Understanding CMMC controls is crucial for any business looking to work with the DoD. Whether you're a large contractor or a small business, adopting these security measures can make a significant difference in your cybersecurity efforts.

Let’s explore the three levels of CMMC 2.0 and tips for implementing requirements. We’ll also cover a subset of controls from each level for a better understanding of key requirements and security practices. 

The structure of CMMC 2.0

CMMC consists of three levels of cybersecurity maturity, each representing a different degree of cybersecurity practices and protections. 

The latest CMMC 2.0 revision consolidated the compliance levels from five to three. This was done to simplify the framework, making it more accessible for a wider range of organizations to implement. With fewer levels, defense contractors and subcontractors can more clearly identify the necessary requirements, reducing the complexity and associated costs of achieving and maintaining compliance. Plus, a simplified framework allows for a more efficient certification process. 

Here's a brief overview of each CMMC certification level:

• Level 1 - Foundational: Focuses on basic cyber hygiene, suitable for all contractors handling Federal Contract Information (FCI), with 17 essential requirements.
• Level 2 - Advanced: Aligns with NIST SP 800-171, targeting intermediate cyber hygiene for organizations handling Controlled Unclassified Information (CUI), incorporating 110 comprehensive requirements.
• Level 3 - Expert: Targets advanced cybersecurity practices for highly sensitive information, with 130 practices aimed at protecting against Advanced Persistent Threats (APT).

Each level of CMMC 2.0 represents a step up in cybersecurity maturity, ensuring that organizations progressively enhance their ability to protect sensitive information and respond to cyber threats.

CMMC 2.0 domains and practices

CMMC 2.0 is divided into 14 domains, each representing a key area of cybersecurity.

1. Access Control (AC)
2. Awareness and Training (AT)
3. Audit and Accountability (AU)
4. Configuration Management (CM)
5. Identification and Authentication (IA)
6. Incident Response (IR)
7. Maintenance (MA)
8. Media Protection (MP)
9. Personnel Security (PS)
10. Physical Protection (PE)
11. Risk Assessment (RA)
12. Security Assessment (CA)
13. System and Communications Protection (SC)
14. System and Information Integrity (SI)

Each maturity level within these domains includes specific requirements. These requirements are the actionable steps or security controls that organizations must implement to achieve the corresponding level of cybersecurity maturity. Requirements are cumulative, meaning that higher levels include the requirements from the lower levels.

For example, the Access Control (AC) domain includes the following requirements. 

Level 1: 

• 3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
• 3.1.2: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• 3.1.20: Verify and control/limit connections to and use of external information systems.
• 3.1.22: Control information posted or processed on publicly accessible information systems.

Level 2: In addition to Level 1 controls, implement:

• 3.1.10: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
• 3.1.11: Terminate (automatically) user sessions after a defined condition.
• 3.1.12: Monitor and control remote access sessions.
• 3.1.14: Route remote access via managed access control points.
• 3.1.15: Authorize remote execution of privileged commands and remote access to security-relevant information.
• 3.1.16: Authorize wireless access prior to allowing such connections.
• 3.1.17: Protect wireless access using authentication and encryption.
• 3.1.18: Control connection of mobile devices.
• 3.1.19: Encrypt CUI on mobile devices and mobile computing platforms.
• 3.1.21: Limit use of portable storage devices on external systems.
• 3.1.3: Control the flow of CUI in accordance with approved authorizations.
• 3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
• 3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
• 3.1.6: Use non-privileged accounts or roles when accessing non-security functions.
• 3.1.7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
• 3.1.8: Limit unsuccessful logon attempts.
• 3.1.9: Provide privacy and security notices consistent with applicable CUI rules.

Level 3: Adds the 24 additional requirements in NIST 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information. This is a supplemental publication to NIST 800-171 that details enhanced security requirements for safeguarding critical information against advanced persistent threats. 

Under NIST 800-172, Access Control requirements include:

• 3.1.1e: Employ dual authorization to execute critical or sensitive system and organizational operations
• 3.1.2e: Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization
• 3.1.3e: Employ organization-defined secure information transfer solutions to control information flows between security domains on connected systems.

