CMMC Level 2 is the Advanced tier of the Cybersecurity Maturity Model Certification (CMMC). Keep reading to learn more about CMMC Level 2: the practices it comprises, how it compares to the other CMMC levels, and how to achieve CMMC Level 2 compliance.
CMMC level 2 is also known as the “Advanced” level of CMMC, a program designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department of Defense (DoD) through acquisition programs.
CMMC 2.0, announced in November 2021, simplified the program structure, which now features three levels: Level 1 or Foundational, Level 2 or Advanced, and Level 3 or Expert.
The three CMMC levels differ in four fundamental ways:
- Number of practices
- Type of practices
- Type of assessment (self-assessment, third-party assessment, or government-led assessment)
- Frequency of assessments (annual or triennial)
CMMC Level 2, a closer look
Those are the four aspects in which the three CMMC levels differ. Now let’s look at what each of them means for CMMC Level 2.
Number of Practices
CMMC Level 1 (Foundational) requires just 17 practices, whereas CMMC Level 2 comprises 110 practices that map one-to-one to the 110 security requirements of NIST SP 800-171, and CMMC Level 3 (Expert) features 110+ practices aligned with NIST SP 800-172.
Type of Practices
As noted above, CMMC level 2 practices are aligned with NIST SP 800-171, a set of recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). By contrast, CMMC level 3 practices are aligned with NIST SP 800-172, a set of enhanced requirements that supplement the basic and derived security requirements in NIST SP 800-171.
Type of Assessment
CMMC Level 2 is achieved through third-party assessments for information critical to national security and self-assessments for select programs. Third-party assessments are carried out by CMMC Third-Party Assessment Organizations (C3PAOs) accredited by the CMMC Accreditation Body, now known as The Cyber AB. CMMC Level 1 involves only self-assessments, while CMMC Level 3 is achieved exclusively through government-led assessments.
Frequency of Assessments
When it comes to the frequency of assessments, CMMC Level 2 requires triennial third-party assessments for information critical to national security and annual self-assessments for select programs. CMMC Level 1 involves annual self-assessments only, and CMMC Level 3 mandates triennial government-led assessments performed by government officials.
Who Needs To Comply With CMMC Level 2?
According to the Department of Defense, once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation.
The required CMMC level will depend on the type of information a contractor handles:
- CMMC Level 1 and a subset of CMMC Level 2: Contractors who do not handle information deemed critical to national security
- CMMC Level 2: Contractors managing information critical to national security
- CMMC Level 3: Reserved for the highest priority, most critical defense programs
In its CMMC Assessment Scope document for Level 2, DoD reviews two common CMMC Level 2 compliance scenarios. It is worth noting that, depending on how the CMMC assessment is scoped, a contractor can achieve CMMC certification for an entire enterprise network, for particular segments of that network, or for a specific enclave.
- If a contractor processes, stores, or transmits both Federal Contract Information (FCI) and controlled unclassified information (CUI), the contractor can obtain a single certification. Given that the contractor in this scenario handles CUI, CMMC Level 2 would be the minimum certification level needed.
- If a contractor processes, stores, or transmits FCI within one assessment scope, but processes, stores, or transmits CUI within another assessment scope, then the contractor may choose to conduct two separate CMMC activities. In this scenario, the contractor may perform a CMMC Level 1 self-assessment for the boundary containing only FCI (a common example would be the enterprise network) and obtain a CMMC Level 2 certification for the boundary within which all CUI is handled (for example, an enclave dedicated to CUI work). Keeping all CUI inside that smaller boundary is what allows the Level 2 assessment to be limited to the enclave rather than the whole enterprise network.
To learn more about the Cybersecurity Maturity Model Certification, read our previous blog, “CMMC Continuous Monitoring: What Is It and Why Is It Important?”
Need To Comply With CMMC Level 2? We Are Here To Help
Whether it’s CMMC, NIST 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a full Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063