You’ve implemented your small business cybersecurity protection program to meet all the FAR 52.204-21 (aka FAR 52.240-93) basic protections for Federal Contract Information (FCI). You’ve done your Cybersecurity Maturity Model Certification (CMMC) Level 1 self-assessment, and reported the positive “Yes” results through the Supplier Performance Risk System (SPRS). A senior official at your company has affirmed the reported results in SPRS as well. You can say your business has achieved CMMC Level 1. Now what? If your business needs to handle FCI of a technical or mission-related nature, then that information is probably considered Controlled Unclassified Information (CUI). So, you’ll need to prepare to pass a CMMC Level 2 assessment. In this blog we’ll lay out the steps your small business will need to follow to transition from CMMC Level 1 to Level 2.
The main differences between CMMC Level 1 and Level 2
CMMC Level 1 assesses the organization’s implementation of the “basic” protections for FCI. CMMC Level 2, on the other hand, assesses the organization against a more advanced set of objectives for protecting CUI, the more sensitive subset of FCI. Accordingly, achieving CMMC Level 2 typically requires an order of magnitude more organizational effort. For example, if it took your business a few weeks to build out a CMMC Level 1 cybersecurity program, it will take your team a few months (at least) to build a program that will pass CMMC Level 2.
The table below shows a comparison between the CMMC model Level 1 and Level 2.
| CMMC Level | Associated contract clauses | Number of relevant NIST 800-171 controls | Number of 800-171 Assessment Objectives | Assessment type and frequency |
|---|---|---|---|---|
| 2 | DFARS 252.204-7012 | 110 | 320 | Triennial self- or C3PAO assessment; annual affirmation |
| 1 | FAR 52.204-21 / 52.240-93 | 17 | 59 | Annual self-assessment; annual affirmation |
The key attribute here is the number of “Assessment Objectives”. There are roughly five times as many (320 vs. 59) things to do under CMMC Level 2 when compared to Level 1. And meeting many of those objectives involves implementing technologies most small businesses aren’t used to. Application allowlisting is an example of unfamiliar technology. Additionally, small businesses must inculcate detailed cybersecurity processes, which tend to disrupt business as usual. For instance, for most small businesses, developing an Incident Response process will be a new endeavor.
We must also be cognizant of other Federal government requirements, such as FedRAMP, that come into play for CUI protection. (More on FedRAMP below.) So, CMMC Level 2 is quite a lift for small businesses.
If you’d like to know more about CMMC Level 1, consider participating in our Level 1 Readiness Workshops. The rest of this post will focus on how your business can transition from CMMC Level 1 to Level 2.
First – most important – step when transitioning from CMMC Level 1 to Level 2: Narrowing the scope
For most businesses, their CUI scope will (and should) be different – smaller – than their FCI scope. While the entire staff may be involved in handling the FCI – including sales, HR, legal, receiving, etc. – a smaller portion of the staff handles the more technical CUI information. So the crucial first step in a transition from CMMC Level 1 to Level 2 is to precisely define the CUI system scope. The first step in scoping is identifying exactly what CUI elements your organization handles or will handle in the future. Then you’ll need to characterize the lifecycle of each of the identified CUI elements to determine your asset catalog. We cover scoping extensively in this post, so we encourage you to check that out.
The bottom line though – literally – is to reduce the CUI system scope down to the smallest possible footprint. Protecting CUI is expensive and time-consuming. The smaller the scope, the less the protections cost in time and money.
Categorize your assets
Asset categorization goes hand-in-hand with CMMC Scoping. CMMC Level 2 differs from CMMC Level 1 in the number and type of asset “categories”. Properly categorizing assets can eliminate a lot of the heartache in a CMMC Level 2 assessment. The DoW CMMC Scoping Guide defines five asset categories:
CUI assets
CUI assets are meant to handle – store, process, or transmit – CUI. Examples include CUI workstations, servers, and External Service Providers (ESP, more on these below). CUI Assets must be assessed against the full NIST 800-171 standard.
Security Protection Assets (SPA)
Security Protection Assets (SPA) protect the CUI assets, and may themselves handle Security Protection Data (SPD). Examples include firewalls and Security Information and Event Management (SIEM) servers that process security event logs. SPA must be assessed against all relevant NIST 800-171 controls.
Contractor Risk Managed Assets (CRMA)
Contractor Risk Managed Assets (CRMA) could handle CUI, but by policy are not authorized to do so. Examples include email systems that are not used to handle CUI, and networked printers that users are not authorized to print CUI on. Companies are only assessed for how well they catalog and manage the risk of CRMA, and not against the entirety of the 800-171 standard.
Specialized Assets
Specialized Assets can handle CUI, but are not traditional IT and therefore cannot be subject to a full 800-171 assessment. Examples include industrial controllers, special test equipment, and Government-Furnished Equipment (GFE). Here again, companies are only assessed for how well they catalog and manage the risk of Specialized Assets.
Out of Scope Assets
Out of Scope Assets do not handle CUI or SPD, and are logically or physically isolated from other CUI or SPD Assets. Examples include mobile devices that are only used as hotspots or for MFA, or Virtual Desktop Infrastructure (VDI) clients that only handle keyboard / video / mouse (KVM) data. These assets will not be assessed.
You may be able to save some implementation resources by scoping assets as CRMA instead of full CUI assets, assuming you manage the risk of possible CUI spillage into the CRMA. Administrative controls – in which a policy is established, and then staff are trained on this policy as well as the ramifications for policy violation – are an effective way to achieve this type of scoping.
Ultimately, the CMMC assessment process puts a good deal of focus on your asset categorization. The more effort you put into categorizing assets properly as you transition from CMMC Level 1 to Level 2, the better your cybersecurity program will be, and the smoother your assessment will go.
Gather External Service Providers (ESP) shared responsibility matrices
Each External Service Provider (ESP) that you use to handle or protect your CUI is in your system scope and has a role to play in your assessment. ESPs can be:
- Managed Service Providers (MSP, e.g. day-to-day IT, data backup),
- Managed Security Service Providers (MSSP, e.g. security monitoring),
- or cloud service providers (CSP, e.g. M365, Google Workspaces, filesharing services).
You would have identified ESPs during the CUI system scoping you did as the first step in your CMMC Level 1 to Level 2 transition.
The kicker with ESPs is that they each add to your cybersecurity program management burden. In any ESP environment, security responsibility is shared between the service provider and the service consumer: your business. We describe shared responsibility in depth in this blog. The ESP is responsible for detailing shared responsibilities in a matrix, and the CMMC assessment process mandates that we address our portions of the shared responsibilities in our System Security Plan (SSP). So you’ll need to gather the Shared Responsibility Matrix (SRM, aka Customer Responsibility Matrix, CRM) from each ESP, and integrate them into your SSP. This can be a lot of work, so you’ll want to start this process early. (BTW, you can manage your SSP and SRMs in our Totem™ Cybersecurity Compliance Management tool.)
SRMs come in many forms, so to make your job easier you’ll want to make sure your ESP maps their SRM to the NIST 800-171 standard. If your ESP doesn’t have an SRM or it isn’t mapped to the 800-171, you may want to look for another vendor. Or consider providing them with our SRM template, available in the blog mentioned above.
Cloud Service Providers (CSP) that handle CUI have additional FedRAMP requirements that do not come into play in CMMC Level 1. CMMC Level 2 requires you to ensure CUI-handling CSPs have a FedRAMP Class C/D Certification (formerly FedRAMP “Moderate” Authorization) or equivalent. This requirement severely limits your CSP options for handling CUI, so you’ll need to ensure your CSP is FedRAMP Certified or equivalent early on in the transition. Switching ESPs can be very painful, and in many cases invalidate a CMMC Level 2 assessment, so do your homework.
Building your documents (or transitioning CMMC Level 1 documents to Level 2)
The core documents in your cybersecurity program are the System Security Plan (SSP) and Plan of Actions and Milestones (POA&M). The SSP lays out a set of “blueprints” for the cybersecurity program, by establishing expectations (policies) and describing how those policies are enforced (technology or procedures). The POA&M describes how to turn those blueprints into a reality, and fix any residual deficiencies.
While CMMC Level 1 does not require formal documentation of the cybersecurity program, CMMC Level 2, through the NIST 800-171 standard, definitively does. Even for the smallest micro-business, the documentation required to achieve CMMC Level 2 certification, whether self or C3PAO, will be voluminous. Accepting this as a reality is a crucial step in the transition from Level 1 to Level 2.
You must be able to communicate intricate details of your cybersecurity program to internal stakeholders as well as external 3rd parties. The most effective way to do this is to roll up your sleeves and start addressing the nitty-gritty details of the cybersecurity program. Your SSP should address each one of the NIST 800-171 Assessment Objectives (see above), and your POA&M items should map back to the Assessment Objectives as well.
In addition to the SSP and POA&M, your organization will need an Incident Response Plan (IRP), and most likely a dozen or so peripheral plans and policies, such as an Acceptable Use Policy (AUP). You will also need to gather “compelling evidence” of control implementation, e.g. screenshots of asset technical configurations and proof of training attendance. Even a micro-business will have hundreds of pieces of compelling evidence, commonly referred to as “artifacts”. So you’ll need to prepare a method to organize all of this information.
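The integration work described in the ESP section above and the SSP/POA&M mapping just described can be cross-checked mechanically. The script below is an added example, not Totem’s tool or any NIST/CMMC program code: it takes constructed SSP entries, one SRM per ESP, and POA&M items (objective IDs are in NIST 800-171A style, but every status, ESP name and item is assumed sample data) and reports the gaps an assessor would look for: objectives missing from the SSP, “inherited” claims the ESP’s SRM does not support, shared responsibilities with no customer-side write-up, planned objectives with no POA&M item, and POA&M items that point at no real objective.

```python
from collections import defaultdict

# Constructed sample data: objective IDs follow the NIST 800-171A style, but the
# statuses, ESP names and POA&M items below are assumed, not from any real SSP.
OBJECTIVES = ["3.1.1[a]", "3.1.1[b]", "3.3.1[a]", "3.6.1[a]", "3.8.1[a]", "3.13.11[a]"]
# SSP entries: status is "implemented", "inherited" (from an ESP) or "planned".
SSP = {
    "3.1.1[a]": {"status": "implemented", "esp": None},
    "3.1.1[b]": {"status": "inherited", "esp": "mssp-example"},
    "3.3.1[a]": {"status": "inherited", "esp": "csp-example"},
    "3.6.1[a]": {"status": "planned", "esp": None},
    "3.13.11[a]": {"status": "inherited", "esp": "csp-example"},
}
# One SRM per ESP, already mapped to 800-171 objective IDs.
SRMS = {
    "csp-example": {"3.3.1[a]": "provider", "3.13.11[a]": "shared"},
    "mssp-example": {"3.1.1[b]": "customer"},
}
# POA&M items; POAM-2 points at an ID that is not a real objective (stale reference).
POAM = [
    {"id": "POAM-1", "objectives": ["3.6.1[a]"]},
    {"id": "POAM-2", "objectives": ["3.99.9[z]"]},
]


def check_coverage(objectives, ssp, srms, poam):
    """Return finding-type -> list of gaps; an empty dict means SSP, SRMs and POA&M agree."""
    findings = defaultdict(list)
    for obj in objectives:  # every assessment objective needs an SSP entry
        if obj not in ssp:
            findings["missing_from_ssp"].append(obj)
    for obj, entry in ssp.items():  # an "inherited" claim must be backed by that ESP's SRM
        if entry["status"] == "inherited":
            resp = srms.get(entry["esp"], {}).get(obj)
            if resp not in ("provider", "shared"):
                findings["unsupported_inheritance"].append((obj, entry["esp"], resp))
    for esp, srm in srms.items():  # "shared" leaves a customer part the SSP must describe
        for obj, resp in srm.items():
            if resp == "shared" and ssp.get(obj, {}).get("status") != "implemented":
                findings["shared_part_undocumented"].append((obj, esp))
    covered = {o for item in poam for o in item["objectives"]}
    for obj, entry in ssp.items():  # every planned objective needs a POA&M item
        if entry["status"] == "planned" and obj not in covered:
            findings["planned_without_poam"].append(obj)
    for item in poam:  # every POA&M item must map back to a real objective
        findings["poam_unmapped"] += [(item["id"], o) for o in item["objectives"] if o not in objectives]
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    print(check_coverage(OBJECTIVES, SSP, SRMS, POAM))
```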
If you need help with what an SSP and POA&M look like, templates for policies and plans, and/or an artifact repository, you’ll get it all with a Totem™ subscription. Consider the Engaged tier, which comes with a vast library of interpretive and training materials.
Executive leadership must establish a cybersecurity culture
We saved for last the thing that executive leadership fears the most.
Treating CMMC as simply an “IT problem” may be the biggest reason companies cannot successfully pass a CMMC Level 2 assessment. About 50% of the NIST 800-171 objectives are technology related, meaning they may be primarily the responsibility of your IT team. However, the other 50% of the objectives are business process related, for which the IT team has little to no purview. (This is especially true if you outsource IT to an MSP!) For example, CMMC Level 2 includes requirements to:
- establish a remote work policy and enforce consequences for policy violation
- conduct background checks on employees with access to CUI
- train staff on insider threat and ensure staff can report suspicious activity
- ensure there are no security lapses during the employee termination process
Imagine asking your IT staff to handle those types of requirements. Not only is it outside their lane of expertise, IT staff most likely do not have the company clout to effectively execute these actions.
To have a successful CMMC Level 2 worthy CUI protection program, your company’s executive leadership must “steer the ship”, building cybersecurity into all relevant business processes. They must build and inculcate a cybersecurity culture.
The C3PAO assessors will “read between the lines” of your SSP and can quickly suss out whether your cybersecurity program is vapor or not. By “vapor” we mean a program that looks decent on paper but is not realistic, practical, or sustainable. Assessor artifact review and staff interviews will quickly elucidate whether or not your organization takes the protection of CUI seriously, or whether it treats CMMC like another “paper drill” certification.
Thus, your executive leadership team needs to foster a cybersecurity culture, akin to a safety culture. Just as a safety culture starts at the top, so must cybersecurity culture. Your leadership cannot treat CMMC as a “one and done” certification; they must embody the business process and fully empower the IT and compliance teams, not pass the buck. In a nutshell, they must take cybersecurity seriously.
This starts by appointing an executive as the Information Security Officer (ISO), with whom the “buck will stop” for the cybersecurity program. Without an executive point-person for the cybersecurity program, it is doomed to fail. In many small businesses, the ISO role is performed by an executive who already has other duties, such as the CFO. The reality for small businesses is that someone in leadership must step up and take on these additional duties. And it probably makes the most sense for that person to assume the CMMC Affirming Official (AO) role. Someone in your organization has already affirmed your CMMC Level 1 assessment results in SPRS, right? There’s your ISO / AO.
A last word of advice for our fellow IT administrators in the trenches: too often, companies foist the ISO / AO role off on a member of the IT staff. If you’re an IT staff member and your company leadership is asking you to be the Affirming Official, ask yourself this question:
“Do I have enough of a stake in this company to justify potential civil liability in assuming the ISO / Affirming Official role?”
I.e., does the company compensate you enough to take the fall on its behalf for a deficient cybersecurity program? If the answer is no, you should push back, suggesting the company find a more appropriate executive leader to assume those duties.
Wrapping Up
So there you have an explanation of the most critical actions small businesses must execute during a transition from CMMC Level 1 to Level 2. If you’re interested in learning more details about the CMMC Level 2 requirements and how small businesses can build a CMMC Level 2 cybersecurity program, check out our Engaged service. Our Engaged tier offers a vast library of training resources, various SSP and plan templates, access to our flagship Totem™ tool, participation in our monthly Subscriber Forums, and ability to book ad hoc consulting sessions with us.
Totem Technologies exists to help small businesses – particularly micro-businesses – through the Federal government cybersecurity compliance miasma. We regularly host webinars on these topics, so follow us on LinkedIn for notifications about our upcoming presentations.
Good Hunting!
–Adam