Introduction to CMMC Level 2
This blog introduces:
CMMC Level 2 Requirements
The formal CMMC Assessment Process (CAP)
The Cybersecurity Maturity Model Certification's second level comprises 110 security requirements specified in NIST SP 800-171 Revision 2, aligning with the DFARS Clause 252.204-7012. It is centered on protecting controlled unclassified information (CUI): information that requires safeguarding or dissemination controls in accordance with laws, regulations, and government-wide policies but is not classified. CMMC Level 2 Certification verifies for the Department of Defense (DoD) that a contractor can protect CUI at a level commensurate with its risk throughout a (multi-tier) supply chain. To achieve CMMC Level 2 Certification, contractors must implement 110 practices and pass a CMMC Third-Party Assessment Organization (C3PAO) assessment every 3 years.*
Level 2 Practice Requirements: The CMMC Level 2 requirements are divided into fourteen domains, which are further divided into 110 practices. Under each practice is a list of assessment objectives (320 objectives total). Assessment objectives outline specific requirements, or determination statements, for each practice.
These practices span technical controls (for example, FIPS-validated cryptography used to protect CUI) as well as non-technical controls, policies, and procedures (for example, a System Security Plan (SSP)) that sustain the ongoing security of CUI.
See the CMMC Level 2 Assessment Guide for a complete list of practices. For more information on domains, see our previous blog post here.
Note that, because CMMC is cumulative, the 17 practices of Level 1 are included in Level 2. To be certified at a specific CMMC level, a contractor must also demonstrate compliance with the practices and requirements of the lower levels. If a contractor does not meet the requirements for its targeted CMMC level, it will be certified at the highest level for which it has achieved all the applicable practices.
Assessment
It is imperative to understand that the Level 2 CMMC Assessment is a formal test. Unlike Level 1, self-assessment by contractors using the CMMC guidelines will not result in certification at Level 2. To achieve CMMC Level 2 certification, contractors, or organizations seeking certification (OSC), must undergo an assessment by a Certified CMMC Assessor (CCA) and C3PAO.
C3PAOs are organizations authorized by the Cyber-AB (the CMMC Accreditation Body) to conduct CMMC Level 2 Assessments. A list of authorized or accredited C3PAOs can be found on the Cyber-AB Marketplace.
C3PAOs rely on the CMMC Assessment Process (CAP) to guide their assessment of the extent to which an OSC has implemented CMMC practices. The process is organized into four phases:
Phase 1: Plan and Prepare the Assessment.
In phase one, the OSC and the assessor work together to plan and prepare for the assessment. The first phase may involve identifying the specific CMMC domains and practices that will be assessed (scoping), gathering relevant documentation and evidence, and developing an assessment schedule. The assessor may also conduct pre-assessment activities, such as reviewing the organization's self-assessment or conducting a risk assessment, to help identify any areas of potential non-compliance. The aim of phase one is to ensure that the assessment is conducted efficiently and effectively and that all parties are adequately prepared for the assessment process.
Phase 2: Conduct the Assessment
In the second phase, the C3PAO assesses a contractor’s “…practices to determine the extent to which the practices are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization”.
Scoring the Assessment
Level 2 assessments are scored using the CMMC scoring method, which follows the NIST SP 800-171 DoD Assessment Methodology, and the results are recorded in the CMMC Assessment Results Template. There are three possible findings for each practice: met, not met, and not applicable. Each applicable practice is assessed at the objective level. An assessment procedure consists of an assessment objective, assessment methods, and assessment objects.
Assessment objectives outline specific requirements, or determination statements, that determine whether a practice has been met. Assessors rely on assessment methods like examining, interviewing, and testing, to evaluate assessment objects. Assessment objects identify what is being examined, interviewed, or tested. They can be specifications, mechanisms, activities, or (groups of) individuals.
If any objective of a practice is not met, the entire practice is considered not met. If all practices are implemented, the contractor is awarded a score of 110/110. For every practice that is not met, the value assigned to that practice is subtracted from 110.
Some practices carry more weight than others. Failing a critically important practice (AC.L1-3.1.1, for example) subtracts 5 points rather than 1. Because the total of the deductions can exceed 110, a negative score is possible.
Certain deficiencies can be placed on the Limited Practice Deficiency Correction (LPDC) program, which lets an OSC correct practices that are already implemented but need small updates, within a restricted timeframe. If the overall score of the Assessment, after eligible items are placed on the LPDC program, falls below 80% (a score of 88 out of 110), the OSC receives a final result of Not Achieved for CMMC Level 2 Certification. The OSC must then address the deficiencies and reapply.
If the overall score, after eligible items are placed on the LPDC program, is 80% or higher (a score of at least 88 out of 110), the OSC must address the remaining deficiencies within five business days of the Final Findings Briefing, or by an alternative date set by the Lead Assessor, but no later than five calendar days before the Final Findings Report is submitted into CMMC Enterprise Mission Assurance Support Service (eMASS), the DoD's web-based tool for automating cybersecurity management processes.
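The scoring rules above (objective-level roll-up, weighted deductions from 110, LPDC exclusions, the 88-point threshold, and the possibility of a negative score) can be made concrete in a small scorer. The following Python is an added illustration written for this post; it is not the CMMC Assessment Results Template or any official tool. It assumes practice weights of 1, 3, or 5 (the blog only cites 1 and 5), treats a practice placed on the LPDC program as not deducting, and uses placeholder practice identifiers rather than real CMMC practice IDs. The sample assessments are constructed, not taken from a real assessment.

```python
"""Illustrative CMMC Level 2 scorer (added example, not an official tool)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Finding(Enum):
    MET = "met"
    NOT_MET = "not met"
    NOT_APPLICABLE = "not applicable"


@dataclass
class Practice:
    identifier: str
    objectives: Dict[str, Finding]   # assessment objective id -> finding
    weight: int = 1                  # assumed points lost when NOT MET (1, 3 or 5)
    lpdc: bool = False               # placed on the Limited Practice Deficiency Correction program


MAX_SCORE = 110          # one point per Level 2 practice
PASS_THRESHOLD = 88      # 80% of 110, as described in the post
VALID_WEIGHTS = {1, 3, 5}  # assumption: weights used by the DoD Assessment Methodology


def practice_finding(p: Practice) -> Finding:
    """Roll the objective findings up to a practice-level finding.

    Any NOT MET objective fails the whole practice; a practice whose objectives
    are all NOT APPLICABLE is NOT APPLICABLE; otherwise the practice is MET.
    """
    if not p.objectives:
        raise ValueError(f"{p.identifier}: a practice needs at least one objective")
    findings = set(p.objectives.values())
    if Finding.NOT_MET in findings:
        return Finding.NOT_MET
    if findings == {Finding.NOT_APPLICABLE}:
        return Finding.NOT_APPLICABLE
    return Finding.MET


def score(practices: List[Practice]) -> int:
    """110 minus the weight of every NOT MET practice that is not on LPDC."""
    ids = [p.identifier for p in practices]
    if len(ids) != MAX_SCORE or len(set(ids)) != MAX_SCORE:
        raise ValueError("expected exactly 110 uniquely identified practices")
    deductions = 0
    for p in practices:
        if p.weight not in VALID_WEIGHTS:
            raise ValueError(f"{p.identifier}: unexpected weight {p.weight}")
        if practice_finding(p) is Finding.NOT_MET and not p.lpdc:
            deductions += p.weight
    return MAX_SCORE - deductions   # may be negative


def outcome(practices: List[Practice]) -> str:
    """Apply the 80% threshold from the CAP description."""
    if score(practices) < PASS_THRESHOLD:
        return "Not Achieved"
    return "Achieved pending deficiency correction"


# --- constructed sample data: placeholder IDs, not real CMMC practice IDs ---
def all_met(count: int = MAX_SCORE) -> List[Practice]:
    return [Practice(f"PRACTICE-{i:03d}", {"[a]": Finding.MET, "[b]": Finding.MET})
            for i in range(1, count + 1)]


def sample_assessment() -> List[Practice]:
    ps = all_met()
    ps[0].weight = 5                                   # critical practice, one objective missed: -5
    ps[0].objectives["[b]"] = Finding.NOT_MET
    ps[1].objectives["[a]"] = Finding.NOT_MET          # small gap placed on LPDC: no deduction
    ps[1].lpdc = True
    ps[2].objectives = {"[a]": Finding.NOT_APPLICABLE,  # does not apply: no deduction
                        "[b]": Finding.NOT_APPLICABLE}
    for p in ps[3:6]:                                  # three ordinary 1-point misses: -3
        p.objectives["[a]"] = Finding.NOT_MET
    return ps


def negative_score_assessment() -> List[Practice]:
    """23 five-point practices not met: 110 - 115 = -5."""
    ps = all_met()
    for p in ps[:23]:
        p.weight = 5
        p.objectives["[a]"] = Finding.NOT_MET
    return ps


if __name__ == "__main__":
    print(score(sample_assessment()), outcome(sample_assessment()))
    print(score(negative_score_assessment()), outcome(negative_score_assessment()))
```

The first sample scores 102 (110 minus 5 minus 3) and proceeds to deficiency correction; the second scores -5 and is Not Achieved, which shows why the 88-point line is a score threshold rather than a count of practices met.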
Phase 3: Report Assessment Results
In the third phase, the assessor compiles a report that summarizes the assessment's findings, including details on any identified areas of non-compliance. This report is provided to the organization being assessed, along with recommendations for addressing any issues. The organization can review and respond to the report before it is finalized. The final report is then provided to the Cyber-AB, which will use it to determine the organization's overall CMMC level and provide guidance on any necessary steps to achieve compliance.
Phase 4: Close-Out POA&Ms and Assessment
In the fourth phase, the organization being assessed works with the C3PAO to address any issues or non-compliances identified during the assessment. Phase four may involve developing a plan of action and milestones (POA&M) to address any deficiencies and implementing corrective actions. Unlike CMMC 1.0, CMMC 2.0 allows the use of POA&Ms under limited conditions.**
A POA&M is a document and plan used when an OSC's assessor identifies practices that are not fully or successfully implemented. It details the resources required to correct the relevant practices, the milestones, and the scheduled completion dates. POA&Ms let an OSC address deficiencies without redoing the entire assessment process by laying out the steps and timeline for remediating each one.
The lead assessor must validate the final POA&M. Once all issues have been addressed and the organization complies with the CMMC model, the assessment process is considered closed-out.
It is essential to be well-prepared for the CMMC assessment to ensure that your organization can demonstrate its compliance with the required cybersecurity practices and processes. Before an organization enters the formal assessment process for certification, it should work to align itself with CMMC requirements. If it does, chances are the assessment will end in certification!
Wondering how to prepare for a formal assessment? Check back later this week for more insights! We’re publishing a step-by-step guide all about preparing for assessment!
*Note 1: It is possible, though increasingly unlikely, that a small subset of Level 2 contractors (those whose work involves non-prioritized acquisitions) will be allowed to self-assess under CMMC.
**Note 2: Compliance waivers will also be allowed under extremely limited circumstances.