CMMC Level 2 Compliance: What It Takes to Get There
If your business works with the Department of Defense (DoD) or handles Controlled Unclassified Information (CUI), CMMC Level 2 compliance is crucial. Unlike CMMC Level 1, which focuses on basic security, Level 2 steps up the game by requiring 110 practices across 14 domains. But don’t worry—let’s break this down into understandable steps.
What is CMMC Level 2?
CMMC Level 2 is the “progressive” stage of cybersecurity maturity, where the goal is to protect sensitive information like CUI from cyberattacks. This level aligns closely with the NIST SP 800-171 framework, covering 14 key domains. Getting certified for Level 2 compliance means you’ve implemented the necessary cybersecurity controls to safeguard your data.
Let’s dive into what you need to do across each of these 14 domains!
1. Access Control (AC)
This domain is all about ensuring the right people have access to the right information. You’ll need to:
- Limit who can view sensitive data.
- Use multi-factor authentication (like requiring a code sent to your phone in addition to your password).
- Make sure remote access is secure, especially for employees working from home.
2. Awareness and Training (AT)
Your employees are your first line of defense. For this domain, you must:
- Provide cybersecurity training to all employees.
- Teach staff how to recognize phishing scams or suspicious activity.
- Make sure everyone knows the importance of protecting CUI.
3. Audit and Accountability (AU)
Keep track of who does what in your system. For this:
- Maintain logs of user activity to track any unusual behavior.
- Regularly review these logs for security risks or breaches.
- Ensure audit logs can’t be altered without detection.
4. Configuration Management (CM)
This involves managing your system’s setup to reduce vulnerabilities. You should:
- Control what software is installed on your systems.
- Keep all software up to date with security patches.
- Regularly review your systems for any unauthorized changes.
5. Identification and Authentication (IA)
This ensures that users accessing your system are who they say they are. To comply:
- Require unique user IDs for everyone.
- Use strong passwords and multi-factor authentication.
- Ensure systems automatically log out users after periods of inactivity.
6. Incident Response (IR)
When something goes wrong (and it will), you need a plan. For this domain:
- Create a detailed incident response plan outlining what to do if a breach occurs.
- Regularly test this plan with “practice” incidents.
- Keep a record of any incidents and how they were resolved.
7. Maintenance (MA)
Maintenance is about securing your systems during repairs or updates. Here’s what to do:
- Ensure any maintenance on your systems is secure.
- Monitor maintenance activities, especially when third parties are involved.
- Control who can perform maintenance and document any changes.
8. Media Protection (MP)
This domain is focused on how you handle and store sensitive information, especially physical media like USB drives or paper records. To comply:
- Encrypt sensitive data stored on USB drives, external hard drives, or CDs.
- Dispose of sensitive information properly—think shredding paper documents and wiping old hard drives.
- Control access to any physical media that contains CUI.
9. Personnel Security (PS)
Protecting your systems isn’t just about technology—people are key too. In this domain, you’ll need to:
- Screen employees and contractors before giving them access to sensitive information.
- Remove access immediately if someone leaves the company or no longer needs access to CUI.
10. Physical Protection (PE)
This domain focuses on securing your physical office or server spaces. To comply:
- Restrict access to areas where CUI is stored (e.g., lock doors, require badges for entry).
- Use security cameras or guards if necessary.
- Ensure visitors can’t access sensitive areas without proper authorization.
11. Risk Assessment (RA)
Every business faces risks, but you need a plan to manage them. For this:
- Regularly assess potential cybersecurity risks.
- Identify vulnerabilities in your system and prioritize fixing them.
- Document the steps taken to mitigate risks.
12. Security Assessment (CA)
Security assessments ensure that your defenses are strong. Here’s what to do:
- Perform regular internal reviews of your cybersecurity practices.
- Hire a third-party assessor to evaluate your system’s security.
- Document the results and make improvements where needed.
13. System and Communications Protection (SC)
This domain is about protecting the information that flows through your systems. You’ll need to:
- Use encryption to protect data transmitted over networks.
- Block unauthorized communication and monitor network activity.
- Implement firewalls and other security measures to prevent attacks.
14. System and Information Integrity (SI)
Finally, this domain focuses on keeping your system secure and up to date. To comply:
- Use anti-virus software and regularly scan for malware.
- Patch vulnerabilities as soon as they’re identified.
- Monitor your system for suspicious activity and address any issues immediately.
Path to Compliance
So how do you put all of this into action?
- Assess Your Current Security: Take a look at where your business stands in terms of cybersecurity. Are you already covering some of these areas? Where are the gaps? Identify the areas that need improvement.
- Create a Plan: Once you know where you need to improve, develop a step-by-step plan to implement the required controls. It’s a good idea to prioritize the most critical areas first.
- Train Your Team: Everyone needs to be on board when it comes to cybersecurity. Make sure your employees understand their role in protecting CUI and what they need to do.
- Document Everything: CMMC is all about being able to prove that you’ve implemented the right practices. Keep records of training sessions, security updates, incident responses, and more. This documentation will be crucial when you go for certification.
Why It Matters
CMMC Level 2 isn’t just about ticking boxes—it’s about safeguarding sensitive information that, if compromised, could have serious consequences. By achieving Level 2 compliance, you’re demonstrating a commitment to securing Controlled Unclassified Information (CUI), a critical requirement for working with the Department of Defense.
More than that, it shows your business is prepared to handle more complex and sensitive contracts, opening the door to larger and more secure opportunities. In a world where cyber threats are becoming more sophisticated, meeting Level 2 standards sets you apart as a trusted partner capable of protecting valuable data, which can build stronger, long-term relationships with government clients.
Final Thoughts
Getting to CMMC Level 2 may seem like a lot of work, but it’s an achievable goal with the right plan in place. By tackling these 14 domains step by step, you’ll not only meet the compliance requirements but also strengthen your overall security posture. It’s a win-win for your business and your clients.
Stay secure, and good luck on your path to compliance!