Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented. Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in the National Institute for Science and Technology (NIST) Special Publication (SP) 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices reference the protection of Controlled Unclassified Information (CUI).
The NIST SP 800-171 is the catalog of security controls (or requirements) required, for which CMMC is based upon. These controls are grouped into a family of similar controls based on what process they impact. One key consideration is that the controls are only applicable to the systems that process CUI. If you’ve segregated your networks between commercial and government customers then you need only focus on the government segment. Below are the families and their impact on your organization. Rather than repeating the control requirements, we’re going to discuss what we believe are high-level impacts on your infrastructure. Obviously this is not meant to override or even supplement the language in the CMMC docs, but rather give you an executive overview of what we believe to be significant impacts to you and your business.
Level 2 has 10 controls in the Access Control family, these deal with controlling access to CUI and safeguarding those access control mechanisms.
In level 1 you implemented a firewall and IDS, in Level 2 you now have to establish firewall rules to control the flow of CUI between your servers, internal or cloud-based. Remember, this only affects servers that process/store CUI.
You can’t give everyone administrator permissions on their computer and even the administrator must have a regular user account for when they are engaged in non-admin related activities.
Remote access must be controlled and authorized prior to connectivity. This means that software like logmein or teamviewer will most likely need to be prohibited.
Portable storage devices cannot be used on non-company owned computers, or at least must be limited to specific use-cases.
This family basically requires that you train your users on proper cybersecurity. This can easily be outsourced to a company like Inspired eLearning. You could develop your own training but we like the idea of just outsourcing the whole process. Inspired eLearning does allow for the export of their training materials for use in your own Learning Management System (LMS).
Each computer and network device has the ability to collect information on who did what and when as well as other security relevant activities; such as successful and unsuccessful login attempts. These settings must be turned on to collect that data in the event a security incident is incurred. This data allows for forensic analysis of the security incident and ensures that the scope of the incident and possibly the cause of the incident can be determined.
A key component to any good cybersecurity and IT program is Configuration Management; this is the process by which you control the software and hardware that is used on your network as well as the individual configuration settings that set up the computers and network equipment. A good configuration management program includes a Configuration Control Board; a board made up of stakeholders who review each change and it’s impact to their area of responsibility,
There is only one Level 2 control in this control family and it requires that your passwords are obscured when input to the system. All modern systems obscure the password so this should already be implemented throughout your network.
A rudimentary incident response capability will need to be established. The incident response plan will require your team to be prepared for incidents and that they can detect, analyze, contain, and recover from incidents. One of the more prevalent incidents that cripple businesses is ransomware. A simple method to recover from ransomware is to maintain backups of your data and systems so that they can easily be restored.
For this control family, you must maintain your systems, and control that maintenance; this includes activities like corrective maintenance, preventative maintenance, adaptive maintenance, and perfective maintenance. Basically you’ll need an IT team that is ready to implement a maintenance program. You can easily outsource this to a Managed Service Provider (MSP) who can maintain your system’s software and hardware.
Controlling the maintenance means that you are aware and approve any tools, techniques, mechanisms, and personnel that maintain your system. A good MSP will have these controls already in place.
This control family requires that you prohibit the reuse of passwords, so that each generation of a users password is unique. You’ll also need to use temporary passwords when assigning a password to a new user, or a password reset, and that this password is immediately changed upon their first logon with the new password.
This control family basically requires you to protect, control, backup, and limit access to media (paper and digital) that contains CUI. The easiest way to implement this is to prohibit external media and keep CUI papers locked up in a filing cabinet when not in use.
There are only two easy to implement controls in Personnel Security; implement background screening and control CUI during personnel transfers and terminations. Make sure that company equipment is returned to the company when it’s no longer needed by an employee.
Implement some form of physical security control and monitoring for public areas and network/server rooms. This can be either a front desk person or cameras. Other device implementations can be used but these are the most common.
You’ll need a security professional to conduct risk assessments on a periodic basis. This goes above and beyond the control implementation and assesses the risk of being compromised and the mitigations that are in place. The types of risk mentioned in the control are Mission, Functions, Image and Reputation risks. You’ll also need to scan your computers for vulnerabilities and remediate any vulnerabilities found. An MSP or Managed Security Service Provider will be able to assist with this control.
This requires that you periodically verify the CMMC controls that you have in place as well as their effectiveness and develop a Plan of Actions and Milestones for each weakness that is identified by the security assessment. A system security plan will need to be developed and updated periodically as well. There is no guidance from CMMC on what should be included in the system security plan.
Simply store and transmit only encrypted representation of passwords. On your computers this is already implemented, where you’ll want to check on this is any software or web applications. Some applications still transmit your password in an unencrypted format. Check with the developer of provider to ensure that this control is implemented. Remember this is only for software that processes/stores CUI.
This control should already be implemented on modern Operating Systems. Prohibit the remote activation of collaborative computing devices, like your camera or microphone.
This is an enhancement to the firewall and IDS that you implemented in Level 1. You need to monitor your IDS and Firewall as well as identify any unauthorized use of the information systems. This may also require the monitoring and analysis of your audit log information, although that is a separate requirement in Level 3.
Your incident response capability from Level 1 will need to be a bit more robust in that you have predefined responses to incidents and you perform root cause analysis as well as detecting and reporting events. Some incidents will need to be reported to the DoD, verify with the DFARS 7012 clause to determine which events are reportable, and to whom.
Non Local or remote maintenance requires multi-factor authentication to protect the connection and prevent the compromise of your maintenance accounts. If a maintenance person doesn’t have authorization to use your system, (i.e. Xerox maintenance personnel) then they must be supervised by an employee.
Regularly perform and test data backups. Your MSP or IT staff should be able to implement this with little to no problems. Backup and recovery software is very mature and should be easily implemented.
Use encrypted sessions for the management of network devices. This requires that you are using HTTPS protocol for any web based access to manage your network devices. Some devices allow for the less secure HTTP protocol.