CMMC Level 2 is the level most defense contractors and subcontractors will need to reach in order to continue doing business with the DoD: it is the minimum requirement for any company that stores, processes or transmits CUI (Controlled Unclassified Information). Under CMMC 2.0, Level 2 compliance is verified by an assessment, in most cases a third-party assessment performed by a certified assessor organization (C3PAO), rather than the self-attestation that earlier DFARS requirements relied on. This added layer of independent verification is one of the key differences between CMMC and previous compliance requirements.
How many controls fall under CMMC Level 2?
In total, there are 110 practices, corresponding to the 110 security requirements of NIST Special Publication 800-171.
What focus falls under CMMC Level 2?
The goal of CMMC Level 2 is the continued security management and protection of CUI.
How do I know if I need to be compliant under CMMC Level 2?
If your company stores, processes or generates CUI, or the Government has specified CMMC Level 2 in your RFP or contract, you need to be CMMC Level 2 compliant.
The key differences between CMMC Level 1 and Level 2 are ongoing cybersecurity management and a much larger set of controls. Setting up a secure foundation and continually monitoring it for flaws and gaps is the key to prolonged protection and preventing data loss.
Building Off a Strong Foundation
The basis of CMMC is primarily NIST SP 800-171, together with the FAR and DFARS clauses that require it. These regulations provide guidance on the proper storage, protection and access of CUI: who can access it, how it should be accessed, how to keep track of employee access, and so on. Level 2 requires that these security controls be not only defined but continuously managed. In practice this means the processes are audited on a regular basis by an accountable party, all incidents are logged and reported, and the environment is routinely monitored for gaps or for changes in the security landscape.
What is the difference between CMMC Level 2 and 3?
The key difference between CMMC Level 2 and Level 3 is that Level 3 is designed not only to protect CUI but also to reduce the risk from advanced persistent threats (APTs), adding requirements drawn from NIST SP 800-172. While Level 2 provides a solid cybersecurity foundation, it does not prepare a business for these kinds of attacks or fully fortify it against data loss.
APTs unfold in phases; the end goal is to quietly obtain prolonged access to a company's systems in order to steal sensitive information. Their ability to stay undetected for long periods makes APTs an incredibly dangerous threat, and they are responsible for some of the largest data breaches in history.
Learn more about CMMC and explore the other levels.
What processes and practices fall under CMMC Level 2?
According to CMMC version 2.0, the processes and practices that fall under Level 2 are those defined and scoped within NIST SP 800-171. This means that practices such as security logging and monitoring, reporting potential indicators of insider threats, ensuring equipment removed for off-site maintenance is sanitized of CUI, and automatically terminating user sessions after a defined period of inactivity are all included in Level 2.
How do I prepare for a CMMC Level 2 audit?
Once you have identified CMMC Level 2 as the level your company needs to reach, begin by comparing your current processes and operations against the Level 2 practices (a gap assessment). Once you have identified your gaps, work with your IT team or a third party to close them, documenting how each control is implemented in your System Security Plan and tracking any open items in a Plan of Action and Milestones. Conducting one last internal audit before submitting to the external assessment is a good idea to make sure you have no holes in your documentation or plans.
It is important to remember that CMMC is intended to be a cost-effective way for contractors and subcontractors to reach a baseline level of cybersecurity, so if tackling the new requirements looks like it could drain your resources or take too long, reach out to a third party to help with the implementation process.
Start Your Journey Towards CMMC Level 2 Compliance
Depending on where your business currently stands, preparing for a CMMC Level 2 audit can take a considerable amount of time, effort and resources when trying to do it yourself. By working with the cybersecurity experts at Hyper Vigilance, you can get back your time and effort and put it towards running your business. Give us a call today and see what we can do for you.
Hyper Vigilance was the right choice to guide us through the cybersecurity process as we attempt to grow the business. They provide excellent service and we continue to look forward to working with the Hyper Vigilance team. We are very grateful for how they simplified the entire process and the efficiency during the transition to a secure platform!
Hyper Vigilance moved us from a negative NIST score to almost full compliance in less than 1 month. The team is experienced, quick, efficient and works to find the best solution to maintain business operations while keeping security at the maximum level. Communication and issue resolution are fast. Highly recommended.
We are required to comply with NIST 171 and CMMC to remain competitive for defense contracting, so we sought and received several quotes from reputable companies, and Hyper Vigilance was the top choice. They offered a higher level of assistance compared to others that were more expensive. The professionals at Hyper Vigilance have proved to be very knowledgeable, responsive, professional, and customer focused. The support they provide is very comprehensive and flexible, and they have executed several innovative options/solutions to achieve our goal. Their technical professionals are always on the clock and are very responsive.