What is the purpose of CMMC Level 2?
CMMC Level 2 (Cybersecurity Maturity Model Certification Level 2) gives the Department of Defense (DoD) increased assurance that an organization can adequately protect Controlled Unclassified Information (CUI). In particular, it addresses adversarial risk, including information flows within multi-tier supply chains. CMMC Level 2 directly incorporates all 110 security requirements from NIST Special Publication 800-171 Revision 2, so it serves as the practical implementation standard for most defense contractors handling CUI.
What is Controlled Unclassified Information (CUI)?
CUI is unclassified information that requires safeguarding or dissemination controls under federal law, regulation, or government-wide policy. It covers information the Government creates or possesses, as well as information that a non-executive branch entity creates or possesses on behalf of the Government. The online CUI Registry standardizes handling, marking, and safeguarding procedures across the executive branch.
In practice, CUI appears across many defense contracts. Examples include technical data, export-controlled information, privacy data, and law enforcement sensitive information. Therefore, contractors must identify which systems process, store, or transmit CUI before they can accurately define their CMMC Level 2 assessment scope.
What are the different types of CMMC Level 2 assessments?
CMMC Level 2 offers two distinct assessment paths. The path a contractor follows depends on the sensitivity of the programs it supports and the contractual requirements from its DoD customer. Each path produces a different level of assurance and results in a different CMMC status in the Supplier Performance Risk System (SPRS).
In practice, the two assessment types are:
- Level 2 Self-Assessment: the Organization Seeking Assessment (OSA) evaluates its own systems against the 110 NIST SP 800-171 requirements and submits the score to SPRS. DoD applies this path when the CUI involved does not require third-party validation.
- Level 2 Certification Assessment: a Certified Third-Party Assessment Organization (C3PAO) conducts the evaluation independently. The organization must achieve either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO) status to fulfill contracts that require this higher level of assurance.
How do assessors score CMMC Level 2 requirements?
During a CMMC Level 2 assessment, assessors evaluate each security requirement and assign one of three findings. The scoring model is strict: a single failed objective fails the entire requirement, and every failed requirement lowers the overall SPRS score. A low score directly impacts the organization’s ability to win and retain DoD contracts.
In practice, the three possible findings are:
- MET: all applicable assessment objectives are satisfied based on final evidence. This includes enduring exceptions or temporary deficiencies that an approved Plan of Action and Milestones (POA&M) addresses.
- NOT MET: one or more objectives for the requirement are not satisfied. A single failed objective fails the entire requirement.
- NOT APPLICABLE: the requirement or objective does not apply to the organization at the time of assessment, based on the defined scope.
When do CMMC enhanced security requirements apply?
Enhanced security requirements apply when CUI connects to a critical program or a High Value Asset (HVA). Federal agencies mandate these requirements when the DoD determines the information environment faces Advanced Persistent Threat (APT) risks. These requirements supplement, rather than replace, the 110 NIST SP 800-171 requirements that CMMC Level 2 already requires. As a result, contractors supporting highly sensitive programs may need controls that go significantly beyond the standard Level 2 baseline.
In practice, the enhanced requirements focus on three mutually supportive strategies:
- Penetration-Resistant Architecture (PRA): reduces opportunities for APT actors to compromise systems or establish persistence.
- Damage-Limiting Operations (DLO): detects successful compromises rapidly and contains their impact before the adversary achieves its objectives.
- Cyber Resiliency and Survivability (CRS): enables systems to anticipate, withstand, recover from, and adapt to attacks targeting critical programs.