CMMC Level 2: Going Beyond the Basics

Remember fire drills?

The monthly interruption in your school or office building that took you outside in a single file line. The tedious, time-consuming, often jarring practice that happened “in the unlikely event.” While the drills themselves seemed like an unneeded disruption, the science behind safety protocols like this has proven to save lives. In emergencies, adrenaline pumps and provides a heightened, overwhelming sense of awareness that hinders decision making skills. When nerves get in the way of taking swift action, a dangerous situation can become a deadly one. While walking outside in single file seems simple enough, this task can devolve quickly into chaos when adrenaline and stress are involved. In emergencies, our faculties are no longer capable of logical decisions, but they can rely on muscle memory or ingrained training.

Schools, private offices, and entire governments invest in emergency training — and CMMC is no exception. The Cybersecurity Maturity Model Certification is meant to standardize information security for all defense contractors. There are five levels within this certification, ranging from “basic security hygiene” to “advanced cybersecurity plan.” Level 1 certification focused on best technical practices in cybersecurity, but Level 2 will require documented policies, standards, and procedures. In a fire drill, an organization should have a plan of how to behave, which exits to use, who is the designated leader, and where to gather once out of the building. When faced with a cyberattack, can you provide your organization with a plan to rely on?

This is what Level 2 CMMC sets out to achieve; to help organizations develop and adhere to clear processes to keep security top-of-mind. Level 2 requires 72 practices, or things your organization needs to do in order to be compliant. This level adds 55 practices to the 17 practices in Level 1. For every practice in Level 2, organizations will need to prove their adherence with documentation of policies, standards and procedures.

Just as you would want to make sure your fire drill protocol is well-documented and communicated, CMMC Level 2 requirements help you do the same from an information security standpoint.

1. Review the “Blueprint”

It’s common for fire drill planning to commence by reviewing a blueprint or layout of the building. Familiarizing yourself with the most important components (exits, stairwells, walkways, etc.) allows you to formulate your plan. Through the lens of CMMC, we can do that by walking through the most important requirements you will need to follow.

Let’s look at the Technical Mechanisms your organization will need to have in place. You’ll need to:

  • Configure Active Directory Group Policy Objects
  • Implement the following tools/solutions:
    • Centralized logging and correlation system
    • Automated IT discovery and asset management system
    • Vulnerability management scanning system
    • Advanced endpoint protection system that monitors installed software
    • Multi-factor authentication (MFA) system, specifically for admin and remote access
    • Card readers into physical areas where FCI or CUI is transmitted, processed or stored
    • Cameras to monitor physical areas where FCI or CUI is transmitted, processed or stored
    • Risk management application (we have something to take care of this one)

These technical mechanisms meld together to serve as your blueprint – when all combined you will have a good sense of your access points, the state of your equipment, your high traffic areas, and the security mechanisms in place.

2. Standardize and Document

Now that we have a detailed blueprint of our “building,” the next step in fire drill planning is to document the actions everyone needs to take to respond effectively. In addition to the technical mechanisms above, CMMC Level 2 places focus on establishing policies and practices that support those technical components.

Specifically, in CMMC Level 2 your organization will need to:

  • Implement/maintain a policy that communicates the organization’s requirements for how CMMC compliance will be managed
  • Implement/maintain procedures for how the technology mechanisms will be implemented and managed
  • Additional policies and practices include:
    • Implement/maintain a cybersecurity awareness training program
    • Change management procedure
    • Configuration management standards
    • Incident handling procedure
    • Implement/maintain logging and auditing standards
    • Implement/maintain a System Security Plan (SSP)
    • Implement/maintain a Risk Management policy
    • Implement/maintain a Vulnerability Management policy
    • Implement/maintain an encryption standard

In a fire drill, everyone from the CEO to the newest team member is expected to leave the building. However, while everyone needs to exit, they may have different roles, responsibilities, or needs that factor into the actions they take. The same can hold true for cybersecurity measures. As your organization documents the policies above, keep these schools of thought in mind: the principal of least privileges and of least functionality. When standardizing a program, it’s best to only offer the most relevant parts of the network for employees to do their job. The accounting department needs access to payroll, yet the marketing department does not. For teams that use similar tools, be sure to restrict accounts based on functionality as well, the idea being that only appropriate accounts have access to the tools they need and nothing more.

3. Implement the Plan

Properly training and ultimately, enforcing these standardized procedures will be a marker for which organizations earn Level 2 certification for CMMC. To make sure no one is slipping through the cracks, even the most tech-savvy or experienced workers, there will need to be documented training procedures put in place for all employees. The questions posed by this level are, “Do all employees follow best practices? Is training updated in response to the most current threats? Are incident response plans prepared and practiced regularly?” This safeguard is arguably the most important when faced with potential threats; CMMC hopes to make these protocols as effective and as second nature as a fire drill.

4. Maintain the Plan

After the front-end work of preparing security measures and actively training all employees appropriately, organizations will then need to prove the ongoing maintenance of these procedures. Whether it’s updated training to reflect the most recent malicious activities, literal updating of applications, or even requiring new password credentials after X number of days can help prove the maturity of your cybersecurity environment. When possible, Tetra Defense recommends turning automatic updates on across all systems. No matter how inconvenient it may be to wait for an update to load or to become familiar with a new interface, it is one of the best defenses against some vulnerabilities.

5. Monitor for Reasons to Update the Plan

Similar to implementing an automatic update system, it’s worthwhile to invest in an automatic monitoring solution. Taking inventory of all devices and entrances to a network is required in Level 1 CMMC, and Level 2 will ensure the “fire drill” factor when it comes to monitoring. The importance of logging is clear when determining the “who,” “what,” and “when” of a cyberattack, but it also contributes to ongoing training if communicated appropriately. Tetra recommends automating the central logging and correlation system to alert appropriate personnel, as well as generate reports on a daily, weekly, quarterly, and annual basis for ongoing monitoring.

A complete overview of the required capabilities of Level 2 can be found in the official CMMC documentation. The overarching theme for Level 2 certification is that having all of the technical tools of the trade are just the tip of the iceberg. For the sake of national security, planning, implementing, and overall sustainability is key. Making sure to plan and prepare for a potential attack, as well as communicating these practices clearly will prove your plan is robust. After all, in an emergency, few swift decisions can be made. Just like the frequent practice of doing a fire drill or testing tornado sirens, Level 2 ensures an organization has a plan in place to identify, detect, and ultimately resolve any potential incidents.

Check out some related content on our blog: