CMMC 2.0 and Level 2 Maturity

CMMC 2.0, while retaining the foundational principles of its predecessor, introduces refined maturity levels, each delineating a progressive enhancement in cybersecurity practices and protocols. Transitioning from Maturity Level 1 to Level 2 is not just about adding additional requirements to an organization. It’s about committing to security strategies to protect critical Controlled Unclassified Information (CUI). 

This article will discuss the basics of CMMC Maturity Level 2.


Introduction and Understanding CMMC 2.0 Maturity Levels

CMMC emerged as a pivotal framework to enhance and standardize cybersecurity practices across the Defense Industrial Base (DIB), ensuring that CUI and Federal Contract Information (FCI) are protected from potential cyber threats.

The CMMC model is structured into distinct maturity levels, each escalating in complexity and rigor, to enhance organizations’ cybersecurity posture systematically. Level 1 establishes the foundational cybersecurity practices, providing a baseline that safeguards FCI. 

Transitioning to Level 2, organizations delve into a more intricate cybersecurity landscape, focusing on protecting CUI and implementing a subset of the security requirements specified in NIST SP 800-171, along with additional practices to mitigate threats.

Distinguishing Between CMMC Level 1 and Level 2

The move from Level 1 to Level 2 in the CMMC 2.0 model signifies an elevation in cybersecurity practices and controls. While Level 1 lays down the fundamental techniques to protect FCI (ensuring the implementation of 17 practices derived from NIST Special Publication 800-171), Level 2 introduces additional requirements to establish and document standardized cybersecurity management processes and strategic plans.

Specifically, Level 2 encompasses 110 requirements aligned with NIST SP 800-171. Since this publication only contains 110 controls, Level 2 essentially includes the entirety of the document. 

The enhanced focus areas in Level 2 include a more robust approach towards risk management, access control, audit and accountability, and incident response. For instance, while Level 1 emphasizes using antivirus software and having an identified individual for security, Level 2 accentuates the importance of establishing and documenting practices related to security assessments, security training, and incident response, to name a few.



Level 2 also has specific assessment guidelines that, while stricter than those of Level 1, provide more flexibility than the CMMC 1.0 model:

  • Triennial Assessment: CMMC requires organizations meeting Level 2 requirements to undergo third-party assessment from a C3PAO once every three years. Additionally, organizations must provide annual affirmations, signed by a senior officer of that organization, that attest to continued compliance.
  • Select Assessment Exemptions: Some organizations qualify for an exemption from third-party assessment if they handle information deemed not a national security risk. In these cases, they may perform triennial self-assessments with annual affirmations. 


Certification for CMMC 2.0 Maturity Level 2

Pursuing CMMC 2.0 Maturity Level 2 certification requires a thorough understanding of the certification process, so that the organization both adheres to the requisite cybersecurity practices and demonstrates its compliance to the assessing bodies.

Here are the 14 domains from NIST SP 800-171 that are included in CMMC 2.0 Level 2:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Each domain contains several security controls that organizations need to implement to achieve compliance with CMMC 2.0 Level 2. It’s worth noting that while CMMC Level 2 requires the implementation of all 110 security practices from NIST SP 800-171, it does not require the process maturity practices that were a part of the original CMMC model.


Overview of the Certification Process

The certification process for Level 2 is inherently more intricate than Level 1, involving a thorough assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). 

The process commences with the organization’s self-assessment, followed by a comprehensive audit by the C3PAO, which evaluates the implementation and management of the 110 requirements. The C3PAO ensures that the organization has implemented the requisite cybersecurity practices and effectively documented and managed its cybersecurity policies and strategic plans.

  • Selecting a C3PAO: This process involves considering various factors, including the C3PAO’s expertise, experience, and understanding of the organization’s operational domain. Engaging with a C3PAO early in the preparation phase can provide valuable insights into the assessment process and help identify potential gaps in the organization’s cybersecurity posture. Establishing clear communication channels and understanding the assessment methodology is imperative to ensure a smooth and transparent certification process.
  • Evidence: Documentation is pivotal in demonstrating compliance during the certification process. Organizations must meticulously document their cybersecurity practices, policies, and strategic plans, providing clear evidence of consistent implementation and management. This includes maintaining records of security assessments, incident response plans, training programs, and continuous monitoring activities, among others.
  • Challenges: Common challenges during the certification process may include gaps in cybersecurity practices, inadequate documentation, and misalignment between policies and practices. Because Level 2 is much more comprehensive than its predecessor, it demands a strategic, structured, and continuous approach. Such an approach ensures the organization implements the requisite cybersecurity practices and establishes, documents, and proficiently manages its cybersecurity policies and strategic plans.

Because of the increased complexity of Level 2 and the increased demands of handling CUI more generally, there are a few more sophisticated or advanced steps organizations can take to prepare:

  • Gap Analysis: A comprehensive gap analysis comparing the current cybersecurity practices with the requirements of Level 2 serves as the foundation for the compliance journey. This involves evaluating the implementation and management of the 72 practices and processes, identifying gaps, and developing a strategic plan to address them.
  • Compliance Roadmap: Developing a compliance roadmap involves prioritizing the identified gaps, allocating resources, and defining timelines to achieve compliance. This includes considering the technical, procedural, and managerial aspects of implementing and managing cybersecurity practices, ensuring they align with the organization’s operational context and strategic objectives.
  • Aligning Controls and Policies: Implementing the controls necessitates a balanced approach, ensuring that the technical and procedural aspects are harmoniously integrated. This involves configuring technical controls, developing and documenting procedures, and ensuring they are effectively communicated and adhered to across the organization.
  • Continuous Monitoring and Improvement: Continuous monitoring and improvement mechanisms ensure that cybersecurity practices are implemented, effectively managed, and enhanced over time. This involves establishing mechanisms to monitor, assess, and improve cybersecurity practices, ensuring that they evolve in alignment with the changing cybersecurity landscape and organizational context.

Achieving Level 2 maturity signifies more than compliance; it reflects an organization’s commitment to establishing and managing a robust cybersecurity posture. It enhances the protection of CUI and FCI and fortifies the organization’s overall cybersecurity resilience, safeguarding its operations, reputation, and stakeholder trust against the potential repercussions of cybersecurity threats.


Get and Stay Ready for CMMC 2.0 with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • GDPR
  • NIST 800-53
  • FARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2
  • PCI DSS 4.0
  • IRS 1075
  • ISO 27000 Series
  • ISO 9000 Series
  • ISO Assessment and Audit Standards

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