This tiered structure helps organizations systematically improve their cybersecurity posture by implementing increasingly mature practices.

Examples of CMMC 2.0 controls

Let’s take a closer look at specific examples of security practices for each level of CMMC 2.0 compliance. 

Level 1: Foundational

This level includes basic safeguarding practices required for all defense contractors handling FCI. These practices align with FAR 52.204-21 and include security measures such as antivirus protection, regular password changes, and physical security measures.

A few examples of Level 1 compliance requirements:

• Limit information system access to authorized users.
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• Verify and control/limit connections to and use of external information systems.
• Control information posted or processed on publicly accessible information systems.
• Identify information system users, processes acting on behalf of users, or devices.
• Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
• Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
• Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
• Escort visitors and monitor visitor activity.
• Maintain audit logs of physical access.
• Control and manage physical access devices.
• Provide protection from malicious code at appropriate locations within organizational information systems.
• Update malicious code protection mechanisms when new releases are available.
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
• Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
• Identify, report, and correct information and information system flaws in a timely manner.
• Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Level 2: Advanced

This level is aligned with NIST SP 800-171 and includes practices for protecting CUI. It builds on Level 1 by adding more comprehensive cybersecurity measures and policies.

Examples of key Level 2 compliance requirements include: 

• Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
• Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
• Ensure the confidentiality of CUI at rest.
• Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
• Implement a capability to discover and identify systems in order to maintain an up-to-date asset inventory.
• Develop, document, and maintain under configuration control, a current baseline configuration of the information system.
• Conduct penetration testing periodically on information systems to identify vulnerabilities.
• Employ automated mechanisms to detect and alert any unauthorized hardware or software.
• Employ spam protection mechanisms at information system entry and exit points to detect and act on unsolicited messages.

Level 3: Expert

This level is intended for organizations handling the most sensitive information and aligns with a subset of NIST SP 800-172. It includes advanced and adaptive cybersecurity measures to protect against sophisticated threats.

Controls for this level of compliance include continuous monitoring, advanced threat detection, and network segmentation. Here are a few additional control examples: 

• Establish and maintain a security operations center to monitor, analyze, and respond to security incidents.
• Implement advanced network segmentation to contain and limit the impact of potential cyber incidents.
• Employ deception technologies to detect, analyze, and respond to advanced persistent threats.
• Conduct red team exercises to test organizational response capabilities against simulated advanced adversary tactics.
• Integrate threat intelligence into the incident response process to enhance detection and response capabilities.
• Implement continuous monitoring and real-time analysis of cybersecurity threats.
• Employ machine learning and artificial intelligence technologies to enhance threat detection and response capabilities.
• Ensure the use of automated tools to support situational awareness and cybersecurity posture assessments.
• Implement and regularly test data backup and recovery plans to ensure the ability to restore critical information in the event of a cyber incident.
• Utilize advanced encryption techniques to protect the integrity and confidentiality of CUI.

What are NFO controls?

 Non-Federal Organization (NFO) controls are baseline security controls that are expected to be a part of any organization's standard cybersecurity posture, regardless of their CMMC level. 

To understand NFO controls, we need to examine NIST 800-171 and its relationship with NIST 800-53. CMMC 2.0 is built around the NIST 800-171 Revision 2. control set, which itself is a derivative of NIST 800-53. NIST 800-171 is designed to be more lightweight, and in the process of paring down NIST 800-53’s 262 controls into a smaller subset for 800-171, NIST made some assumptions about which controls organizations would already have implemented. 

To put it in a different context, a home security company is going to give you advice about cameras and motion sensor lights because they assume you already have locks on your doors. In that same way, NIST 800-171 Revision 2. assumed you already have the basics in place. NFO requirements typically cover areas such as access control, incident response, system and information integrity, awareness and training, and security assessment.

NFO controls were removed in NIST 800-171 Rev. 3. However because CMMC 2.0 is still based on NIST 800-171 Rev. 2, NFO controls remain relevant to an OSC's readiness posture.

CMMC 2.0 control overlap

CMMC controls overlap significantly with other federal frameworks like NIST SP 800-171, NIST SP 800-53, and FedRAMP, as they are all designed to ensure the security of federal information systems and data. 

