Key Controls for Achieving CMMC Level 2 Compliance

Discover the key security controls required for CMMC Level 2 compliance. Learn how to implement NIST 800-171 practices to protect Controlled Unclassified Information (CUI).

7 min read
Published on May 21, 2025
Contractors working with the Department of Defense (DoD) must have strong security measures in place to protect sensitive information. Cybersecurity Maturity Model Certification (CMMC) requirements were developed to provide a mandatory framework for adequate cybersecurity measures when working with the DoD. The CMMC Final Rule scheduled the phased rollout of CMMC contract requirements to begin in Q3 2025. To ensure their eligibility to bid on these contracts, prime contractors will likely expect subcontractors to be CMMC compliant well before the rollout.

There are three levels of CMMC with requirements that vary depending on the types of data an organization handles. Level 2 is considered intermediate and is the level most commonly required. The controls in Level 2 are based on NIST SP 800-171 and direct the use of access control, incident response, and system monitoring safeguards to protect CUI more thoroughly. This post will clarify who needs CMMC Level 2 and the crucial security controls necessary for achieving compliance.

Understanding CMMC Level 2 Compliance

CMMC Level 1 compliance focuses on minimum safeguarding practices for Federal Contract Information (FCI). It includes 17 controls that establish basic cyber hygiene. Level 2 builds off Level 1 by adding controls based on NIST SP 800-171. Achieving CMMC compliance will require determining whether you need CMMC Level 2 based on the information your organization handles and learning your assessment requirements.

Who Needs CMMC Level 2?

If your company processes, stores, or transmits Controlled Unclassified Information (CUI), you will likely need to meet CMMC Level 2 requirements. CUI is information possessed or created by the government (or created or possessed on behalf of the government) that is legally required to be safeguarded. CUI is usually identified by markings that indicate its category, such as Legislative Materials (LMI) or For Committee Use Only. Reviewing your current and potential contracts can help you determine whether you handle CUI. Look for language stating the need to protect CUI or referencing DFARS 252.204-7012 or NIST SP 800-171.

Assessment Requirements

Routine assessments are required for an organization to achieve and maintain CMMC Level 2 compliance. Whether you are allowed to conduct an annual self-assessment or require third-party certification (C3PAO assessment) every three years depends on the type of data you handle and contract requirements. It is expected that most contracts involving CUI will require a CMMC Level 2 third-party certification once the rule is fully implemented.

Key Security Controls for CMMC Level 2

CMMC Level 2 requirements include 110 controls grouped under 14 domains. Organizations will be assessed to verify that they have implemented all of the controls in the following 14 domains.

Access Control

22 controls describe how to limit access to sensitive data to authorized users and how to control remote access and portable storage, including:

  • Implementing role-based access control (RBAC)
  • Restricting access based on least privilege principles
  • Securing remote access to CUI

Audit and Accountability

9 controls define requirements for tracking and monitoring user activity, including:

  • Maintaining system logs and audit trails
  • Implementing log monitoring and retention policies

Awareness and Training

3 controls that require businesses to ensure managers, system administrators, and users understand the security risks associated with their activities and to create policies for mitigating those threats, including:

  • Conducting regular security awareness training
  • Providing specialized cybersecurity training for privileged users

Configuration Management

9 controls focused on controlling operational changes to systems so that changes do not introduce vulnerabilities, including:

  • Establishing secure baseline configurations for systems
  • Implementing change management processes for software updates

Identification and Authentication

11 controls focused on securing user credentials with password and authentication procedures and policies, including:

  • Multi-factor authentication (MFA)
  • Unique user identification
  • Credential complexity and reuse controls

Incident Response

3 controls that outline creating a documented plan for detecting, responding to, and reporting incidents, including:

  • Developing and testing an incident response plan
  • Monitoring and reporting security incidents in real time

Maintenance

6 controls that describe security requirements for maintenance activities, including:

  • Controlled maintenance
  • Non-local maintenance authorization

Media Protection

9 controls to set requirements to ensure the security of system media containing CUI, including:

