CMMC and Level 2 Assessment Guidelines

Digital cloud of computers and lock images.

Our previous articles on CMMC Level 1 certification focused on what organizations need to know when conducting self-assessments. These documents relied primarily on the fact that the contractor would do their assessments and reporting. 

With Level 2 certification, the game changes. Not only are nearly all assessments performed by C3PAOs, but their requirements expand nearly tenfold. That said, some basics of what to expect in the assessment remain the same. 

Here, we’re discussing the CIO’s guidance for Level 2 assessments


CMMC Level 2 and Assessment Scope

CMMC Level 2 directly aligns with NIST SP 800-171, focusing exclusively on protecting CUI and serving as the required certification level for contractors handling CUI. It effectively streamlines the pathway for compliance with Department of Defense requirements.

For CMMC Level 2, determining the assessment scope involves identifying the parts of an organization’s information system that process, store, or transmit CUI and the environment supporting those operations. This scoping process is critical to ensuring that all relevant areas are covered during the CMMC assessment and that CUI is adequately protected according to DoD requirements. 

Here’s an overview of how contractors can determine the assessment scope for CMMC Level 2:

  • Identify CUI within the Organization: Contractors must first understand CUI and identify where it resides within their information systems. They should then map out how CUI flows through the organization’s information systems, including how it is received, processed, stored, and transmitted. This helps them understand which parts of the IT environment interact with CUI.
  • Define the CMMC Assessment Boundary: The assessment boundary includes all components of the organization’s information system that store, process, or transmit CUI or provide security protection for those components. It’s essential to define this boundary clearly to understand what will be included in the CMMC assessment. Systems that do not directly handle CUI but support CUI operations, such as security systems, network infrastructure, and environmental controls, should also be included in the assessment scope.
  • Segment and Control the Environment: If the organization uses network segmentation to separate CUI from non-CUI information systems, the assessment scope may be limited to the segments where CUI is processed or stored. However, controls at the boundary of these segments must be evaluated to ensure they adequately protect CUI.


CIO Guidance for Level 2 Assessments

Like the Level 1 assessment document, this CIO guidance outlines a comprehensive approach to assessing an organization’s cybersecurity practices and procedures to determine compliance with CMMC Level 2 standards. 

The assessment objectives are derived from NIST SP 800-171 and include a set of criteria that must be met for compliance. These objectives typically involve verifying the implementation and effectiveness of security controls, ensuring that they are correctly configured, operating as intended, and producing the desired outcome for meeting an organization’s security requirements.

The guide outlines three primary methods for conducting assessments:

  • Examine: This method involves reviewing, inspecting, observing, studying, or analyzing assessment objects such as policies, procedures, security plans, system configuration settings, and documentation.
  • Interview: This method includes discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. Interviewees might consist of personnel with account management responsibilities, system or network administrators, and personnel with information security responsibilities.
  • Test: Test exercises assess objects under specified conditions to compare actual and expected behavior. It aims to demonstrate the operation of security controls.

Assessment objects can include specifications, mechanisms, activities, and individuals implementing and following cybersecurity practices. It’s important to note that unlike the Level 1 guidance, which focuses on self-assessment, Level 2 primarily focuses on the methodologies and expectations of third-party assessors (C3PAO). 


What Are the Practice Categories for Level 2 Assessment?

The document provides a detailed overview of cybersecurity practices organized into specific categories for meeting CMMC Level 2 requirements. Here’s a list of the practice categories mentioned, each designed to enhance the protection of CUI within the DIB:

Access Control (AC)

Access controls ensure that access to information systems is limited to authorized users, processes, or devices and control the flow of CUI within the system.

  • AC.L2-3.1.3 Control CUI Flow: Ensures mechanisms are in place to control the flow of CUI by approved authorizations to prevent unauthorized access or disclosure.
  • AC.L2-3.1.4 Separate Duties: Implement policies to separate duties within an organization to reduce the risk of a single person controlling multiple security-related functions.


Awareness and Training (AT)

Awareness and training focus on providing role-based training to all personnel, including training on recognizing and reporting potential cybersecurity threats.

  • AT.L2-3.2.1 Role-Based Training: Provides cybersecurity training tailored to an individual’s specific role within the organization, enhancing their ability to protect CUI.
  • AT.L2-3.2.3 Insider Threat Awareness: Trains employees to identify and respond to behaviors indicative of insider threats, enhancing organizational security.


Audit and Accountability (AU)

AU controls create, protect, and retain audit logs to ensure that individual users can track system activity.

  • AU.L2-3.3.1 System Auditing: Implements mechanisms to create and retain system audit logs, which are crucial for detecting and analyzing malicious activity or policy violations.
  • AU.L2-3.3.2 Review and Update Audited Events: The list of audited events must be periodically reviewed and updated to ensure comprehensive monitoring of critical activities.


Configuration Management (CM)

CM establishes and maintains the security of systems by managing the configuration of software and hardware.

  • CM.L2-3.4.1 Establish Configuration Baseline: Establishes and maintains a baseline configuration for systems and components, ensuring that systems are deployed and operate according to approved specifications.
  • CM.L2-3.4.6 Least Functionality: Ensures that systems and applications are configured to execute only the functionalities necessary for their intended purpose, reducing the surface for potential attacks.


