CMMC Level 2 (Advanced) Explained

The DoD has confirmed that CMMC is on track to be in contracts by the end of 2024. This upcoming reality means that an estimated 80,000 defense contractors handling CUI will soon be required to comply with NIST 800-171 and meet CMMC Level 2.

But what does meeting CMMC Level 2 compliance mean for contractors, and how can they get ready? What do you need to know in order to meet Level 2’s assessment objectives? Read on to find out.

What is CMMC Level 2 and who needs to achieve it?

CMMC Level 2, also known as ‘Advanced’, sits between Level 1 (Foundational) and Level 3 (Expert). Level 2’s focus is ensuring the protection of CUI and FCI. To achieve this level, organizations need to comply with the 110 security requirements specified in NIST SP 800-171 Rev 2.

If an organization has a DFARS 7012 clause in its contract, then it will most likely need to meet CMMC Level 2. Until now, a defense organization with a DFARS 7012 clause was simply required to meet NIST 800-171 and was allowed to self-assess its compliance. However, CMMC differs from NIST 800-171 in two significant ways:

  • Maturity. Organizations have to demonstrate that the procedures and training described in NIST 800-171 are fully understood and practiced by employees handling CUI.
  • C3PAO assessments. A certified third-party assessment organization (C3PAO) must review the System Security Plan (SSP) and the technology used by a defense organization seeking certification, and the organization must initially meet at least 88 of the 110 NIST 800-171 controls in order to pass. The organization will eventually have to meet all 110 NIST 800-171 controls, though. This assessment must be passed every three years.

Any defense contractor handling CUI and expecting to continue working on DoD contracts where it handles CUI should be prepared to meet Level 2.

CMMC Level 2 compliance requirements

As noted above, any contractor seeking to achieve Level 2 must meet the 110 controls found across the 14 families listed below. But it’s not enough to just meet the control itself: contractors must also meet the 320 assessment objectives that exist across the 110 controls and provide detailed documentation explaining how each objective is met.

[Figure: The 14 NIST 800-171 families at the core of CMMC 2.0]

CMMC Level 2 Assessment Guide

Companies seeking CMMC Level 2 will be required to undergo a third-party assessment once every three years. A C3PAO or CMMC assessor will assess fulfillment of the 110 controls by referencing the 320 assessment objectives. Assessors will examine, interview, and test for each assessment objective.

For example, in AC.L2-3.1.3, Control the flow of CUI, an organization is required to ‘Control the flow of CUI in accordance with approved authorizations.’ Assessors will ‘Examine’, ‘Interview’, and ‘Test’ an organization’s compliance with the control using the following assessment methods and objectives:

Determine if:

[a] information flow control policies are defined;
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
[d] authorizations for controlling the flow of CUI are defined; and
[e] approved authorizations for controlling the flow of CUI are enforced.


Each of the 110 controls requires detailed information and execution in order to achieve compliance. Clearly, organizations shouldn’t procrastinate: preparation for a successful assessment takes 9-18 months, depending on maturity.

How to Achieve CMMC Level 2

You don’t have to start from scratch when it comes to CMMC Level 2. PreVeil’s end-to-end encrypted email and file sharing solution enables organizations to store and share CUI in compliance with CMMC Level 2, NIST SP 800-171, DFARS 252.204-7012, and ITAR.
PreVeil is the leading solution for CMMC and ITAR compliance, trusted by over 1,000 defense contractors. PreVeil’s proven solution has been used by 10+ contractors and C3PAOs to achieve perfect 110 scores in DoD assessments.

Our 3-part solution includes:
1. An email + file sharing platform to protect CUI, built on AWS GovCloud
2. Documentation to demonstrate compliance
3. Certified consultants and assessors

By using the PreVeil platform, contractors can save over 60% versus legacy solutions while securing their data with uncompromising end-to-end encryption.

When deployed along with our SSP, PreVeil supports 102 of the 110 NIST SP 800-171 controls that lie at the core of CMMC Level 2. PreVeil also meets the stringent FedRAMP Moderate Equivalent standards as well as the other contractual obligations stipulated in DFARS 252.204-7012 and ITAR.

Conclusion

If you’re a DIB company handling CUI, you’ll need to achieve Level 2 compliance. Without it, you won’t be able to remain eligible for DoD contracts. This guide provides an understanding of what is required and how to move forward.

Ready to get started? Reach out, we’re here to answer your questions and get you started on your compliance journey.

FAQs

Will self-assessments be allowed under CMMC Level 2 instead of undergoing assessment by a C3PAO?

For the vast majority of CMMC Level 2 assessments, defense organizations MUST have a third-party assessment from a C3PAO.

How do I know if I need to meet CMMC Level 2?

The easiest way to know if your contract involves CUI is to determine whether you have a DFARS 7012 clause in your contract. If you have a DFARS 7012 clause, then you will most likely need to achieve CMMC Level 2.

What’s the difference between CMMC Level 2 and NIST 800-171?

CMMC differs from NIST 800-171 in two significant ways. First, CMMC requires organizations to demonstrate that the procedures and training described in their NIST 800-171 SSP are fully understood and practiced by employees handling CUI. Second, CMMC Level 2 will require a third party to assess the organization to determine whether it complies with the NIST 800-171 requirements.

The post CMMC Level 2 (Advanced) Explained appeared first on PreVeil.

*** This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil authored by Orlee Berlove. Read the original post at: https://www.preveil.com/blog/cmmc-level-2-advanced-explained/