE.
Cybersecurity Maturity Model Certification Level 2 Practice and Process Descriptions
- Identifier and Practice Statement: begins with the practice or process identifier in the format Domain.Level.Number (e.g., AC.2.007), followed by the CMMC practice or process statement.
- Assessment Objectives [Source]: the objectives that must be met when the practice is assessed. For practices derived from NIST SP 800-171 these are the objectives in NIST SP 800-171A; for practices and processes not based on NIST SP 800-171, CMMC objectives were developed using the same methodology.
- Potential Assessment Methods and Objects [Source]: defines the nature and extent of the Certified Assessor's actions. For practices derived from NIST SP 800-171, the potential assessment methods and objects are those defined in NIST SP 800-171A; for practices and processes not based on NIST SP 800-171, they were developed using the same methodology.
- Discussion [Source]: for practices derived from NIST SP 800-171, the discussion reproduces the commentary NIST wrote for the associated security requirement, supplemented with CMMC-specific discussion of how the practice applies in a contractor environment. CMMC Level 1, on which Level 2 builds, aligns with FAR Clause 52.204-21 and is specifically designed to address the risk to FCI from computers and networks.
Cybersecurity Maturity Model Certification Level 2 Access Control Processes
- AC.2.999 – Establish a policy that includes Access Control.
- AC.2.998 – Document the CMMC practices to implement the Access Control policy.
CMMC Level 2 Access Control Practices
- AC.2.005 – Provide privacy and security notices consistent with applicable controlled unclassified information (CUI) rules.
- AC.2.006 – Limit use of portable storage devices on external systems.
- AC.2.007 – Employ the principle of least privilege, including for specific security functions and privileged accounts.
- AC.2.008 – Use non-privileged accounts or roles when accessing nonsecurity functions.
- AC.2.009 – Limit unsuccessful logon attempts.
- AC.2.010 – Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
- AC.2.011 – Authorize wireless access prior to allowing such connections.
- AC.2.013 – Monitor and control remote access sessions.
- AC.2.015 – Route remote access via managed access control points.
- AC.2.016 – Control the flow of CUI in accordance with approved authorizations.
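AC.2.009 (limit unsuccessful logon attempts) and AC.2.013 (monitor remote access sessions) are easiest to understand as a concrete review of authentication records, and the same review serves the audit practices AU.2.041 and AU.2.044 listed later on this page. The Python script below is an added example written for this page, not code from CMMC, NIST or any vendor. It parses constructed syslog-style sshd and sudo records (the hostname, usernames and addresses are made up), counts failed logons per user and source address within a sliding window against an assumed lockout policy of 5 attempts in 15 minutes, and attributes each privileged command to the individual who ran it rather than to the root account it targeted.

```python
"""Review of sshd/sudo audit records: lockout detection (AC.2.009) and user attribution (AU.2.041)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample records in a syslog-like layout with UTC timestamps; the host,
# user names and addresses are invented for this example.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51234 ssh2
2024-03-01T08:00:04Z host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51235 ssh2
2024-03-01T08:00:06Z host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51236 ssh2
2024-03-01T08:00:09Z host1 sshd[1202]: Accepted publickey for bob from 198.51.100.12 port 40210 ssh2
2024-03-01T08:00:11Z host1 sshd[1203]: Failed password for alice from 203.0.113.7 port 51237 ssh2
2024-03-01T08:00:13Z host1 sshd[1203]: Failed password for alice from 203.0.113.7 port 51238 ssh2
2024-03-01T08:00:15Z host1 sshd[1204]: Failed password for alice from 203.0.113.7 port 51239 ssh2
2024-03-01T08:30:00Z host1 sshd[1300]: Failed password for carol from 198.51.100.12 port 40300 ssh2
2024-03-01T08:31:00Z host1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
2024-03-01T08:32:00Z host1 sshd[1301]: Failed password for invalid user admin from 203.0.113.7 port 51300 ssh2
"""

# Lockout policy; both values are assumptions for this example, not numbers CMMC mandates.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=15)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(log: str) -> List[dict]:
    """Turn raw lines into records; each record names the individual user the event belongs to."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production reviewer should count unparsed lines, not silently drop them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec = {"ts": ts, "host": m["host"], "raw": line}
        auth = AUTH_RE.match(m["msg"])
        sudo = SUDO_RE.match(m["msg"]) if m["proc"] == "sudo" else None
        if auth:
            rec.update(user=auth["user"], src=auth["src"],
                       action="auth-ok" if auth["result"] == "Accepted" else "auth-failed")
        elif sudo:
            rec.update(user=sudo["user"], target=sudo["target"], cmd=sudo["cmd"], action="sudo")
        else:
            rec.update(user=None, action="other")
        records.append(rec)
    records.sort(key=lambda r: r["ts"])  # review in time order regardless of file order
    return records


def find_lockouts(records: List[dict]) -> List[Tuple[str, str, datetime]]:
    """AC.2.009: flag (user, source) pairs that reach MAX_FAILURES failed logons within WINDOW."""
    recent: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    lockouts = []
    for rec in records:
        if rec["action"] != "auth-failed":
            continue
        key = (rec["user"], rec["src"])
        window = [t for t in recent[key] if rec["ts"] - t <= WINDOW] + [rec["ts"]]
        if len(window) >= MAX_FAILURES:
            lockouts.append((rec["user"], rec["src"], rec["ts"]))
            window = []  # the lockout itself resets the counter
        recent[key] = window
    return lockouts


def privileged_actions(records: List[dict]) -> List[Tuple[str, str, str]]:
    """AU.2.041: privileged commands traced to the person who ran them, not to the target account."""
    return [(r["user"], r["target"], r["cmd"]) for r in records if r["action"] == "sudo"]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for user, src, when in find_lockouts(recs):
        print(f"LOCKOUT {when.isoformat()} user={user} src={src}")
    for user, target, cmd in privileged_actions(recs):
        print(f"PRIVILEGED user={user} as={target} cmd={cmd}")
```

Run against the sample, the script reports one lockout (alice from 203.0.113.7 on the fifth failure at 08:00:13) and one privileged command attributed to bob. A real review would read the host's auth log or journal on a schedule; the threshold and window are policy decisions the organization documents under AC.2.009, and relying on the timestamps presupposes the clock synchronization required by AU.2.043.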
Cybersecurity Maturity Model Certification Level 2 Audit and Accountability Processes
- AU.2.999 – Establish a policy that includes Audit and Accountability.
- AU.2.998 – Document the CMMC practices to implement the Audit and Accountability policy.
Cybersecurity Maturity Model Certification Level 2 Audit and Accountability Practices
- AU.2.041 – Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
- AU.2.042 – Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity
- AU.2.043 – Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
- AU.2.044 – Review audit logs.
Cybersecurity Maturity Model Certification Level 2 Awareness and Training Processes
- AT.2.999 – Establish a policy that includes Awareness and Training.
- AT.2.998 – Document the CMMC practices to implement the Awareness and Training policy.
CMMC Level 2 Awareness and Training Practices
- AT.2.056 – Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
- AT.2.057 – Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
CMMC Level 2 Configuration Management (CM)
- CM.2.999 – Establish a policy that includes Configuration Management.
- CM.2.998 – Document the CMMC practices to implement the Configuration Management policy.
CMMC Model Level 2 Configuration Management Practices
- CM.2.061 – Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- CM.2.062 – Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
- CM.2.063 – Control and monitor user-installed software.
- CM.2.064 – Establish and enforce security configuration settings for information technology products employed in organizational systems.
- CM.2.065 – Track, review, approve or disapprove, and log changes to organizational systems.
- CM.2.066 – Analyze the security impact of changes prior to implementation.
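CM.2.061 and CM.2.064 require an approved baseline and a way to tell when a system has drifted from it, and CM.2.065 requires that changes be tracked. The Python script below is an added example for this page (not code from CMMC, NIST or OpenSSH) that compares a constructed sshd_config against a hypothetical approved baseline. It follows sshd's own reading of the file (keywords are case-insensitive, the first occurrence of a directive wins, lines beginning with # are comments, and a Match block ends the global section), reports every baseline directive that is missing or set to a different value, and computes a fingerprint of the effective settings that can be recorded with each approved change. The baseline values are illustrative choices, not CMMC requirements.

```python
"""Configuration baseline check for an OpenSSH server (CM.2.061, CM.2.064, CM.2.065)."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical approved baseline; the directive values are this example's assumptions.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "MaxAuthTries": "5",
    "X11Forwarding": "no",
    "AllowTcpForwarding": "no",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config as it might be found on a host; it drifts from the baseline in four places.
CURRENT_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 5
# sshd honours the first occurrence of a keyword, so this repeat is ignored:
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding yes
LogLevel INFO
# Directives inside a Match block are conditional and not part of the global settings:
Match User backup
    PermitRootLogin no
"""

# "keyword value" is the usual form; "keyword=value" is accepted as well.
DIRECTIVE_RE = re.compile(r"^(?P<key>[A-Za-z0-9]+)(?:\s*=\s*|\s+)(?P<value>.*?)\s*$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global directives, keyed by lower-cased keyword."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key = m["key"].lower()
        if key == "match":
            break  # everything after the first Match block is conditional
        settings.setdefault(key, m["value"])  # first occurrence wins, as in sshd
    return settings


def compare_to_baseline(baseline: Dict[str, str],
                        current: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """(directive, expected, actual) for every baseline directive that is absent or differs.

    An absent directive is reported as None: sshd would fall back to its compiled-in
    default, and a baseline should not depend on defaults that change between releases.
    """
    findings = []
    for directive, expected in baseline.items():
        actual = current.get(directive.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return findings


def fingerprint(current: Dict[str, str]) -> str:
    """Stable hash of the effective settings, for recording with each approved change (CM.2.065)."""
    canonical = "\n".join(f"{k}={v.lower()}" for k, v in sorted(current.items()))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    effective = parse_sshd_config(CURRENT_CONFIG)
    print("fingerprint", fingerprint(effective))
    for directive, expected, actual in compare_to_baseline(BASELINE, effective):
        print(f"DRIFT {directive}: expected {expected!r}, found {actual!r}")
```

Run the same comparison against the configuration exported from each host and record the fingerprint alongside the change ticket; a fingerprint that changes without a matching approved change is exactly the unauthorized modification CM.2.065 is meant to surface.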
CMMC Model Level 2 Identification and Authentication Processes
- IA.2.999 – Establish a policy that includes Identification and Authentication.
- IA.2.998 – Document the CMMC practices to implement the Identification and Authentication policy.
CMMC Model Level 2 Identification and Authentication Practices
- IA.2.078 – Enforce a minimum password complexity and change of characters when new passwords are created.
- IA.2.079 – Prohibit password reuse for a specified number of generations.
- IA.2.080 – Allow temporary password use for system logons with an immediate change to a permanent password.
- IA.2.081 – Store and transmit only cryptographically-protected passwords.
- IA.2.082 – Obscure feedback of authentication information.
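The IA.2.078 through IA.2.082 practices above say what password handling must achieve. The Python module below is an added example, written for this page and not taken from CMMC or NIST, of one way to implement them together: salted PBKDF2-HMAC-SHA256 so that only a cryptographically protected form of the password is ever stored (IA.2.081), a complexity and change-of-characters check (IA.2.078), a reuse check against the last N stored hashes (IA.2.079), a temporary password that must be replaced at first logon (IA.2.080), and a logon result that reveals nothing about which part of the secret was wrong, compared in constant time (IA.2.082). The minimum length, character-class rule, change count, history depth and iteration count are assumptions for the example, not numbers CMMC mandates.

```python
"""Password handling that satisfies IA.2.078 through IA.2.082 (added example)."""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Policy parameters; the values are this example's assumptions, not CMMC mandates.
MIN_LENGTH = 12            # IA.2.078: minimum complexity
MIN_CHARS_CHANGED = 4      # IA.2.078: characters that must change between consecutive passwords
HISTORY_GENERATIONS = 5    # IA.2.079: generations (current included) for which reuse is prohibited
PBKDF2_ITERATIONS = 200_000  # IA.2.081: work factor; raise it as far as your logon latency budget allows


class PasswordPolicyError(ValueError):
    """Raised when a proposed password or password change violates policy."""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only this pair is ever stored; the password itself is not (IA.2.081)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how much of the digest matched (IA.2.082)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_complexity(password: str) -> None:
    """IA.2.078: minimum length plus at least three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if len(password) < MIN_LENGTH:
        raise PasswordPolicyError(f"password shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        raise PasswordPolicyError("password needs three of: lower case, upper case, digit, symbol")


def chars_changed(old: str, new: str) -> int:
    """Positions that differ plus any length difference: a simple change-of-characters metric."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


class Account:
    def __init__(self, username: str, initial_password: str, temporary: bool = True) -> None:
        self.username = username
        self.history: List[Tuple[bytes, bytes]] = [hash_password(initial_password)]
        self.must_change = temporary  # IA.2.080: a temporary password is replaced at first logon

    def login(self, password: str) -> str:
        """Return 'denied', 'change-required' or 'ok'; the same 'denied' for every kind of failure."""
        if not verify_password(password, *self.history[-1]):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def change_password(self, old_password: str, new_password: str) -> None:
        if not verify_password(old_password, *self.history[-1]):
            raise PasswordPolicyError("current password incorrect")
        check_complexity(new_password)
        if chars_changed(old_password, new_password) < MIN_CHARS_CHANGED:
            raise PasswordPolicyError(f"fewer than {MIN_CHARS_CHANGED} characters changed")
        for salt, digest in self.history:  # IA.2.079: compare against every retained generation
            if verify_password(new_password, salt, digest):
                raise PasswordPolicyError(f"password reused within the last {HISTORY_GENERATIONS} generations")
        self.history.append(hash_password(new_password))
        del self.history[:-HISTORY_GENERATIONS]  # retain only the generations the policy covers
        self.must_change = False


if __name__ == "__main__":
    acct = Account("alice", "Temp-Start-2024!")          # temporary password issued by the help desk
    print(acct.login("Temp-Start-2024!"))                  # change-required
    acct.change_password("Temp-Start-2024!", "Correct-Horse-Battery-9")
    print(acct.login("Correct-Horse-Battery-9"))           # ok
```

Because every generation in the history has its own salt, a reuse check costs one PBKDF2 computation per retained hash; that is the intended price of IA.2.079 and a reason not to set the history depth higher than the policy requires.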
Level 2 Incident Response
- IR.2.999 – Establish a policy that includes Incident Response.
- IR.2.998 – Document the CMMC practices to implement the Incident Response policy.
CMMC Level 2 Incident Response Practices
- IR.2.092 – Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response.
- IR.2.093 – Detect and report events.
- IR.2.094 – Analyze and triage events to support event resolution and incident declaration.
- IR.2.096 – Develop and implement responses to declared incidents according to predefined procedures.
- IR.2.097 – Perform root cause analysis on incidents to determine underlying causes.
Level 2 Maintenance
- MA.2.999 – Establish a policy that includes Maintenance.
- MA.2.998 – Document the CMMC practices to implement the Maintenance policy.
CMMC Level 2 Maintenance Practices
- MA.2.111 – Perform maintenance on organizational systems.
- MA.2.112 – Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
- MA.2.113 – Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete
- MA.2.114 – Supervise the maintenance activities of maintenance personnel without required access authorization.
Level 2 Media Protection Processes
- MP.2.999 – Establish a policy that includes Media Protection.
- MP.2.998 – Document the CMMC practices to implement the Media Protection policy.
CMMC Level 2 Media Protection Practices
- MP.2.119 – Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- MP.2.120 – Limit access to CUI on system media to authorized users.
- MP.2.121 – Control the use of removable media on system components.
CMMC Level 2 Personnel Security (PS)
- PS.2.999 – Establish a policy that includes Personnel Security.
- PS.2.998 – Document the CMMC practices to implement the Personnel Security policy.
CMMC Level 2 Personnel Security Practices
- PS.2.127 – Screen individuals prior to authorizing access to organizational systems containing CUI.
- PS.2.128 – Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
CMMC Level 2 Physical Protection Processes
- PE.2.999 – Establish a policy that includes Physical Protection.
- PE.2.998 – Document the CMMC practices to implement the Physical Protection policy.
CMMC Level 2 PE Practices
- PE.2.135 – Protect and monitor the physical facility and support infrastructure for organizational systems.
CMMC Level 2 Recovery
- RE.2.999 – Establish a policy that includes Recovery.
- RE.2.998 – Document the CMMC practices to implement the Recovery policy.
CMMC Model Level 2 RE Practices
- RE.2.137 – Regularly perform and test data backups.
- RE.2.138 – Protect the confidentiality of backup CUI at storage locations.
CMMC Model Level 2 Risk Management
- RM.2.999 – Establish a policy that includes Risk Management.
- RM.2.998 – Document the CMMC practices to implement the Risk Management policy.
CMMC Model Level 2 System and Information Integrity Processes
- SI.2.999 – Establish a policy that includes System and Information Integrity.
- SI.2.998 – Document the CMMC practices to implement the System and Information Integrity policy.
Level 2 System and Information Integrity Practices
- SI.2.214 – Monitor system security alerts and advisories and take action in response.
- SI.2.216 – Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
- SI.2.217 – Identify unauthorized use of organizational systems.
Cybersecurity Maturity Model Certification (CMMC) Free Resources:
- Understanding CMMC Level 1 Requirements
- Understanding CMMC Level 2 Requirements
- Understanding CMMC Level 3 Requirements
- Understanding CMMC Level 4 Requirements
- Understanding CMMC Level 5 Requirements
Who is ChatFortress?
ChatFortress is a cybersecurity company that helps small and medium-size companies protect themselves from hacking attempts, using cybersecurity AI, gamified cybersecurity awareness programs, and virtual security analysts. Our goal is to help you create a cybersecurity-aware culture.