How to Implement CMMC Level 2

The Department of Defense (DoD) continues to refine the CMMC 2.0 model, with particular focus on requirements for CMMC Level 2 contractors, as part of its rulemaking process. This delay in CMMC implementation offers a valuable opportunity for contractors and subcontractors working diligently toward compliance. Achieving early compliance can give your company a competitive edge, positioning you to secure contract awards while others rush to meet the requirements.

This extended time is due to the DoD planning two rules to enforce how government contractors and their subcontractors protect controlled unclassified information in their systems instead of just one. The White House’s Office of Information and Regulatory Affairs said they expect to release the final proposed rules in June 2023, and it now looks like 2024 will be the year CMMC becomes operational. 

With extra time to prepare on the horizon, we want to address one of the most frequently asked questions: How should Level 2 contractors implement CMMC 2.0? 

What is CMMC 2.0?

The DoD requires regular cybersecurity assessments of contractors to ensure that sensitive information shared with the defense industrial base (DIB) is adequately protected. If used, the solicitation and Requests for Information (RFIs) will note the level needed for contractors and subcontractors. 

“The [CMMC 2.0] program simplifies and increases accountability in the cybersecurity assessment process.” (DoD CIO)

The CMMC 2.0 model (which is in alignment with NIST standards) is designed to protect Federal Contract Information (FCI), and Controlled Unclassified Information (CUI) shared with DoD contractors and subcontractors through acquisition programs. Any DIB company that processes, stores, or transmits CUI or FCI on its networks must be certified with an assessment.  

CMMC Level 2 Self-Assessments

Some programs with Level 2 requirements do not involve information critical to national security. Contractors who fall under this category will meet the criteria through annual self-assessments. 

A senior company official will also confirm that the company meets the requirements. Self-assessments and official affirmations require annual Supplier Performance Risk System (SPRS) documentation. 

It’s important to note that purchasing a compliance product and then failing to monitor it, just to win contracts quickly, is unacceptable. The Civil Cyber-Fraud Initiative will hold responsible any individuals or entities that put U.S. information or systems at risk, including by making false claims during a CMMC self-assessment, which violates the False Claims Act (FCA).

The FCA imposes liability on individuals or entities who submit false claims for payment to the government, including claims for payment under government contracts.

Suppose you falsely claim during a CMMC self-assessment that your organization has met specific cybersecurity requirements in order to obtain a contract, and the organization then fails to meet those requirements. In that case, you could be liable under the FCA.

Under the FCA, individuals or entities that submit false claims may be subject to significant penalties, including treble damages (three times the amount of damages sustained by the government), plus additional fines and penalties.

The FCA also includes provisions for whistleblower protection, which may encourage individuals with knowledge of false claims to come forward and report them to the government. 

To prevent being penalized for cybersecurity-related fraud under the FCA, contractors must complete an assessment by a CMMC expert, such as a Registered Provider Organization (RPO).  

Having an expert review your practices and provide guidance ensures an accurate representation of your cybersecurity practices and capabilities. Falsely claiming compliance with CMMC requirements can have severe legal and financial consequences for both the contractor and the government.

CMMC Level 2 Third-Party Assessments

Subsets of Level 2 contractors with access to information critical to national security will be required to obtain a third-party assessment on a triennial basis. CMMC Third Party Assessment Organizations (C3PAOs) or certified CMMC Assessors assess these companies. 

Contractors are responsible for locating accredited C3PAOs listed on The Cyber AB Marketplace. Additionally, DIB companies will be wholly responsible for coordinating, planning, and obtaining their CMMC assessment and certification. 

CMMC Implementation: Create a Program

Preparing for the updated CMMC requirements is vital to being eligible for those prized contract awards. Developing and maintaining a program to meet the requirements of CMMC is your key to success.  

The program should include the implementation of appropriate cybersecurity practices, processes, and technologies that are in line with each of the 17 domains of CMMC (with 43 capabilities).

Don’t forget to include any other cybersecurity and compliance requirements you are subject to. Follow these steps to prepare your organization for future assessments.

1. Understand the Requirements

NIST Special Publication 800-171, from the National Institute of Standards and Technology (NIST), is at the heart of CMMC. Achieving a high SPRS score sets DIB companies up for CMMC success.

As noted earlier, there are two subsets for Level 2 contractors and subcontractors. You must understand the requirements your company must abide by and fulfill them. 

2. Locate CUI

First, identify which systems and solutions in your network store or transfer CUI, so that you can protect them using the NIST 800-171 requirements. Once identified, you can turn your attention to their security.

Mobile devices often access data, including controlled unclassified information (CUI) data – making mobility a significant focus in the CMMC auditing process. Organizations must address this when moving towards CMMC 2.0 compliance. 

CUI can be stored in many places, including: 

  • Endpoints 
  • Local storage solutions 
  • Cloud storage solutions 
  • Portable hard drives or devices

3. Categorize CUI

Ensuring CUI is protected is of utmost importance. In the event of an assessment, you must be able to demonstrate that CUI is protected. You should divide data into two categories: 

  • CUI 
  • All other data 

You can streamline how you implement NIST 800-171 by first safeguarding the most sensitive data – the CUI. Separating the data into categories makes this process easier. You can move on to ensuring all the other data is secure after implementing controls for your CUI. 

4. Implement Controls

Now, you can implement controls. NIST 800-171 standards mandate that you encrypt all files in transit and at rest. Ensure you encrypt all CUI wherever it is stored. 

You must use solutions to prevent unauthorized users from accessing CUI (e.g., multi-factor authentication tools, access controls, etc.) and keep security patches updated. Remember also to monitor your physical space to mitigate unauthorized access. To do this: 

  • Escort visitors 
  • Maintain audit logs 
  • Monitor visitor activity 
  • Manage physical devices (e.g., USB keys) 

5. Create a System Security Plan (SSP)

Develop a System Security Plan that covers the scope of your computer network. This document needs to outline your approach to meeting the requirements of NIST 800-171. Cover the processes and technologies you use to implement the security practices outlined in the System Security Plan.  

Your SSP should include:

  • The types of CUI your business handles  
  • What you do with the CUI  
  • How you store, process, and transmit the CUI  
  • The controls in place to protect the CUI 
  • Known gaps in your compliance 

Access controls must limit access to authorized users and the actions they need to perform. 

The key access points to be tracked:

  • Users 
  • IT providers  
  • Cloud service providers  
  • Other networks 

Regularly review and update this plan to stay current with industry best practices. This review will also ensure that your processes and technologies are effectively implemented and that the program is geared toward meeting CMMC 2.0 requirements.

6. Plan of Action and Milestones (POA&M)

The DoD plans to allow companies to receive contract awards with a limited-time Plan of Action and Milestones (POA&M) to complete CMMC requirements. A baseline number of conditions must be met – including a minimum score and ensuring essential items are not on the POA&M list. 

In preparation, document any NIST requirements that are unfulfilled. Annotate the steps being taken to meet them, who will ensure they are fulfilled, and when it’s expected to be completed.  

The POA&M is a comprehensive document that requires technical expertise. Work with your internal security team or partner with a Registered Provider Organization (RPO) to complete this documentation.
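To make step 6 concrete, here is an added example (not code from this page or from Teal) that models a POA&M as a list of NIST 800-171 requirements, computes the SPRS score the way the DoD Assessment Methodology does (110 minus the 5, 3 or 1 point weight of each unmet requirement), and checks the baseline conditions the page names. The minimum score of 88, the essential weight of 5, and the sample requirements and weights are assumed placeholders, not values from this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_SCORE = 110  # DoD methodology starts at 110 and subtracts each unmet requirement's weight

@dataclass
class Requirement:
    req_id: str                        # NIST SP 800-171 requirement, e.g. "3.5.3"
    weight: int                        # 5, 3 or 1 per the DoD Assessment Methodology
    met: bool
    owner: Optional[str] = None        # POA&M fields, required only for unmet items
    remediation: Optional[str] = None
    due: Optional[date] = None

def sprs_score(reqs: list) -> int:
    """Score to report in SPRS: 110 minus the weights of all unmet requirements."""
    return MAX_SCORE - sum(r.weight for r in reqs if not r.met)

def poam_items(reqs: list) -> list:
    """Every unmet requirement belongs on the POA&M."""
    return [r for r in reqs if not r.met]

def undocumented(reqs: list) -> list:
    """POA&M entries lacking an owner, remediation steps or a target date (step 6)."""
    return [r.req_id for r in poam_items(reqs) if not (r.owner and r.remediation and r.due)]

def eligible_with_poam(reqs: list, min_score: int, essential_weight: int, today: date):
    """Assumed baseline conditions (the page names them, not the numbers): a minimum
    score, no essential (highest-weight) item left open, every open item documented."""
    reasons = []
    score = sprs_score(reqs)
    if score < min_score:
        reasons.append(f"score {score} is below the minimum {min_score}")
    for r in poam_items(reqs):
        if r.weight >= essential_weight:
            reasons.append(f"{r.req_id} is an essential item and may not stay on the POA&M")
    reasons += [f"{i} lacks owner, remediation steps or due date" for i in undocumented(reqs)]
    return (not reasons, reasons)

# Constructed sample inventory; weights are illustrative, check each against the DoD methodology
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.5.3", 5, False, "IT lead", "Enforce MFA on VPN and admin logins", date(2024, 3, 31)),
    Requirement("3.3.2", 3, False, "SecOps", "Tie audit records to individual accounts", date(2024, 2, 15)),
    Requirement("3.4.9", 1, False),  # no owner, steps or date yet: a documentation gap
]

def sample_report():  # assumed minimum score 88 and essential weight 5 applied to SAMPLE
    return sprs_score(SAMPLE), eligible_with_poam(SAMPLE, 88, 5, date(2024, 1, 15))
```

Running `sample_report()` on the constructed sample yields a score of 101 but no eligibility, because an essential item is still open and one entry lacks its owner and milestone.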

7. Train Employees

Most cyber incidents start at the human level. User error puts your organization – and data – at risk. Educate your employees on the importance of strong passwords, security patches, and recognizing malicious links. 

Employees must understand how to process, store, and transmit CUI per NIST 800-171. This training is a vital step, as they are the ones who will be regularly interacting with the data. Training should be ongoing, and you should share any changes to compliance processes with them.

8. Monitor Data

To be NIST compliant, you must be able to record all user activities and have a solution that can track every action back to an individual. Administrators should monitor who is accessing CUI and why, and procedures should be in place for the monitoring process. 

9. Conduct Regular Internal Assessments

Conduct regular assessments to ensure your organization complies with NIST – quarterly or bi-annually. These internal assessments will ensure that the current processes continue to protect CUI. With any changes that arise, such as growth or new technologies, you should assess how they will impact your data security processes and policies. 

Get Assessed Early for Faster Contracts

CMMC assessments currently aren’t available. However, the DoD allows third-party assessor organizations to conduct joint assessments with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). 

The Joint Surveillance Voluntary Assessment program validates the organization’s compliance with NIST 800-171. The DIBCAC records the assessment score and will convert it to CMMC 2.0 Level 2 when the rule becomes final. Currently, 60 companies are signed up for this process, seven of which have completed it. 

Now is the time to get ahead of your competitors by getting an early assessment in the Joint Surveillance Voluntary Assessment program. Don’t let this opportunity pass you by.  