Identification and Authentication (IA)

Ensures that the identity of users, processes, or devices is authenticated before allowing access to the system.

  • IA.L2-3.5.3 Multifactor Authentication: This requirement requires using multiple factors for authentication to increase security for access to systems containing CUI.
  • IA.L2-3.5.4 Replay-Resistant Authentication: This feature implements mechanisms to protect against replay attacks, ensuring that stolen or intercepted data cannot be reused to gain unauthorized access.


Incident Response (IR)

Incident response involves enacting and implementing an operational incident-handling capability for organizational systems, including preparation, detection, analysis, containment, recovery, and user response activities.

  • IR.L2-3.6.1 Incident Response Plan: Develops and implements an incident response plan outlining procedures for effectively responding to cybersecurity incidents.
  • IR.L2-3.6.2 Incident Response Training: This training provides personnel with knowledge of their incident response roles and responsibilities, preparing them to handle security incidents effectively.


Maintenance (MA)

MA focuses on performing timely system maintenance and providing effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

  • MA.L2-3.7.1 Perform Maintenance: Establishes policies and procedures for performing and documenting routine system maintenance, ensuring continued security and performance.
  • MA.L2-3.7.2 System Maintenance Control: Controls the maintenance activities on system components, ensuring that maintenance tools and personnel do not compromise security.


Media Protection (MP)

Organizations must protect media containing paper and digital CUI, ensuring proper handling, storage, and disposal to prevent unauthorized access.

  • MP.L2-3.8.1 Media Protection: Protects digital and non-digital media containing CUI, ensuring proper handling, storage, and disposal to prevent unauthorized access.
  • MP.L2-3.8.2 Media Access: This restriction restricts authorized individuals’ access to CUI media, reducing the risk of data leakage or unauthorized disclosure.


Personnel Security (PS)

Personnel security addresses the security aspects of personnel interacting with systems, including screening processes and ensuring that individuals with access to CUI have the appropriate clearance and authorization.

  • PS.L2-3.9.1 Screen Individuals: Implements screening procedures for individuals accessing CUI, ensuring they are authorized and trustworthy.
  • PS.L2-3.9.2 Personnel Actions: This section ensures actions are taken to safeguard access to CUI when individuals are transferred or terminated, preventing unauthorized access.


Physical Protection (PE)

Physical protection includes physical measures, policies, and procedures to protect systems, buildings, and related supporting infrastructure against unauthorized physical access.

  • PE.L2-3.10.1 Limit Physical Access: Implements physical security measures to limit access to systems and environments that store, process, or transmit CUI.
  • PE.L2-3.10.3 Escort Visitors: This requires visitors to be escorted in areas where CUI is processed or stored, minimizing the risk of unauthorized access.


Risk Management (RA)

Managing risk involves identifying, assessing, and prioritizing risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations. This is followed by coordinated resource application to monitor and control the probability and impact of unfortunate events.

  • RA.L2-3.11.1 Risk Assessments: Conducts periodic risk assessments to identify and evaluate risks to organizational operations and assets, enabling proactive risk management strategies.
  • RA.L2-3.11.2 Vulnerability Scanning: Regularly scans systems and networks for vulnerabilities, identifying and addressing potential security weaknesses.


Security Assessment (CA)

This category focuses on assessing the security controls in organizational systems to determine if they are implemented correctly, operating as intended, and producing the desired outcome regarding meeting security requirements.

  • CA.L2-3.12.1 Develop Security Plans: This requires developing, documenting, and periodically updating security plans that describe system boundaries, security requirements, and control implementations.
  • CA.L2-3.12.3 Monitor Security Controls: Involves continuous monitoring of security controls to ensure their effectiveness and adjust them based on evolving threats.


System and Communications Protection (SC)

SC ensures that system and communications activities are monitored and controlled to protect CUI against unauthorized access and disclosure.

  • SC.L2-3.13.2 Security Engineering Principles: Applies security engineering principles to protect the integrity of system communications and prevent unauthorized information transfer.
  • SC.L2-3.13.7 Split Tunneling Prohibition: This prohibits split tunneling in virtual private networks (VPNs), ensuring that all data traffic is routed through secure channels.


System and Information Integrity (SI)

SI controls protect systems and information from malware and unauthorized access, ensuring integrity through monitoring, detecting, and correcting security flaws.

  • SI.L2-3.14.3 Flaw Remediation: Identifies, reports, and corrects information system flaws while testing software and firmware updates for effectiveness and potential side effects.
  • SI.L2-3.14.5 Malicious Code Protection: This employs mechanisms to detect, eradicate, and prevent malicious code from executing in information systems.

Each category comprises specific practices to strengthen cybersecurity and protect sensitive information against cyber threats. Collectively, these categories contribute to building a robust security posture for organizations within the DIB, aligning with the comprehensive goals of the CMMC Level 2 certification.


Track and Monitor Your CMMC Level 2 Controls with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including support for CMMC certification (along with our sister company and C3PAO, Lazarus Alliance). We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.

Continuum GRC