Defense contractors handling CUI need to get ready for CMMC compliance. CMMC’s Stacy Bostjanick recently stated that the Pentagon will release its interim rule to implement CMMC in May 2023 and have requirements in contracts 60 days after the rule’s publication. And by July 2023, 80,000 defense contractors will be required to meet CMMC level 2 (Advanced).

But what does meeting level 2 compliance in CMMC mean and how can SMBs get ready? What do you need to know in order to meet Level 2’s assessment objectives? Read on to find out.

CMMC 2.0: The Basics

When originally developed in 2019, CMMC had five levels. Companies handling CUI were required to meet CMMC level 3 and were told they would be judged against a pass-fail model. Highlighting the complexity of CMMC as exclusionary of SMBs, the DIB pushed back. In response, the DoD released a streamlined CMMC 2.0 in late 2021.

CMMC 2.0 consists of only 3 levels, in which level 2 replaces the original level 3 for companies handling CUI. Level 2 drops 20 controls, to dovetail completely with NIST SP 800-171 Rev2.

This is great news for a lot of companies in the DIB, who have been subject to NIST SP 800-171 since 2017. However, there are some changes. Following the guidelines established by DFARS 252.204-7019, companies are now required to self-assess against the NIST framework and report their score to the DoD’s Supplier Performance Risk System (SPRS).

14 NIST 800-171 Families

The 14 NIST 800-171 families at the core of CMMC 2.0

Once a company achieves compliance with NIST SP 800-171 they have achieved a significant portion of CMMC Level 2’s requirements. However, as an organization handling CUI, they need to ensure that they support DFARS 252.204.7012 c-g for cyber incident reporting, FedRAMP Baseline Moderate or Equivalent for cloud services, and FIPS 140-2.

There is one major way in which CMMC 2.0 differs from NIST SP 800-171. The DoD is no longer simply taking your word for it when it comes to scores. Third party assessors will assess organizations to ensure scores are accurate. Detailed documentation will be required to demonstrate compliance.

Example of the type of documentation that you can use to meet some controls in Access Control

How can I meet CMMC Level 2 Assessment Objectives?

While companies that have been handling CUI already may have a headstart on CMMC Level 2 compliance, a lot of defense contractors will have some work to do. If you’re not quite up to standard, you might be worried about your ability to bid for contracts while you’re on your path to compliance.

CMMC 2.0 acknowledges that it will take time for organizations to get up to code. It understands that business disruptions can be ruinous to SMBs. To address these concerns, it permits the use of time-limited Plans of Actions and Milestones (POAMs) to close the gaps for unmet controls.

Allowing POAMs makes CMMC 2.0 more accessible for SMBs with limited human and financial resources. POAMs create a straightforward path to compliance and allow sufficient time to fulfill tasks in a cost-effective manner.

POAMs are not a loophole to get out of bringing your cybersecurity up to standard. They will be time-limited and must be closed within 6 months. Further, POAMs will likely not be permitted for a subset of the highest-weighted security requirements, which are also some of the hardest requirements to meet. Even so, POAMs are a win for SMBs seeking CMMC Level 2.

CMMC Level 2 Assessment Guide

Companies seeking CMMC Level 2 will be required to undergo third-party assessments once every three years. C3PAOs or a CMMC assessor will assess fulfillment of the 110 controls by referencing 320 assessment objectives. Assessors will examine, interview, and test for each assessment objective.

For example, in AC.L2-3.1.3, Control the flow of CUI, an organization is required to ‘Control the flow of CUI in accordance with approved authorizations.’ Assessors will ‘Examine’, ‘Interview’, ‘Test’ an organization’s compliance with the control using the following assessment methods and objectives :

Determine if:

[a] information flow control policies are defined;
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
[d] authorizations for controlling the flow of CUI are defined; and
[e] approved authorizations for controlling the flow of CUI are enforced

Each of the 110 controls require detailed information and execution in order to achieve compliance. Clearly, organizations shouldn’t procrastinate. Preparation for a successful assessment takes 9-18 months based on maturity.

Getting ready: CMMC Level 2 checklist

There are five steps in your path to CMMC Level 2.

First, you need to determine the scope of your project. Where does CUI reside within your company?

Second, protect your CUI. Protecting CUI is at the heart of CMMC Level 2 and a security-first approach will lead organically to compliance. Make sure you’re keeping your emails and files containing CUI secure.

Third, determine your starting point. Assess your organization against the 110 controls and 320 assessment objectives to determine your current score.

Fourth, prove it. Thoroughly document how you meet the 110 controls. Clear and robust documentation is essential for passing an assessment.

Fifth, find the right cybersecurity partner. Most SMBs don’t have inhouse IT staff that can handle the management of NIST SP 800-171 and, by extension, CMMC Level 2. Hiring an MSP/MSSP partner or (Registered Practitioner Organization) RPO can provide crucial support in areas with additional need.

See this post for our full CMMC checklist.

How PreVeil can help

You don’t have to start from scratch when it comes to CMMC level 2. PreVeil is an end-to-end encrypted email and file sharing solution that enables organizations to store and share CUI in compliance with CMMC Level 2, NIST SP 800-171, DFARS 252.204-7012, and ITAR.

PreVeil’s platform supports all CMMC Level 2 controls relevant to the exchange and control of CUI in the cloud. When deployed along with our SSP, PreVeil supports 102/110 NIST SP 800-171 and CMMC Level 2 controls. In addition, PreVeil meets NIST 800-171 and CMMC requirements for FIPS 140-2 as well as contractual obligations stipulated in DFARS 252.204-7012 and ITAR.

We want to support you all the way through your compliance journey. Our partner program can connect you with an MSP, MSSP, or RPO that can help with the remaining 26 controls.

Our system is proven. See our recent case study demonstrating how a SMB defense contractor using PreVeil scored a 110/110 in a NIST SP 800-171 DoD assessment.

Achieve CMMC Level 2

If you’re a DIB company handling CUI, you’ll need to achieve Level 2 compliance. Without it, you won’t be able to remain eligible for DoD contracts. This guide provides understanding of what is required and how to move forward.

Ready to get started? Reach out, we’re here to answer your questions and get you started on your compliance journey.

Learn more: