
CMMC and Level 2 Assessment Guidelines

Our previous articles on CMMC Level 1 certification focused on what organizations need to know when conducting self-assessments. Those articles assumed that the contractor would perform its own assessment and reporting.

With Level 2 certification, the game changes. Not only are nearly all assessments performed by C3PAOs, but the number of requirements expands nearly tenfold. That said, some basics of what to expect in the assessment remain the same.

Here, we’re discussing the CIO’s guidance for Level 2 assessments.

CMMC Level 2 and Assessment Scope

CMMC Level 2 directly aligns with NIST SP 800-171, focusing exclusively on protecting CUI and serving as the required certification level for contractors handling CUI. It effectively streamlines the pathway for compliance with Department of Defense requirements.

For CMMC Level 2, determining the assessment scope involves identifying the parts of an organization’s information system that process, store, or transmit CUI and the environment supporting those operations. This scoping process is critical to ensuring that all relevant areas are covered during the CMMC assessment and that CUI is adequately protected according to DoD requirements. 

Here’s an overview of how contractors can determine the assessment scope for CMMC Level 2:

CIO Guidance for Level 2 Assessments

Like the Level 1 assessment document, this CIO guidance outlines a comprehensive approach to assessing an organization’s cybersecurity practices and procedures to determine compliance with CMMC Level 2 standards. 

The assessment objectives are derived from NIST SP 800-171 and include a set of criteria that must be met for compliance. These objectives typically involve verifying the implementation and effectiveness of security controls, ensuring that they are correctly configured, operating as intended, and producing the desired outcome for meeting an organization’s security requirements.

The guide outlines three primary methods for conducting assessments:

Assessment objects can include specifications, mechanisms, activities, and the individuals implementing and following cybersecurity practices. It’s important to note that unlike the Level 1 guidance, which focuses on self-assessment, the Level 2 guidance primarily focuses on the methodologies and expectations of third-party assessors (C3PAOs).

What Are the Practice Categories for Level 2 Assessment?

The document provides a detailed overview of cybersecurity practices organized into specific categories for meeting CMMC Level 2 requirements. Here’s a list of the practice categories mentioned, each designed to enhance the protection of CUI within the DIB:

Access Control (AC)

Access controls ensure that access to information systems is limited to authorized users, processes, or devices and control the flow of CUI within the system.

Awareness and Training (AT)

Awareness and training focus on providing role-based training to all personnel, including training on recognizing and reporting potential cybersecurity threats.

Audit and Accountability (AU)

AU controls create, protect, and retain audit logs so that system activity can be traced to individual users.

Configuration Management (CM)

CM establishes and maintains the security of systems by managing the configuration of software and hardware.

Identification and Authentication (IA)

IA controls ensure that the identity of users, processes, or devices is authenticated before access to the system is allowed.

Incident Response (IR)

Incident response involves establishing an operational incident-handling capability for organizational systems, including preparation, detection, analysis, containment, recovery, and user response activities.

Maintenance (MA)

MA focuses on performing timely system maintenance and providing effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Media Protection (MP)

Organizations must protect both paper and digital media containing CUI, ensuring proper handling, storage, and disposal to prevent unauthorized access.

Personnel Security (PS)

Personnel security addresses the security aspects of personnel interacting with systems, including screening processes and ensuring that individuals with access to CUI have the appropriate clearance and authorization.

Physical Protection (PE)

Physical protection includes physical measures, policies, and procedures to protect systems, buildings, and related supporting infrastructure against unauthorized physical access.

Risk Management (RA)

Managing risk involves identifying, assessing, and prioritizing risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations. This is followed by coordinated resource application to monitor and control the probability and impact of unfortunate events.

Security Assessment (CA)

This category focuses on assessing the security controls in organizational systems to determine if they are implemented correctly, operating as intended, and producing the desired outcome regarding meeting security requirements.

System and Communications Protection (SC)

SC ensures that system and communications activities are monitored and controlled to protect CUI against unauthorized access and disclosure.

System and Information Integrity (SI)

SI controls protect systems and information from malware and unauthorized access, ensuring integrity through monitoring, detecting, and correcting security flaws.

Each category comprises specific practices to strengthen cybersecurity and protect sensitive information against cyber threats. Collectively, these categories contribute to building a robust security posture for organizations within the DIB, aligning with the comprehensive goals of the CMMC Level 2 certification.

Track and Monitor Your CMMC Level 2 Controls with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including support for CMMC certification (along with our sister company and C3PAO, Lazarus Alliance). We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® company and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.