CMMC Level 2: Requirements and Solutions for DoD Contractors

Has CMMC 2.0 been published?

On October 15th, 2024, the CMMC Final Rule was published. We know this is a stressful time for many government contractors. We've provided a wealth of knowledge below, but if you need to speak with an expert now to get answers, fill out this form and we'll get in touch with you within 1-2 business days.

Key Takeaways:

  • CMMC is the Department of Defense's method for ensuring that contractors have implemented adequate cybersecurity measures to protect sensitive data.
  • The CMMC Program Rule was published on October 15, 2024.
  • CMMC assessments will start in Q1 2025.
  • The phased rollout of CMMC in contracts will begin in Q3 2025.
  • Prime contractors will likely expect subs to be CMMC compliant well before the phased rollout period.
  • There are 3 levels of CMMC depending on the types of data you handle as a part of your DoD contracts.
  • For Level 2, which is the most common, it takes an average of 6-18 months to prepare for a CMMC assessment.
  • The CMMC rule is built on the assumption that contractors have already implemented NIST SP 800-171.
  • If you're in a time crunch, you can do a CMMC Enclave to ensure that your business doesn't lose contracts while you gradually move your company all-in over time.

What Is CMMC Level 2?

CMMC is the DoD's method for requiring organizations in the DoD supply chain to protect FCI, CUI, and/or ITAR to the appropriate level determined.

CMMC Level 2 compliance is intended for those handling sensitive data and therefore requires organizations to satisfy all 110 security controls from NIST SP 800-171.

CMMC Level 2 certification is necessary for those who want to bid on DoD contracts that handle the following:

If the DFARS 252.204-7012 requirement is in your current contracts, you are most likely in the CMMC Level 2 category.

What does it take to achieve CMMC Level 2 Compliance?

To receive a CMMC certification, a Cyber-AB CMMC Third Party Assessment Organization (C3PAO) must attest that you have fully implemented all assessment objectives.

- When ready, you are responsible for scheduling your assessment with a C3PAO. A certification remains valid for 3 years from the date of certification.

- Every year a senior company official must re-affirm that all 320 assessment objectives are still being met.

- Every 3 years a C3PAO must re-certify the organization.

Expert Insight: Any MSP/MSSP working with the organization must have a Level 2 final certification as well.

How do I know if I have CUI?

When it comes to the CMMC framework, the scope of a CMMC assessment for an Organization Seeking Assessment (OSA) is dictated by the flow of CUI throughout the environment. Properly identifying all the locations where CUI resides within that environment is critical for OSAs who want to successfully pass upcoming CMMC assessments.

Classifying CUI defines the scope of an organization's assessment, so it is critical that it is done properly. For each classification, the number of CMMC requirements that apply to the asset varies, and the determining factor for asset classification is the way in which the asset interacts with sensitive data.

How do DFARS and CMMC Level 2 overlap?

CMMC and DFARS 7012 collectively consist of the following basic requirements:
  1. Adequate Security: NIST SP 800-171's 110 security controls

  2. Contractual Flowdown: If the prime contractor has to meet DFARS and CMMC requirements and CDI/CUI is passed down to subcontractors, then the sub is required to meet the same level of CMMC.

  3. Event and Incident Reporting: In response to an incident or cyber event, DFARS 7012 requires your organization to notify the DoD through formal reporting mechanisms. The DoD will need access to your environment - including cloud tenants and other cloud systems handling CUI.

  4. FedRAMP Compliance for Partners: Since 2016 DFARS clause 252.204-7012 has said that if a contractor puts CUI in the cloud then the contractor needs to require and ensure that the cloud service provider meets security requirements "equivalent" to the FedRAMP Moderate baseline.

    On 12/21/23, the DoD released a memo clarifying the stringent requirements of FedRAMP Moderate "equivalency", effective immediately. DoD contractors are now on the hook for their Cloud Service Provider's (CSP) FedRAMP compliance. According to the memo, the DoD demands a lot of contractors whose defense data is stored, processed, or transmitted by a FedRAMP Equivalent CSP.

    A FedRAMP Moderate Authorized CSP will require considerably less effort by the contractor. You can check whether your CSP is Authorized on the FedRAMP Marketplace. If you do have a FedRAMP Moderate "equivalent" CSP, you might consider switching to a FedRAMP-Tailored solution. We recommend either Microsoft GCC or GCC High.

How should I prepare for CMMC Level 2 now?

Aerospace and defense contractors should be taking the following measures right now in order to prepare for CMMC Level 2 assessments:

  1. Define Your Required Level
  2. Identify Assets
  3. Choose A Technical Design
  4. Implement Microsoft Government
  5. Find A Managed Service Provider
  6. Prepare and Document for CMMC
  7. Complete a CMMC Assessment

What solution can get me to CMMC Level 2?

Properly configured, the Microsoft Government suite can satisfy the controls found in CMMC Level 2. Essentially, there are two options for approaching CMMC compliance.

1. The All-In Approach

2. Cloud Enclave


This blog covers the implementation of Microsoft Government (GCC and GCC High) for CMMC Level 2 compliance.

How do I prepare for a CMMC Level 2 assessment?

To pass a CMMC Level 2 assessment, companies will be assessed by an authorized Cyber-AB C3PAO on their ability to meet and demonstrate all practices for Levels 1 and 2 in aggregate.

This will include technical architecture and solutions, along with written policies and procedures.

CMMC Events for The DIB

What Is CS2?

CS2, or The Cloud Security and Compliance Series, is an ongoing informational series for contractors in the Defense Industrial Base looking to meet federal compliance mandates. These hybrid events are specifically curated towards aerospace and defense contractors and those in higher education institutions looking for practical approaches to address security threats, invest in the culture of cybersecurity for their organization, and glean best practices for their cloud investments.

Areas of focus for CS2 events include, but are not limited to
