High Level summary of the first two levels of CMMC and assessment requirements. Level 2 includes required conformity assessments by an authorized C3PAO.

CMMC Level 2 Conformity Assessments

CMMC Level 2 Model Baseline

The CMMC Model for Level 2 maps to the 110 Security Requirements from NIST SP 800-171 Rev. 2 that are designed to protect the confidentiality of Controlled Unclassified Information (CUI).

There is NO inheritance from CMMC Level 1.  CMMC Level 1 is exclusively focused on protecting Federal Contract Information (FCI).  CMMC Level 2 does take the same 15 requirements, which become 17 in NIST SP-800-171, and focuses on safeguarding CUI.

All requirements are evaluated against the 320 Assessment Objectives specified in NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information.

CMMC Level 2 Self-Affirmation Requirements

Like CMMC Level 1, every organization with  DFARS Clause 252.204-7021 Cybersecurity Maturity Model Certification Requirement. is required to:

  • Conduct an annual CMMC Level 2 Self-Assessment to determine their conformity to protect CUI.
  • Submit an annual self-affirmation of the organization’s compliance to DFARS Clause 252.204-7012 and the NIST SP 800-171 security requirements to SPRS (c.f., §170.22, Affirmation ).
  • If the FCI and CUI boundaries for the organization are the same, then the CMMC Level 2 annual assessment and self-affirmation letter will suffice for Level 1.
  • If the self-assessment reveals your organization does not meet the Plans of Action & Milestone (POA&M) threshold guidance below, your organization cannot submit an entry into SPRS.

Some organizations may want to have their authorized C3PAO conduct these to assessment reduce risks.

CMMC Level 2 Third Party Certification Requirements

CMMC Level 2 requires the vast majority of organizations to undergo a CMMC Conformity Assessment once every three years or triennially.

For these organizations, the CMMC Conformity Assessment must be conducted by an Authorized CMMC 3rd Party Assessment Organization (C3PAO).

Organizations must be either conditionally certified per the POA&M threshold guidance below or fully meet all Security Requirements to be Fully Certified (c.f., §170.17).

CMMC Level 2 Plans of Action & Milestones (POA&M)

§170.21, Plan of Action and Milestones requirements.  Specifically, paragraph §170,21(a)(2) governs CMMC Level 2 POA&Ms.

While not stated in the rule, all organizations are expected to have had and maintain a POA&M for all actions needed to get them into compliance.  During a Conformity Assessment, your organization should be able to provide a POA&M with closed out/completed remediations to address deficiencies.

POA&M guidance in §170.21 is about being eligible for certification, and if so, what kind.  In short, under CMMC Level 2, the three certification states are:

  1. Uncertified:  An organization is either uncertified because they are pending a successful C3PAO Conformity Assessment, or the organization fails to meet the threshold POA&M criteria.
  2. Conditionally Certified:  An organization met the threshold POA&M criteria, is within the 180-day POA&M window; and, has open deficiencies identified in their POA&M.
  3. Certified:  An organization that successfully completed a C3PAO Conformity Assessment with a score of 110.

There are three key business rules here:

  1. When CMMC goes into effect, uncertified or organizations that cannot self-affirm their compliance will not be eligible for any contracts involving CUI.
  2. Whether the organization self-affirms or undergoes a C3PAO Conformity Assessment, the organization will have 180-days from the point in time they self-report a score of 88 to 109 in SPRS; or from the date when they receive a conditional certification to complete all remediation actions.
  3. Organizations triennial window begins the day of the first CMMC Conformity Assessment outbrief.

Per §170,21(a)(2), the following defines the threshold to be eligible for a “Conditional POA&M” and Conditional Certification:

  1. The organization’s DoD Assessment Methodology (DoDAM) Score must be greater than 88.
  2. No 5- or 3-point valued DoDAM Security Requirement can be evaluated as NOT MET.  SC.L2–3.13.11, FIPS-validated Encryption, may be included on a POA&M if it has a value of 1 or 3 (c.f., §170.21(a)(2)(ii)).
  3. None of the following 1-point Security Requirements are NOT MET:
    1. AC.L2–3.1.20 External Connections (CUI Data)
    2. AC.L2–3.1.22 Control Public Information (CUI Data)
    3. PE.L2–3.10.3 Escort Visitors (CUI Data)
    4. PE.L2–3.10.4 Physical Access Logs (CUI Data)
    5. PE.L2–3.10.5 Manage Physical Access (CUI Data).

Peak InfoSec Provided Services

For CMMC Level 2, as an Authorized C3PAO, Peak InfoSec can support your organization with the following services:

  • CMMC Level 2 Conformity Assessments:  This is the formal event that would lead to your organization getting certified.  While we cannot as yet provide these today, we encourage all organizations to start planning when they want to get certified and get on your selected C3PAO’s schedule.
  • CMMC Level 2 Mock Assessments:  Like a normal Conformity Assessment, a mock assessment is a pre-cursor to see if your organization is ready to move forward.  We do not recommend doing a 100% mock assessment.  By checking 12 Security Requirements, we can get a solid understanding of your organization’s readiness.
  • CMMC Level 1 services may still be needed if your organization maintains FCI outside of its CUI boundary.
    • CMMC Level 1 Conformity Assessments & Letters of Attestation:  To reduce your organization’s business and senior leader’s personal liability risks when they submit the self-affirmation into SPRS, Peak InfoSec can conduct a Level 1 Conformity Assessment and issue a Letter of Attestation regarding your organization’s compliance.
    • FCI Scoping:  Defining the scope of your FCI is harder due to the more nebulous nature of FCI.  For example, an email between your organization and the DoD about a contract you won is generally FCI.  Failure to understand your FCI scope can lead your organization to not implementing the required safeguarding requirements and incorrectly attest your compliance.

Key CMMC Sites

Key References

Key Acquisition References

Other Key Sites

Information Security Turnaround Specialists