  • Encrypting or securely disposing of CUI storage devices
  • Restricting access to removable media and external drives
  • Media access controls and labeling

Personnel Security

2 controls that require businesses to screen personnel and ensure CUI remains protected during and after personnel actions, including:

  • Handling changes in employment, such as transfers and terminations
  • Screening personnel before granting access

Physical Protection

6 controls focused on limiting physical access across devices, systems, and equipment, and maintaining audit logs of physical access, including:

  • Implementing physical security controls for CUI storage locations
  • Audit logs of physical access

Risk Assessment

3 controls outlining requirements for periodic risk assessments and routine vulnerability scans that keep network devices and software updated and secure, including:

  • Conducting regular risk assessments and vulnerability scans
  • Developing risk mitigation plans based on assessment results

Security Assessment

4 controls describing how to establish a system security plan that defines system boundaries and the relationships between systems, along with procedures for implementing security requirements and keeping the plan up to date, including:

  • Security control assessments
  • System Security Plan (SSP)
  • Plan of Action & Milestones (POA&M)
  • Continuous monitoring

System and Communications Protection

16 controls describing how to protect data during transmission and at system boundaries, including:

  • Encrypting CUI in transit and at rest
  • Implementing network segmentation and firewalls for security

System and Information Integrity

7 controls requiring businesses to identify and correct system flaws quickly by monitoring and acting on security alerts, performing scans, and keeping malicious code protection mechanisms up to date, including:

  • Deploying endpoint detection and response (EDR) solutions
  • Regularly updating and patching security vulnerabilities

Best Practices for Achieving CMMC Level 2 Compliance

Achieving CMMC Level 2 compliance requires organizations to apply advanced cybersecurity practices to protect CUI. Breaking the process down into clear, actionable steps can help you avoid security gaps. This checklist can help you prepare for your assessment.

Implement Security Controls Before Assessments

Familiarizing yourself with the Level 2 requirements and making the necessary improvements will help you update your cybersecurity practices and prepare for your assessment. Implement all technical and administrative controls first, then assess your system to see where additional improvements are needed.

Conduct Pre-Assessment Gap Analysis to Identify Weaknesses

Once you’ve applied solutions for the 110 required controls, perform a gap analysis to see where your cybersecurity practices fall short. After identifying gaps, create an official remediation plan (often formalized in a Plan of Action and Milestones) to outline specific actions to improve and a timeline in which the actions should be completed.

Use Microsoft 365 GCC High for a Compliance-Ready Infrastructure

Microsoft 365 GCC High is not required by CMMC itself at any level. However, the regulations that govern the protection of CUI do require GCC High. The additional compliance features found in GCC High make it the only Microsoft cloud environment in which you can meet DFARS requirements. By leveraging Microsoft GCC High's ITAR-compliant environment, your organization can handle defense-related articles and services with confidence in data security and regulatory compliance.

Partner with a CMMC Registered Provider Organization (RPO)

Partnering with an experienced RPO like Agile IT can streamline your journey to CMMC Level 2 compliance with pre-assessment consulting services and professional guidance. No matter where you are in your CMMC compliance journey, a skilled RPO can help you address weaknesses and provide tools and techniques to prepare you for your Level 2 assessment.

Agile IT Can Help You Meet Your CMMC Level 2 Compliance Goals

As a DoD contractor handling CUI, you will be required to achieve CMMC Level 2 compliance. Achieving and maintaining CMMC compliance is a major undertaking that requires aligning your security practices with all 110 controls and regularly testing your systems for vulnerabilities. The assistance of an experienced RPO like Agile IT can speed up the process and eliminate much of the stress that comes with achieving CMMC compliance. Preparing for Level 2 compliance now will ensure you’re prepared for contracts in the future.

Need help achieving CMMC Level 2 certification? Contact us today to learn more about how AgileThrive helps you meet your compliance needs, and how AgileDefend can uniquely address your ongoing Microsoft 365 security and compliance needs.
