What are the CMMC Level 2 controls?

With 72 practices spanning 15 of the 17 domains, CMMC level 2 (as defined in the CMMC 1.0 model) is a significant step up from level 1. It is also widely regarded as a transitional stage rather than a destination, since most contractors that handle controlled unclassified information (CUI) will ultimately need to reach level 3.

The practices introduced at level 2 are widely accepted security fundamentals, most of them drawn directly from NIST SP 800-171. Implementing them improves resilience against malicious actors and data exfiltration, and level 2 also adds a requirement that was absent at level 1: your security practices must be documented.

Here are some of the new areas covered by CMMC level 2:

What is intermediate cyber hygiene?

Intermediate cyber hygiene is a transitional step towards safeguarding CUI handled on behalf of the Department of Defense. It builds on every practice that should already be in place from level 1, such as those covering access control and media protection. The single most important feature of level 2 is the need to document your security practices so that you can demonstrate them to assessors, clients, and other stakeholders.

Audit and accountability (AU)

In addition to a raft of new access control (AC) practices, level 2 introduces a domain dedicated to audit logging and accountability. Systems must record who did what and when, so that the actions of individual users can be traced to them, and audit records must be retained and reviewed. The aim is to detect and deter unauthorized use of your systems, which depends as much on people and processes (someone has to review the logs) as on the logging technology itself.

Awareness and training (AT)

Contrary to popular belief, cybersecurity is as much a human challenge as a technical one. Many breaches begin with phishing or other social engineering aimed at employees rather than with an attack on a vulnerable system. This is why level 2 requires that managers, administrators, and users of organizational systems are made aware of the security risks associated with their activities, and that personnel are trained to carry out their assigned security-related duties.

Configuration management (CM)

Another domain introduced at level 2, configuration management concerns how data-bearing systems, networking devices, and other assets are set up. Baseline configurations must be established and maintained for hardware, software, and firmware throughout their lifecycle, and changes to those configurations must be tracked, reviewed, and approved rather than applied ad hoc.

Incident response (IR)

There is no such thing as perfect cybersecurity, hence the need for a plan for when things go wrong. Level 2 introduces the requirement for a documented incident-handling capability covering preparation, detection and analysis, containment, recovery, and user response activities, along with the tracking, documentation, and reporting of incidents to the appropriate internal and external parties.

Maintenance (MA)

CMMC practices are not only about confidentiality; they also protect the integrity and availability of systems and data, hence the need for controlled, proactive maintenance. This domain requires that maintenance of organizational systems is performed on a managed basis, that the tools and media used for maintenance are controlled, and that maintenance personnel who lack the required access authorization are supervised.

Personnel security (PS)

Another domain introduced at level 2, personnel security requires that individuals are screened before being granted access to systems containing CUI and other sensitive data. It also covers protecting systems and CUI during and after personnel actions such as transfers and terminations, for example by revoking access and recovering equipment promptly.

Recovery (RE)

By now, virtually every business leader recognizes the need to back up data both on-site and off-site. This domain requires that backups are performed regularly and, just as importantly, tested regularly, since an untested backup is not a recovery plan. Backup copies of CUI must also be protected wherever they are stored, in line with the controls specified in other domains such as media protection.

Risk management (RM)

While no company can ever hope to eliminate cyber risk entirely, a risk management strategy helps ensure that risk is kept as low as reasonably practicable and in line with company-wide policies. This domain requires periodic risk assessments of the systems that process, store, or transmit CUI, regular vulnerability scanning of those systems and applications, and remediation of identified vulnerabilities in accordance with those assessments.

Security assessment (CA)

Level 2 introduces the first practices from the security assessment domain. To achieve compliance, you will need to develop, document, and periodically update a system security plan (SSP) that describes system boundaries, operating environments, how security requirements are implemented, and how the system connects to other systems. You must also periodically assess your security controls and maintain a plan of action and milestones (POA&M) that describes how deficiencies will be corrected, in a coherent and clearly prioritized manner.

Charles IT offers expert guidance to help you advance your security maturity, no matter where you are in your CMMC compliance journey. Call today to schedule your first consultation!
