Level 2: Intermediate cyber hygiene

CMMC Level 2 adds security domains and security practices to Level 1, increasing cybersecurity maturity. It adds 55 practices to the 17 of Level 1, bringing the total under evaluation to 72 (17 + 55). Those 72 are the 17 Level 1 practices, 48 further requirements drawn from NIST SP 800-171 (Revision 1 when CMMC was published, now Revision 2) and 7 practices from other sources. Level 2 compliance requires an organisation to demonstrate both practice compliance (all 72 practices are performed) and Level 2 process compliance (the practices are documented in policies and procedures that guide their implementation).

By demonstrating that the Level 2 practices are both performed and documented, the organisation develops its cyber security maturity for the protection of Federal Contract Information (FCI), and begins to address the protection of Controlled Unclassified Information (CUI).

Processes: Documented
Level 2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts. Documenting practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practising them as documented.

Practices: Intermediate cyber hygiene
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 [4] as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices reference the protection of CUI.

CMMC Level 2 consists of 15 security domains addressing 28 capabilities, with 55 security practices in addition to those of Level 1.

Domain / Capability / Practice / Practice description

Access Control (AC)
  C001 Establish system access requirements
    AC.2.005  Provide privacy and security notices consistent with applicable Controlled Unclassified Information (CUI) rules.
    AC.2.006  Limit use of portable storage devices on external systems.
  C002 Control internal system access
    AC.2.007  Employ the principle of least privilege, including for specific security functions and privileged accounts.
    AC.2.008  Use non-privileged accounts or roles when accessing nonsecurity functions.
    AC.2.009  Limit unsuccessful logon attempts.
    AC.2.010  Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
    AC.2.011  Authorize wireless access prior to allowing such connections.
  C003 Control remote system access
    AC.2.013  Monitor and control remote access sessions.
    AC.2.015  Route remote access via managed access control points.
    AC.2.016  Control the flow of CUI in accordance with approved authorizations.

Audit & Accountability (AU)
  C007 Define audit requirements
    AU.2.041  Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
  C008 Perform auditing
    AU.2.042  Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity.
    AU.2.043  Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
  C010 Review and manage audit logs
    AU.2.044  Review audit logs.

Awareness & Training (AT)
  C011 Conduct security awareness activities
    AT.2.056  Ensure that managers, system administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.
  C012 Conduct training
    AT.2.057  Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

Configuration Management (CM)
  C013 Establish configuration baselines
    CM.2.061  Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles.
    CM.2.062  Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
    CM.2.063  Control and monitor user-installed software.
  C014 Perform configuration and change management
    CM.2.064  Establish and enforce security configuration settings for information technology products employed in organizational systems.
    CM.2.065  Track, review, approve or disapprove, and log changes to organizational systems.
    CM.2.066  Analyze the security impact of changes prior to implementation.

Identification & Authentication (IA)
  C015 Grant access to authenticated entities
    IA.2.078  Enforce a minimum password complexity and change of characters when new passwords are created.
    IA.2.079  Prohibit password reuse for a specified number of generations.
    IA.2.080  Allow temporary password use for system logons with an immediate change to a permanent password.
    IA.2.081  Store and transmit only cryptographically protected passwords.
    IA.2.082  Obscure feedback of authentication information.

Incident Response (IR)
  C016 Plan incident response
    IR.2.092  Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities.
  C017 Detect and report events
    IR.2.093  Detect and report events.
    IR.2.094  Analyze and triage events to support event resolution and incident declaration.
  C018 Develop and implement a response to a declared incident
    IR.2.095  Develop and implement responses to declared incidents according to pre-defined procedures.
  C019 Perform post-incident reviews
    IR.2.097  Perform root cause analysis on incidents to determine underlying causes.

Maintenance (MA)
  C021 Manage maintenance
    MA.2.111  Perform maintenance on organizational systems.
    MA.2.112  Provide controls on the tools, techniques, mechanisms and personnel used to conduct system maintenance.
    MA.2.113  Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
    MA.2.114  Supervise the maintenance activities of personnel without required access authorization.

Media Protection (MP)
  C023 Protect and control media
    MP.2.119  Protect (e.g., physically control and securely store) system media containing Federal Contract Information, both paper and digital.
    MP.2.120  Limit access to CUI on system media to authorized users.
    MP.2.121  Control the use of removable media on system components.

Personnel Security (PS)
  C026 Screen personnel
    PS.2.127  Screen individuals prior to authorizing access to organizational systems containing CUI.
  C027 Protect federal contract information during personnel actions
    PS.2.128  Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Physical Protection (PE)
  C028 Limit physical access
    PE.2.135  Protect and monitor the physical facility and support infrastructure for organizational systems.

Recovery (RE)
  C029 Manage back-ups
    RE.2.137  Regularly perform and test data back-ups.
    RE.2.138  Protect the confidentiality of backup CUI at storage locations.

Risk Management (RM)
  C031 Identify and evaluate risk
    RM.2.141  Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of CUI.
    RM.2.142  Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  C032 Manage risk
    RM.2.143  Remediate vulnerabilities in accordance with risk assessments.

Security Assessment (CA)
  C034 Develop and manage a system security plan
    CA.2.157  Develop, document and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems.
  C035 Define and manage controls
    CA.2.158  Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
    CA.2.159  Develop and implement plans of action (e.g., POA&M) designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

System & Communications Protection (SC)
  C038 Define security requirements for systems and communications
    SC.2.178  Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
    SC.2.179  Use encrypted sessions for the management of network devices.

System & Information Integrity (SI)
  C040 Identify and manage information system flaws
    SI.2.214  Monitor system security alerts and advisories and take action in response.
  C042 Perform network and system monitoring
    SI.2.216  Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
    SI.2.217  Identify unauthorized use of organizational systems.

Table:  CMMC Level 2 domains, capabilities and practices
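The Identification & Authentication practices IA.2.078 to IA.2.082 are the one group in the table that describe a concrete mechanism rather than a process, and they interact in ways the one-line descriptions do not show. The following is an added example written for this page, not code from the CMMC model or from any vendor product. The policy numbers (12 characters, 3 character classes, 4 changed characters, 24 generations, 600,000 PBKDF2 iterations), the account record layout and the sample user are assumptions. The point to notice: because IA.2.081 means only salted hashes are retained, the IA.2.079 reuse check has to re-derive the candidate against every retained generation, and the IA.2.078 "change of characters" check is only possible because the user presents the current password in clear at change time.

```python
"""Password handling for CMMC practices IA.2.078 to IA.2.082 (added example).

Illustrative code written for this page, not part of the CMMC model or of any
product. The account store, user name and policy values are assumptions.
"""
import hashlib
import hmac
import os
import string

# Assumed policy values; the CMMC practices themselves set no numbers.
MIN_LENGTH = 12               # IA.2.078 complexity
MIN_CLASSES = 3               # of lower, upper, digit, symbol (IA.2.078)
MIN_CHANGED_CHARS = 4         # IA.2.078 "change of characters"
HISTORY_GENERATIONS = 24      # IA.2.079 reuse window (current + 23 previous)
DEFAULT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (IA.2.081)

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def _pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """IA.2.081: keep only a salted, iterated hash plus its cost parameter."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt, iterations),
            "iterations": iterations}


def verify_record(password: str, record: dict) -> bool:
    candidate = _pbkdf2(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def new_account(username: str, temporary_password: str,
                iterations: int = DEFAULT_ITERATIONS) -> dict:
    """IA.2.080: an account starts on a temporary password that must be changed."""
    return {"user": username, "iterations": iterations,
            "current": make_record(temporary_password, iterations),
            "history": [], "must_change": True}


def complexity_problems(password: str) -> list:
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES)
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    return problems


def changed_characters(old: str, new: str) -> int:
    """Positions that differ with the strings aligned at the start, plus any
    length difference. Only computable at change time, when the user supplies
    the old password in clear; it cannot be derived from stored hashes."""
    same = sum(a == b for a, b in zip(old, new))
    return max(len(old), len(new)) - same


def change_password(account: dict, old_password: str, new_password: str) -> list:
    """Return [] and update the account on success, else the policy violations."""
    if not verify_record(old_password, account["current"]):
        return ["current password incorrect"]
    problems = complexity_problems(new_password)
    if changed_characters(old_password, new_password) < MIN_CHANGED_CHARS:
        problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
    # IA.2.079: each retained generation has its own salt, so the candidate is
    # re-derived against every one; the cost grows with the window size.
    window = [account["current"]] + account["history"]
    if any(verify_record(new_password, rec) for rec in window[:HISTORY_GENERATIONS]):
        problems.append(f"matches one of the last {HISTORY_GENERATIONS} passwords")
    if problems:
        return problems
    account["history"].insert(0, account["current"])
    del account["history"][HISTORY_GENERATIONS - 1:]  # keep current + 23 previous
    account["current"] = make_record(new_password, account["iterations"])
    account["must_change"] = False
    return []


def authenticate(account: dict, password: str) -> str:
    """'ok', 'change-required' (temporary password, IA.2.080) or 'denied'.
    IA.2.082: the login UI shows one generic message for 'denied' and never
    echoes what was typed."""
    if not verify_record(password, account["current"]):
        return "denied"
    return "change-required" if account["must_change"] else "ok"


if __name__ == "__main__":
    acct = new_account("jdoe", "Temp-Pass-2024!")  # constructed sample account
    print(authenticate(acct, "Temp-Pass-2024!"))                        # change-required
    print(change_password(acct, "Temp-Pass-2024!", "Temp-Pass-2025!"))  # too few changed
    print(change_password(acct, "Temp-Pass-2024!", "Wr0ng-Way-Up-9"))   # []
    print(change_password(acct, "Wr0ng-Way-Up-9", "Temp-Pass-2024!"))   # reuse rejected
    print(authenticate(acct, "Wr0ng-Way-Up-9"))                         # ok
```

The record stores its own iteration count so the work factor can be raised later without invalidating old hashes, and the reuse check deliberately runs the full derivation against each generation rather than comparing with a single unsalted hash, which is what makes IA.2.079 compatible with IA.2.081.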