What’s the Point of CMMC Level 2?
You have probably heard a lot about Cybersecurity Maturity Model Certification (CMMC) Level 1 and Level 3. But have you noticed that CMMC Level 2 is rarely mentioned? There are a couple of reasons for that, and you should be aware of them before you start preparing for certification. In short: CMMC Level 2 is a bridge to Level 3.
But First, What is CMMC Level 2?
CMMC Level 2 introduces maturity into CMMC. CMMC Level 1 requires practices only; it has no process (also called maturity) requirements. Level 2 adds two processes: establish a policy covering each of the CMMC domains, and document the practices that implement that policy. CMMC Level 2 also adds 55 practices on top of the 17 CMMC Level 1 practices, for a total of 72 practices.
There Will Be NO CMMC Level 2 Contracts
According to DoD, no contracts will require CMMC Level 2. That is one of the main reasons you hear so little about it. It has been described as a bridge to CMMC Level 3, but the number of practices in CMMC Level 2 is no joke: 72 in total, 55 more than CMMC Level 1. So, while a Level 2 certification may not count in a proposal, it is a badge of good hygiene and maturity, and that may count with partners, primes, and investors.
CMMC Level 2 Is Not Enough – CMMC Level 2 is a Bridge to Level 3
CMMC Level 2 is where protection of Controlled Unclassified Information (CUI) is introduced; Level 1 is about protecting Federal Contract Information (FCI). According to Katie Arrington, DoD CISO for acquisition, CMMC Level 2 demonstrates a company is “effectively documenting, managing, reviewing and optimizing its [cybersecurity] practices across its entire enterprise.” However, the practices in CMMC Level 2 do not go far enough in safeguarding CUI: only Level 3 covers all 110 security requirements of NIST SP 800-171, which DFARS 252.204-7012 already requires of any contractor that handles CUI. Therefore, you should not be storing, processing, or transmitting any CUI if you are only CMMC Level 2. You need to be CMMC Level 3.
You Can Be Level 2 Certified
DoD and the CMMC Accreditation Body have never indicated that companies cannot be certified at CMMC Level 2. CMMC Level 2 is a useful stepping stone and an intermediate demonstration of both cybersecurity maturity and hygiene. Whether your company falls just short of CMMC Level 3 or you receive a CMMC Level 2 certification because you have gone above and beyond CMMC Level 1, it is meaningful in business development efforts and long-term planning.
Consider that certification is valid for three years and that the rollout of CMMC into contracts will take five years. CMMC Level 2 buys you time for the CMMC ecosystem and the CMMC processes to mature, and for your organization to position itself to reach CMMC Level 3. If you are making steady progress, you will have time to make sure the processes are adopted and practiced across your organization, and you should have solid artifacts to show assessors when they come to re-certify you. CMMC documentation calls this “institutionalization,” and institutionalization is the entire point of the maturity levels in CMMC.
Tackling CMMC Level 2
Every seasoned assessor we speak with says you should begin with the CMMC Level 2 processes. Write out the framework for an organizational policy that addresses CMMC, or take an existing policy you can modify. Add the 17 domains and document any practices you currently have in place for each of them. This is a living document; it will be updated regularly. Once you have covered the six domains and 17 practices of CMMC Level 1 in your document, move on to the CMMC Level 2 practices: document the ones you are already doing and record the gaps between what you are doing and where you need to be. Incorporating processes can be a difficult hurdle when you have not done it before. BEI is always here to help!