In our previous blog, we discussed the purpose of the Cybersecurity Maturity Model Certification (CMMC) and the requirements potential contractors will need to meet to achieve compliance with Level 1. As we progress to Level 2, we will provide *Readiness Notes* to highlight potential roadblocks for achieving CMMC Level 2 readiness.
Potential contractors’ cybersecurity maturity is measured against CMMC’s five levels. Each level is broken into two parts: processes and practices. Level 2’s process maturity is Documented, and its practice maturity is Intermediate Cyber Hygiene. Each level and the corresponding sets of processes and practices across domains are cumulative. For potential contractors, that means meeting all the requirements of Level 1 as well as those of Level 2 before achieving Level 2 readiness.
Purpose of Level 2
What is the purpose of Level 2? To serve as a transition step in cybersecurity maturity progression toward protecting Controlled Unclassified Information (CUI). Because this Level is the progression from Level 1 to Level 3, it consists of a subset of the security requirements specified in NIST SP 800-171, in addition to practices drawn from other standards.
Defining Process and Practice for Level 2
The main difference between Level 1’s process and Level 2’s process is that the process maturity is not assessed for Level 1. For Level 2, potential contractors will be required to have established and formally documented practices and policies in order for individuals to perform them in a repeatable manner. Processes should be practiced as documented.
Level 2 includes a subset of practices that reference the protection of CUI, though it is a transitional stage.
Level 2 Requirements
Potential contractors must meet each requirement, as the grading for the certification is pass/fail. No partial credit is given to potential contractors. The CMMC Version 1.0 Appendices identify 72 practices within Level 2 (including the 17 from Level 1). Below we have selected requirements where we anticipate pitfalls the potential contractor may face.
1. AC.2.016: Control the flow of CUI in accordance with approved authorizations.
This requirement will include establishing approved data flow diagrams. Additionally, potential contractors will need to have a developed data classification schema in order to understand where data can be stored. Shadow IT is a common gap for this requirement: policies should define where CUI may be held, which systems are approved to hold it, and how it is protected there.
2. AU.2.042: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity and AU.2.044: Review audit logs.
Potential contractors will need to ensure logs are retained for the entire audit period and that each review is documented. Additionally, the potential contractor will need to determine a review frequency, establish response steps for what the review finds, and assign a named reviewer. This requirement can become cumbersome for many organizations; implementing log analysis tools that surface the events worth a reviewer's attention may help the potential contractor meet it.
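The following is an added example, not code from the original blog, that shows what a minimal documented log review for AU.2.042 and AU.2.044 can look like in practice: it parses a handful of constructed sshd-style authentication lines, applies three review rules (repeated failed logins from one source, logins by accounts not on the approved list, logins outside business hours), checks that the retained log actually spans the audit period, and produces a review record naming the reviewer and the findings. The log format, the approved-user list, the thresholds and the business-hours window are all assumptions chosen for the example; a real review would tune them to the organization's environment and policy.

```python
"""Added example (not from the original post): a documented audit-log review.

The sample log lines are constructed for this example; the sshd-style format,
the approved-user list, the failure threshold and the business-hours window are
assumptions, not a standard or a requirement of CMMC itself.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a simplified sshd-style format (not real data).
SAMPLE_LOG = """\
2020-05-01T02:14:07 host1 sshd: Failed password for invalid user admin from 198.51.100.7
2020-05-01T02:14:09 host1 sshd: Failed password for invalid user admin from 198.51.100.7
2020-05-01T02:14:12 host1 sshd: Failed password for invalid user admin from 198.51.100.7
2020-05-01T02:14:15 host1 sshd: Failed password for invalid user admin from 198.51.100.7
2020-05-01T02:14:18 host1 sshd: Failed password for invalid user admin from 198.51.100.7
2020-05-01T09:02:33 host1 sshd: Accepted publickey for jdoe from 10.0.0.12
2020-05-02T10:00:00 host1 sshd: Received disconnect from 10.0.0.12
2020-05-03T23:41:02 host2 sshd: Accepted password for jdoe from 203.0.113.9
2020-05-04T11:15:40 host2 sshd: Accepted publickey for ghost from 10.0.0.40
2020-05-31T16:00:01 host1 sshd: Accepted publickey for asmith from 10.0.0.13
"""

# Matches "Accepted <method> for <user> from <src>" and
# "Failed <method> for [invalid user] <user> from <src>"; trailing text is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)(?: .*)?$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are counted, not dropped silently."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, unparsed


def find_findings(events, approved_users, fail_threshold=5, business_hours=(7, 19)):
    """Apply the review rules; return a list of (rule, detail) tuples for the reviewer."""
    findings = []
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    for src, n in failures.items():
        if n >= fail_threshold:
            findings.append(("brute_force", f"{n} failed logins from {src}"))
    for e in events:
        if e["result"] != "Accepted":
            continue
        if e["user"] not in approved_users:
            findings.append(("unapproved_account",
                             f"{e['user']} logged in to {e['host']} from {e['src']}"))
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            findings.append(("off_hours",
                             f"{e['user']} logged in at {e['ts'].isoformat()} from {e['src']}"))
    return findings


def retention_covers(events, period_start, period_end):
    """True if the retained log reaches back to the start of the audit period and forward to its end."""
    if not events:
        return False
    dates = [e["ts"].date() for e in events]
    return min(dates) <= period_start.date() and max(dates) >= period_end.date()


def build_review_record(text, approved_users, reviewer, period_start, period_end, reviewed_at):
    """Produce the artifact an assessor asks for: who reviewed what, when, and what was found."""
    events, unparsed = parse_log(text)
    findings = find_findings(events, approved_users)
    return {
        "reviewer": reviewer,
        "reviewed_at": reviewed_at.isoformat(),
        "period": (period_start.date().isoformat(), period_end.date().isoformat()),
        "events_reviewed": len(events),
        "unparsed_lines": unparsed,
        "retention_ok": retention_covers(events, period_start, period_end),
        "findings": findings,
        "status": "needs_response" if findings else "clean",
    }


if __name__ == "__main__":
    record = build_review_record(
        SAMPLE_LOG, {"jdoe", "asmith"}, "a.reviewer",
        datetime(2020, 5, 1), datetime(2020, 5, 31), datetime(2020, 6, 1, 9, 0),
    )
    for key, value in record.items():
        print(f"{key}: {value}")
```

The review record is what gets filed for the audit period; the findings list is the input to the response steps the policy defines, and a `retention_ok` of `False` is itself a finding, because it means the review cannot vouch for the whole period.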
3. CM.2.065: Track, review, approve or disapprove, and log changes to organizational systems and CM.2.066: Analyze the security impact of changes prior to implementation.
Potential contractors must have a formally documented change management policy that governs who may make changes, how they are made, and when. The policy must also include the process for handling emergency changes so that personnel have clear guidance. Each change should be properly requested, analyzed for its security impact, reviewed, and approved before it is implemented. Many organizations utilize ticketing systems to document the change management process and preserve the approval trail.
4. AC.2.013: Monitor and control remote access sessions.
It is critical that potential contractors ensure that remote sessions are approved, logged, and documented, with strong authentication methods in place. COVID-19 has forced many organizations to implement remote work policies quickly; see our previous blog for more details.
5. IR.2.092: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
The potential contractor will need to develop a formally documented incident response plan. All individuals must be trained in incident detection efforts. The plan needs to be a clear outline of response steps that individuals can follow to ensure appropriate actions are taken regarding detection, analysis, containment, notification, and recovery. Lessons learned should be incorporated into the plan after any incident.
6. RM.2.141: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from operation of organizational systems and the associated processing, storage, or transmission of CUI.
Many organizations do not gain clarity on process weaknesses until after performing a risk assessment. The potential contractor will need to have clearly defined system boundaries to ensure the risk assessment is effective. An effective risk assessment will consider inadvertent actions, intentional actions, system failures, and supply chain failures. The potential contractor must ensure adequate mitigating efforts are identified to address each risk.
Later in this blog series, we will discuss each of the three remaining CMMC levels and suggested steps for achieving CMMC readiness.
For more information regarding CMMC readiness, please contact us at firstname.lastname@example.org.
Cybersecurity Maturity Model Certification v1.0 (CMMC v1.0)
National Institute of Standards and Technology Cybersecurity Framework (NIST CSF v1.1)