
Introduction
The Cybersecurity Maturity Model Certification (CMMC) was developed by the United States Department of Defense (DoD) to verify that companies in the defense supply chain have adequate cybersecurity measures in place before they handle sensitive government information. The original CMMC 1.0 framework defined five levels; CMMC 2.0, the model now being rolled out, consolidates these into three. Level 2 sits above Level 1 (basic safeguarding of Federal Contract Information) and below Level 3 (for the most sensitive programs). In this article, we will discuss the basics of CMMC Level 2 and what you need to know to achieve compliance.
What is CMMC Level 2?
CMMC Level 2 is the second level of certification in the CMMC 2.0 model. It is designed for companies that store, process, or transmit Controlled Unclassified Information (CUI). CUI is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. CMMC Level 2 requires the implementation of the 110 security requirements of National Institute of Standards and Technology (NIST) Special Publication 800-171, the same requirements most defense contractors are already obligated to meet under DFARS 252.204-7012.
What are the 110 security requirements?
The 110 requirements are divided into the 14 families of NIST SP 800-171 as follows (the number of requirements in each family is shown in parentheses):
- Access Control (AC) (22)
- Awareness and Training (AT) (3)
- Audit and Accountability (AU) (9)
- Configuration Management (CM) (9)
- Identification and Authentication (IA) (11)
- Incident Response (IR) (3)
- Maintenance (MA) (6)
- Media Protection (MP) (9)
- Personnel Security (PS) (2)
- Physical Protection (PE) (6)
- Risk Assessment (RA) (3)
- Security Assessment (CA) (4)
- System and Communications Protection (SC) (16)
- System and Information Integrity (SI) (7)
The families are not equal in size: Access Control alone accounts for 22 requirements, while Personnel Security has only 2. Together they total 110. The 17-domain layout sometimes cited for Level 2 (with domains such as Asset Management, Situational Awareness, and Recovery) comes from the retired CMMC 1.0 model, not from CMMC 2.0.
How to achieve compliance with CMMC Level 2?
To achieve compliance with CMMC Level 2, companies must implement all 110 requirements within the scope of the systems that handle CUI, and must be able to show evidence that each requirement is in place. The following are the steps that companies can take to achieve compliance:
- Identify the scope of the assessment: which systems, networks, people, and external service providers store, process, or transmit CUI. Narrowing this boundary (for example, with a dedicated enclave) reduces what must be assessed, but every asset that touches CUI must be inside it.
- Document the environment in a System Security Plan (SSP), which is itself one of the requirements (3.12.4) and the starting point for any assessment.
- Perform a self-assessment of the 110 requirements using the DoD Assessment Methodology for NIST SP 800-171, which produces a score between -203 and 110.
- Record any gaps and deficiencies in a Plan of Action and Milestones (POA&M) (requirement 3.12.2), with owners and target dates for closing them.
- Implement the plan and collect evidence (policies, configurations, screenshots, log samples) that shows each requirement is in place and operating.
- Obtain the assessment the contract requires: most Level 2 contracts require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO); a subset of Level 2 contracts allow a self-assessment instead.
- Submit the assessment score and the required affirmation of continued compliance in the DoD's Supplier Performance Risk System (SPRS), and renew the affirmation annually.
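The self-assessment and gap steps above are usually tracked in a spreadsheet, but the arithmetic of the DoD Assessment Methodology is simple enough to script. The following is an added example, not code from the original article or from Cleared Systems: it starts at 110, subtracts a point value for every requirement that is not fully implemented, and gives the reduced deduction that the methodology allows only for multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11). The requirement subset, titles, and point values in the table are constructed sample data that I have entered for illustration; confirm every weight against the published methodology before relying on a score.

```python
"""CMMC Level 2 self-assessment scoring helper (added example).

Models the DoD Assessment Methodology arithmetic for NIST SP 800-171:
score = 110 minus the point value of every requirement not fully met,
with partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS crypto).
The requirement subset and weights below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110   # every one of the 110 requirements met
MIN_SCORE = -203  # nothing implemented at all


class Status(Enum):
    MET = "met"
    PARTIAL = "partial"   # reduced deduction only where partial_deduction is set
    NOT_MET = "not_met"


@dataclass(frozen=True)
class Requirement:
    rid: str
    title: str
    deduction: int                        # points lost when NOT_MET
    partial_deduction: Optional[int] = None  # points lost when PARTIAL, if allowed


# Constructed sample subset of the 110 requirements; weights are assumptions
# entered for this example, not copied from the official table.
SAMPLE_REQUIREMENTS: Dict[str, Requirement] = {
    "3.1.1": Requirement("3.1.1", "Limit system access to authorized users", 5),
    "3.1.2": Requirement("3.1.2", "Limit access to permitted transactions", 5),
    "3.1.22": Requirement("3.1.22", "Control CUI posted on public systems", 1),
    "3.3.3": Requirement("3.3.3", "Review and update logged events", 1),
    "3.5.3": Requirement("3.5.3", "Multifactor authentication", 5, partial_deduction=3),
    "3.12.4": Requirement("3.12.4", "System security plan (SSP)", 0),
    "3.13.11": Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, partial_deduction=3),
    "3.14.1": Requirement("3.14.1", "Identify, report and correct system flaws", 5),
}

Gap = Tuple[str, str, str, int]   # (requirement id, title, status, points lost)


def score_assessment(
    statuses: Dict[str, Status],
    requirements: Dict[str, Requirement] = SAMPLE_REQUIREMENTS,
) -> Tuple[int, List[Gap]]:
    """Return (score, gaps). Any requirement absent from `statuses` counts as NOT_MET.

    Gaps are ordered by points lost (largest first) so the list doubles as a
    POA&M priority order.
    """
    # Without an SSP there is nothing to assess against, so no score is assigned.
    if statuses.get("3.12.4", Status.NOT_MET) is not Status.MET:
        raise ValueError("3.12.4 not met: no SSP, an assessment score cannot be assigned")

    score = MAX_SCORE
    gaps: List[Gap] = []
    for rid, req in requirements.items():
        status = statuses.get(rid, Status.NOT_MET)
        if status is Status.MET:
            continue
        if status is Status.PARTIAL and req.partial_deduction is not None:
            lost = req.partial_deduction      # MFA / FIPS partial credit
        else:
            lost = req.deduction              # no partial credit elsewhere
        score -= lost
        gaps.append((rid, req.title, status.value, lost))

    gaps.sort(key=lambda g: (-g[3], g[0]))
    return score, gaps


# Constructed sample self-assessment result for the subset above.
SAMPLE_STATUSES: Dict[str, Status] = {
    "3.1.1": Status.MET,
    "3.1.2": Status.MET,
    "3.1.22": Status.MET,
    "3.3.3": Status.NOT_MET,
    "3.5.3": Status.PARTIAL,    # MFA for remote/privileged users only
    "3.12.4": Status.MET,
    "3.13.11": Status.NOT_MET,  # CUI encrypted, but not with FIPS-validated modules
    "3.14.1": Status.NOT_MET,
}


if __name__ == "__main__":
    score, gaps = score_assessment(SAMPLE_STATUSES)
    print(f"SPRS score: {score} / {MAX_SCORE}")
    for rid, title, status, lost in gaps:
        print(f"  -{lost:>2}  {rid:<8} {status:<8} {title}")
```

Run as a script it prints the score for the sample and the ordered gap list; in practice you would replace `SAMPLE_REQUIREMENTS` with all 110 requirements and their official point values and feed in the statuses from your assessment workbook. Note that the sort puts the two 5-point items first: those are the gaps that most reduce the score in SPRS and are the ones to close before requesting a C3PAO assessment.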
Conclusion
CMMC Level 2 is a higher level of certification than Level 1, and it is designed for companies that handle Controlled Unclassified Information (CUI). Compliance with CMMC Level 2 requires the implementation of the 110 NIST SP 800-171 security requirements. Companies can achieve compliance by scoping the systems that handle CUI, documenting them in a System Security Plan, performing a self-assessment, recording gaps in a POA&M and closing them, obtaining a C3PAO assessment where the contract requires one, and recording the results and annual affirmation in the DoD's SPRS. Achieving compliance with CMMC Level 2 is a significant step towards protecting sensitive government information in the defense supply chain.
Carl B. Johnson, President of Cleared Systems, is a highly experienced ITAR, CMMC 2.0, Microsoft GCC High, and Microsoft DLP/AIP consultant. With over twenty years of experience in information assurance, cybersecurity, policy development, risk management, and regulatory compliance, he brings a wealth of knowledge and expertise to his clients.
Carl B. Johnson https://clearedsystems.com/author/cs-man/