CMMC 2.0 Level 2

CMMC 2.0 Level 2-that’s where things really start to get serious. While the controls required aren’t incredibly difficult, there are probably a fair number that most companies haven’t considered before, especially since there are 110 of them. And I am not going to go over each one here. I know no one would want to read through them all (that’s my job). So what we are going to do here is cover the subcategories with a brief description of each, which reduces the number to fourteen.

Access Control

One of the largest categories is access control. This involves limiting who can get the protected information and includes a control you have maybe heard about before – least privilege. Many of the other controls fall into creating a cyber hygiene program.

Awareness and Training

The next section, awareness and training, is fairly self-explanatory. The biggest change here would probably be making sure training is regularly planned and documented.

Audit and Accountability

Up next is audit and accountability. This probably includes some of the heaviest lifts in level two. To be able to fulfill these requirements, most companies will likely need either new software or even engaging with a managed service provider (MSP). This decision will really depend on how many contracts your company works on and the internal knowledge and skills of employees. An MSP can really help to fulfill some of the more technical aspects of these requirements without needing to hire a full time employee.

Configuration and Management

Configuration and management will have a lot of work with system inventory and design at the beginning, but will get easier once that is established. Steps to achieve this can often find some interesting vulnerabilities that have been forgotten with time and be a great place to enhance organization of your company’s digital assets.

Mostly covering passwords, password management, and multifactor authentication (MFA) is the identification and authentication section. These are some things that we always recommend to every company, no matter what they do. MFA is actually one of the most important things that can be done, and may have even stopped the massive MGM hack, if they had been using it.

Incident Response

One area missed by many companies is the next one, incident response. Too many companies are caught flat footed when encountering an incident, and this section would have them in a much better place to react to anything happening.

Maintenance

Probably one of the more “boring” sections is maintenance, but is important nonetheless. Just like a car won’t continue to run well without oil changes, digital systems need regular and planned maintenance.

Media protection

Media protection for level 2 is essentially an enhancement of level 1, requiring more advanced controls and actions for handling digital media.

Personnel Security

Personnel security just has screening requirements and implementation of procedures that address issues like what to do when an employee leaves the company. Physical protection also only adds a few requirements around the monitoring of facilities.

Risk Assessment

Another more technical section is risk assessment. Not only is a risk assessment needed, but vulnerability scanning is also required. Many companies will need outside assistance in the performance of these scans and with help on how to address any issues discovered.

Security Assessment

Security assessment is a documentation and policy heavy section, with requirements for developing, implementing, and monitoring security plans.

System and Communications Protection

Another large section is system and communications protection. Here we again encounter a number of requirements that delve into more technical controls which may require involving an MSP. And finally tying in with this is system and information integrity where a number of things are expected to be monitored.

Hopefully this can help make a little sense of what types of things you can expect to see as requirements so you can better prepare. I also want to convey that while this is a lot, it is not insurmountable.