In previous blogs, we’ve attempted to simplify CMMC and its pseudo-predecessor, NIST 800-171, as well as outlining the predicted timeline for CMMC implementation. Today, we’re taking a look at the second level of CMMC certification. Join us as we explore what the level entails, why you might want to consider advancing, and how to go about achieving it.
CMMC Level 1 (Foundational): The Starting Point
Most SMBs begin their CMMC journey with Level 1, known as the Foundational level. At this stage, businesses are expected to implement basic safeguarding practices to protect Federal Contract Information (FCI). These practices are generally straightforward and include measures like limiting physical access to systems, controlling who can access information, and keeping malicious-code protection up to date. For many SMBs, Level 1 is the most accessible entry point to DoD contracts that involve only FCI, since it is verified by an annual self-assessment rather than a third-party evaluation, so you can confirm compliance without that added expense.
However, while Level 1 is sufficient for contracts that involve only FCI, if you’re aiming for more substantial contracts involving Controlled Unclassified Information (CUI), you’ll need to step up your cybersecurity efforts.
Advanced Cybersecurity for Small Businesses: CMMC Level 2
Unlike the self-assessment approach of Level 1, Level 2 introduces third-party assessments for most contracts, to verify that a business isn’t just claiming compliance but is actually implementing and maintaining the required cybersecurity practices.
Essentially, Level 2 means your cybersecurity processes are documented and all 110 security requirements of NIST SP 800-171 are in place. At this level, organizations must document their processes, typically in a System Security Plan (SSP), so that they can be repeated in a standardized manner and shown to an assessor.
Depending on the sensitivity of the CUI a contract involves, the assessment requirements will differ, and the DoD specifies in each solicitation which track applies. Most Level 2 contracts require an assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years; a small subset allow a self-assessment on the same three-year cycle. In both cases a senior official must affirm continued compliance annually to maintain certification. The DoD expects the self-assessment track to cover fewer than 5% of Level 2 contractors.
Don’t forget, though, any contractual requirements you currently have could shift when the CMMC rulings are introduced. You’ll need to understand which types of data your business handles (or is going to handle) in order to stay ahead.
Who Needs CMMC Level 2?
DoD contractors and subcontractors that store, process, or transmit controlled unclassified information (CUI) through their IT systems (or are planning to in the future) will be required to have Level 2 certification once CMMC 2.0 is fully rolled out. Once the CMMC ruling goes into effect (likely Q1 2025), the DoD estimates that Level 2 certification will be obtained by around one-third of defense contractors—which could give them a competitive edge over the two-thirds who don’t. You’ll know if a contract requires this level because it’ll be specified during solicitation.
When the CMMC framework is fully implemented, compliance will no longer be optional. Failing to achieve the necessary certification level could result in the loss of current contracts and disqualification from future opportunities. And, because the process can take some time, it’s better to begin the journey to CMMC Level 2 compliance sooner rather than later.
Achieving CMMC Level 2: The Path Forward
The good news for SMBs is that if you’re already compliant with NIST SP 800-171—a framework many DoD contractors are already familiar with—you’re well on your way to meeting CMMC Level 2 requirements. CMMC Level 2 demands full implementation of NIST SP 800-171 Rev. 2 (all 110 requirements), meaning that much of the groundwork may already be in place.
To achieve CMMC Level 2, your organization will need to undergo a thorough assessment. This can be conducted by a certified third-party assessor, who will evaluate your current cybersecurity posture against the CMMC Level 2 requirements—though there are currently discussions around whether Level 2 contractors might be able to self-assess during the rollout period.
If your business meets all the criteria, you’ll be awarded final certification.
If there are gaps in your defenses, you may receive a conditional certification, which allows you to submit a Plan of Action and Milestones (POA&M) outlining how you’ll close them. Those remaining requirements must be implemented and verified within 180 days, or the conditional status lapses along with your eligibility for contracts requiring Level 2 certification.
Don’t mistake the POA&M for a safety net: only a small number of lower-weighted requirements may be deferred, none of the highest-weighted ones can be, and your assessment score must already be at least 88 out of 110. You’ll need to have fully implemented the vast majority of the requirements before evaluation.
For many, achieving CMMC Level 2 will require partnering with an IT service provider experienced in advanced cybersecurity. These providers can assist in conducting gap analyses, implementing any necessary controls either business-wide or in designated enclaves, and ensuring that all your documentation and processes are in line with CMMC requirements for SMBs. By leveraging the expertise of an IT service provider, you can streamline the path to certification, ensuring that your business remains competitive in the defense industry.
Ready for CMMC Level 2?
While Level 1 is a great starting point, obtaining Level 2 certification ensures you’re not misinterpreting CMMC guidelines and mistakenly claiming compliance with requirements that you don’t actually meet. With thorough documentation processes and external verification, your business’s cybersecurity practices are kept watertight and ready to evolve should you wish to level up again in the future.
Infinity Technologies: Premier Managed IT, Cybersecurity, and IT Support Partners for Businesses in Northern Virginia
At Infinity Technologies, we specialize in providing IT and cybersecurity solutions that cover all bases—from support and ongoing assessments to threat management, response, and recovery—to SMBs in Charlottesville, VA, and beyond. Our services are designed to keep your business safe, secure, and operational, no matter the cyber threats you face.
Curious to see the difference that we can make for your SMB? Contact us today to learn how our IT support and cybersecurity solutions can provide the robust protection your business deserves.