Here’s how CMMC controls relate to each of these frameworks:

1. CMMC and NIST SP 800-171

There is significant overlap between these two frameworks. NIST SP 800-171 provides a set of guidelines for protecting CUI in non-federal systems and organizations. CMMC 2.0 Levels 2 and 3 include all 110 security requirements from NIST SP 800-171.

CMMC Level 2 is designed to closely align with NIST SP 800-171, making it a natural step for organizations that already comply with NIST SP 800-171. Level 3 adds practices from NIST 800-172 to ensure more robust protection of CUI, especially against advanced persistent threats. 

2. CMMC and NIST SP 800-53

NIST SP 800-53 is a broader and more comprehensive set of security and privacy controls designed for federal information systems. It applies to federal agencies and contractors handling federal information systems and covers a wide range of security controls beyond just those for CUI.

NIST SP 800-53 is more comprehensive than CMMC and covers a wider range of controls that apply to various types of information, not just CUI. It includes controls for high-impact systems, making it relevant for federal agencies and contractors working with more sensitive or critical information.

CMMC draws from NIST SP 800-53, and more specifically its derivative NIST 800-171, and is adapted to meet the specific needs of the DoD supply chain. Most of the controls in CMMC are in NIST 800-53.

3. CMMC and FedRAMP

FedRAMP is specifically focused on cloud service providers (CSPs) and ensures that cloud-based systems used by federal agencies meet stringent security requirements. It uses NIST SP 800-53 as its baseline, but with additional requirements and controls tailored for cloud environments.

CMMC does not specifically target cloud environments like FedRAMP does, but there is a lot of overlap in the security controls required for both. For instance, both frameworks emphasize the importance of access control, incident response, system and information integrity, and continuous monitoring.

Organizations that are both FedRAMP-compliant and seeking CMMC certification may find some overlap in the controls they need to implement, particularly at CMMC Levels 2 and 3. This overlap can help streamline compliance efforts, but organizations must be careful to address the specific requirements of each framework.

The key difference between CMMC and these other frameworks is that CMMC is specifically designed for the DoD supply chain, with a focus on verifying and certifying that non-federal organizations meet the required security standards to protect FCI and CUI. Other frameworks like NIST SP 800-171 and FedRAMP are broader in scope, applying to various sectors and types of information systems beyond just those in the DoD supply chain.

Tips for implementing the CMMC 2.0 controls list

The first step in implementing controls is to understand your compliance level and associated requirements. Once you have a list of controls, you can compare against your current security practices to identify any gaps in your compliance posture. Compliance automation tools like Secureframe will automatically map your existing controls to specific frameworks, including CMMC 2.0, so you can quickly understand your compliance status and focus on implementing any missing controls. And because controls can be mapped to multiple frameworks, organizations that are already compliant with similar frameworks such as NIST 800-171 can quickly demonstrate compliance with CMMC.

Highlight any areas of non-compliance so you can prioritize your efforts and create an implementation plan. You’ll need to assess budget, personnel, and tools needed to implement the required controls. You may need to implement security awareness training tools, compliance and/or GRC tools, CMMC CUI enclaves, and other CUI protection technologies. From a personnel standpoint this may include IT team members, security professionals, compliance officers, HR staff, and other stakeholders across the company. You’ll also need to train personnel to ensure everyone understands their role in the compliance process and in maintaining strong cybersecurity practices. 

Once it’s time to implement specific controls, work off your prioritized list. Keep detailed records of your efforts, including policies, procedures, and evidence of implemented controls. Many organizations find it easiest to start with foundational controls like password policies and antivirus software before implementing more comprehensive controls like encryption and continuous monitoring systems. Secureframe’s compliance platform includes tools to streamline this process, including policy templates, automated evidence collection, and continuous control monitoring. 

After you’ve closed any compliance gaps you can begin the formal CMMC assessment process. Depending on your compliance level, this may involve a self-assessment, working with a Certified Third-Party Assessor (C3PAO), or completing a Supplier Performance Risk System (SPRS) assessment with the DoD.

After certification, you’ll need to continually monitor your control environment to ensure it’s effective and identify any areas of improvement. This also enables you to keep up with evolving threats and any new CMMC revisions or changing requirements.